MikroTik

Posted: **Tue Jun 22, 2021 2:52 pm**

Hi,

I have a hex S since a few years, connected to a CSS322. Back then, all tutorials were not using any bridge. Now I want to use a Bridge, however, if I activate VLAN Filtering, my network collapses.
The network looks like that:

Netzwerk(1).png

This is my configuration:

export hide-sensitive 
# jun/22/2021 13:38:39 by RouterOS 6.48.3
# software id = XE0V-A40Q
#
# model = RB760iGS
# serial number = A815099AF64D

/interface bridge
add name=bridge1

/interface ethernet
set [ find default-name=ether2 ] name="ether2(WLAN)"
set [ find default-name=sfp1 ] disabled=yes

/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan50 vlan-id=50

/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=BASE
add name=VLANblock

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=vlan1 ranges=192.168.0.20-192.168.0.40
add name=vlan20 ranges=192.168.20.2-192.168.20.254
add name=vlan10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
add name=vlan30 ranges=192.168.30.2-192.168.30.254
add name=vlan50 ranges=192.168.50.3-192.168.50.100
add name=" pool-vpn" ranges=192.168.123.100-192.168.123.199

/ip dhcp-server
add address-pool=vlan1 disabled=no interface=vlan1 lease-script=\
    dhcp-lease-script lease-time=2h name=vlan1
add address-pool=vlan20 disabled=no interface=vlan20 lease-script=\
    dhcp-lease-script name=vlan20
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=vlan10 disabled=no interface=vlan10 lease-script=\
    dhcp-lease-script name=vlan10
add address-pool=vlan30 disabled=no interface=vlan30 lease-script=\
    dhcp-lease-script lease-time=4d4h10m name=vlan30
add address-pool=vlan1 interface="ether2(WLAN)" name=WLAN
add address-pool=vlan50 disabled=no interface=vlan50 lease-script=\
    dhcp-lease-script name=vlan50
    
/port
set 0 name=serial0

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
    
/dude
set enabled=yes

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3
add bridge=bridge1 interface="ether2(WLAN)"

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5,ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5,ether3 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5,ether3 vlan-ids=50
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether5 vlan-ids=1

/interface detect-internet
set detect-interface-list=all

/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add interface=vlan50 list=VLAN
add interface=vlan1 list=BASE

/interface ovpn-server server
set auth=sha1 certificate="VPN Server" cipher=aes256 default-profile=vpn \
    enabled=yes require-client-certificate=yes
    
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=xx.xx.xx.xx2/30 interface=ether1 network=xx.xx.xx.xx0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
add address=192.168.0.1/24 disabled=yes interface=vlan1 network=192.168.0.0

/ip dhcp-server lease
add address=192.168.0.136 allow-dual-stack-queue=no disabled=yes mac-address=\
    00:02:C9:4E:89:26 server=vlan1
add address=192.168.0.113 allow-dual-stack-queue=no disabled=yes mac-address=\
    F2:E7:52:EB:6E:9B server=vlan1
add address=192.168.0.26 client-id=1:0:26:ab:6c:6:27 disabled=yes mac-address=\
    00:26:AB:6C:06:27 server=vlan1
add address=192.168.0.33 client-id=1:0:2:c9:51:77:dc disabled=yes mac-address=\
    00:02:C9:51:77:DC server=vlan1
add address=192.168.50.100 client-id=1:2c:f0:5d:3b:db:d3 disabled=yes \
    mac-address=2C:F0:5D:3B:DB:D3 server=WLAN
    
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=home.lab gateway=\
    192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.0.1 domain=service.lab gateway=\
    192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1 domain=vlan20.lab gateway=\
    192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 domain=vlan30.lab gateway=\
    192.168.30.1
add address=192.168.50.0/24 dns-server=192.168.0.1 domain=private.lab gateway=\
    192.168.50.1
add address=192.168.100.0/24 dns-server=192.168.100.1 domain=dmz.lab gateway=\
    192.168.100.1 netmask=24
    
/ip dns
set allow-remote-requests=yes servers=192.168.0.3,192.168.10.13

/ip dns static
add address=192.168.100.110 name=mydomain2.de
add address=192.168.100.110 name=mydomain1.de
add address=192.168.100.110 name=mydomain3.de
add address=192.168.0.131 name=pve.home.lab
add address=192.168.0.2 name=r620.home.lab
add address=192.168.0.113 name=nanopineo.home.lab
add address=192.168.0.128 name=grafana.home.lab
add address=192.168.0.136 name=fileserver.home.lab
add address=192.168.0.10 name=pve2.home.lab
add address=192.168.10.18 name=bookstack.service.lab
add address=192.168.10.123 name=Guacamole.service.lab
add address=192.168.10.101 comment=#DHCP name=Heimdall.service.lab ttl=10m
add address=192.168.10.122 disabled=yes name=avideo.service.lab
add address=192.168.10.123 name=avideo1.service.lab
add address=192.168.0.21 comment=#DHCP name=GUI.home.lab ttl=2h
add address=192.168.0.22 comment=#DHCP name=GUI.home.lab ttl=2h
add address=192.168.0.32 comment=#DHCP name=openhab.home.lab ttl=2h
add address=192.168.30.254 comment=#DHCP name=debian.vlan30.lab ttl=4d4h10m
add address=192.168.0.24 comment=#DHCP name=HS110.home.lab ttl=2h
add address=192.168.0.27 comment=#DHCP name=Ryzen-Workstation.home.lab ttl=2h
add address=192.168.10.253 comment=#DHCP name=debian2.service.lab ttl=10m

/ip firewall filter
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=BASE
add action=accept chain=input comment="Allow LAN" in-interface=bridge1
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-nat-state="" connection-state=established,related
add action=accept chain=forward comment="VLAN darf ins Internet" \
    connection-nat-state="" connection-state=related,new in-interface-list=VLAN \
    out-interface-list=WAN
add action=accept chain=forward comment=\
    "alllow inter VLAN Access for all not originated from vlan30" \
    connection-state=new in-interface=!vlan30 in-interface-list=VLAN \
    out-interface-list=VLAN
add action=accept chain=forward comment="Wireguard #1" dst-port=51820 protocol=\
    udp
add action=accept chain=forward comment="Wireguard #2" dst-port=51821 protocol=\
    udp
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=10.9.0.0/24
add action=accept chain=input comment="Allow winbox from LAN" dst-port=8291 \
    in-interface-list=!WAN log=yes protocol=tcp
add action=accept chain=input dst-port=4443 protocol=tcp
add action=accept chain=input dst-port=88 protocol=tcp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=accept chain=input dst-port=161 in-interface=bridge1 protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=forward comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE (Wlan Telefonie)" \
    connection-type=sip dst-port=500 log=yes protocol=udp
add action=accept chain=forward comment="allow IKE (Wlan Telefonie)" dst-port=\
    500 protocol=udp
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=192.168.0.127 \
    dst-port=445 protocol=tcp src-address=192.168.100.156
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.10.0/24 src-address=192.168.100.0/24
add action=drop chain=input comment="Block Russian, Chinese and Vietnam IPs" \
    log=yes src-address-list=CountryIPBlocks
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block everything else"
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
add action=drop chain=forward comment="Block everything else" disabled=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat dst-address-type=local
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=\
    xx.xx.xx.xx2 dst-port=80,443 protocol=tcp to-addresses=192.168.100.110
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx2 dst-port=8444 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 to-ports=443
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx2 dst-port=1194 \
    in-interface=ether1 log=yes protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3478 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3479 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3478 protocol=udp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3479 log=yes protocol=udp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5349 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5350 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5349 log=yes protocol=udp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5350 in-interface=ether1 log=yes \
    protocol=udp to-addresses=192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=udp \
    to-addresses=192.168.0.217 to-ports=51820
add action=dst-nat chain=dstnat dst-port=51821 in-interface=ether1 protocol=udp \
    to-addresses=192.168.0.218 to-ports=51821
    
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes

/ip ipsec policy
set 0 disabled=yes

/ip route
add distance=1 gateway=xx.xx.xx.xx1

/ip service
set telnet address=192.168.0.0/24 disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24 port=88
set ssh address=192.168.0.0/24 disabled=yes
set www-ssl address=192.168.0.0/24 disabled=no port=4443
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24 disabled=yes

/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

/ip upnp
set allow-disable-external-interface=yes

/ip upnp interfaces
add type=internal
add interface=ether1 type=external

/ppp secret
add name=AWI profile=vpn service=ovpn

/snmp
set enabled=yes trap-generators="" trap-version=2

/system clock
set time-zone-name=Europe/Berlin

/system script
add dont-require-permissions=no name=dhcp-lease-script owner=user policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="   \
    \_:local DHCPtag\r\
    \n    :set DHCPtag \"#DHCP\"\r\
    \n    :if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\"\
    \_}\r\
    \n    :if ( \$leaseBound = 1 ) do={\r\
    \n        :local ttl\r\
    \n        :local domain\r\
    \n        :local hostname\r\
    \n        :local dnsname\r\
    \n        :local fqdn\r\
    \n        :local leaseId\r\
    \n        :local comment\r\
    \n        :local devicename\r\
    \n        :local convert ({})\r\
    \n        :local validChars \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST\
    UVWXYZ01234567890-\"\r\
    \n        /ip dhcp-server\r\
    \n        :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n        network \r\
    \n        :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n        .. lease\r\
    \n        :set leaseId [ find address=\$leaseActIP ]\r\
    \n        # Check for multiple active leases for the same IP address. It's w\
    eird and it shouldn't be, but just in case.\r\
    \n        :if ( [ :len \$leaseId ] != 1) do={\r\
    \n            :log info \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n            :error \"multiple active leases for \$leaseActIP\"\r\
    \n        }\r\
    \n        :set hostname [ get \$leaseId host-name ]\r\
    \n        :set comment [ get \$leaseId comment ]\r\
    \n        /\r\
    \n        # Namen f\FCr Ger\E4t ermittlen\r\
    \n        :set devicename \$comment\r\
    \n        :if ( [ :len \$devicename ] <= 0 ) do={\r\
    \n            :set devicename \$hostname\r\
    \n        }\r\
    \n        # Ger\E4tenamen auf ung\FCltige Zeichen pr\FCfen\r\
    \n        :for validCharsIndex from=0 to=([:len \$validChars] - 1) do={\r\
    \n            :local validChar [:pick \$validChars \$validCharsIndex]\r\
    \n            :set (\$convert->(\$validChar)) (\$validChar)\r\
    \n        }\r\
    \n        :set (\$convert->(\"_\")) (\"-\")\r\
    \n        :set (\$convert->(\" \")) (\"-\")\r\
    \n        :for i from=0 to=([:len \$devicename] - 1) do={\r\
    \n            :local char [:pick \$devicename \$i]\r\
    \n            :local converted (\$convert->\"\$char\")\r\
    \n            :local convertedType [:typeof \$converted]\r\
    \n            :if (\$convertedType = \"str\") do={\r\
    \n                :set \$char \$converted\r\
    \n            } else={\r\
    \n                :set \$char \"\"\r\
    \n            }\r\
    \n            :set dnsname (\$dnsname.\$char)\r\
    \n        }\r\
    \n        # FQDN festlegen\r\
    \n        :if ( [ :len \$dnsname ] <= 0 ) do={\r\
    \n            :log error \"DHCP2DNS: not registering domain name for address\
    \_\$leaseActIP because of empty lease host-name or comment\"\r\
    \n            :error \"empty lease host-name or comment\"\r\
    \n        }\r\
    \n        :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n            :log error \"DHCP2DNS: not registering domain name for address\
    \_\$leaseActIP because of empty network domain name\"\r\
    \n            :error \"empty network domain name\"\r\
    \n        }\r\
    \n        :set fqdn \"\$dnsname.\$domain\"\r\
    \n        /ip dns static\r\
    \n        :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disab\
    led=no ] ] = 0 ) do={\r\
    \n            :log info \"DHCP2DNS: registering static domain name \$fqdn fo\
    r address \$leaseActIP with ttl \$ttl\"\r\
    \n            add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPt\
    ag disabled=no\r\
    \n        } else={\r\
    \n            :log error \"DHCP2DNS: not registering domain name \$fqdn for \
    address \$leaseActIP because of existing active static DNS entry with this n\
    ame or address\"\r\
    \n        }\r\
    \n        /\r\
    \n    } else={\r\
    \n        /ip dns static\r\
    \n        :local dnsDhcpId\r\
    \n        :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \r\
    \n        :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n            :log info \"DHCP2DNS: removing static domain name(s) for addre\
    ss \$leaseActIP\"\r\
    \n            remove \$dnsDhcpId\r\
    \n        }\r\
    \n        /\r\
    \n    }"
    
/tool bandwidth-server
set enabled=no

/tool graphing interface
add interface=ether1
add interface=ether5
add interface="ether2(WLAN)"
add interface=ether3
add interface=ether4
add interface=vlan20
add interface=vlan10

/tool mac-server ping
set enabled=no

With this configuration, everything is working. But VLAN Filtering over the Bridge is deactivated. In order to activate it, I have to change these:

1. activate VLAN Filtering on the Bridge
2. deactivate this: add address=192.168.0.1/24 interface=ether5 network=192.168.0.0 and activate this: add address=192.168.0.1/24 disabled=yes interface=vlan1 network=192.168.0.0

With this I have internet connection on VLAN 1, but not on any other VLAN. And I can't connect to any other VLAN machine from VLAN1.

Further, if I activate this: add action=drop chain=forward comment="Block everything else" disabled=yes then I will loose any internet connection.

What is wrong?

Posted: **Tue Jun 22, 2021 3:12 pm**

add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3

As ports ether3 and ether5 are hybrid ports carrying both untagged (VLAN1) and tagged frames (VIDs 10, 20, 30 and 50), these two ports should be set with frame-types=admit-all.

My suggestion, though, would be to convert ether3 and ether5 to proper trunk ports (remember to do the same on CSS as well) and would configure CSS to perform tagging (with VID 1) on access/hybrid ports.

BTW, why are you using ether3 and ether5 as individual connections? I'd say you'd get better performance if you configured both links into a LACP group. If they're used individually and some xSTP protocol is running on either CSS or hEX, one of links is probably disabled all the time and gets only enabled when the active one breaks.

Posted: **Tue Jun 22, 2021 3:23 pm**

My suggestion, though, would be to convert ether3 and ether5 to proper trunk ports (remember to do the same on CSS as well) and would configure CSS to perform tagging (with VID 1) on access/hybrid ports.

How can I do that? I want every port of the CSS to use every VLAN. The separation is done in my proxmox server, where I just install something using a vmbr in a specific VLAN.

I used a bonding before, but someone told me that this will slow down the hex S. I reactivated the bonding on ether 3 and 5 right now.

And: even if I set frame types admit all on the bridge-port "bonding1", the problem with connection lost is still there.

What I recognized: right now I i download something from my PC (192.168.0.x) the traffic does not go over "VLAN1", it just goes over the "bridge". Why is that so?

Edit: I am moving everything from VLAN1 to VLAN20. Hopefully this will to the trick?

Edit2: not really. But I set the Archer 7 on a Trunk port in the CSS on VLAN50. Now the PC gets a DHCP-IP in the VLAN50. This is working. But still: if I activate the VLAN Filtering in the Bridge, I loose every connection.

Posted: **Tue Jun 22, 2021 7:53 pm**

If you haven't already, I suggest you to read through this nice tutorial.

The problem when using VLAN 1 is that VID=1 is (implicit) default PVID setting for all bridge ports and if you're not careful, you get mix of tagged and untagged traffic.

Posted: **Wed Jun 23, 2021 10:36 am**

I think I got it working. This is my config now:

export hide-sensitive 
# jun/23/2021 09:17:23 by RouterOS 6.48.3
# software id = XE0V-A40Q
#
# model = RB760iGS
# serial number = A815099AF64D
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name="ether2(WLAN)"
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan50 vlan-id=50
add interface=bridge1 name=vlan60 vlan-id=60
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether3,ether5
/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=BASE
add name=VLANblock
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Block Site" regexp="^.+(facebook).*\$"
/ip pool
add name=vlan1 ranges=192.168.0.20-192.168.0.40
add name=vlan20 ranges=192.168.20.2-192.168.20.254
add name=vlan10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
add name=vlan30 ranges=192.168.30.2-192.168.30.254
add name=vlan50 ranges=192.168.50.3-192.168.50.100
add name=vlan60 ranges=192.168.60.3-192.168.60.254
/ip dhcp-server
add address-pool=vlan1 disabled=no interface=bridge1 lease-script=\
    dhcp-lease-script lease-time=2h name=vlan1
add address-pool=vlan20 disabled=no interface=vlan20 lease-script=\
    dhcp-lease-script name=vlan20
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=vlan10 disabled=no interface=vlan10 lease-script=\
    dhcp-lease-script name=vlan10
add address-pool=vlan30 disabled=no interface=vlan30 lease-script=\
    dhcp-lease-script lease-time=4d4h10m name=vlan30
add address-pool=vlan1 interface="ether2(WLAN)" name=WLAN
add address-pool=vlan50 disabled=no interface=vlan50 lease-script=\
    dhcp-lease-script name=vlan50
add address-pool=vlan60 disabled=no interface=vlan60 lease-script=\
    dhcp-lease-script name=vlan60
/port
set 0 name=serial0

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 disabled=yes ingress-filtering=yes interface=ether5
add bridge=bridge1 disabled=yes interface="ether2(WLAN)" pvid=50
add bridge=bridge1 interface=bonding1
add bridge=bridge1 interface="ether2(WLAN)"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=50
add bridge=bridge1 tagged=bridge1 vlan-ids=1
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=60
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add disabled=yes interface=ether5 list=BASE
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add interface=vlan50 list=VLAN
add interface=vlan1 list=VLAN
add interface=vlan60 list=VLAN
/interface ovpn-server server
set auth=sha1 certificate="VPN Server" cipher=aes256 default-profile=vpn \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=xx.xx.xx.xx2/30 interface=ether1 network=xx.xx.xx.xx0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
add address=192.168.0.1/24 disabled=yes interface=vlan1 network=192.168.0.0
add address=192.168.60.1/24 interface=vlan60 network=192.168.60.0
/ip dhcp-server lease
add address=192.168.0.136 allow-dual-stack-queue=no disabled=yes mac-address=\
    00:02:C9:4E:89:26 server=vlan1
add address=192.168.0.113 allow-dual-stack-queue=no disabled=yes mac-address=\
    F2:E7:52:EB:6E:9B server=vlan1
add address=192.168.0.26 client-id=1:0:26:ab:6c:6:27 disabled=yes mac-address=\
    00:26:AB:6C:06:27 server=vlan1
add address=192.168.0.33 client-id=1:0:2:c9:51:77:dc disabled=yes mac-address=\
    00:02:C9:51:77:DC server=vlan1
add address=192.168.50.100 client-id=1:2c:f0:5d:3b:db:d3 disabled=yes \
    mac-address=2C:F0:5D:3B:DB:D3 server=WLAN
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=home.lab gateway=\
    192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.0.1 domain=service.lab gateway=\
    192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1 domain=vlan20.lab gateway=\
    192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 domain=vlan30.lab gateway=\
    192.168.30.1
add address=192.168.50.0/24 dns-server=192.168.0.1 domain=private.lab gateway=\
    192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.0.1 domain=vlan60.lab gateway=\
    192.168.60.1
add address=192.168.100.0/24 dns-server=192.168.100.1 domain=dmz.lab gateway=\
    192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.10.3,192.168.10.13
/ip dns static
add address=192.168.100.110 name=mydomain2.de
add address=192.168.100.110 name=mydomain3.de
add address=192.168.100.110 name=mydomain1.de
/ip firewall filter
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=BASE
add action=accept chain=input comment="Allow LAN" in-interface=bridge1
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-nat-state="" connection-state=established,related
add action=accept chain=forward comment="VLAN darf ins Internet" \
    connection-nat-state="" connection-state=related,new in-interface-list=VLAN \
    out-interface-list=WAN
add action=accept chain=forward comment=\
    "alllow inter VLAN Access for all not originated from vlan30" \
    connection-state=new in-interface=!vlan30 in-interface-list=VLAN \
    out-interface-list=VLAN
add action=accept chain=forward comment="Wireguard #1" dst-port=51820 protocol=\
    udp
add action=accept chain=forward comment="Wireguard #2" dst-port=51821 protocol=\
    udp
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=10.9.0.0/24
add action=accept chain=input comment="Allow winbox from LAN" dst-port=8291 \
    in-interface-list=!WAN log=yes protocol=tcp
add action=accept chain=input dst-port=4443 protocol=tcp
add action=accept chain=input dst-port=88 protocol=tcp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=accept chain=input dst-port=161 in-interface=bridge1 protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=forward comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE (Wlan Telefonie)" \
    connection-type=sip dst-port=500 log=yes protocol=udp
add action=accept chain=forward comment="allow IKE (Wlan Telefonie)" dst-port=\
    500 protocol=udp
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=192.168.0.127 \
    dst-port=445 protocol=tcp src-address=192.168.100.156
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.10.0/24 src-address=192.168.100.0/24
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=forward comment="Block Fressebuch" layer7-protocol=\
    "Block Site" src-address=192.168.0.0/24
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block everything else"
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
add action=drop chain=forward comment="Block everything else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat dst-address-type=local
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=\
    xx.xx.xx.xx2 dst-port=80,443 protocol=tcp to-addresses=192.168.100.110
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx2 dst-port=8444 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 to-ports=443
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx2 dst-port=1194 \
    in-interface=ether1 log=yes protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3478 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3479 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3478 protocol=udp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=3479 log=yes protocol=udp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5349 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5350 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5349 log=yes protocol=udp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain2" \
    dst-address=xx.xx.xx.xx2 dst-port=5350 in-interface=ether1 log=yes \
    protocol=udp to-addresses=192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=udp \
    to-addresses=192.168.10.217 to-ports=51820
add action=dst-nat chain=dstnat dst-port=51821 in-interface=ether1 protocol=udp \
    to-addresses=192.168.10.218 to-ports=51821
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=xx.xx.xx.xx1
/ip service
set telnet address=192.168.0.0/24 disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24 port=88
set ssh address=192.168.0.0/24 disabled=yes
set www-ssl address=192.168.0.0/24 disabled=no port=4443
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24 disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add type=internal
add interface=ether1 type=external
/ppp secret
add name=AWI profile=vpn service=ovpn
/snmp
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Berlin
/system script
add dont-require-permissions=no name=dhcp-lease-script owner=user policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="   \
    \_:local DHCPtag\r\
    \n    :set DHCPtag \"#DHCP\"\r\
    \n    :if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\"\
    \_}\r\
    \n    :if ( \$leaseBound = 1 ) do={\r\
    \n        :local ttl\r\
    \n        :local domain\r\
    \n        :local hostname\r\
    \n        :local dnsname\r\
    \n        :local fqdn\r\
    \n        :local leaseId\r\
    \n        :local comment\r\
    \n        :local devicename\r\
    \n        :local convert ({})\r\
    \n        :local validChars \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST\
    UVWXYZ01234567890-\"\r\
    \n        /ip dhcp-server\r\
    \n        :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n        network \r\
    \n        :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n        .. lease\r\
    \n        :set leaseId [ find address=\$leaseActIP ]\r\
    \n        # Check for multiple active leases for the same IP address. It's w\
    eird and it shouldn't be, but just in case.\r\
    \n        :if ( [ :len \$leaseId ] != 1) do={\r\
    \n            :log info \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n            :error \"multiple active leases for \$leaseActIP\"\r\
    \n        }\r\
    \n        :set hostname [ get \$leaseId host-name ]\r\
    \n        :set comment [ get \$leaseId comment ]\r\
    \n        /\r\
    \n        # Namen f\FCr Ger\E4t ermittlen\r\
    \n        :set devicename \$comment\r\
    \n        :if ( [ :len \$devicename ] <= 0 ) do={\r\
    \n            :set devicename \$hostname\r\
    \n        }\r\
    \n        # Ger\E4tenamen auf ung\FCltige Zeichen pr\FCfen\r\
    \n        :for validCharsIndex from=0 to=([:len \$validChars] - 1) do={\r\
    \n            :local validChar [:pick \$validChars \$validCharsIndex]\r\
    \n            :set (\$convert->(\$validChar)) (\$validChar)\r\
    \n        }\r\
    \n        :set (\$convert->(\"_\")) (\"-\")\r\
    \n        :set (\$convert->(\" \")) (\"-\")\r\
    \n        :for i from=0 to=([:len \$devicename] - 1) do={\r\
    \n            :local char [:pick \$devicename \$i]\r\
    \n            :local converted (\$convert->\"\$char\")\r\
    \n            :local convertedType [:typeof \$converted]\r\
    \n            :if (\$convertedType = \"str\") do={\r\
    \n                :set \$char \$converted\r\
    \n            } else={\r\
    \n                :set \$char \"\"\r\
    \n            }\r\
    \n            :set dnsname (\$dnsname.\$char)\r\
    \n        }\r\
    \n        # FQDN festlegen\r\
    \n        :if ( [ :len \$dnsname ] <= 0 ) do={\r\
    \n            :log error \"DHCP2DNS: not registering domain name for address\
    \_\$leaseActIP because of empty lease host-name or comment\"\r\
    \n            :error \"empty lease host-name or comment\"\r\
    \n        }\r\
    \n        :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n            :log error \"DHCP2DNS: not registering domain name for address\
    \_\$leaseActIP because of empty network domain name\"\r\
    \n            :error \"empty network domain name\"\r\
    \n        }\r\
    \n        :set fqdn \"\$dnsname.\$domain\"\r\
    \n        /ip dns static\r\
    \n        :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disab\
    led=no ] ] = 0 ) do={\r\
    \n            :log info \"DHCP2DNS: registering static domain name \$fqdn fo\
    r address \$leaseActIP with ttl \$ttl\"\r\
    \n            add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPt\
    ag disabled=no\r\
    \n        } else={\r\
    \n            :log error \"DHCP2DNS: not registering domain name \$fqdn for \
    address \$leaseActIP because of existing active static DNS entry with this n\
    ame or address\"\r\
    \n        }\r\
    \n        /\r\
    \n    } else={\r\
    \n        /ip dns static\r\
    \n        :local dnsDhcpId\r\
    \n        :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \r\
    \n        :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n            :log info \"DHCP2DNS: removing static domain name(s) for addre\
    ss \$leaseActIP\"\r\
    \n            remove \$dnsDhcpId\r\
    \n        }\r\
    \n        /\r\
    \n    }"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether5
add interface="ether2(WLAN)"
add interface=ether3
add interface=ether4
add interface=vlan20
add interface=vlan10
/tool mac-server ping
set enabled=no

What's running:
- I can now communicate with the VLANs and the Internet.
- WiFi Calling

New problems:

- Wireguard isn't really working anymore. I can connect to my wireguard server (LXC on Proxmox), but the traffic to the internet is really slow (12 mbit down, 0.8 mbit up). I CAN connect to some linux clients over SSH, BUT it is really really slow. The connection oftens breaks. Over wireguard the Ping to my Proxmox-Server is about 1500 ms. And that's far to high.
- I tried to block the traffic from vlan30 to everything. But I can still access everything originating from vlan30.
- the VLAN routing is really slow (~150 mbit/s). Is this normal?

Edit: I had to move wireguard back to VLAN1, and I had to insert accept chains for the traffic between the subnets. Now everything is working.

Strange: iperf between PC (VLAN50) and Server1 (VLAN20): 350 mbit/s and cpu of hex S @ 30 %. iperf between Server2 (VLAN50) and Server1 (VLAN20): 950 mbit/s and CPU of hex S @ 1 %.

Posted: **Wed Jun 23, 2021 3:05 pm**

You have to be ware that hEX S is not really a beast of a router. It can realistically route at around 0.5 Gbps depending on amount and complexity of firewall rules. It's been mentioned on this forum before, that some devices in certain conditions seem to struggle tagging and untagging packets passing ether ports. For this reason it's beneficial to let proper switch (CSS) do the tagging and untagging. This may (or may not) explain the difference in iperf test results (if PC is connected to untagged port of hEX S).

You don't have fasttracking enabled (fasttracking helps with firewall performance quite a lot). Default config has a pair of rules like these:

filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"

Just beware that certain functions (such as queuing, IPsec and some others) don't work with fasttracking enabled ... which is solvable, but one has to craft the action=fasttrack rule so that it skips packets/connections which need special attention.

And remember that firewall rule order matters (first matching rule makes packet skip processing the rest of rules).

Posted: **Thu Jun 24, 2021 11:22 am**

I activated fasttrack, but I don't see any improvement. Still 350 mbit/s.

What can I do that if I connect a new PC to the CSS to get him an IP in VLAN50 without setting it manually in the PC or set the port in the CSS to VLAN ID 50?

MikroTik

Problems with VLAN and Bridge

Problems with VLAN and Bridge

Re: Problems with VLAN and Bridge

Re: Problems with VLAN and Bridge

Re: Problems with VLAN and Bridge

Re: Problems with VLAN and Bridge

Re: Problems with VLAN and Bridge

Re: Problems with VLAN and Bridge