Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

VLAN filtering partially not working

Post Reply
 
mmee
just joined
Topic Author
Posts: 16
Joined: Sat Aug 28, 2021 8:30 am
Location: Estonia

VLAN filtering partially not working

Wed Oct 23, 2024 2:18 pm

Hello,
I would like to ask you help regarding VNET filtering, as I think I read all docs and videos regarding this, but still not functioning fully.
About the setup: Main router is RB4011iGS+5HacQ2HnD with 2 hap ac2 managed by capsman. It's a home environment.
eth1: WAN
eth2 (vlan 100): hap ac2 1
eth3 (vlan 100): hap ac2 2
eth4 (vlan 100): client device
eth5 (vlan 100): client device
eth6-7: empty
eth8 (vlan 10): admin access
eth9 (vlan 200): poe switch for survilliance cameras
eth10: empty
wlan1 (vlan 100)
wlan2 (vlan 100)

Currently vlan 100 is not configured, because if I change PVID on any bridge port from 1 to 100, no connection works and devices don't get IP address.

I created separate dhcp for each vlan only vlan 100 is not working.
My other assumption is that the bridge interface is not correct for dhcp1 (which should belongs to vlan100), but when I change the interface to vlan100, it's not working, and dhcp1 marked as red in Winbox.

Can you help me what did I miss?

Code: Select all
# 2024-10-23 13:49:44 by RouterOS 7.16
# software id = PT47-7AMD
#
# model = RB4011iGS+5HacQ2HnD

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=ch24
add band=5ghz-onlyn name=ch5
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5300/20-Ce/an/DP(17dBm), SSID: MY_SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] country=MY_COUNTRY mode=ap-bridge ssid=\
    MikroTik_5G
/interface wireguard
add listen-port=9980 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/caps-man datapath
add bridge=bridge name=datapath1 vlan-id=1 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk encryption=aes-ccm name=sec1
/caps-man configuration
add channel=ch24 country=MY_COUNTRY datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=cfg_24 security=sec1 ssid=\
    "MY_SSID_2"
add channel=ch5 channel.band=5ghz-n/ac .control-channel-width=20mhz \
    .frequency=5240 country=MY_COUNTRY datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=cfg_5 rates.supported="" security=sec1 \
    ssid="MY_SSID"
/caps-man interface
add configuration=cfg_24 disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx \
    master-interface=none name=cap1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=  xx
add channel=ch5 channel.frequency=5300 configuration=cfg_5 \
    configuration.installation=any disabled=no l2mtu=1600 mac-address=\
    xx:xx:xx:xx:xx:xx master-interface=none name=cap2 radio-mac=\
    xx:xx:xx:xx:xx:xx radio-name=xx
add channel.frequency=2422 configuration=cfg_24 disabled=no l2mtu=1600 \
    mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap3 radio-mac=\
    xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5180 configuration=cfg_5 disabled=no l2mtu=\
    1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none mtu=1500 name=\
    cap4 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
add channel.frequency=2432 configuration=cfg_24 disabled=no l2mtu=1600 \
    mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap5 radio-mac=\
    xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5240 configuration=cfg_5 disabled=no l2mtu=\
    1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap6 \
    radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
/interface list
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(17dBm), SSID: MY_SSID_2, CAPsMAN forwarding
set [ find default-name=wlan1 ] country=MY_COUNTRY installation=indoor mode=\
    ap-bridge security-profile=profile1 ssid=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.95.30-192.168.95.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool2 interface=vlan200 name=dhcp_vlan200
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_24 radio-mac=\
    xx:xx:xx:xx:xx:xx
add action=create-dynamic-enabled master-configuration=cfg_24 radio-mac=\
    xx:xx:xx:xx:xx:xx
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=200
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=ether8 vlan-ids=10
add bridge=bridge tagged=ether2,ether3,ether4,ether5,cap1,cap3,cap5 vlan-ids=100
add bridge=bridge tagged=ether9 vlan-ids=200
/interface list member
add interface=bridge list=LAN
add interface=ether8 list=LAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.95.1/24 interface=bridge network=192.168.95.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.90.1/24 interface=wireguard1 network=192.168.90.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=192.168.10.1
add address=192.168.95.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=192.168.95.1
add address=192.168.200.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=192.168.200.1
/ip firewall address-list
add address=192.168.95.0/24 list=admin_list
add address=192.168.10.0/24 list=admin_list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.95.0/24 list=LAN_network
add address=192.168.10.0/24 list=LAN_network
add address=10.15.0.0/16 list=SW_Server
add address=192.168.8.0/24 list=SW_Server
add address=10.8.0.0/16 list=SW_Server
add address=192.168.68.0/24 list=SW_Server
add address=172.28.249.0/24 list=SW_Server
add address=172.28.1.0/24 list=SW_Server
add address=192.168.4.0/24 list=SW_Server
/ip firewall filter
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related disabled=yes
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=input dst-port=8291,80 protocol=tcp src-address-list=\
    admin_list
add action=accept chain=input comment="Accept ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=accept chain=forward dst-address-list=LAN_network \
    src-address-list=LAN_network
add action=accept chain=forward comment=bridge_to_vlan200 in-interface=bridge \
    log=yes log-prefix=bridge_to_vlan200 out-interface=vlan200
add action=accept chain=forward comment=vlan200_to_bridge connection-state=\
    established,related in-interface=vlan200 log=yes log-prefix=\
    vlan200_to_bridge out-interface=bridge
add action=accept chain=forward comment=vlan200_to_eth1 disabled=yes \
    in-interface=vlan200 log=yes log-prefix=vlan200_to_eth1 out-interface=\
    ether1
add action=accept chain=input comment="Wireguard allow" dst-port=9980 \
    protocol=udp
add action=accept chain=forward comment="SW allow" dst-address-list=\
    SW_Server src-mac-address=xx:xx:xx:xx:xx:xx
add action=drop chain=input comment="block everything else - input_drop" \
    in-interface=ether1 log-prefix=input_drop
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN - !public_from_LAN" \
    dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
    !public_from_LAN out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted - !NAT" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP - !public" \
    in-interface=ether1 log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP - LAN_!LAN" in-interface=\
    bridge log=yes log-prefix=LAN_!LAN src-address-list=!LAN_network
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat src-address=192.168.90.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.95.0/24,192.168.10.0/24
/system clock
set time-zone-name=Location
/system identity
set name=MikroTik_4011
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
Top
 
akakua
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Mon Apr 06, 2020 4:52 pm

Re: VLAN filtering partially not working

Wed Oct 23, 2024 4:45 pm

Try delete entry for vlan 100 in bridge/vlan tab, and after this set pvid on ports.
Top
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 254
Joined: Thu Dec 21, 2023 6:45 pm

Re: VLAN filtering partially not working

Wed Oct 23, 2024 7:23 pm

When adding the entries under /interface bridge vlan you also need to add the "bridge" to the list of tagged ports. Otherwise, layer 3 features won't work. In this case the "bridge" port acts as the CPU port.
Top
 
mmee
just joined
Topic Author
Posts: 16
Joined: Sat Aug 28, 2021 8:30 am
Location: Estonia

Re: VLAN filtering partially not working

Wed Oct 23, 2024 10:22 pm

Hi,
When adding the entries under /interface bridge vlan you also need to add the "bridge" to the list of tagged ports. Otherwise, layer 3 features won't work. In this case the "bridge" port acts as the CPU port.
Added bridge to vlan100 and set PVID 100 on interface eth4 and eth5 for testing, but clients didn't get valid ip.. (169.254.210.251) Also tried to set vlan100 for dhcp1 inerface, but that is still red..
Code: Select all
/interface bridge vlan
add bridge=bridge untagged=ether8 vlan-ids=10
add bridge=bridge tagged=ether2,ether3,ether4,ether5,bridge vlan-ids=100
add bridge=bridge tagged=ether9 vlan-ids=200
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=100
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=200
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2

dhcp1_vlan100.png
You do not have the required permissions to view the files attached to this post.
Top
 
GabrieleV
just joined
Posts: 13
Joined: Thu Mar 05, 2020 8:03 pm

Re: VLAN filtering partially not working

Wed Oct 23, 2024 10:52 pm

Why you have add bridge=bridge tagged=ether2,ether3,ether4,ether5,bridge vlan-ids=100
I guess that you have clients there and not another switch, so they should be untagged, not tagged
Top
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 254
Joined: Thu Dec 21, 2023 6:45 pm

Re: VLAN filtering partially not working

Thu Oct 24, 2024 3:40 am

In addition to what @GabrieleV wrote (moving ether3 and ether4 to the untagged list after setting PVID). Did you also move the /ip address entry for 192.168.95.1/24 from the interface "bridge" to "vlan100" before changing the DHCP server entry?
Top
 
mmee
just joined
Topic Author
Posts: 16
Joined: Sat Aug 28, 2021 8:30 am
Location: Estonia

Re: VLAN filtering partially not working

Sun Oct 27, 2024 11:03 pm

Hello!
Appreciate your suggestions, they helped a lot!
Why you have add bridge=bridge tagged=ether2,ether3,ether4,ether5,bridge vlan-ids=100
I guess that you have clients there and not another switch, so they should be untagged, not tagged
I added ether2-5 as untagged (ether2-3 are cap devices and they didn't work when they were tagged) and finally I can see devices under /interface/bridge/host> with correct vlan id.

Did you also move the /ip address entry for 192.168.95.1/24 from the interface "bridge" to "vlan100" before changing the DHCP server entry?
Also modifying vlan100 interface in /ip/address fixed the dhcp issue.


Something is still not correct, because security camera in vlan200 (Hikvision camera connected to poe switch on ether9) is not reachable from vlan100 even though I added firewall rule to enable this.
Code: Select all
add action=accept chain=forward comment=vlan100_to_vlan200 in-interface=\
    vlan100 log=yes log-prefix=vlan100_to_vlan200 out-interface=vlan200
Based on logs accept rule allows the traffic. When I connect to vlan200, all connection works perfectly (ping, port80), so I don't think it's camera issue. (there is no access limitation implemented on the camera side)
Any experience is welcome!
Code: Select all
# 2024-10-27 20:35:05 by RouterOS 7.16
# software id = PT47-7AMD
#
# model = RB4011iGS+5HacQ2HnD
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=ch24
add band=5ghz-onlyn name=ch5
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5300/20-Ce/an/DP(17dBm), SSID: MY_SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] country=MY_COUNTRY mode=ap-bridge ssid=\
    MikroTik_5G
/interface wireguard
add listen-port=9980 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1 vlan-id=100 \
    vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk encryption=aes-ccm name=sec1
/caps-man configuration
add channel=ch24 country=MY_COUNTRY datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=cfg_24 security=sec1 ssid=\
    "MY_SSID"
add channel=ch5 channel.band=5ghz-n/ac .control-channel-width=20mhz \
    .frequency=5240 country=MY_COUNTRY datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=cfg_5 rates.supported="" security=sec1 \
    ssid="MY_SSID"
/caps-man interface
add configuration=cfg_24 disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx \
    master-interface=none name=cap1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=\
    xx
add channel=ch5 channel.frequency=5300 configuration=cfg_5 \
    configuration.installation=any disabled=no l2mtu=1600 mac-address=\
    xx:xx:xx:xx:xx:xx master-interface=none name=cap2 radio-mac=\
    xx:xx:xx:xx:xx:xx radio-name=xx
add channel.frequency=2422 configuration=cfg_24 disabled=no l2mtu=1600 \
    mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap3 radio-mac=\
    xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5180 configuration=cfg_5 disabled=no l2mtu=\
    1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none mtu=1500 name=\
    cap4 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
add channel.frequency=2432 configuration=cfg_24 disabled=no l2mtu=1600 \
    mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap5 radio-mac=\
    xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5240 configuration=cfg_5 disabled=no l2mtu=\
    1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap6 \
    radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
/interface list
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(17dBm), SSID: MY_SSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] country=MY_COUNTRY installation=indoor mode=\
    ap-bridge security-profile=profile1 ssid=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.95.30-192.168.95.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool2 interface=vlan200 name=dhcp_vlan200
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_24 radio-mac=\
    xx:xx:xx:xx:xx:xx
add action=create-dynamic-enabled master-configuration=cfg_24 radio-mac=\
    xx:xx:xx:xx:xx:xx
/interface bridge port
add bridge=bridge interface=ether2 pvid=100
add bridge=bridge interface=ether3 pvid=100
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=100
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=200
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=ether8 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,ether5,ether3,ether2 \
    vlan-ids=100
add bridge=bridge tagged=ether9,bridge vlan-ids=200
/interface list member
add interface=bridge list=LAN
add interface=ether8 list=LAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.95.1/24 interface=vlan100 network=192.168.95.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.90.1/24 interface=wireguard1 network=192.168.90.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.95.99 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=\
    192.168.10.1
add address=192.168.95.0/24 dns-server=8.8.8.8 gateway=192.168.95.1
add address=192.168.200.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=\
    192.168.200.1
/ip firewall address-list
add address=192.168.95.0/24 list=admin_list
add address=192.168.10.0/24 list=admin_list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.95.0/24 list=LAN_network
add address=192.168.10.0/24 list=LAN_network
add address=10.15.0.0/16 list=SW_Server
add address=192.168.8.0/24 list=SW_Server
add address=10.8.0.0/16 list=SW_Server
add address=192.168.68.0/24 list=SW_Server
add address=172.28.249.0/24 list=SW_Server
add address=172.28.1.0/24 list=SW_Server
add address=192.168.4.0/24 list=SW_Server
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=input dst-port=8291,80 protocol=tcp src-address-list=\
    admin_list
add action=accept chain=input comment="Accept ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=accept chain=forward dst-address-list=LAN_network \
    src-address-list=LAN_network
add action=accept chain=forward comment=vlan100_to_vlan200 in-interface=\
    vlan100 log=yes log-prefix=vlan100_to_vlan200 out-interface=vlan200
add action=accept chain=forward comment=vlan200_to_bridge connection-state="" \
    in-interface=vlan200 log=yes log-prefix=vlan200_to_bridge out-interface=\
    vlan100
add action=accept chain=input comment="Wireguard allow" dst-port=9980 \
    protocol=udp
add action=accept chain=forward comment="SW allow" dst-address-list=SW_Server \
    src-mac-address=xx:xx:xx:xx:xx:xx
add action=drop chain=input comment="block everything else - input_drop" \
    in-interface=ether1 log-prefix=input_drop
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN - !public_from_LAN" \
    dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
    !public_from_LAN out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted - !NAT" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP - !public" \
    in-interface=ether1 log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP - LAN_!LAN" in-interface=\
    bridge log=yes log-prefix=LAN_!LAN src-address-list=!LAN_network
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat src-address=192.168.90.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.95.0/24,192.168.10.0/24
/system identity
set name=MikroTik_4011
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
Top
Post Reply

Who is online

Users browsing this forum: No registered users and 37 guests
  4. RouterOS
  5. Beginner Basics