VLAN help
Posted: Tue Mar 18, 2014 3:07 pm
by mpreissner
I'm definitely a noob to the Mikrotik family...used to working with Nortel ERS switches. I have to say that setting up VLANs is a bit more confusing than the old Nortel equipment, but that's probably just because I'm new to it. So here's the issue...
I'm running an RB750GL as my main router. Ether1 is my incoming WAN, ether2 is a trunk to a media center, ether3 will be a trunk to my home office, ether4 trunks to my wireless AP, and ether5 is an access port for a media device in another room. Ether3-5 are slaves to ether2. I was able to get the trunk on ether2 set up (it goes to an RB260GS), but I'm having trouble figuring out how to trunk the same VLANs over to ether5. Essentially, I want to configure ether5 as an access port that will carry the same VLAN as ether2.
Configuration on the 750 is a default install of 6.10, with two VLANs created on ether2. I tried creating the same VLAN on ether5, and configured a DHCP relay on that interface, but the device that's on that port can't get an address. I'm further confused by the "Switch" section in the WebFig interface...do I create the VLANs there, or on the Interfaces section (which is where I successfully trunked the router to the 260GS switch)?
Any help is appreciated. Thanks!
Re: VLAN help
Posted: Tue Mar 18, 2014 3:30 pm
by rextended
Why do you need VLANs at home???
Re: VLAN help
Posted: Tue Mar 18, 2014 3:43 pm
by mpreissner
I'm running a number of business systems at home and want to keep them separate from my test lab. But why I need VLANs at home isn't relevant to my question...
Re: VLAN help
Posted: Tue Mar 18, 2014 4:10 pm
by efaden
> I'm running a number of business systems at home and want to keep them separate from my test lab. But why I need VLANs at home isn't relevant to my question...
Are you trying to do the VLANs with the switch chip or with bridges?...
Re: VLAN help
Posted: Tue Mar 18, 2014 4:15 pm
by mpreissner
I'm looking for the easiest way to set it up. I got my trunk on ether2 set up using the instructions found in this article:
http://wiki.mikrotik.com/wiki/SwOS/Router-On-A-Stick
I would assume that I probably want to do it all with the switch chip, but I don't think that's what I've done as yet.
Re: VLAN help
Posted: Tue Mar 18, 2014 4:21 pm
by efaden
> I'm looking for the easiest way to set it up. I got my trunk on ether2 set up using the instructions found in this article:
> http://wiki.mikrotik.com/wiki/SwOS/Router-On-A-Stick
> I would assume that I probably want to do it all with the switch chip, but I don't think that's what I've done as yet.
Post your export so I can at least see what you have.... VLANs on MikroTik are a little ... well... goofy, but once you understand them it's not that bad. Basically what you're going to want to do is have ether3 to ether5 set with ether2 as their master. Then add all of the VLANs you want to ether2 ONLY. Since ether2 is the master you shouldn't be adding IPs, DHCP servers, VLANs, or really ANYTHING else on to interfaces other than ether2. You then will use some of the options in the switch menu to actually control what VLANs go where.
Post your export and I'll help you get it right...
Also post a diagram of what you want coming out of each port.... or at least list it... something like
ether2 - 1 Tagged, 3 Tagged, 100 Untagged
ether3 - 3 Tagged, 100 Tagged
ether4 - 100 Untagged
...
etc
so I know exactly what you want on each port.
See:
http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features for the switch chip features.
The upside to doing this in the switch chip is that it is near wire speed and doesn't use the CPU on the box.
Re: VLAN help
Posted: Tue Mar 18, 2014 4:30 pm
by mpreissner
I'll post my config as soon as I get home. Thanks!
Re: VLAN help
Posted: Tue Mar 18, 2014 4:32 pm
by efaden
> I'll post my config as soon as I get home. Thanks!
Yep. Sounds good. Just make sure you also post exactly what you want on each port...
Re: VLAN help
Posted: Wed Mar 19, 2014 12:16 am
by mpreissner
Ok, attached is my working config.
I know my WAN port (ether1) currently has a private IP address...I'm NAT'd behind my Verizon router at the moment. I'll be eliminating that in the coming weeks.
Ether2 trunks to an RB260GS that connects to all my media devices. This trunk carries VLANs 1 and 501 (mgmt and mediaLAN, respectively).
Ether3 currently needs to be configured as an access port. My entire home office sits on some unmanaged switches off that port. I'd like to call that VLAN 200. I'll eventually put a 24-port MikroTik switch back there, at which point I'll need VLANs 300 (DMZ), 400 (VoIP phones), and 1 trunked back there as well.
Ether4 goes to my Wireless AP (Ubiquiti UAP-AC). I want VLAN 1 (for its mgmt address), 501 (so I can wirelessly add my Wii to the existing pool of media devices on that VLAN), 801 (Internal Wireless), and 901 (guest wireless).
Ether5 is an access point for an AppleTV in a different room. I want VLAN 501 on this port.
I run my own DHCP server - it sits off one of the unmanaged switches connected to Ether3.
The overall IP schema I want to use (for no particular reason) is this:
VLAN 1: 172.16.0.0/28
200: 10.1.150.0/24
300: 172.31.252.0/29
400: 10.22.35.64/28
501: 172.18.0.16/28
801: 10.1.168.0/28
901: 192.168.15.0/27
Re: VLAN help
Posted: Wed Mar 19, 2014 12:43 am
by efaden
Pretty sure I get it. I'll look through it after my son goes to bed or early tomorrow.
Re: VLAN help
Posted: Wed Mar 19, 2014 2:03 am
by efaden
Post your export... not just logs... type "/export" and then paste the output into a new message inside of syntax tags.
Re: VLAN help
Posted: Wed Mar 19, 2014 2:39 am
by mpreissner
ros code
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface vlan
add interface=ether2 l2mtu=1594 name=Infrastructure vlan-id=1
add interface=ether2 l2mtu=1594 name=MediaLAN vlan-id=501
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=10.1.150.31-10.1.150.239
/ip dhcp-server
add address-pool=default-dhcp interface=ether2 name=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=10.1.150.254/24 comment="default configuration" interface=ether2 network=10.1.150.0
add address=172.18.0.30/28 interface=MediaLAN network=172.18.0.16
add address=172.16.0.14/28 interface=ether2 network=172.16.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-relay
add dhcp-server=10.1.150.1 disabled=no interface=MediaLAN name=relay1
/ip dhcp-server network
add address=10.1.150.0/24 dns-server=10.1.150.250,10.1.150.1 domain=preissner.us gateway=10.1.150.254 netmask=24 \
ntp-server=10.1.150.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=WAN
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN protocol=tcp to-addresses=10.1.150.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN protocol=tcp to-addresses=10.1.150.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=25 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=25
add action=dst-nat chain=dstnat dst-port=465 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=587
add action=dst-nat chain=dstnat dst-port=993 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=993
/ip service
set telnet disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=gateway
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.1.150.1
/tool e-mail
set address=10.1.150.249 from=gateway@preissner.us
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
Re: VLAN help
Posted: Wed Mar 19, 2014 2:48 am
by efaden
Alright... I'm working on it. Just curious though... why on earth do you need to actually segregate your home network that much?... also it seems like you're picking just crazy annoying and complex ranges... just my $0.02
-Eric
Re: VLAN help
Posted: Wed Mar 19, 2014 3:02 am
by efaden
You'll have to fix the DHCP for whatever you want... but the rest should basically be working.
ros code
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface vlan
add interface=ether2 l2mtu=1594 name=Vlan1 vlan-id=1
add interface=ether2 l2mtu=1594 name=Vlan200 vlan-id=200
add interface=ether2 l2mtu=1594 name=Vlan300 vlan-id=300
add interface=ether2 l2mtu=1594 name=Vlan400 vlan-id=400
add interface=ether2 l2mtu=1594 name=Vlan501 vlan-id=501
add interface=ether2 l2mtu=1594 name=Vlan801 vlan-id=801
add interface=ether2 l2mtu=1594 name=Vlan901 vlan-id=901
/ip pool
add name=vlan200-pool ranges=10.1.150.31-10.1.150.239
/ip dhcp-server
add address-pool=vlan200-pool interface=ether2 name=vlan200-dhcp
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-relay
# the VLAN interface was renamed to Vlan501 above, so the relay has to point at that name
add dhcp-server=10.1.150.1 disabled=no interface=Vlan501 name=relay1
/ip dhcp-server network
add address=10.1.150.0/24 dns-server=10.1.150.250,10.1.150.1 domain=preissner.us gateway=10.1.150.254 netmask=24 \
ntp-server=10.1.150.1
# VLAN membership is set under "switch vlan"; the CPU port is called switch1-cpu
/interface ethernet switch vlan
add vlan-id=1 switch=switch1 ports=ether2,ether4,switch1-cpu
add vlan-id=200 switch=switch1 ports=ether3,switch1-cpu
add vlan-id=300 switch=switch1 ports=ether3,switch1-cpu
add vlan-id=400 switch=switch1 ports=ether3,switch1-cpu
# ether2 trunks 501 to the RB260GS as well, so it must be a member
add vlan-id=501 switch=switch1 ports=ether2,ether4,ether5,switch1-cpu
add vlan-id=801 switch=switch1 ports=ether4,switch1-cpu
add vlan-id=901 switch=switch1 ports=ether4,switch1-cpu
# per-port tagging behaviour is set under "switch port"
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=add-if-missing
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=501
/ip address
# the router needs a host address in each block, not the network address itself
add address=172.16.0.14/28 interface=Vlan1 network=172.16.0.0
add address=10.1.150.254/24 interface=Vlan200 network=10.1.150.0
# 300 and 400 are placeholders (first host in the block); pick whatever you like
add address=172.31.252.1/29 interface=Vlan300 network=172.31.252.0
add address=10.22.35.65/28 interface=Vlan400 network=10.22.35.64
add address=172.18.0.30/28 interface=Vlan501 network=172.18.0.16
add address=10.1.168.14/28 interface=Vlan801 network=10.1.168.0
add address=192.168.15.30/27 interface=Vlan901 network=192.168.15.0
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=WAN
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN protocol=tcp to-addresses=10.1.150.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN protocol=tcp to-addresses=10.1.150.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=25 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=25
add action=dst-nat chain=dstnat dst-port=465 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=587
add action=dst-nat chain=dstnat dst-port=993 in-interface=WAN protocol=tcp to-addresses=10.1.150.249 to-ports=993
Re: VLAN help
Posted: Wed Mar 19, 2014 4:35 am
by CelticComms
> Just curious though... why on earth do you need to actually segregate your home network that much?...
CISSPs running a business at home tend to have a healthy interest in controls. Personally I would probably dump all use of VLAN 1 and throw some 802.1x in for good measure so the OP isn't being at all excessive....
Re: VLAN help
Posted: Wed Mar 19, 2014 7:36 am
by lordzar
I think your problem is that the LAN ports are mastered to ether2.
You are trying to config port 5 as if it was independent. When you master ports together only the master port is configurable.
Re: VLAN help
Posted: Wed Mar 19, 2014 12:41 pm
by mpreissner
Thanks! I'm starting to understand how ROS does this...I'll probably get the config straightened out tonight (Internet interruptions during the day tend to upset the future Mrs.)
802.1x is in the roadmap, but I figured I'd go for the low-hanging fruit to start. Next up is EAP-TLS on my internal wireless
Re: VLAN help
Posted: Wed Mar 19, 2014 4:58 pm
by efaden
> I think your problem is that the LAN ports are mastered to ether2.
> You are trying to config port 5 as if it was independent. When you master ports together only the master port is configurable.
Lordzar - That's actually the point... he is using the switch chip to control the VLANs... not bridges. In order to use the switch chip you set all of them to have the same master port and then use the switch settings to control what goes where.
> Thanks! I'm starting to understand how ROS does this...I'll probably get the config straightened out tonight (Internet interruptions during the day tend to upset the future Mrs.)
> 802.1x is in the roadmap, but I figured I'd go for the low-hanging fruit to start. Next up is EAP-TLS on my internal wireless
Sounds good... let me know how it goes.
Re: VLAN help
Posted: Wed Mar 19, 2014 10:10 pm
by benitton
I am having similar issues configuring an RB2011UiAS2HnD. Is there a "clearer" tutorial on how to set up the switching? I have been struggling to understand how to use the switching features vs. the bridge VLAN configuration that is shown on the VLAN wiki portion.
Thank you so much!!!!
Re: VLAN help
Posted: Wed Mar 19, 2014 10:14 pm
by efaden
Not that I know of. Start a thread and I can try to help you.
Re: VLAN help
Posted: Wed Mar 19, 2014 11:21 pm
by benitton
> Not that I know of. Start a thread and I can try to help you.
Thank you very much!!!!! The thread I created is
http://forum.mikrotik.com/viewtopic.php?f=13&t=83134.
Any guidance will be more than appreciated!
Re: VLAN help
Posted: Sat Mar 22, 2014 3:21 pm
by mpreissner
Just wanted to say thanks! I finally got everything on my network running the way I wanted it. Had to play with a few things, but I'm finally getting the hang of RouterOS. Here's the config I ended up with:
ros code
/certificate
add common-name=gateway.preissner.us country=US key-size=4096 locality=Columbia name=cert_1 organization=\
"The Preissner Group" state=Maryland trusted=yes unit=Gateway
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface vlan
add interface=ether2-master-local l2mtu=1594 name=DMZ vlan-id=300
add interface=ether2-master-local l2mtu=1594 name=GuestWireless vlan-id=901
add interface=ether2-master-local l2mtu=1594 name=InternalWireless vlan-id=801
add interface=ether2-master-local l2mtu=1594 name=MediaLAN vlan-id=501
add interface=ether2-master-local l2mtu=1594 name=Mgmt vlan-id=1
add interface=ether2-master-local l2mtu=1594 name=Phones vlan-id=400
add interface=ether2-master-local l2mtu=1594 name=Servers vlan-id=200
/interface ethernet switch port
set 1 vlan-mode=secure
set 2 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=501 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/interface ethernet switch vlan
add independent-learning=no ports=ether2-master-local,ether4-slave-local,switch1-cpu,ether5-slave-local switch=\
switch1 vlan-id=501
add independent-learning=no ports=ether3-slave-local,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=no ports=switch1-cpu,ether4-slave-local switch=switch1 vlan-id=801
add independent-learning=no ports=switch1-cpu,ether4-slave-local switch=switch1 vlan-id=901
add independent-learning=no ports=\
ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu switch=switch1 vlan-id=1
/ip address
add address=172.16.0.14/28 comment="default configuration" interface=ether2-master-local network=172.16.0.0
add address=172.16.0.14/28 interface=Mgmt network=172.16.0.0
add address=10.1.150.254/24 interface=Servers network=10.1.150.0
add address=10.1.168.14/28 interface=InternalWireless network=10.1.168.0
add address=192.168.15.30/27 interface=GuestWireless network=192.168.15.0
add address=172.18.0.30/28 interface=MediaLAN network=172.18.0.16
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-relay
add dhcp-server=10.1.150.1 disabled=no interface=MediaLAN name=MediaRelay
add dhcp-server=10.1.150.1 disabled=no interface=InternalWireless name=IntWrlsRelay
add dhcp-server=10.1.150.1 disabled=no interface=GuestWireless name=GuestWrlsRelay
/ip dns
set allow-remote-requests=yes servers=10.1.150.250,10.1.150.1
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.150.10 \
to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.150.10 \
to-ports=443
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.150.249 \
to-ports=25
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.150.249 \
to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.150.249 \
to-ports=587
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.150.249 \
to-ports=993
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=cert_1 disabled=no
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=gateway
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.1.150.1
/tool e-mail
set address=10.1.150.249 from=gateway@preissner.us last-status=succeeded
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
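An added example, not code from this thread or from MikroTik: a small Python audit that reads a per-port plan in efaden's "ether2 - 1 Tagged, 501 Tagged" format together with the two switch sections of a RouterOS export, and reports where the switch-chip table disagrees with the plan (missing memberships, wrong access-port settings, VLANs a port carries that nobody planned, VLANs the CPU port cannot see). It assumes the RB750GL switch-port indexes 0..5 map to ether1..ether5 and switch1-cpu, and uses the poster's stated wants and the final export above as its constructed sample input.

```python
import re

# RB750GL switch-port index -> interface name (as renamed in the final export). Assumption:
# 0..4 are ether1..ether5, 5 is switch1-cpu; "set 2 default-vlan-id=200" matching ether3 fits.
PORT_INDEX = {"0": "ether1-gateway", "1": "ether2-master-local", "2": "ether3-slave-local",
              "3": "ether4-slave-local", "4": "ether5-slave-local", "5": "switch1-cpu"}

def parse_plan(text):
    """Parse a per-port plan in efaden's format: 'ether2 - 1 Tagged, 501 Tagged'."""
    plan = {}
    for port, _, entries in (l.partition(" - ") for l in text.strip().splitlines()):
        plan[port.strip()] = {int(v): m.lower() for v, m in (e.split() for e in entries.split(","))}
    return plan

def parse_switch_export(text):
    """Pull the switch port settings and the VLAN table out of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    section, ports, vlans = None, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if section == "/interface ethernet switch port" and line.startswith("set "):
            ports[PORT_INDEX.get(line.split()[1], line.split()[1])] = kv
        elif section == "/interface ethernet switch vlan" and line.startswith("add "):
            vlans[int(kv["vlan-id"])] = set(kv["ports"].split(","))
    return ports, vlans

def check(plan, ports, vlans):
    """Compare what each port really carries with the plan; return the findings."""
    findings, names = [], set(ports) | set().union(*vlans.values())
    for port, wants in plan.items():
        name = next((n for n in names if n == port or n.startswith(port + "-")), port)
        cfg = ports.get(name, {})
        carried = {vid for vid, members in vlans.items() if name in members}
        if cfg.get("vlan-mode") != "secure":
            findings.append(f"{port}: vlan-mode is {cfg.get('vlan-mode')}, expected secure")
        for vid, mode in wants.items():
            if vid not in carried:
                findings.append(f"{port}: plan wants VLAN {vid} {mode} but port is not a member")
        untagged = [vid for vid, mode in wants.items() if mode == "untagged"]
        if untagged and (cfg.get("default-vlan-id"), cfg.get("vlan-header")) != (str(untagged[0]), "always-strip"):
            findings.append(f"{port}: untagged VLAN {untagged[0]} needs default-vlan-id={untagged[0]} vlan-header=always-strip")
        # extra membership widens the segment; on an always-strip port the extra VLAN leaves untagged
        for vid in sorted(carried - set(wants)):
            how = "untagged" if cfg.get("vlan-header") == "always-strip" else "tagged"
            findings.append(f"{port}: also carries VLAN {vid} {how}, not in the plan")
    for vid, members in sorted(vlans.items()):
        if "switch1-cpu" not in members:
            findings.append(f"VLAN {vid}: switch1-cpu is not a member, the router will not see it")
    return findings

# Constructed plan: what the thread's poster asked for on each port (VLAN 1 untagged on ether4, as in his export).
PLAN = """\
ether2 - 1 Tagged, 501 Tagged
ether3 - 200 Untagged
ether4 - 1 Untagged, 501 Tagged, 801 Tagged, 901 Tagged
ether5 - 501 Untagged
"""
# The two switch sections of the final export posted in this thread.
EXPORT = r"""
/interface ethernet switch port
set 1 vlan-mode=secure
set 2 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=501 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=ether2-master-local,ether4-slave-local,switch1-cpu,ether5-slave-local switch=\
switch1 vlan-id=501
add independent-learning=no ports=ether3-slave-local,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=no ports=switch1-cpu,ether4-slave-local switch=switch1 vlan-id=801
add independent-learning=no ports=switch1-cpu,ether4-slave-local switch=switch1 vlan-id=901
add independent-learning=no ports=\
ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu switch=switch1 vlan-id=1
"""

def audit(plan_text=PLAN, export_text=EXPORT):
    return check(parse_plan(plan_text), *parse_switch_export(export_text))
```

On the final export it reports only that ether3 and ether5 are also members of VLAN 1 and, since both strip the header, hand that VLAN's traffic untagged to the office switches and the AppleTV; the rest of the table matches the plan.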
Re: VLAN help
Posted: Sat Mar 22, 2014 3:23 pm
by efaden
Glad you got it working. It is a little awkward.