Note that I am feeding the script selectively and bit by bit to the router during my debugging. And I've simplified down to just the internet, the hex-router and Winbox on a PC. Right now the problem is accessing the internet. Ping and DNS work from the hex-router. But other parts of the configutation have not worked before, so I'm sure there are some fundamental things I'm missing. I will need to control access between VLANs, to hAPs and the other APs., so I need to get the basics done correctly.
I'm new to RouterOS in the sense that I've yet to get any of my Mikrotik devices to do what I want. But I feel like a veteran for the amount of effort I've put in. I'm not entirely sad for that because this is a learning experience. But it's time to ask for help! And thanks in advance for any education.
( Previously I was on a Synology EdgeRouter + 4 of their APs that weren't configured for VLANs. But several devices became unresponsive during a transfer of adoption, and I discovered Mikrotik at the same time. )
Code: Select all
################################################################################
# Title: RouterOS config for hex-router
# Description: Router with one WAN input, a second port used for MGMT, three LAN outputs, VLANs, no WiFi.
# Notes: Start with a reset (/system reset-configuration with no default configuration)
################################################################################
# Name the device being configured
/system identity set name="hex-router"
set [ find default-name=ether1 ] comment="skyfiber is my WAN"
set [ find default-name=ether2 ] comment="MGMT access port, for now. But later Skyline, and we shall see who wins."
set [ find default-name=ether3 ] comment="unused today"
set [ find default-name=ether4 ] comment="will be connected as trunks eventually"
set [ find default-name=ether5 ] comment="brainroom"
########################################
# VLAN Overview
########################################
# 10 = HOME - laptops, phone, etc
# 99 = MGMT (MGMT) VLAN - networking devices and servers, all with static IP
# More VLANs for guest (id 20), IOT (id 2), etc, but I'm simplifying for demo purposes
########################################
# Bridge
########################################
# create our bridge, set VLAN mode off while we configure
/interface bridge add name=LAN_BRIDGE vlan-filtering=no protocol-mode=none
########################################
# Access Ports
########################################
# ingress behavior
/interface bridge port
# No Access Ports defined for this device
# MGMT_VLAN access ports, set aside ports for admin access to Winbox the device.
add bridge=LAN_BRIDGE interface=ether2 comment="MGMT access port" pvid=99
########################################
# WAN Ports
########################################
# ether1 is connected to SKYFIBER_WAN.
# ether2 will be connected to SKYLINK and I will have a new job of figuring out how to optimize two WANs.
########################################
# Trunk Ports
########################################
# Trunks. Leave pvid set to default of 1
add bridge=LAN_BRIDGE interface=ether3 comment=unused
add bridge=LAN_BRIDGE interface=ether4 comment=dryroom
add bridge=LAN_BRIDGE interface=ether5 comment=brainroom
# egress behavior
/interface bridge vlan
# Allow traffic tagged with these vlan-ids to be forwarded to other ports on the bridge.
# Trunk. These need IP Services (L3), so add LAN_BRIDGE as member
# NOTE: I really don't understand these commands well enough
add bridge=LAN_BRIDGE tagged=LAN_BRIDGE,ether3,ether4,ether5 vlan-ids=99
add bridge=LAN_BRIDGE tagged=LAN_BRIDGE,ether3,ether4,ether5 vlan-ids=10
########################################
# IP Addressing & Routing
########################################
# LAN-facing router's IP address on the MGMT_VLAN
/interface vlan add interface=LAN_BRIDGE name=MGMT_VLAN vlan-id=99
/ip address add interface=MGMT_VLAN address=10.0.0.1/24
# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes
# The cache=true is an error, but I haven't corrected it yet
/ip dns set cache=true servers=1.1.1.1,8.8.8.8
# this doesn't work either, so I just skip this line
/ip dns cache set enabled=yes
# DHCP client with dynamic IP on port ether1
# I see my IP address being assigned at least
/ip dhcp-client add interface=ether1
########################################
# IP Services - I am somewhat confused about the /interface vlan add and /ip addres add commands.
########################################
# HOME_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=LAN_BRIDGE name=HOME_VLAN vlan-id=10
/ip address add interface=HOME_VLAN address=10.0.10.1/24
/ip pool add name=HOME_POOL ranges=10.0.10.64-10.0.10.254
/ip dhcp-server add address-pool=HOME_POOL interface=HOME_VLAN name=HOME_DHCP disabled=no lease-time=60m
/ip dhcp-server network add address=10.0.10.0/24 dns-server=10.0.0.1 gateway=10.0.10.1
# Create a DHCP instance for MGMT. Convenience feature for an admin
/ip pool add name=MGMT_POOL ranges=10.0.0.100-10.0.0.254
/ip dhcp-server add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP disabled=no lease-time=60m
/ip dhcp-server network add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
########################################
# Interface Lists
########################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN_LIST
/interface list add name=SKYFIBER_WAN_LIST
/interface list add name=MGMT_LIST
/interface list add name=VLAN_LIST
/interface list add name=INTERNAL_LIST
/interface list member
add interface=ether1 list=SKYFIBER_WAN_LIST
add interface=ether1 list=WAN_LIST
add interface=MGMT_VLAN list=MGMT_LIST
add interface=MGMT_VLAN list=VLAN_LIST
add interface=MGMT_VLAN list=INTERNAL_LIST
add interface=HOME_VLAN list=MGMT_LIST
add interface=HOME_VLAN list=VLAN_LIST
add interface=HOME_VLAN list=INTERNAL_LIST
add interface=ether1 comment="skyfiber"
add interface=ether2 comment="MGMT access port"
add interface=ether3 comment="unused"
add interface=ether4 comment="dryroom"
add interface=ether5 comment="brainroom"
########################################
# Firewalling & NAT
########################################
# VLAN-aware firewall. Order is important
/ip firewall filter
########################################
# INPUT CHAIN
########################################
add chain=input action=accept comment="accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=accept comment="Allow VLAN" in-interface-list=VLAN_LIST
add chain=input action=accept comment="Allow VLAN" in-interface-list=MGMT_LIST
add chain=input action=drop comment="drop connection-state=invalid" connection-state=invalid
add chain=input action=jump comment="check ICMP" protocol=icmp jump-target=core-icmp
add chain=input action=accept comment="accept SSH and HTTP (LAN only)" connection-state=established,related,untracked protocol=tcp dst-port=22,80 in-interface-list=MGMT_LIST
########################################
# FORWARD CHAIN
########################################
add chain=forward action=accept connection-state=new comment="VLAN internet access only" in-interface-list=VLAN_LIST out-interface-list=WAN_LIST
add chain=forward action=accept connection-state=new comment="InterVLAN is unrestricted, for now" in-interface-list=VLAN_LIST out-interface-list=VLAN_LIST
add chain=forward action=accept comment="accept established,related" connection-state=established,related
add chain=forward action=drop comment=Drop
########################################
# NAT
########################################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN_LIST comment="Default masquerade"
########################################
# VLAN Security - I haven't turned this on yet
########################################
/interface bridge port
# Only allow ingress packets without tags on Access Ports
set bridge=LAN_BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
# Only allow ingress packets WITH tags on Trunk Ports
set bridge=LAN_BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=LAN_BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=LAN_BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
########################################
# MAC Server settings - also not turned out, else I'll get locked out!
########################################
# Ensure only visibility and availability from MGMT_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=MGMT_LIST
/tool mac-server mac-winbox set allowed-interface-list=MGMT_LIST
/tool mac-server set allowed-interface-list=MGMT_LIST
########################################
# Turn on VLAN mode - yes I ran this
########################################
/interface bridge set name=LAN_BRIDGE vlan-filtering=yes
########################################
# Appended static IPs
########################################
/ip dhcp-server lease add address=10.0.0.2 mac-address=xx:xx:xx:xx:xx:xx client-id=nas2 server=MGMT_DHCP
/ip dhcp-server lease add address=10.0.0.3 mac-address=xx:xx:xx:xx:xx:xx client-id=nas3 server=MGMT_DHCP
/ip dhcp-server lease add address=10.0.0.5 mac-address=xx:xx:xx:xx:xx:xx client-id=beelink server=MGMT_DHCP
/ip dhcp-server lease add address=10.0.0.6 mac-address=xx:xx:xx:xx:xx:xx client-id=printer-hpenvy server=MGMT_DHCP