This is my current configuration, which works (the VLANs probably do not, since there is no traffic on them, but I have two networks, each with its own bridge and DHCP server). The code above consists of attempts to merge the bridges into one, following the example on the MikroTik site (
https://help.mikrotik.com/docs/display/ ... rewall/NAT). Those attempts are not applied in this code:
# model = CCR2116-12G-4S+
# serial number = censored
# Two independent bridges, one per network. Neither has vlan-filtering
# enabled in this export, so the pvid values on the bridge ports and the
# /interface vlan interfaces below are not in use yet.
/interface bridge
add fast-forward=no name=bridge-home-88
# proxy-arp on the servers bridge: presumably so L2TP clients that receive a
# 192.168.78.x address from the L2TP profile below are reachable — confirm.
add arp=proxy-arp fast-forward=no name=bridge-servers-78
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-LAN
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-WAN
# WAN uplink; the PPPoE session installs the default route itself.
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus2-WAN max-mru=1492 \
max-mtu=1492 mrru=1500 name=pppoe-out1 user=\
censored_user
# WireGuard is present but disabled; the udp/13231 accept rules in the
# filter and raw tables are nevertheless active.
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
# One VLAN interface per bridge; they carry nothing until VLAN filtering is
# turned on and the bridge vlan table tags the CPU port.
/interface vlan
add interface=bridge-home-88 name=vlan-home-88 vlan-id=88
add interface=bridge-servers-78 name=vlan-servers-78 vlan-id=78
/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.78.2-192.168.78.254
# DHCP servers are bound to the bridges; the migration below moves them to
# the VLAN interfaces.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-home-88 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=bridge-servers-78 lease-time=1d name=\
dhcp2
/port
set 0 name=serial0
# L2TP clients are placed in the servers network (pool1, gateway .78.1) and
# get 8.8.8.8 as DNS rather than the router, unlike the LAN DHCP networks.
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.78.1 name=L2TP remote-address=\
dhcp_pool1
# Remote syslog to a host in the servers network. RouterOS remote logging is
# plain UDP syslog, so treat that host's copy of the log as unauthenticated.
/system logging action
add name=remotekiwi remote=192.168.78.27 target=remote
# Port membership: ether2-10 on the servers bridge, ether11/12, the LAN SFP+
# and ether1 on the home bridge. The pvid values only take effect once the
# owning bridge has vlan-filtering=yes, which neither bridge has above.
/interface bridge port
add bridge=bridge-servers-78 interface=ether2 pvid=78
add bridge=bridge-servers-78 interface=ether3 pvid=78
add bridge=bridge-servers-78 interface=ether4 pvid=78
add bridge=bridge-servers-78 interface=ether5 pvid=78
add bridge=bridge-servers-78 interface=ether6 pvid=78
add bridge=bridge-servers-78 interface=ether7 pvid=78
add bridge=bridge-servers-78 interface=ether8 pvid=78
add bridge=bridge-servers-78 interface=ether9 pvid=78
add bridge=bridge-servers-78 interface=ether10 pvid=78
add bridge=bridge-home-88 interface=ether11 pvid=88
add bridge=bridge-home-88 interface=ether12 pvid=88
add bridge=bridge-home-88 interface=sfp-sfpplus1-LAN pvid=88
add bridge=bridge-home-88 interface=ether1 pvid=88
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-unacked-timeout=1m udp-stream-timeout=30s
# Neighbor discovery runs on every non-dynamic interface, which includes the
# WAN-facing sfp-sfpplus2-WAN; discover-interface-list=LAN would limit it to
# the inside.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Loose reverse-path check plus SYN cookies.
/ip settings
set rp-filter=loose tcp-syncookies=yes
# L2TP is IPsec-only. The export shows no enabled=yes here and the L2TP
# accept rules in filter/raw are disabled, so the server appears to be off.
/interface l2tp-server server
set allow-fast-path=yes use-ipsec=required
# LAN list = the two bridges; WAN list = the physical uplink and the PPPoE
# session running over it. Both firewall tables match on these lists.
/interface list member
add interface=bridge-home-88 list=LAN
add interface=bridge-servers-78 list=LAN
add interface=sfp-sfpplus2-WAN list=WAN
add interface=pppoe-out1 list=WAN
# Single peer, disabled; the public key is a placeholder in this post.
/interface wireguard peers
add allowed-address=192.168.68.150/32 disabled=yes interface=wireguard1 \
public-key="aaaaaaaaaaaaaaaaa"
# Router addresses sit on the bridges themselves, not on the VLAN
# interfaces; the migration below moves the .88.1 address to vlan-home-88.
/ip address
add address=192.168.88.1/24 interface=bridge-home-88 network=192.168.88.0
add address=192.168.78.1/24 interface=bridge-servers-78 network=192.168.78.0
add address=192.168.68.1/24 disabled=yes interface=wireguard1 network=\
192.168.68.0
# Static leases (comments redacted in the post). Several .78.x hosts are the
# targets of the dst-nat rules further down.
/ip dhcp-server lease
add address=192.168.88.19 client-id=1:9c:6b:0:b:95:15 comment=aaaa \
mac-address=9C:6B:00:0B:95:15 server=dhcp1
add address=192.168.78.253 client-id=1:9c:6b:0:b:92:1e comment=aaa \
mac-address=9C:6B:00:0B:92:1E server=dhcp2
add address=192.168.78.21 client-id=1:0:c:29:77:75:cb comment=aaaa \
mac-address=00:0C:29:77:75:CB server=dhcp2
add address=192.168.78.15 client-id=\
ff:9f:6e:85:24:0:2:0:0:ab:11:f3:d9:d1:53:f4:c6:2b:ed comment=\
aaaaaaa mac-address=00:0C:29:81:4A:91 server=dhcp2
add address=192.168.78.250 client-id=1:0:c:29:13:ef:cf comment=aaa \
mac-address=00:0C:29:13:EF:CF server=dhcp2
add address=192.168.78.249 client-id=\
ff:29:c9:f5:c7:0:1:0:1:2c:bd:10:cf:0:c:29:c9:f5:c7 comment=aaaaa \
mac-address=00:0C:29:C9:F5:C7 server=dhcp2
add address=192.168.78.27 client-id=1:0:c:29:dd:fa:e6 comment=aaaa \
mac-address=00:0C:29:DD:FA:E6 server=dhcp2
add address=192.168.78.31 client-id=1:0:c:29:75:c9:1d comment=\
Cermi_workstation mac-address=00:0C:29:75:C9:1D server=dhcp2
add address=192.168.88.5 client-id=1:8:d1:f9:2d:4e:ef comment=\
"Tasmota bridge" mac-address=08:D1:F9:2D:4E:EF server=dhcp1
add address=192.168.88.16 client-id=1:20:f8:3b:0:2e:fe comment=\
"home assistant" mac-address=20:F8:3B:00:2E:FE server=dhcp1
# Both networks hand out the router as gateway and DNS, so LAN lookups go
# through the router's resolver below.
/ip dhcp-server network
add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS for anyone who can
# reach port 53 on it; whether WAN can is decided by the raw and filter input
# rules below, not by this setting.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# ddos-attackers is dropped in raw prerouting; ddos-targets is only ever
# written to by the detect-ddos chain and is never matched anywhere.
add list=ddos-attackers
add list=ddos-targets
# allowed_people: static source allow-list gating most of the dst-nat rules.
add address=185.227.171.225 comment=aaaae list=allowed_people
add address=90.180.18.73 comment=aaaa list=allowed_people
add address=109.81.170.106 comment=aaaa list=allowed_people
add address=46.16.123.71 comment=aaaa list=allowed_people
add address=217.75.215.155 comment=aaaa list=allowed_people
add address=46.13.165.115 comment=aaaa list=allowed_people
add address=86.49.230.14 comment=aaa list=allowed_people
add address=89.187.144.87 comment=aaaa list=allowed_people
add address=89.103.155.29 comment=aaaa list=allowed_people
add address=109.81.91.239 comment=aaaa list=allowed_people
add address=46.23.60.179 comment=aaa list=allowed_people
add address=178.143.69.99 comment=aaaa list=allowed_people
add address=86.49.112.197 comment=aaaa list=allowed_people
# defconf bogon lists used by the raw "drop bogon IP's" rules.
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# secure: two static sources plus whatever the port-knock sequence adds for
# 1m; it gates the dst-nat rules for ports cccc/ffff/iiii.
add address=144.217.157.4 comment="aaaaa" list=secure
add address=70.32.23.81 comment="aaaaaa" list=secure
add address=88.212.6.0/24 comment=aaaaa list=allowed_people
# secure_dns: the two forwarders from /ip dns; raw lets UDP replies from
# them past the blanket UDP drop.
add address=1.1.1.1 list=secure_dns
add address=8.8.8.8 list=secure_dns
add address=212.111.4.206 comment=aaaaa list=allowed_people
add address=94.228.83.136 comment=aaaaa list=allowed_people
# bad_attempts is filled by the port-knock rules but no filter or raw rule
# matches on it, so it records offenders without blocking anything.
add list=bad_attempts
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
# Stateful baseline: established/related/untracked are accepted on input and
# forward first; established/related forward flows are fasttracked with
# hardware offload.
add action=accept chain=input comment=\
"Accepting established, related, untracked connections" connection-state=\
established,related,untracked
add action=accept chain=forward connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
# The WireGuard port is opened on input even though wireguard1 is disabled.
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=L2TP disabled=yes dst-port=\
500,1701,4500 protocol=udp
# Anything arriving on a LAN-list interface (both bridges) reaches every
# router service and is forwarded anywhere, including from one bridge to the
# other: there is no separation between the home and servers networks, and
# the servers network hosts the internet-exposed dst-nat targets.
add action=accept chain=input comment="accept local" in-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# WAN traffic is only forwarded when a dst-nat rule has claimed it.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
# New connections from non-192.168.0.0/16 sources pass through detect-ddos:
# return while the per src/dst pair dst-limit holds, otherwise list both
# ends for 25m. Only ddos-attackers is enforced (raw prerouting drop);
# ddos-targets is informational.
add action=jump chain=forward comment="All new jump to detect-ddos" \
connection-state=new jump-target=detect-ddos src-address=!192.168.0.0/16
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=25m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=25m chain=detect-ddos
# SYN-Protect (chain at the end of this table): its limit has no per-source
# mode, so one flood appears to also drop new SYNs from every other external
# client until the rate falls again.
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new jump-target=SYN-Protect protocol=tcp src-address=!192.168.0.0/16 \
tcp-flags=syn
# Disabled, and it references address list not_in_internet, which is not
# defined anywhere in this export.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=bridge-home-88 \
out-interface=!bridge-home-88
# Port knocking aaaa -> bbbb -> eeee -> dddd with a 1m window per step; the
# last knock puts the source into "secure" for 1m. Out-of-order knocks land
# in bad_attempts with no timeout, but nothing matches bad_attempts, so these
# hits are logged and recorded without being blocked.
add action=add-src-to-address-list address-list=port:aaaa \
address-list-timeout=1m chain=input comment="Start of port knocking" \
dst-port=aaaa log=yes log-prefix=_endor_knock protocol=tcp
add action=add-src-to-address-list address-list=port:bbbb \
address-list-timeout=1m chain=input dst-port=bbbb log=yes log-prefix=\
_endor_knock protocol=tcp src-address-list=port:aaaa
add action=add-src-to-address-list address-list=bad_attempts \
address-list-timeout=none-dynamic chain=input dst-port=bbbb log=yes \
log-prefix=_endor_bad_knock protocol=tcp src-address-list=!port:aaaa
add action=add-src-to-address-list address-list=bad_attempts \
address-list-timeout=none-dynamic chain=input dst-port=eeee log=yes \
log-prefix=_endor_bad_knock protocol=tcp src-address-list=!port:bbbb
add action=add-src-to-address-list address-list=port:eeee \
address-list-timeout=1m chain=input dst-port=eeee log=yes log-prefix=\
_endor_knock protocol=tcp src-address-list=port:bbbb
add action=add-src-to-address-list address-list=bad_attempts \
address-list-timeout=none-dynamic chain=input dst-port=dddd log=yes \
log-prefix=_endor_bad_knock_last protocol=tcp src-address-list=!port:eeee
add action=add-src-to-address-list address-list=secure address-list-timeout=\
1m chain=input dst-port=dddd log=yes log-prefix=_endor_knock_last \
protocol=tcp src-address-list=port:eeee
# The forward accept is already covered: LAN is accepted above and WAN only
# gets here after dst-nat. The input accept, however, opens TCP cccc on the
# router itself to any source, WAN included (raw also accepts it). dst-nat'd
# traffic for 192.168.78.21 never uses chain=input, so this rule only matters
# if something on the router listens on cccc; restrict it with
# src-address-list=secure or remove it.
add action=accept chain=forward comment="Accepting POL just to be sure" \
dst-port=cccc protocol=tcp
add action=accept chain=input dst-port=cccc protocol=tcp
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
# Default deny for everything that did not come from a LAN-list interface.
add action=drop chain=forward in-interface-list=!LAN
add action=drop chain=input in-interface-list=!LAN
# icmp chain: allow-list of types, everything else dropped.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# SYN-Protect: accept new SYNs within limit=150,5:packet, drop the rest.
add action=accept chain=SYN-Protect connection-state=new limit=150,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
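/ip firewall nat
# Outbound NAT on the PPPoE session.
add action=masquerade chain=srcnat out-interface=pppoe-out1
# Port forwards. Each one is gated by a source list ("secure" = static hosts
# plus successful port-knocks, "allowed_people" = static hosts); only the
# port-80 rule at the end is open to everyone. First match wins, so two
# rules with the same dst-port leave the second one unreachable — hhhh
# (-> .27:8080 then -> .31:3389) and kkkk (-> .21:3389 then -> .21:2598) look
# like that unless the redaction collapsed different ports.
add action=dst-nat chain=dstnat comment=censored dst-port=cccc \
in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
to-addresses=192.168.78.21 to-ports=cccc
add action=dst-nat chain=dstnat comment=censored dst-port=ffff \
in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
to-addresses=192.168.78.21 to-ports=cccc
add action=dst-nat chain=dstnat comment=censored dst-port=kkkk \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=13003 \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=3306
add action=dst-nat chain=dstnat comment="az bude neco treba" disabled=yes \
dst-port=13004 in-interface=pppoe-out1 protocol=tcp src-address-list=\
allowed_people to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=censored dst-port=jjjj \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=2597
add action=dst-nat chain=dstnat comment=censored_shadow dst-port=\
kkkk in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=2598
add action=dst-nat chain=dstnat comment=censored dst-port=mmmm \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=censored dst-port=nnnn \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.27 to-ports=24
add action=dst-nat chain=dstnat comment=censored dst-port=gggg \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.27 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=hhhh \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.27 to-ports=8080
add action=dst-nat chain=dstnat comment=censored dst-port=hhhh \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.31 to-ports=3389
# Fixed: the original had dst-port=iiii\ with no space before the line
# continuation. The continuation joins lines without inserting whitespace
# (compare name=\ / dhcp2 above), so the command became
# dst-port=iiiiin-interface=... and failed to parse.
add action=dst-nat chain=dstnat comment=censored dst-port=iiii \
in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
to-addresses=192.168.78.31 to-ports=5010
# Plain HTTP to 192.168.78.15, open to any source; mypublicip is a
# placeholder in this post.
add action=dst-nat chain=dstnat comment=censored dst-address=\
mypublicip dst-port=80 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.78.15 to-ports=80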
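/ip firewall raw
# Raw runs before connection tracking, so every rule here is stateless.
add action=drop chain=prerouting src-address-list=ddos-attackers
# The reason for dropping tcp/65372 is not recorded in this export.
add action=drop chain=prerouting dst-port=65372 protocol=tcp
# Lets UDP replies from 1.1.1.1/8.8.8.8 (the /ip dns forwarders) past the
# blanket UDP drop a few rules below.
add action=accept chain=prerouting comment=\
"accept only google and cloudfare DNS" protocol=udp src-address-list=\
secure_dns src-port=53
# defconf uses this accept to let DHCP DISCOVER (src 0.0.0.0) past the
# "drop local if not from default IP range" rule further down; it is disabled
# here. DHCP presumably still works because that drop rule also carries
# src-address-list="" — verify before relying on either rule.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=wireguard dst-port=13231 protocol=\
udp
add action=accept chain=prerouting comment=L2TP disabled=yes dst-port=\
500,1701,4500 protocol=udp
# The comment says DNS ("krome zevnitr" = except from inside), but there is
# no dst-port=53: every UDP packet arriving on a non-LAN interface is dropped,
# including replies to LAN clients that talk UDP to anything other than the
# two forwarders (NTP, QUIC, DNS to other resolvers). Add dst-port=53 if DNS
# was the intent; the filter table already drops unsolicited UDP from WAN.
add action=drop chain=prerouting comment="drop DNS (UDP) krome zevnitr" \
in-interface-list=!LAN protocol=udp
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface=pppoe-out1 src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 \
in-interface-list=WAN
# src-address-list="" is an empty list name; it is unclear whether this rule
# can ever match with it set — check the counters.
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.0.0/16 src-address-list=""
add action=jump chain=prerouting comment="jump to TCP chain" disabled=yes \
jump-target=tcp
# The custom tcp chain only short-circuits raw processing: whatever it does
# not accept returns here and is accepted anyway by the "accept everything
# else from WAN/LAN" rules, so it enforces nothing. Do not turn it into an
# allow-list by adding a drop at its end — raw is stateless and that would
# drop the return half of every outbound TCP connection.
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to bad TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=tcp protocol=tcp src-address-list=allowed_people
add action=accept chain=tcp dst-port=80 protocol=tcp
add action=accept chain=tcp dst-port=443 protocol=tcp
add action=accept chain=tcp dst-port=aaaa protocol=tcp
add action=accept chain=tcp dst-port=eeee protocol=tcp
add action=accept chain=tcp dst-port=dddd protocol=tcp
add action=accept chain=tcp dst-port=bbbb protocol=tcp
add action=accept chain=tcp dst-port=ffff protocol=tcp
# Fixed: the original read dst-port=iiiiprotocol=tcp (missing space), which
# does not parse on import.
add action=accept chain=tcp dst-port=iiii protocol=tcp
add action=accept chain=tcp dst-port=cccc protocol=tcp
# Unreachable: packets from WAN to 192.168.0.0/16 were already dropped above
# by "drop forward to local lan from WAN" (pppoe-out1 is in the WAN list).
add action=accept chain=tcp dst-address=192.168.0.0/16 in-interface=\
pppoe-out1
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp: defconf invalid-flag-combination and port-0 drops.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp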
# FTP ALG off.
/ip firewall service-port
set ftp disabled=yes
# Management services: telnet/ftp/ssh/api/api-ssl off, plain-HTTP www limited
# to the home subnet. winbox and www-ssl are not listed, so they sit at
# defaults and are reachable from every LAN-list interface (the servers
# network included) through the "accept local" input rule; consider
# set winbox address=192.168.88.0/24 or the specific hosts you manage from.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# L2TP account (password not part of the export).
/ppp secret
add name=demostenes profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Prague
# info topic goes to the remote syslog host defined in logging action.
/system logging
add action=remotekiwi topics=info
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
# Graphing, viewable from any 192.168.0.0/16 address.
/tool graphing
set store-every=24hours
/tool graphing interface
add allow-address=192.168.0.0/16 interface=pppoe-out1
add allow-address=192.168.0.0/16 interface=bridge-servers-78
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
The goal is to have one bridge and two VLANs, each with its own DHCP server, so that there is only one bridge on the switch chip and L2 and L3 hardware offloading can be used properly. I started with bridge 88:
Adding the interfaces to the LAN list:
# NOTE(review): for routed traffic the firewall sees the L3 ingress interface,
# which after the migration is vlan-home-88, not the individual bridge ports.
# The in-interface-list=LAN rules in the filter table therefore most likely
# need vlan-home-88 as a LAN member; adding the ether ports alone would not
# match them — confirm against the MikroTik example.
/interface list member
add interface=ether1 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=sfp-sfpplus1-LAN list=LAN
Adding the tagged and untagged ports:
# The bridge itself is the tagged member, so vlan-home-88 (which hangs off
# bridge-home-88) receives VLAN 88 frames; the four access ports are
# untagged, matching their pvid=88 above. This table is only consulted once
# vlan-filtering=yes is set on bridge-home-88.
/interface bridge vlan
add bridge=bridge-home-88 tagged=bridge-home-88 untagged=ether1,ether11,ether12,sfp-sfpplus1-LAN vlan-ids=88
Changing the address's interface from bridge-home-88 to vlan-home-88 (at this point network 88 stops working):
# The existing 192.168.88.1/24 address on bridge-home-88 should be removed
# (or moved) rather than left alongside this one; two addresses for the same
# subnet on different interfaces is presumably not what you want — confirm.
# With vlan-filtering still off this interface sees no frames, so the
# network goes dark at this step regardless.
/ip address
add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0
Turning on VLAN filtering:
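/interface bridge
# Fixed: the original used `add name=bridge-home-88 vlan-filtering=yes`,
# which tries to create a second bridge with an existing name and should be
# rejected, leaving vlan-filtering off on the real bridge. With it off the
# bridge vlan table and pvid values are ignored and vlan-home-88 never
# receives tagged frames, which matches the "network 88 stops working"
# symptom. `set` enables it on the existing bridge. Apply it from Safe Mode
# or a console session: enabling VLAN filtering can cut off the session you
# are configuring from.
set [ find name=bridge-home-88 ] vlan-filtering=yes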
There is also the change of the DHCP server from bridge-home-88 to interface=vlan-home-88, and the removal of bridge-home-88 from the LAN interface list, to match the example on the web.
Once I put the VLAN in as the interface (add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0), it stops working. But according to that MikroTik example it should work. Does that mean the example is incomplete? Why does the example not have the bridge in the LAN interface list? The idea is to get one VLAN working, then add the second one and move the production ports to it with minimal downtime.
Thanks for your help.