After successfully configuring my network with VLANs, I had to change the topology, and now one ethernet port has to serve two machines that are in different VLANs. I tried enabling the MACVLAN, untagging the ethernet port, allowing all traffic, and setting DHCP on macvlan1, but no machine was detected on the port, even before the DHCP server had a chance to connect to it. What is the correct way to change the "standard" VLAN configuration so that one port acts as a trunk with MACVLAN on it?
/interface bridge
# Single VLAN-aware bridge. vlan-filtering=yes makes the bridge enforce the /interface bridge vlan table and the
# per-port pvid / frame-types settings; without it those settings are not applied.
# protocol-mode=none turns off STP/RSTP on the bridge, so nothing here guards against a loop between ports.
add admin-mac=DC:2C:6E:13:F3:B3 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface wireless
# Both built-in radios run as access points (mode=ap-bridge). Neither line names a security-profile, so both
# use the profile marked default=yes under /interface wireless security-profiles.
# NOTE(review): frequency-mode=superchannel is, per the RouterOS documentation, a conformance-testing mode that
# ignores the country's channel limits; regulatory-domain is the usual production setting -- confirm this is intended.
set [ find default-name=wlan1 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=brazil disabled=no distance=indoors frequency-mode=superchannel \
mode=ap-bridge secondary-frequency=auto ssid=loveandrockets wireless-protocol=802.11 wps-mode=disabled
# NOTE(review): wlan1 sets wps-mode=disabled but wlan2 does not, so wlan2 keeps whatever the RouterOS default is --
# verify that WPS is off on this radio as well.
set [ find default-name=wlan2 ] band=2ghz-g/n channel-width=20/40mhz-XX country=brazil disabled=no distance=indoors frequency=2447 frequency-mode=\
superchannel installation=indoor mode=ap-bridge ssid=rocketsandlove wireless-protocol=802.11
/interface vlan
# Layer-3 interfaces for each VLAN, created on top of the bridge. They are the router's own presence in VLANs
# 99, 30, 10 and 20; the IP addresses and DHCP servers further down attach to these names.
add interface=bridge name=base_vlan vlan-id=99
add interface=bridge name=guest_vlan vlan-id=30
add interface=bridge name=home_vlan vlan-id=10
add interface=bridge name=work_vlan vlan-id=20
/interface macvlan
# The attempted MACVLAN, currently disabled. Its parent is ether9, which is also a bridge port with pvid=30.
# NOTE(review): a MACVLAN interface gives the router itself an additional MAC address on the parent interface; it
# does not sort hosts attached to that port into different VLANs. Separating two hosts on one port normally needs
# 802.1Q tags from the host or a VLAN-aware switch in between, with ether9 listed as a tagged member of the second
# VLAN under /interface bridge vlan and its frame-types relaxed accordingly -- confirm against the RouterOS docs.
# NOTE(review): a port that accepts tagged frames lets the attached device choose any VLAN permitted on it, so
# list only the VLANs that device is meant to reach.
add disabled=yes interface=ether9 mac-address=A2:86:E2:AC:4B:F3 name=macvlan1
/interface pppoe-client
# WAN uplink: PPPoE session over ether1, installing the default route. No password field appears in this export;
# keep it that way when posting configurations publicly.
add ac-name=i-br-sp-scl-cli-hl4-01 add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=cliente@cliente
/interface list
# Named interface groups referenced by the firewall, neighbor discovery and MAC-server settings.
# Membership is assigned later under /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wifi channel
# Settings for the newer "wifi" driver menu, present alongside the legacy /interface wireless configuration.
# NOTE(review): nothing visible in this export attaches cfg1 to an interface; it may be a leftover -- confirm.
add band=5ghz-ax disabled=no frequency=2300-7300 name=channel1 width=20/40/80+80mhz
/interface wifi security
# WPA2-PSK and WPA3-PSK allowed, WPS disabled. The passphrase is not part of this export.
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=home_wifi_sec wps=disable
/interface wifi configuration
# mode=station-bridge makes this a client-side profile for the SSID "loveandrockets", not an access point.
add channel.band=5ghz-ax .frequency=2300-7300 .width=20/40/80+80mhz country=Brazil disabled=no manager=local mode=station-bridge name=cfg1 security=\
home_wifi_sec security.connect-priority=0 ssid=loveandrockets
/interface wireless security-profiles
# Three WPA2-PSK profiles: the default one (used by wlan1/wlan2) plus "workshop" and "guest".
# Pre-shared keys are not shown in this export. NOTE(review): use a different key per profile, otherwise the
# VLAN separation between the SSIDs can be bypassed by anyone who knows the shared key.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=workshop supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
# Virtual access points: wlan3 ("workshop") on the 5 GHz radio and wlan4 ("paloma", guest profile) on the 2.4 GHz
# radio. Their VLAN assignment comes from the pvid of the matching /interface bridge port entries (20 and 30).
add disabled=no mac-address=DE:2C:6E:13:F3:BD master-interface=wlan1 name=wlan3 security-profile=workshop ssid=workshop
add disabled=no mac-address=2E:C8:1B:BF:E8:D6 master-interface=wlan2 name=wlan4 security-profile=guest ssid=paloma
/ip pool
# One address pool per VLAN. The base pool starts at .10; the other pools start at .2.
add name=home_pool ranges=192.168.10.2-192.168.10.254
add name=work_pool ranges=192.168.20.2-192.168.20.254
add name=guest_pool ranges=192.168.30.2-192.168.30.254
add name=base_pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
# One DHCP server per VLAN interface. A host only gets a lease if its frames reach the matching VLAN interface,
# which is why the bridge port pvid / tagging decides which server answers.
# NOTE(review): home_pool includes 192.168.10.2, which other sections use as a fixed DNS/log/NAS address;
# a static lease or a pool that excludes it would prevent it being handed to another client -- confirm.
add address-pool=home_pool interface=home_vlan name=home_dhcp
add address-pool=work_pool interface=work_vlan name=work_dhcp
add address-pool=guest_pool interface=guest_vlan name=guest_dhcp
add address-pool=base_pool interface=base_vlan name=base_dhcp
/port
# Names for the two serial ports.
set 0 name=serial0
set 1 name=serial1
/system logging action
# Remote log target on 192.168.10.2 (the same host that Netwatch labels "NAS").
# NOTE(review): remote syslog is normally sent unencrypted and unauthenticated; that is acceptable only while
# the path to the collector stays inside a trusted VLAN -- confirm.
add name=logserver remote=192.168.10.2 target=remote
/interface bridge port
# Every enabled port is an access port: admit-only-untagged-and-priority-tagged rejects tagged frames on ingress,
# and pvid selects the VLAN that untagged frames are placed in. This prevents an attached host from tagging
# itself into another VLAN.
# ether2-ether7: VLAN 10 (home)
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
# ether8: VLAN 20 (work)
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=20
# ether9: VLAN 30 (guest). This is the port the MACVLAN was attached to. As configured here, every untagged
# frame from any host behind ether9 lands in VLAN 30, and tagged frames are dropped.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=30
# ether10: VLAN 99 (base/management)
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=99
# SFP+ port is present but disabled as a bridge port.
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
# Wireless: main SSIDs in VLAN 10, wlan4 in VLAN 30, wlan3 in VLAN 20.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan4 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan3 pvid=20
/ip neighbor discovery-settings
# Neighbor discovery is limited to the BASE list (base_vlan only), so the router does not
# announce itself on the home, work, guest or WAN side.
set discover-interface-list=BASE
/interface bridge vlan
# Bridge VLAN table. Only the bridge itself (the CPU-facing port) is a tagged member of each VLAN; no physical
# port is listed as tagged, so there is no trunk port in this configuration.
# NOTE(review): the access ports are presumably added as untagged members dynamically from their pvid -- confirm
# with the running table. Turning one port into a trunk/hybrid port would mean naming it in tagged= here for
# exactly the VLANs it should carry and nothing more.
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge vlan-ids=99
/interface list member
# Membership of the interface lists used by the firewall and management settings.
# WAN  = ether1 and the PPPoE session; VLAN = home, work and guest; BASE = base_vlan only.
# NOTE(review): base_vlan is not in list VLAN, so firewall rules that match in-interface-list=VLAN do not apply
# to it. The LAN list (bridge) is not referenced by any firewall rule visible in this export.
# NOTE(review): a new interface such as macvlan1 belongs to none of these lists until it is added, so the
# list-based firewall rules would not match its traffic.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=home_vlan list=VLAN
add interface=work_vlan list=VLAN
add interface=guest_vlan list=VLAN
add interface=base_vlan list=BASE
add interface=pppoe-out1 list=WAN
/ip address
# The router is .1 in each VLAN subnet.
add address=192.168.0.1/24 interface=base_vlan network=192.168.0.0
add address=192.168.10.1/24 interface=home_vlan network=192.168.10.0
add address=192.168.20.1/24 interface=work_vlan network=192.168.20.0
add address=192.168.30.1/24 interface=guest_vlan network=192.168.30.0
/ip cloud
set update-time=no
/ip dhcp-client
# Leftover default DHCP client on ether1, disabled because the WAN uses PPPoE.
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
# Options handed to DHCP clients per subnet. Base, work and guest clients are pointed at public resolvers;
# home clients get 192.168.10.2 first, then the router's base-VLAN address, then 1.1.1.1.
# NOTE(review): the forward chain only accepts new connections from list VLAN towards WAN, and base_vlan is not in
# that list, so base clients may be unable to reach the public resolvers they are given -- confirm.
add address=192.168.0.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.2,192.168.0.1,1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.30.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anyone who can reach port 53 on it.
# Exposure is therefore decided by the input chain: it accepts DNS only from list VLAN (plus allowed_to_router
# sources) and drops the rest, which keeps the resolver closed towards the WAN.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
# NOTE(review): router.lan still points at the factory-default 192.168.88.1, an address this router does not hold
# anywhere in the export; the entry looks stale -- confirm and update or remove it.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Address lists for the IPv4 firewall.
# NOTE(review): only GOOGLE_DNS (in a disabled rule), no_forward_ipv4, allowed_to_router and redirect_dns are
# referenced by the filter/NAT rules visible in this export. bad_ipv4, not_global_ipv4, bad_src_ipv4, bad_dst_ipv4
# and allowed_lan are defined but not used by any visible rule, so they provide no filtering on their own.
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# allowed_to_router decides who may reach the router's own services (see the input chain): the whole base subnet
# plus two individual home-VLAN hosts. Membership is by IP address only, so any device that takes one of these
# addresses inherits the access.
add address=192.168.0.0/24 list=allowed_to_router
add address=192.168.0.0/16 comment="internal networks, including VLANs" list=allowed_lan
# Clients whose DNS traffic is rewritten by the dst-nat rules.
add address=192.168.10.11 comment=roku list=redirect_dns
add address=192.168.10.7 comment=chiba list=redirect_dns
add address=192.168.10.7 list=allowed_to_router
add address=192.168.10.12 list=allowed_to_router
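/ip firewall filter
# --- input chain: traffic addressed to the router itself. Rules are evaluated top-down and the last rule drops
# --- everything that was not explicitly accepted, so rule order matters.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Management access is granted by source address. Review change: in-interface-list=!WAN was added so that a packet
# arriving on the WAN side with a forged 192.168.x.x source cannot match; the posted rule matched on
# src-address-list alone. Legitimate members reach the router through base_vlan / home_vlan and are unaffected.
add action=accept chain=input comment="Allow list to router" in-interface-list=!WAN src-address-list=allowed_to_router
# DNS to the router is offered to the home, work and guest VLANs only (list VLAN).
add action=accept chain=input comment="DNS - UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="DNS - TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
# --- forward chain: traffic routed through the router. Also default-deny (final Drop rule).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# The only rule that admits NEW forwarded connections: from list VLAN out to list WAN. Inter-VLAN traffic and new
# connections from interfaces outside list VLAN (base_vlan, or a new interface such as macvlan1) fall through
# to the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop google DNS" disabled=yes dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=fw_invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
WAN
# NOTE(review): these two rules sit after the VLAN -> WAN accept above, so they never see new connections that
# rule already accepted; move them above it if they are meant to filter client traffic too.
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
add action=drop chain=forward comment=Drop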
/ip firewall nat
# Source NAT. The first rule rewrites the source port of UDP packets sent from port 123 (NTP) into 12400-12440.
# NOTE(review): it has no out-interface restriction, so it masquerades such packets on every interface, not
# only towards the WAN -- confirm this is intended.
add action=masquerade chain=srcnat comment="fix the ntp client by changing its source port 123 with something higher (mikrotik forum 794718)" protocol=\
udp src-port=123 to-ports=12400-12440
# Standard masquerade for traffic leaving through the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Disabled hairpin rules for the DNS redirect below.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=udp src-address-list=\
redirect_dns
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=tcp src-address-list=\
redirect_dns
# DNS redirect: any port-53 traffic routed through the router from the redirect_dns clients is rewritten to the
# local resolver at 192.168.10.2, so those devices cannot use a hard-coded external resolver.
# NOTE(review): clients and resolver share the 192.168.10.0/24 subnet. With the hairpin rules above disabled the
# resolver would answer the client directly from its own address, and the visible forward chain has no rule
# accepting new home_vlan -> home_vlan connections, so redirected queries appear to be dropped rather than
# answered -- confirm with the rule counters.
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=udp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=tcp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53
/ip service
# Management services. Cleartext services (telnet, ftp, www) and both API variants are disabled; HTTPS (www-ssl),
# WinBox and SSH remain.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): SSH is moved to port 2233 but has no address= restriction, unlike www-ssl and winbox, so it relies
# on the firewall input chain alone. A non-standard port reduces log noise; it is not an access control.
set ssh port=2233
# NOTE(review): 192.168.0.0/16 also covers the guest (192.168.30.0/24) and work subnets. The input chain currently
# narrows access further, but restricting address= to the management subnet would keep these services closed
# even if a firewall rule is changed later.
set www-ssl address=192.168.0.0/16 certificate=tunguska.cc.cer_0 disabled=no
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 certificate=tunguska.cc.cer_0 disabled=yes
/ip ssh
# NOTE(review): host-key-size presumably applies to RSA keys only; with host-key-type=ed25519 the 4096 value is
# likely unused -- confirm. strong-crypto is not set here, so it stays at its default.
set host-key-size=4096 host-key-type=ed25519
/ipv6 firewall address-list
# NOTE(review): bad_ipv6 is defined but not referenced by any IPv6 filter rule visible in this export.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# "allowed" is accepted as a SOURCE list on the input chain below.
# NOTE(review): the link-local prefix is conventionally written fe80::/10; fe80::/16 is narrower but still covers
# the fe80::/64 addresses hosts actually use. ff02::/16 is a multicast range, which is not a valid source address,
# so that entry probably never matches as a source -- confirm what it was meant to allow.
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
# --- input chain, default-deny (final "Drop all").
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# NOTE(review): IKE, AH and ESP are accepted from any source on any interface. If no IPsec tunnel terminates on
# this router these defconf rules can be disabled to shrink the exposed surface.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Already covered by the first input rule (established,related,untracked).
add action=accept chain=input comment="allow established and related" connection-state=established,related
# NOTE(review): link-local sources are accepted on every interface, including the WAN link, with no
# in-interface restriction; on-link neighbours on the provider side can therefore reach the router's
# IPv6 services -- confirm this is intended.
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input comment="Drop all"
# --- forward chain: only established/related traffic is accepted and no rule admits new connections, so the
# --- router does not forward new IPv6 flows in either direction.
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="drop all" log-prefix=IPV6
/system clock
set time-zone-name=America/Sao_Paulo
/system leds
# Front-panel LEDs mapped to wlan2 signal strength and traffic.
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
# Logging rules: rule 0 is changed to info without firewall messages, system/info entries get a "login" prefix,
# and everything except debug, packet, snmp and dns topics is also sent to the remote "logserver" action.
# Shipping logs off the router keeps a copy that survives a reboot or a compromised device.
set 0 topics=info,!firewall
add prefix=login topics=system,info
add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns
/system note
set show-at-login=no
/system ntp client
# Accurate time matters for log correlation and certificate validation.
set enabled=yes
/system ntp client servers
add address=2001:12ff::8
add address=200.189.40.8
/tool mac-server
# Layer-2 management (MAC telnet and MAC WinBox) is limited to the BASE list, i.e. base_vlan only.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool netwatch
# ICMP probe of 192.168.10.2 every minute; state changes are written to the log.
add comment=NAS disabled=no down-script=":log message=\"NAS down\"" host=192.168.10.2 interval=1m packet-count=10 packet-interval=1s test-script="" \
timeout=10s type=icmp up-script=":log message=\"NAS up\""