I already have a firewall filter on a specific address list for winbox-ip; if you look at /ip dhcp-server lease, you can see that I'm adding these 3 devices to a list, which then have access to winbox-ip.
The only thing I would still like to do, and I'm not sure how, is to have only 1 subnet:
192.168.10.xxx
so I would like to remove 192.168.100.xxx and 192.168.200.xxx.
Every time I try something, I get locked out of the internet or the router (hard reset needed).
Full Config
/interface ethernet
# ether1 is the WAN uplink; ether2 is a standalone LAN segment (LAN1); ether3-5
# are bridged together further down (/interface bridge port).
# arp=reply-only on LAN1 (and on the WLAN below): the router answers ARP requests
# but does not learn dynamic entries, so only hosts whose ARP entry is created
# some other way (here: the DHCP servers' add-arp=yes) can talk to it. A device
# with a manually configured IP on these interfaces would not reach the router.
set [ find default-name=ether2 ] arp=reply-only name=interface-LAN1
set [ find default-name=ether3 ] name=interface-LAN2
set [ find default-name=ether4 ] name=interface-LAN3
set [ find default-name=ether5 ] name=interface-LAN4
set [ find default-name=ether1 ] name=interface-WAN
/interface bridge
# One bridge for LAN2-4 with a pinned admin MAC (value redacted in the post).
add admin-mac=***** auto-mac=no l2mtu=1598 name=interface-bridge
/interface wireless
# 2.4 GHz access point on its own L3 segment (192.168.100.0/24 under /ip address),
# with the same reply-only ARP stance as LAN1. SSID redacted in the post.
set [ find default-name=wlan1 ] arp=reply-only band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=canada disabled=no distance=indoors l2mtu=2290 mode=ap-bridge name=interface-WLAN ssid=***** wireless-protocol=802.11
/ip neighbor discovery
# Neighbor discovery is switched off on every interface, WAN included, so the
# router does not advertise itself to neighbors.
set interface-LAN1 discover=no
set interface-LAN2 discover=no
set interface-LAN3 discover=no
set interface-LAN4 discover=no
set interface-WAN discover=no
set interface-WLAN discover=no
set interface-bridge discover=no
/interface wireless security-profiles
# WPA2-PSK only: authentication-types=wpa2-psk does not offer WPA(1)-PSK, so the
# wpa-pre-shared-key value appears to be carried but unused by this profile.
# Keys redacted in the post.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa-pre-shared-key=***** wpa2-pre-shared-key=*****
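/ip pool
# Only the bridge DHCP server gets a dynamic pool. The LAN1 and WLAN servers
# below set no address-pool, so they hand out only the static leases listed
# under /ip dhcp-server lease (RouterOS's default address-pool is static-only
# — confirm on the running version).
add name=pool-bridge ranges=192.168.200.100-192.168.200.200
/ip dhcp-server
# add-arp=yes on LAN1/WLAN is what creates ARP entries for the reply-only
# interfaces; without it those DHCP clients could not reach the router at all.
add add-arp=yes disabled=no interface=interface-LAN1 lease-time=10m name=dhcp-server-LAN1
add add-arp=yes disabled=no interface=interface-WLAN lease-time=10m name=dhcp-server-WLAN
add address-pool=pool-bridge disabled=no interface=interface-bridge lease-time=10m name=dhcp-server-bridge
/system logging action
# Memory log capped at 2000 lines. The firewall filter logs every dropped packet
# without rate limiting, so this buffer can roll over quickly when troubleshooting.
set 0 memory-lines=2000
/interface bridge port
add bridge=interface-bridge interface=interface-LAN2
add bridge=interface-bridge interface=interface-LAN3
add bridge=interface-bridge interface=interface-LAN4
/ip address
# Three separate /24s, one per L3 segment (LAN1, WLAN, bridge). Collapsing to a
# single 192.168.10.0/24 (the post's goal) means one address and one DHCP server
# on one bridge; the static leases below must then be re-created against that
# server, because server= ties each lease to a specific DHCP server instance.
add address=192.168.10.1/24 interface=interface-LAN1 network=192.168.10.0
add address=192.168.100.1/24 interface=interface-WLAN network=192.168.100.0
add address=192.168.200.1/24 interface=interface-bridge network=192.168.200.0
/ip dhcp-client
# WAN address obtained via DHCP; hostname and client-id are sent upstream.
add dhcp-options=hostname,clientid disabled=no interface=interface-WAN
/ip dhcp-server lease
# Static leases. address-list=support adds the leased IP to the `support`
# address list while the lease is bound; that list is what the firewall's
# accept rules key on in the input, forward and output chains. A device whose
# lease is removed, or left pointing at a server that no longer exists, drops
# out of the list and silently loses access — consistent with the lock-out
# symptom described in the post.
# comment= values use straight quotes here; the curly quotes shown in the
# forum rendering would not parse on import.
add address=192.168.10.200 address-list=support client-id=1:***** comment="***** Desktop" mac-address=***** server=dhcp-server-LAN1
add address=192.168.100.200 address-list=support client-id=1:***** comment="***** Android Phone" mac-address=***** server=dhcp-server-WLAN
add address=192.168.100.210 address-list=support client-id=1:***** comment="***** Laptop" mac-address=***** server=dhcp-server-WLAN
/ip dhcp-server network
# Each segment is told to use the router's own interface address as DNS and gateway.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
# allow-remote-requests=yes makes the router a DNS resolver for its clients.
# It is not an open resolver toward the WAN only because the firewall input
# chain drops everything not sourced from the support lists — keep that
# dependency in mind before relaxing those drop rules.
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 name=dns-LAN1
add address=192.168.100.1 name=dns-WLAN
add address=192.168.200.1 name=dns-bridge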
/ip firewall address-list
# `bogons`: reserved/unroutable source ranges dropped on input and as forward
# destinations by the filter below. 192.168.0.0/16 is deliberately absent
# (the LANs live there), so spoofed 192.168.x sources arriving on the WAN are
# NOT caught by this list; an in-interface-scoped rule would be needed for that.
# Note 0.0.0.0/8 is included — DHCP discover traffic uses that source; see the
# note on the input chain's final drop.
# `support` has no static members: it is populated dynamically from the
# address-list= attribute on the DHCP leases above. `support-other` is the whole
# bridge subnet, so every host on 192.168.200.0/24 gets the broader accepts
# (but not Winbox, which is restricted to `support` alone).
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.200.0/24 list=support-other
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=224.0.0.0/4 list=bogons
add address=240.0.0.0/4 list=bogons
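/ip firewall filter
# Rule order matters: the first matching rule in a chain wins, so every packet
# is evaluated top-down until something accepts or drops it.
# Reviewer notes on this rule set (kept as comments so the export still imports):
#  - The accept rules for established/related traffic and for the support lists
#    sit AFTER the TCP-flag, psd and Syn_Flooder rules. A management host that is
#    itself in `support` can therefore be added to Port_Scanner or Syn_Flooder and
#    then be dropped for 10 minutes before its accept rule is ever reached — a
#    plausible self-lockout path. Exempting the management hosts from the two
#    add-src-to-address-list rules (src-address-list=!support), or moving the
#    established/related accepts to the top of each chain, avoids it.
#  - The support/support-other accept rules carry no in-interface match and the
#    bogons list lacks 192.168.0.0/16, so a packet arriving on interface-WAN with
#    a spoofed 192.168.x source would match them. Adding in-interface=!interface-WAN
#    to those rules, or dropping 192.168.0.0/16 from interface-WAN, closes that.
#  - The final "Everything else" drops are what actually enforce the management
#    restriction; the dedicated Winbox drop is a logged subset of that.
#  - Straight quotes restored in comment= and log-prefix= values; the curly
#    quotes in the forum rendering would not parse on import.
#
# --- input: malformed TCP flag combinations (log, then drop, per combination) ---
# Every match is logged with no limit; on a WAN-facing router this is the main
# source of log volume.
add action=log chain=input comment="Drop INPUT TCP flags NULL" log-prefix="Drop INPUT TCP flags NULL" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop INPUT TCP flags NULL" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=input comment="Drop INPUT TCP flags fin (stealth)" log-prefix="Drop INPUT TCP flags fin (stealth): " protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop INPUT TCP flags fin (stealth)" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=input comment="Drop INPUT TCP flags fin,psh,urg (stealth)" log-prefix="Drop INPUT TCP flags fin,psh,urg (stealth): " protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=drop chain=input comment="Drop INPUT TCP flags fin,psh,urg (stealth)" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=log chain=input comment="Drop INPUT TCP flags syn,fin,rst,psh,ack,urg" log-prefix="Drop INPUT TCP flags syn,fin,rst,psh,ack,urg: " protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=input comment="Drop INPUT TCP flags syn,fin,rst,psh,ack,urg" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=log chain=input comment="Drop INPUT TCP flags syn,fin,rst,psh,ack" log-prefix="Drop INPUT TCP flags syn,fin,rst,psh,ack: " protocol=tcp tcp-flags=fin,syn,rst,psh,ack
add action=drop chain=input comment="Drop INPUT TCP flags syn,fin,rst,psh,ack" protocol=tcp tcp-flags=fin,syn,rst,psh,ack
add action=log chain=input comment="Drop INPUT TCP flags fin,rst,psh,urg" log-prefix="Drop INPUT TCP flags fin,rst,psh,urg: " protocol=tcp tcp-flags=fin,rst,psh,urg
add action=drop chain=input comment="Drop INPUT TCP flags fin,rst,psh,urg" protocol=tcp tcp-flags=fin,rst,psh,urg
add action=log chain=input comment="Drop INPUT TCP flags syn,fin,rst,psh" log-prefix="Drop INPUT TCP flags syn,fin,rst,psh: " protocol=tcp tcp-flags=fin,syn,rst,psh
add action=drop chain=input comment="Drop INPUT TCP flags syn,fin,rst,psh" protocol=tcp tcp-flags=fin,syn,rst,psh
add action=log chain=input comment="Drop INPUT TCP flags syn,fin,psh" log-prefix="Drop INPUT TCP flags syn,fin,psh: " protocol=tcp tcp-flags=fin,syn,psh
add action=drop chain=input comment="Drop INPUT TCP flags syn,fin,psh" protocol=tcp tcp-flags=fin,syn,psh
add action=log chain=input comment="Drop INPUT TCP flags fin,rst,urg" log-prefix="Drop INPUT TCP flags fin,rst,urg: " protocol=tcp tcp-flags=fin,rst,urg
add action=drop chain=input comment="Drop INPUT TCP flags fin,rst,urg" protocol=tcp tcp-flags=fin,rst,urg
add action=log chain=input comment="Drop INPUT TCP flags syn,fin,rst" log-prefix="Drop INPUT TCP flags syn,fin,rst: " protocol=tcp tcp-flags=fin,syn,rst
add action=drop chain=input comment="Drop INPUT TCP flags syn,fin,rst" protocol=tcp tcp-flags=fin,syn,rst
add action=log chain=input comment="Drop INPUT TCP flags ack,urg" log-prefix="Drop INPUT TCP flags ack,urg: " protocol=tcp tcp-flags=ack,urg
add action=drop chain=input comment="Drop INPUT TCP flags ack,urg" protocol=tcp tcp-flags=ack,urg
add action=log chain=input comment="Drop INPUT TCP flags fin,psh (stealth)" log-prefix="Drop INPUT TCP flags fin,psh (stealth): " protocol=tcp tcp-flags=fin,psh,!ack
add action=drop chain=input comment="Drop INPUT TCP flags fin,psh (stealth)" protocol=tcp tcp-flags=fin,psh,!ack
add action=log chain=input comment="Drop INPUT TCP flags fin,rst" log-prefix="Drop INPUT TCP flags fin,rst: " protocol=tcp tcp-flags=fin,rst
add action=drop chain=input comment="Drop INPUT TCP flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=log chain=input comment="Drop INPUT TCP flags fin,urg" log-prefix="Drop INPUT TCP flags fin,urg: " protocol=tcp tcp-flags=fin,urg
add action=drop chain=input comment="Drop INPUT TCP flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=log chain=input comment="Drop INPUT TCP flags syn,fin" log-prefix="Drop INPUT TCP flags syn,fin: " protocol=tcp tcp-flags=fin,syn
add action=drop chain=input comment="Drop INPUT TCP flags syn,fin" protocol=tcp tcp-flags=fin,syn
add action=log chain=input comment="Drop INPUT TCP flags syn,rst" log-prefix="Drop INPUT TCP flags syn,rst: " protocol=tcp tcp-flags=syn,rst
add action=drop chain=input comment="Drop INPUT TCP flags syn,rst" protocol=tcp tcp-flags=syn,rst
# --- invalid connection-tracking state, all three chains ---
add action=log chain=input comment="Drop INPUT invalid connection" connection-state=invalid log-prefix="Drop INPUT invalid connection: "
add action=drop chain=input comment="Drop INPUT invalid connection" connection-state=invalid
add action=log chain=forward comment="Drop FORWARD invalid connection" connection-state=invalid log-prefix="Drop FORWARD invalid connection: "
add action=drop chain=forward comment="Drop FORWARD invalid connection" connection-state=invalid
add action=log chain=output comment="Drop OUTPUT invalid connection" connection-state=invalid log-prefix="Drop OUTPUT invalid connection: "
add action=drop chain=output comment="Drop OUTPUT invalid connection" connection-state=invalid
# --- SYN flood: any /32 source with more than 30 connections to the router is
# listed for 10 minutes and then dropped outright. Applies to management hosts
# too (see the note at the top).
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=10m chain=input comment="Add to list INPUT Syn Flood IP" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=log chain=input comment="Drop INPUT Syn Flood list" log-prefix="Drop INPUT Syn Flood list:" src-address-list=Syn_Flooder
add action=drop chain=input comment="Drop INPUT Syn Flood list" src-address-list=Syn_Flooder
# --- port-scan detection (psd = weight threshold 21, 5 s window, low-port
# weight 3, high-port weight 1). A single LAN host touching several low ports on
# the router within 5 s can cross this threshold; it is then dropped for 10 min.
# UDP from source port 53 is exempt so DNS replies are not counted.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=10m chain=input comment="Add to list INPUT Port Scanner IP" protocol=tcp psd=21,5s,3,1
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=10m chain=input comment="Add to list INPUT Port Scanner IP" protocol=udp psd=21,5s,3,1 src-port=!53
add action=log chain=input comment="Drop INPUT Port Scanner list" log-prefix="Drop INPUT Port Scanner list: " src-address-list=Port_Scanner
add action=drop chain=input comment="Drop INPUT Port Scanner list" src-address-list=Port_Scanner
# --- port 0 in either direction, TCP and UDP ---
add action=log chain=input comment="Drop INPUT TCP src port 0" log-prefix="Drop INPUT TCP src port 0: " protocol=tcp src-port=0
add action=drop chain=input comment="Drop INPUT TCP src port 0" protocol=tcp src-port=0
add action=log chain=input comment="Drop INPUT TCP dst port 0" dst-port=0 log-prefix="Drop INPUT TCP dst port 0: " protocol=tcp
add action=drop chain=input comment="Drop INPUT TCP dst port 0" dst-port=0 protocol=tcp
add action=log chain=input comment="Drop INPUT UDP src port 0" log-prefix="Drop INPUT UDP src port 0: " protocol=udp src-port=0
add action=drop chain=input comment="Drop INPUT UDP src port 0" protocol=udp src-port=0
add action=log chain=input comment="Drop INPUT UDP dst port 0" dst-port=0 log-prefix="Drop INPUT UDP dst port 0: " protocol=udp
add action=drop chain=input comment="Drop INPUT UDP dst port 0" dst-port=0 protocol=udp
# --- Winbox (TCP 8291) only from `support`. Because this sits above the
# support-other accept, hosts on 192.168.200.0/24 can reach the router for
# other services but not Winbox.
add action=log chain=input comment="Drop INPUT All access to winbox - except support list" dst-port=8291 log-prefix="Drop INPUT All access to winbox - except support list: " protocol=tcp src-address-list=!support
add action=drop chain=input comment="Drop INPUT All access to winbox - except support list" dst-port=8291 protocol=tcp src-address-list=!support
# --- bogons: input by source, forward by destination. Unlike the other
# log/drop pairs the input log rule is disabled while the drop is active —
# presumably to cut noise; confirm that is intended.
add action=log chain=input comment="Drop INPUT Bogon list" disabled=yes log-prefix="Drop INPUT Bogon list: " src-address-list=bogons
add action=drop chain=input comment="Drop INPUT Bogon list" src-address-list=bogons
add action=log chain=forward comment="Drop FORWARD Bogon list" dst-address-list=bogons log-prefix="Drop FORWARD Bogon list: "
add action=drop chain=forward comment="Drop FORWARD Bogon list" dst-address-list=bogons
# --- all ICMP is handled by the ICMP chain at the bottom ---
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=jump chain=output comment="Jump for icmp output flow" jump-target=ICMP protocol=icmp
# --- router-originated DNS and NTP toward the WAN. The NTP rule also requires
# src-port=123; confirm the NTP client actually binds that source port, or the
# request is dropped by the output chain's final rule.
add chain=output comment="Accept OUTPUT DNS - UDP" dst-port=53 out-interface=interface-WAN protocol=udp
add chain=output comment="Accept OUTPUT DNS - TCP" dst-port=53 out-interface=interface-WAN protocol=tcp
add chain=output comment="Accept OUTPUT NTP - UDP" dst-port=123 out-interface=interface-WAN protocol=udp src-port=123
# --- input accepts. Only now are established/related and the two support
# lists admitted; everything else to the router is logged and dropped.
# DHCP discover/request from clients (source 0.0.0.0, which the bogons drop
# above also covers) is never accepted here; the DHCP servers presumably still
# work because RouterOS handles DHCP before the IP filter — confirm before
# relying on it when tightening further.
add chain=input comment="Accept INPUT Established connection" connection-state=established
add chain=input comment="Accept INPUT Related connection" connection-state=related
add chain=input comment="Accept INPUT Support list" src-address-list=support
add chain=input comment="Accept INPUT Support-Other list" src-address-list=support-other
add action=drop chain=input comment="Drop INPUT Torrent" dst-port=51415 protocol=tcp
add action=drop chain=input comment="Drop INPUT Torrent" dst-port=51415 protocol=udp
add action=log chain=input comment="Drop INPUT Everything else" log-prefix="Drop INPUT Everything else: "
add action=drop chain=input comment="Drop INPUT Everything else"
# --- forward accepts. Only traffic sourced from the support lists (plus return
# traffic) is routed, so a LAN host that is not in either list has no internet
# access at all. The disabled 2222 rule duplicates the "Accept FORWARD Support
# list" comment of the rule above it and pairs with the disabled dst-nat below.
add chain=forward comment="Accept FORWARD Established connection" connection-state=established
add chain=forward comment="Accept FORWARD Related connection" connection-state=related
add chain=forward comment="Accept FORWARD Support list" src-address-list=support
add chain=forward comment="Accept FORWARD Support-Other list" src-address-list=support-other
add chain=forward comment="Accept FORWARD Support list" disabled=yes dst-address-list=support dst-port=2222 protocol=tcp
add action=log chain=forward comment="Drop FORWARD Everything else" log-prefix="Drop FORWARD Everything else: "
add action=drop chain=forward comment="Drop FORWARD Everything else"
# --- output accepts. Router-initiated traffic other than the DNS/NTP rules
# above is dropped unless its source is in a support list. support-other is
# 192.168.200.0/24, which includes the router's own 192.168.200.1, so output
# from the bridge address is fully allowed while output from 192.168.10.1 and
# 192.168.100.1 is not — an asymmetry worth knowing when collapsing subnets.
# Anything else the router initiates (e.g. the /tool e-mail sender configured
# later; SMTP port not shown) has no matching accept and is dropped here.
add chain=output comment="Accept OUTPUT Established connection" connection-state=established
add chain=output comment="Accept OUTPUT Related connection" connection-state=related
add chain=output comment="Accept OUTPUT Support list" src-address-list=support
add chain=output comment="Accept OUTPUT Support-Other list" src-address-list=support-other
add action=log chain=output comment="Drop OUTPUT Everything else" log-prefix="Drop OUTPUT Everything else: "
add action=drop chain=output comment="Drop OUTPUT Everything else"
# --- ICMP chain: echo requests rate-limited (limit=1,5), a fixed set of
# informational types accepted, the rest logged and dropped. The catch-all log
# rule at the top is disabled.
add action=log chain=ICMP comment="Log ICMP Everything" disabled=yes log-prefix="Log ICMP Everything: " protocol=icmp
add chain=ICMP comment="Accept ICMP Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Accept ICMP Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Accept ICMP Time exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Accept ICMP Destination unreachable (Code 0-1)" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment="Accept ICMP Destination unreachable (Code 3)" icmp-options=3:3 protocol=icmp
add chain=ICMP comment="Accept ICMP Destination unreachable (Code 4)" icmp-options=3:4 protocol=icmp
add action=log chain=ICMP comment="Drop ICMP Everything else" log-prefix="Drop ICMP Everything else: " protocol=icmp
add action=drop chain=ICMP comment="Drop ICMP Everything else" protocol=icmp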
/ip firewall nat
# Masquerade everything leaving the WAN. The disabled dst-nat forwards TCP 2222
# to 192.168.88.200, an address in none of the three configured subnets
# (.10/.100/.200) — stale leftover from an earlier layout; safe to delete
# together with the disabled forward rule for port 2222 if not needed.
add action=masquerade chain=srcnat out-interface=interface-WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=2222 in-interface=interface-WAN protocol=tcp to-addresses=192.168.88.200 to-ports=2222
/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# Telnet, FTP, SSH and both API ports disabled. www and winbox are not listed,
# so they presumably remain at their defaults (enabled, no address= restriction);
# an address= limit on those two would be a second layer behind the firewall.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# Only the external-interface toggle is shown; whether UPnP itself is enabled
# is not visible in this export.
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/Montreal
/system leds
set 0 interface=interface-WLAN
/system ntp client
# Upstream NTP servers pinned by IP; the output chain only lets this out on
# the WAN when the request uses source port 123.
set enabled=yes primary-ntp=198.50.209.202 secondary-ntp=142.137.247.109
/system ntp server
# The router also serves NTP; reachable only from the support lists because
# the input chain drops everything else.
set enabled=yes manycast=no
/system routerboard settings
set silent-boot=yes
/tool e-mail
# Sender address configured (redacted). Mail would be router-originated
# traffic, which the output chain drops unless an accept for it is added.
set address=*****
/tool mac-server
# MAC-telnet off everywhere.
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
# MAC-Winbox is off by default but explicitly enabled on LAN1. It works at
# layer 2 and is not subject to /ip firewall filter, so any device plugged into
# LAN1 can reach Winbox regardless of the `support` list — confirm this is the
# intended recovery path rather than an oversight.
set [ find default=yes ] disabled=yes
add interface=interface-LAN1