Tik0
October 30, 2018, 10:32pm
1
First, hello to everyone
I am changing my ISP router to an RB951G and I need your help with the configuration.
ETH1 (wan):
vl10-TAG-NET
vl14-TAG-IPTV
ETH2-4+WLAN1:
LAN-DHCP 192.168.5.1/24
ETH5:
vl14-UNTAG-IPTV
Below I'm posting how it is currently configured:
/interface bridge
add admin-mac=4C:5E:0C:7C:CF:71 auto-mac=no comment=NET-DHCP name=bridge
add name=bridge-vlan10
add igmp-snooping=yes name=bridge-vlan14
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
distance=indoors frequency=auto mode=ap-bridge ssid=AccessPoint \
wireless-protocol=802.11
/interface vlan
add interface=ether1 name=eth1-vlan10 vlan-id=10
add interface=ether1 name=eth1-vlan14 vlan-id=14
/interface list
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=\
none
/ip pool
add name=vpn-pool ranges=172.16.0.1-172.16.0.100
add name=DHCP ranges=192.168.5.0/24
/ip dhcp-server
add add-arp=yes address-pool=DHCP disabled=no interface=bridge name="DHCP LAN"
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.10.1 \
name=l2tp-vpn-profile1 use-encryption=yes use-mpls=no use-upnp=no
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge-vlan14 comment=IPTV interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge-vlan10 comment="VLAN NET" interface=eth1-vlan10
add bridge=bridge-vlan14 comment="VLAN IPTV" interface=eth1-vlan14
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-vpn-profile1 enabled=yes \
ipsec-secret= use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.5.1/24 interface=bridge network=192.168.5.0
/ip dhcp-client
add comment="WAN NET" dhcp-options=hostname,clientid disabled=no interface=\
bridge-vlan10
/ip dhcp-server network
add address=192.168.5.0/24 comment=LAN gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=forward src-address=172.16.0.0/25
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
My question to you: where did I make a mistake, such that I have no internet on the LAN?
You did not post the running version. Assuming some recent version, you'd better use the new bridge config with VLAN filtering.
So, one bridge for WAN with two vlans:
/interface bridge
add igmp-snooping=yes name=bridge-wan vlan-filtering=yes
/interface bridge port
add bridge=bridge-wan interface=ether1
add bridge=bridge-wan interface=ether5 pvid=14
/interface bridge vlan
add bridge=bridge-wan comment=NET tagged=ether1 vlan-ids=10
add bridge=bridge-wan comment=IPTV tagged=ether1 untagged=ether5 vlan-ids=14
This will split off IPTV traffic to eth5.
Then, create WAN NET interface on router:
/interface vlan
add interface=bridge-wan name=bridge-wan-vlan10 vlan-id=10
/ip dhcp-client
add comment="WAN NET" dhcp-options=hostname,clientid disabled=no interface=\
bridge-wan-vlan10
/interface list member
add interface=bridge-wan list=WAN
add interface=bridge-wan-vlan10 list=WAN
LAN settings remain the same.
Edit: added pvid=14 to bridge port ether5
Tik0
October 31, 2018, 8:15pm
3
I have changed the configuration according to your instructions, but I do not get IP addresses on VLAN 10 & 13. I can see MAC addresses from VLAN 10 and 13 on the switch that is in front of this MT.
Here is the current configuration:
# sep/21/2018 20:07:43 by RouterOS 6.43.4
# model = 951G-2HnD
/interface bridge
add igmp-snooping=yes name=bridge-wan vlan-filtering=yes
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge \
ssid=AccessPoint wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface vlan
add interface=bridge-wan loop-protect-disable-time=3m name=bridge-wan-vlan10 \
use-service-tag=yes vlan-id=10
add interface=bridge-wan name=bridge-wan-vlan13 vlan-id=13
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=vpn-pool ranges=172.16.0.1-172.16.0.100
add name=dhcp ranges=192.168.5.3-192.168.5.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge1 name="DHCP LAN"
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.10.1 \
name=l2tp-vpn-profile1 use-encryption=yes use-mpls=no use-upnp=no
/interface bridge port
add bridge=bridge1 comment="LAN ether 2-4 & wlan" interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge-wan comment=WAN interface=ether1
add bridge=bridge-wan comment=IPTV interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-wan comment=NET tagged=ether1 vlan-ids=10
add bridge=bridge-wan comment=IPTV tagged=ether1 untagged=ether5 vlan-ids=14
add bridge=bridge-wan comment=MGNT tagged=ether1 vlan-ids=13
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-vpn-profile1 enabled=yes \
ipsec-secret= use-ipsec=yes
/interface list member
add list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=bridge-wan list=WAN
add interface=bridge-wan-vlan10 list=WAN
add interface=bridge-wan-vlan13 list=WAN
/ip address
add address=192.168.5.1/24 interface=ether2 network=192.168.5.0
/ip dhcp-client
add comment="WAN MGNT" dhcp-options=hostname,clientid disabled=no interface=\
bridge-wan-vlan13
add comment="WAN NET" dhcp-options=hostname,clientid disabled=no interface=\
bridge-wan-vlan10
/ip dhcp-server network
add address=192.168.5.0/24 comment=LAN gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=forward src-address=172.16.0.0/25
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ppp secret
add name=andrzej password= profile=l2tp-vpn-profile1 remote-address=\
192.168.10.10 service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MikroTikRB951G
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
If there is a managed switch on the WAN side, why don't you use this switch to split off IPTV?
Are you sure that the switch is well configured?
You could disable use-service-tag on vlan-14, temporarily remove the switch on the WAN side, or remove ether1 from the bridge and set the VLANs directly on ether1 to rule out bridge issues.
Use Torch to check traffic on physical interfaces and vlans.
Tik0
October 31, 2018, 10:07pm
5
Because this managed switch will be in a different location.
Yes, because I see all MAC addresses correctly. I wonder just one thing: can VLAN 10 and 14 be visible under one MAC address?
After deleting VLAN 13 and 14 and the bridge-wan, I created VLAN 10 directly on ether1 and I received an IP address.
CZFan
October 31, 2018, 11:19pm
6
Remove all bridges, then add the VLANs directly to ether1, then create the first bridge for ports 2-4 and wlan.
Then create another bridge and put eth5 and vlan14 in it.
Tik0
November 1, 2018, 10:35am
7
Thank you, guys! You helped me a lot.
In the end I just had to add to NAT:
add action=masquerade chain=srcnat out-interface=vlan10
and everything works as it should.
Better add all untrusted interfaces (ether1 + VLANs) to the WAN interface list. The firewall drops connections based on the interface list.
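As an added example (not configuration from anyone in this thread), here is the layout CZFan describes in post 6 combined with the interface-list point from the last reply: VLANs directly on ether1, one bridge for the LAN, one bridge joining vlan14 and ether5, and every untrusted interface in the WAN list so the defconf firewall and masquerade rules actually match the VLAN the DHCP client runs on. The names bridge-lan, bridge-iptv, vlan10 and vlan14 are my own, and it assumes the default WAN and LAN interface lists and the defconf firewall filter rules from the thread are already present.

```routeros
# Added example, not from the thread. Assumes ether1 is the ISP trunk
# carrying tagged VLAN 10 (internet) and VLAN 14 (IPTV); names are illustrative.
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10 comment="WAN NET, tagged on ether1"
add interface=ether1 name=vlan14 vlan-id=14 comment="WAN IPTV, tagged on ether1"

# Bridge 1: LAN on ether2-4 and wlan1. The LAN IP and DHCP server live on the
# bridge itself, not on a member port (post 3 had the address on ether2).
/interface bridge
add name=bridge-lan comment="LAN 192.168.5.0/24"
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=wlan1
/ip address
add address=192.168.5.1/24 interface=bridge-lan network=192.168.5.0
/ip pool
add name=dhcp ranges=192.168.5.3-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan name="DHCP LAN"
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1

# Bridge 2: IPTV only. Tagged VLAN 14 from ether1 leaves ether5 untagged;
# this bridge carries no IP address, so the router never routes IPTV traffic.
/interface bridge
add name=bridge-iptv igmp-snooping=yes comment="IPTV: vlan14 <-> ether5"
/interface bridge port
add bridge=bridge-iptv interface=vlan14
add bridge=bridge-iptv interface=ether5

# Internet uplink: DHCP client on the VLAN 10 interface
/ip dhcp-client
add interface=vlan10 dhcp-options=hostname,clientid disabled=no comment="WAN NET"

# Interface lists drive the defconf firewall and the masquerade rule.
# The original config had only ether1 in WAN, so traffic leaving via the VLAN
# interface was neither masqueraded nor treated as untrusted by "input" rules.
/interface list member
add interface=bridge-lan list=LAN
add interface=ether1 list=WAN
add interface=vlan10 list=WAN
add interface=vlan14 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN comment="masquerade to WAN"
```

With all three untrusted interfaces in the WAN list, the existing "drop all not coming from LAN" input rule and the "drop all from WAN not DSTNATed" forward rule cover the VLAN interfaces without per-interface exceptions such as the out-interface=vlan10 NAT rule added in post 7.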