Another beginner VLAN setup question

Hello,

I’m using pcunite’s “Router-Switch-AP all in one device” configuration, simplified even further.
Basically I just wanted to isolate the Wi‑Fi and have decent security.
Here is my configuration with sensitive data removed.

# apr/09/2023 08:38:26 by RouterOS 7.8
# software id = aaaa

# model = C53UiG+5HPaxD2HPaxD
# serial number = bbbb

# --- Layer 2: a single bridge with VLAN filtering on. Every VLAN decision
# below (port pvid, tagged/untagged membership) hangs off BR1.
# protocol-mode=none switches (R)STP off on this bridge.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes

# --- Wi-Fi radios. Both SSIDs allow WPA2-PSK and WPA3-PSK (mixed mode).
# Both radios are bridge ports with pvid=10 (see /interface bridge port),
# so every Wi-Fi client lands in BLUE_VLAN whichever SSID it joins.
# Passphrases and country are placeholders in this paste.
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.country=xxx .mode=ap \
    .ssid=MikroTik-A disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=blabla

set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=xxx .mode=ap .ssid=\
    MikroTik-B disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=blabla

# --- WAN uplink: PPPoE over ether1, installing the default route.
# ether1 is not a member of BR1 (see /interface bridge port), so the WAN
# never shares the VLAN bridge. Credentials are placeholders.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=bla user=bla

# IPv6 is disabled entirely; that is why no /ipv6 firewall appears below.
/ipv6 settings
set disable-ipv6=yes

# MikroTik cloud DDNS: the router publishes its public address to its
# cloud DDNS name (outbound registration over the PPPoE link).
/ip cloud
set ddns-enabled=yes

# --- Layer 3 VLAN interfaces on the bridge CPU port.
# VLAN 99 (BASE_VLAN) is the wired/management network: input rule 4 below
# gives it full access to the router. VLAN 10 (BLUE_VLAN) is the Wi-Fi
# network and only gets DNS from the router plus Internet access.
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10

# Interface lists the firewall matches on: WAN (uplink), VLAN (every client
# VLAN), BASE (management VLAN only). Memberships are under
# /interface list member; a new client VLAN only needs adding there.
/interface list
add name=WAN
add name=VLAN
add name=BASE


# DHCP address pools, one per VLAN (.1 is the router on each).
/ip pool
add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254

/ip dhcp-server
add address-pool=BASE_POOL interface=BASE_VLAN lease-time=8h name=BASE_DHCP
add address-pool=BLUE_POOL interface=BLUE_VLAN lease-time=8h name=BLUE_DHCP

# --- Access ports. Every port admits only untagged (or priority-tagged)
# frames and is placed in exactly one VLAN by its pvid, so a client cannot
# send 802.1Q-tagged frames to hop into another VLAN.
#   wifi1, wifi2  -> VLAN 10 (BLUE)
#   ether2-ether5 -> VLAN 99 (BASE)
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99


# Bridge VLAN table: VLANs 10 and 99 are carried tagged to the bridge CPU
# port (BR1) so the router itself can route and serve DHCP on them.
# No untagged= is listed; RouterOS derives untagged membership dynamically
# from the port pvids above (the reply further down lists them explicitly
# as a matter of preference).
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=99

# WAN holds both the physical port and the PPPoE interface. BASE_VLAN is in
# both VLAN and BASE, so the "VLAN" input rules (DNS) already cover it and
# rule 4 then grants it everything else.
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE

# Router addresses: gateway of each VLAN.
/ip address
add address=192.168.88.1/24 interface=BASE_VLAN network=192.168.88.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0


# DHCP options: clients are told to use the router itself as DNS server,
# which is what input rules 2 and 3 below are for.
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

# The router resolves for its clients (allow-remote-requests=yes) and
# forwards upstream over DNS-over-HTTPS to Quad9 with certificate
# verification. Exposure: the input chain only accepts port 53 from
# in-interface-list=VLAN and ends in a drop, so this resolver is not
# reachable from the WAN side (no open resolver).
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes

# Static entries for the DoH hostname, presumably so dns.quad9.net can be
# resolved before the DoH upstream is usable (bootstrap) - confirm.
/ip dns static
add address=9.9.9.9 name=dns.quad9.net
add address=149.112.112.112 name=dns.quad9.net


# --- Firewall. The "1." .. "9." prefixes are the poster's reference
# numbers for the questions that follow, not RouterOS syntax.
#
# input chain (traffic TO the router): established/related first, then
# DNS from any client VLAN, full access from the management VLAN, then an
# explicit catch-all drop. Consequences of that catch-all:
#   - nothing arriving from the WAN reaches a router service, since no
#     rule accepts WAN input;
#   - ICMP (ping) to the router from BLUE_VLAN is dropped as well;
#   - connection-state=invalid is not dropped explicitly; such packets
#     simply fall through to rule 5.
# Rule 3 is not redundant with rule 2: DNS also runs over TCP (large or
# truncated answers are retried over TCP), so TCP/53 must be open too.
/ip firewall filter
1. add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
2. add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 in-interface-list=VLAN protocol=udp
3. add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 in-interface-list=VLAN protocol=tcp
4. add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
5. add action=drop chain=input comment=Drop

# forward chain (traffic THROUGH the router): established/related, then
# only NEW connections from a client VLAN out to the WAN, then anything
# that was dst-natted (port forward), then drop. Because rule 7 requires
# out-interface-list=WAN, BLUE_VLAN cannot initiate to BASE_VLAN hosts or
# vice versa - that is the Wi-Fi isolation.
# Rules 7 and 8 are both accepts, so swapping them changes only which
# rule's counter increments, never what is accepted.
# There is no fasttrack-connection rule, so every forwarded packet is
# evaluated by the full filter chain; functionally complete, just slower
# than the default config (the reply below adds one).
6. add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
7. add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
8. add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
9. add action=drop chain=forward comment=Drop

# srcnat: masquerade everything leaving via a WAN-list interface.
# dstnat: forward TCP port xxxx to 192.168.88.100 in BASE_VLAN.
# NOTE(review): the dst-nat rule matches only on protocol and dst-port,
# with no in-interface-list=WAN or dst-address restriction. A TCP
# connection to port xxxx entering on ANY interface - including a
# BLUE_VLAN client aiming at an Internet host - is therefore rewritten to
# 192.168.88.100 and then accepted by forward rule 8
# (connection-nat-state=dstnat), which bypasses the BLUE->BASE isolation
# for that one port. Adding in-interface-list=WAN, as the reply below does,
# confines the rule to real inbound port-forwards.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=192.168.88.100 to-ports=xxxx


# Router management services: telnet, ftp, api and api-ssl are turned off.
# www, www-ssl, ssh and winbox are not touched in this export, so their
# state is whatever the device already had; whatever remains enabled is
# reachable only from BASE_VLAN because of input rules 4 and 5.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes


# Placeholder time zone.
/system clock set time-zone-name=bla/bla

/system identity set name=RouterSwitchAP

# The bandwidth-test server would answer test requests from clients;
# disabling it removes one more service that could be abused for load.
/tool bandwidth-server set enabled=no

/tool graphing set store-every=24hours

My questions are related to the firewall.

  • Is rule #3 really needed? It seems like DNS traffic uses the UDP protocol, not TCP.
  • On the forward chain, does the order of #7 & #8 matter? Is there any effect if I move “allow port forwarding” before “VLAN Internet Access”?
  • In the default configuration I saw the fasttrack-connection rule on the forward chain. Am I missing something if I don’t have a fasttrack-connection rule?


    Thank you.
    Best regards,

Great Start…
The rule order between the two items makes very little difference.
It makes more sense to put the rule that is matched more often first; so if most of the traffic is internet-bound, then …

Yes, fasttrack speeds up performance significantly.
Yes, DNS can use both UDP and TCP, and it is always allowed for both.

Changes:


# Reply's proposed changes. NOTE(review): this is a forum transcription,
# not a pasteable script: the comment quotes are typographic (“ ”) rather
# than ASCII ("), the "1." .. "9." prefixes and the { ... } remarks are
# annotations, and the line continuation at the end of the dst-nat rule is
# written as "/" where RouterOS uses "\".

# Explicit untagged membership per VLAN. As the remark says, the port pvid
# already produces this dynamically, so it is documentation more than
# configuration.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=wifi1,wifi2 vlan-ids=10 { untagging not necessary, personal preference }
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,ether5 vlan-ids=99 { untagging not necessary, personal preference }

# input chain now mirrors the RouterOS default config ("defconf"):
#   - established/related/untracked accepted first (untracked is included
#     as in defconf; presumably for packets excluded from connection
#     tracking via a notrack rule - confirm it is needed here);
#   - invalid dropped before any rule that could accept it;
#   - ICMP accepted with no interface restriction, so the router answers
#     ping from every side, the WAN included.
# The VLAN DNS / BASE full-access / catch-all drop rules are unchanged.
/ip firewall filter

  1. add action=accept chain=input comment=“Allow Estab & Related & Untracked” connection-state=established,related,untracked
    add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
    add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
  2. add action=accept chain=input comment=“Allow VLAN DNS” dst-port=53 in-interface-list=VLAN protocol=udp
  3. add action=accept chain=input comment=“Allow VLAN DNS” dst-port=53 in-interface-list=VLAN protocol=tcp
  4. add action=accept chain=input comment=“Allow Base_Vlan Full Access” in-interface=BASE_VLAN
  5. add action=drop chain=input comment=Drop
# forward chain: fasttrack goes first, as in defconf. Fasttracked packets
# of established/related connections skip the rest of the filter, which is
# the performance gain; they also bypass mangle/queue processing, so
# confirm nothing else on the router relies on seeing them.
# NOTE(review): rule 7 here omits the connection-state=new that the
# original rule carried. With invalid dropped and established/related/
# untracked accepted above it, that only changes which rule counts the
# packets; the poster's applied config (print output below) keeps "new".
    add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
  6. add action=accept chain=forward comment=“Allow Estab & Related& Untracked” connection-state=established,related,untracked
    add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
  7. add action=accept chain=forward comment=“VLAN Internet Access only” in-interface-list=VLAN out-interface-list=WAN
  8. add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
  9. add action=drop chain=forward comment=Drop

# dst-nat now carries in-interface-list=WAN: the port-forward only applies
# to connections that actually arrive from the WAN, so a BLUE_VLAN client
# connecting to port xxxx on some Internet host is no longer redirected to
# the BASE_VLAN host (and then let through by forward rule 8).
/ip firewall nat
add action=masquerade chain=srcnat comment=“Default masquerade” out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=192.168.88.100 to-ports=xxxx /
in-interface-list=WAN

# Neighbor discovery (MNDP/CDP/LLDP) only on the BASE list, i.e. only on
# BASE_VLAN: the router no longer announces itself to Wi-Fi clients or
# towards the WAN.
/ip neighbor discovery-settings
set discover-interface-list=BASE

# MAC-telnet disabled on every interface; MAC-Winbox restricted to the
# management VLAN.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Hi anav,

I modified the config based on your guidance.
Thank you!

/ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; Allow VLAN DNS
      chain=input action=accept protocol=udp in-interface-list=VLAN dst-port=53 

 5    ;;; Allow VLAN DNS
      chain=input action=accept protocol=tcp in-interface-list=VLAN dst-port=53 

 6    ;;; Allow Base_Vlan Full Access
      chain=input action=accept in-interface=BASE_VLAN 

 7    ;;; Drop
      chain=input action=drop 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; VLAN Internet Access only
      chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN 

12    ;;; allow port forwarding
      chain=forward action=accept connection-nat-state=dstnat 

13    ;;; Drop
      chain=forward action=drop 



/ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Default masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 

 1    chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=xxxx protocol=tcp in-interface-list=WAN dst-port=xxxx
 


/ip neighbor discovery-settings print 
   discover-interface-list: BASE


/tool mac-server print 
  allowed-interface-list: none


/tool mac-server mac-winbox print
  allowed-interface-list: BASE

As long as you understand the purpose of every rule, it's worth it…