Can you check my router configuration?

Hi everyone,
I’ve bought a hEX PoE and I’m very happy with it!

I’m trying to achieve the following, and I think I’m done — everything works…

  • I want to access my security cameras through my NVR from anywhere
  • I want it on a dedicated VLAN (because that’s best practice?)
  • The R7000 wifi access point will be replaced soon by a dedicated access point, a Linksys LAPAC1750PRO
  • I haven’t enabled IPv6 — yeah, I know; I just wanted a working IPv4 setup first, and I know nothing about IPv6…
  • My ISP requires a DHCP client on VLAN100 with some parameters in the DHCP discover, but the IPv4 address returned is always the same.




I just wanted some advice on my work since I’ve never done this before — if some of you have some free time, could you check my RouterOS configuration (see below)?

  • Is my setup secure?
  • Is this the best way to configure this?
  • Won’t my overall configuration restrict my throughput? I have a gigabit line, I appreciate having decent speed, and I want good camera feeds.
  • I have two lines setting up my vlan99 — is this normal? (Honestly this part is a nightmare: you can set VLANs on ports, switches and interfaces, with countless options… I’ve just tried my best to achieve my very simple setup.)
/interface ethernet switch port
# Switch-chip port setting: untagged frames entering port index 4 are classified
# as VLAN 99 and tags are stripped on egress. This is a hardware (switch-chip)
# setting, not a bridge or /interface vlan entry.
set 4 default-vlan-id=99 vlan-header=always-strip

/interface ethernet switch vlan
# Switch-chip VLAN table: VLAN 99 is allowed on ether5 only. The two lines
# configure different tables (per-port default VLAN vs. VLAN membership), which
# is why both appear; they show up again in the full export below.
add independent-learning=yes ports=ether5 switch=switch1 vlan-id=99

This is the full configuration; sorry it’s very long, but I think sharing the whole config is better.

[admin@MikroTik] > /export 
# 2024-01-14 23:17:01 by RouterOS 7.12.1
# software id = 3V1L-5HVQ
#
# model = RB960PGS
# serial number = XXXXXXXXXXXXX
#
# Reviewer notes: every '#' line below is a comment; no command is changed.
# Layout as exported: one LAN bridge ("bridge - LAN"), an ISP-facing tagged
# VLAN 100 on ether1, and a second subnet 192.168.99.0/24 addressed on ether5.

/interface bridge
# Fixed admin MAC so the bridge's MAC (and DHCP leases keyed on it) stays
# stable across reboots.
add admin-mac=78:9A:18:70:70:79 auto-mac=no comment=defconf name="bridge - LAN"

/interface ethernet
# ether1 MAC override on the WAN side; the reason is not stated in the post —
# confirm it is still required by the ISP.
set [ find default-name=ether1 ] mac-address=B8:66:85:3D:DC:78

/interface vlan
# WAN VLAN: the ISP link is tagged 100 on ether1. The DHCP client and the WAN
# interface-list membership further down are attached to this interface.
add interface=ether1 name=vlan100 vlan-id=100

/interface ethernet switch port
# Switch-chip port index 4: untagged ingress is classified as VLAN 99, tags are
# stripped on egress. NOTE(review): the post assumes index 4 is ether5 —
# confirm with "/interface ethernet switch port print".
set 4 default-vlan-id=99 vlan-header=always-strip

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
# Default LTE APN entry; no LTE interface is configured in this export.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
# Default wireless security profile; no wireless interface appears in this
# export, so it is inert.
set [ find default=yes ] supplicant-identity=MikroTik

/ip dhcp-client option
# DHCP option 60 (vendor class identifier) required by the ISP on VLAN 100;
# the value is sent as a quoted string.
add code=60 name=vendor-class-identifier-BYGTELIAD value="'BYGTELIAD'"

/ip hotspot profile
# Default hotspot profile; no hotspot server is defined in this export.
set [ find default=yes ] html-directory=hotspot

/ip pool
# LAN lease range .1-.100; the router itself is .254 (see /ip address).
add name=dhcp ranges=192.168.1.1-192.168.1.100

/ip dhcp-server
# Short 10-minute leases on the LAN bridge.
add address-pool=dhcp interface="bridge - LAN" lease-time=10m name="DHCP - LAN"

/routing bgp template
# RouterOS 7 default routing-protocol stubs: no BGP connections or OSPF
# interfaces are defined in this export, and the OSPF area is disabled.
set default disabled=no output.network=bgp-networks

/routing ospf instance
add disabled=no name=default-v2

/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/interface bridge port
# ether2-4 are the default LAN ports; ether5 and sfp1 were added manually.
# NOTE(review): ether5 is also given its own IP address below (/ip address),
# which conflicts with it being a bridge member — see the note there.
add bridge="bridge - LAN" comment=defconf ingress-filtering=no interface=ether2
add bridge="bridge - LAN" comment=defconf ingress-filtering=no interface=ether3
add bridge="bridge - LAN" comment=defconf ingress-filtering=no interface=ether4
add bridge="bridge - LAN" interface=ether5
add bridge="bridge - LAN" interface=sfp1

/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP/CDP) runs only on LAN-list interfaces, not WAN.
set discover-interface-list=LAN

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
# IPv6 fully disabled, as stated in the post.
set disable-ipv6=yes max-neighbor-entries=8192

/interface ethernet switch vlan
# Switch-chip VLAN table entry for VLAN 99 with ether5 as its only member.
# NOTE(review): together with the switch-port line above, this is the "two
# lines" for vlan99 — both are hardware (switch-chip) settings. There is no
# /interface vlan entry for 99 on the bridge (only vlan100 exists), so the
# 192.168.99.0/24 subnet relies on the plain /ip address on ether5 instead of
# a layer-3 VLAN interface.
add independent-learning=yes ports=ether5 switch=switch1 vlan-id=99

/interface list member
# Everything on the bridge is LAN; only the tagged vlan100 is WAN. Untagged
# ether1 is in neither list (its WAN entry is disabled): traffic arriving
# untagged on ether1 is dropped by the input rule "drop all not coming from
# LAN", but the forward-chain WAN drop matches on the WAN list only, so it does
# not cover untagged ether1. In practice the ISP link is tagged; enabling the
# ether1 WAN entry would close that gap.
add comment=defconf interface="bridge - LAN" list=LAN
add comment=defconf interface=vlan100 list=WAN
add disabled=yes interface=ether1 list=WAN

/interface ovpn-server server
# Allowed OpenVPN auth digests include MD5. No enabled=yes appears in this
# export, so the server is presumably still disabled; if it is ever turned on,
# remove md5 from this list first.
set auth=sha1,md5

/ip address
# LAN gateway on the bridge.
add address=192.168.1.254/24 comment=defconf interface="bridge - LAN" network=192.168.1.0
# Camera/NVR subnet assigned directly to ether5. NOTE(review): ether5 is a
# member port of "bridge - LAN" (see /interface bridge port), and RouterOS does
# not use addresses assigned to a bridge member port — check "/ip address
# print" for an "I" (invalid) flag on this entry. If it is invalid, the port
# forwards to 192.168.99.253 below cannot be routed through it. Either remove
# ether5 from the bridge or move this subnet to a VLAN interface on the
# bridge, as the reply below suggests.
add address=192.168.99.254/24 interface=ether5 network=192.168.99.0

/ip dhcp-client
# ISP DHCP on the tagged WAN VLAN, sending option 60 plus hostname/clientid.
add comment=defconf dhcp-options=vendor-class-identifier-BYGTELIAD,hostname,clientid interface=vlan100
# Leftover default client on untagged ether1, disabled.
add disabled=yes interface=ether1

/ip dhcp-server network
# Clients are handed 9.9.9.9 directly as their DNS server, so they bypass the
# router's own resolver (allow-remote-requests below); the router.lan static
# entry will not resolve for them unless they query the router.
add address=192.168.1.0/24 comment=defconf dns-server=9.9.9.9 gateway=192.168.1.254 netmask=24

/ip dns
# The router answers DNS queries from clients. Exposure of this resolver to the
# Internet is prevented only by the input-chain "drop all not coming from LAN"
# rule below — keep that rule in place.
set allow-remote-requests=yes

/ip dns static
# NOTE(review): router.lan points to 192.168.1.222, but the router's LAN
# address is 192.168.1.254 — this looks like a stale default entry; update or
# remove it.
add address=192.168.1.222 comment=defconf name=router.lan

/ip firewall filter
# Input chain (traffic to the router itself). Order matters: established /
# related / untracked first, then drop invalid, then ICMP is accepted from any
# interface (default config, includes WAN), then a default deny for anything
# not from the LAN list. That last rule is what keeps DNS, Winbox, SSH, etc.
# off the Internet; keep it last in the input chain.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain (traffic through the router). Fasttrack lets established /
# related flows bypass the rest of the filter (hw-offload=yes requested),
# which is what keeps throughput high on this box. The final rule drops new
# connections from the WAN list unless a dst-nat rule matched them, so the
# port forwards below are the only inbound path from the Internet.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
# Source NAT for everything leaving via the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Port forwards to the NVR at 192.168.99.253. Each rule is pinned to the public
# IP 176.131.191.215; the post says the ISP always returns the same address,
# but if it ever changes these rules silently stop matching — the reply below
# recommends matching on in-interface-list=WAN instead when the IP is dynamic.
# These rules expose the NVR's ports 80 (plain HTTP), 443, 554 (typically
# RTSP), 1935 (typically RTMP), 8000 and 9000 to any source on the Internet,
# with no src-address restriction; the NVR's own authentication is the only
# protection. Restricting src-address to known networks, or reaching the NVR
# over a VPN instead, reduces that exposure.
add action=dst-nat chain=dstnat dst-address=176.131.191.215 dst-port=9000 protocol=tcp to-addresses=192.168.99.253
add action=dst-nat chain=dstnat dst-address=176.131.191.215 dst-port=80 protocol=tcp to-addresses=192.168.99.253
add action=dst-nat chain=dstnat dst-address=176.131.191.215 dst-port=443 protocol=tcp to-addresses=192.168.99.253
add action=dst-nat chain=dstnat dst-address=176.131.191.215 dst-port=554 protocol=tcp to-addresses=192.168.99.253
add action=dst-nat chain=dstnat dst-address=176.131.191.215 dst-port=1935 protocol=tcp to-addresses=192.168.99.253
add action=dst-nat chain=dstnat dst-address=176.131.191.215 dst-port=8000 protocol=tcp to-addresses=192.168.99.253

/routing bfd configuration
# Default BFD entry; nothing uses it without a routing protocol configured.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

/system clock
set time-zone-name=Europe/Paris

/system note
set show-at-login=no

/tool mac-server
# MAC-telnet and MAC-Winbox answer on every LAN-list interface. These are
# layer-2 management paths that bypass IP-level controls; the reply below
# recommends setting both to none.
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool sniffer
# Packet sniffer configured against the WAN VLAN with an output file —
# presumably a debugging leftover (it captures only while explicitly running).
# Clearing the file name avoids WAN traffic being written to storage by
# accident.
set file-name=sniffe.txt filter-interface=vlan100

Awesome first post: great diagram, full config and a sense of the requirements.
I would recommend reading this article → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Create one bridge and assign all VLANs to the bridge interface (the exception is the single VLAN for WAN, which is attached to the ethernet port interface).
Use VLANs for all your subnets: home LAN, NVR, etc.
The new AP is a smart AP, so you can send it VLANs via a trunk port.

Consider a separate management VLAN if your home VLAN is not trusted.
If it is trusted, no need for an extra vlan.
All the smart devices should get an IP address on the trusted subnet, including the Linksys AP.

I won’t comment on the config until you add the VLANs you will need, as the requirements will be different.

I will state that your port forwarding rules are not correct. You need to specify
either in-interface-list=WAN if the IP you get is dynamic, or, if the IP is static, dst-address=wanip address.

Also, mac-server by itself is not a secure access method and thus should be set to none instead of LAN.

Ok your link seems very interesting, I’ll start there :slight_smile:

Thx for your advice!