I’m pretty new here and I only have some experience with Cisco devices.
But I was planning to build a home network with the following router: CCR1009-7G-1C.
My plan goes as follows:
My router (CCR1009) gets a DHCP IP from my ISP and I would like to source NAT these 2 SVIs, both with their own subnets, let's say:
Then I would like these 2 SVIs configured with DHCP servers so I have 2 completely separated networks.
Then I would like to configure 1 port as a trunk with both VLANs 1 and 10 to my access point, so I can make 2 separated SSIDs.
All other ports I would like to configure as switch ports so I can use them all for VLAN 1.
What are the best practices I can use? I have tried several configs but I can’t get a DHCP request to my test device.
I also have the same model and will assist where I can.
I have approximately 12 VLANs, one of which is a management/home/trusted VLAN.
I use bridge VLAN filtering to a mix of managed (MT, DLINK, Netgear etc.), unmanaged switches, and VLAN-aware access points (MT and TPLINK).
First thing is DON'T USE vlan1; it's the default VLAN that works in the background and is the default of VLAN1…
So use VLAN101 instead, for example.
Thank you for your reply; I think I figured it out.
You were right about the vlan1, so I changed it to 10 and 20.
See my config:
/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] name=WAN
set [ find default-name=ether7 ] name=ether7_Management
/interface vlan
add comment=LAN interface=bridge-LAN name=vlan10 vlan-id=10
add comment=DMZ interface=bridge-LAN name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.11-192.168.1.200
add name=dhcp_pool1 ranges=192.168.2.11-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=10h name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20 lease-time=10h name=dhcp2
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=10
/ip address
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0
/ip dhcp-client
add interface=WAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge-LAN log=yes log-prefix=!public_from_LAN out-interface=!bridge-LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.2.0/24
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=allowed_to_router1 src-address-list=allowed_to_router1
add action=accept chain=input comment=allowed_to_router2 src-address-list=allowed_to_router2
add action=accept chain=input protocol=icmp
# the final drop must be the last input rule; an accept placed below it is never reached
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip route
add distance=1 gateway=WAN pref-src=192.168.2.1
add distance=1 gateway=WAN pref-src=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=8192 strong-crypto=yes
Everything seems to work DHCP-wise; I have to test if my Ubiquiti AP will work with 2 VLANs.
I’m still waiting for my provider to deliver my modem, so until then I need to wait with testing the AP.
Do you have any other recommendations for my config?
Q1: What about the other interfaces? Hard to know what they are intended for without a diagram or definition…
/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] name=WAN
set [ find default-name=ether7 ] name=ether7_Management
Q2. Typically I don't use ingress filtering on untagged access ports, but I guess there is no harm and probably better security; just not sure. So what I gather is that only ether port 1 is a trunk port headed for a smart device that can read VLAN tags, and the rest are going to ‘dumb devices’.
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
Q3. Why none? It's best to use your management VLAN here to ensure the device is discoverable by WinBox, for example.
/ip neighbor discovery-settings
set discover-interface-list=none
Q4. I prefer to state the untagged ports (2,3,4,5,6) for vlan-id=10, just so I can understand the config, but not necessary… what you have is fine.
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether1 untagged=??? vlan-ids=10
The rest is commentary on your firewall rules. I am a minimalist and thus consider what you have slightly bloated.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge-LAN log=yes log-prefix=!public_from_LAN out-interface=!bridge-LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.2.0/24
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=allowed_to_router1 src-address-list=allowed_to_router1
add action=accept chain=input comment=allowed_to_router2 src-address-list=allowed_to_router2
add action=accept chain=input protocol=icmp
# the final drop must be the last input rule; an accept placed below it is never reached
add action=drop chain=input
Here is what I would shorten it to!!
/ip firewall address-list
add address=adminlaptop list=adminaccess
add address=admindesktop list=adminaccess
add address=adminipad list=adminaccess
Note: these two rules have good intent but are best accomplished by interfaces. I use firewall address lists for sub-selections of interfaces or single IPs across subnets etc… Not bad what you do here, but I prefer interfaces for entire subnets!! Further, and to the point, the entire set of LAN users, trusted or otherwise, DO NOT and should not need FULL access to the router. Only the specific services required should be permitted.
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
ALSO it drives me bonkers when people mix the input chain (to the router) and the forward chain (through the router) in the config. You are THE FIRST ever to put the forward chain in order in front of the input chain. SO THANK YOU; at least they are not mixed up, and which comes first really doesn't matter.
The rules with no change are included in small italics.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment=“Established, Related” connection-state=established,related
add action=drop chain=forward comment=“Drop invalid” connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN [assumes all LAN users need internet access]
**** add any other allow rules required, admin to DMZ VLAN for example, or perhaps DMZ folks need access to a shared printer on the regular VLAN ****
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=WAN [becomes an optional rule you can disable until you need port forwarding]
add action=drop chain=forward comment="drop all else" (one simple rule to drop all other not allowed/defined traffic above)
First of all, I want to thank you for the very thorough answer.
I finally got the new modem set in bridge mode and connected to my MT.
Plus the VLAN tagging seems to work for my trunk port.
I have to admit I’m not fully understanding the firewall side, so I used this page and tried to translate it to my network: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#IPv4_firewall_to_a_router
So the 3 main goals are: VLAN 10 can access 20 but 20 can’t access 10.
Both VLANs can access the internet.
Secure my environment from the outside; that’s why I tried the website above and used the bogons block list.
The only thing you have to do to the above config I laid out is
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
I added it in pink…
Keep it simple; avoid all the bloat from those links…
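As an added example (not part of the thread and not anyone's posted config), the script below simulates the shortened forward chain proposed in the reply above and checks it against the three goals stated afterwards: VLAN 10 can reach VLAN 20, VLAN 20 cannot open connections to VLAN 10, and both VLANs reach the internet. The rules reference LAN and WAN interface lists that the thread never defines, so their membership, the interface names and the test flows are constructed for this example. It models the two RouterOS behaviours that make the one-directional rule work: first-match evaluation with accept/drop as terminal actions, and fasttrack-connection as a non-terminal action that only marks the connection, which is why the plain accept for established/related traffic still has to follow it.

```python
"""Simulate the trimmed forward chain from the thread (added example, not the
thread's own code). Interface lists and test flows are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed interface-list membership; the thread never defines these lists.
INTERFACE_LISTS: Dict[str, Set[str]] = {
    "LAN": {"vlan10", "vlan20"},
    "WAN": {"WAN"},
}


@dataclass(frozen=True)
class Packet:
    """One packet as the forward chain sees it after the routing decision."""
    in_iface: str
    out_iface: str
    conn_state: str       # new | established | related | invalid
    nat_state: str = ""   # "dstnat" once a dst-nat rule matched the connection


@dataclass
class Rule:
    action: str                                          # accept | drop | fasttrack-connection
    comment: str = ""
    conn_states: Set[str] = field(default_factory=set)   # empty set = any state
    in_iface: Optional[str] = None                       # "!name" negates, as in RouterOS
    out_iface: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    nat_state: Optional[str] = None                      # "dstnat" or "!dstnat"

    def matches(self, p: Packet) -> bool:
        return (
            (not self.conn_states or p.conn_state in self.conn_states)
            and _match(p.in_iface, self.in_iface)
            and _match(p.out_iface, self.out_iface)
            and _in_list(p.in_iface, self.in_list)
            and _in_list(p.out_iface, self.out_list)
            and _match(p.nat_state, self.nat_state)
        )


def _match(value: str, selector: Optional[str]) -> bool:
    """Exact match with RouterOS-style '!' negation; None means unconstrained."""
    if selector is None:
        return True
    if selector.startswith("!"):
        return value != selector[1:]
    return value == selector


def _in_list(iface: str, list_name: Optional[str]) -> bool:
    return list_name is None or iface in INTERFACE_LISTS.get(list_name, set())


# The reply's proposed forward chain, transcribed in order.
FORWARD: List[Rule] = [
    Rule("fasttrack-connection", "FastTrack", {"established", "related"}),
    Rule("accept", "Established, Related", {"established", "related"}),
    Rule("drop", "Drop invalid", {"invalid"}),
    Rule("accept", "LAN to internet", in_list="LAN", out_list="WAN"),
    Rule("accept", "vlan10 to vlan20", in_iface="vlan10", out_iface="vlan20"),
    Rule("accept", "allow port forwarding", {"new"}, in_iface="WAN", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the chain top-down; return (action, comment) of the first terminal rule.
    fasttrack-connection is non-terminal: it marks the connection and the packet
    keeps walking, so the accept for established/related must come after it."""
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.action == "fasttrack-connection":
            continue
        return rule.action, rule.comment
    return "accept", "chain default"   # RouterOS accepts when no rule matches


def check_goals() -> Dict[str, str]:
    """Verdicts for the flows the thread cares about (constructed test traffic)."""
    flows = {
        "vlan10->vlan20 new": Packet("vlan10", "vlan20", "new"),
        "vlan20->vlan10 new": Packet("vlan20", "vlan10", "new"),
        "vlan20->vlan10 reply": Packet("vlan20", "vlan10", "established"),
        "vlan10->WAN new": Packet("vlan10", "WAN", "new"),
        "vlan20->WAN new": Packet("vlan20", "WAN", "new"),
        "WAN->vlan10 new, no dstnat": Packet("WAN", "vlan10", "new"),
        "WAN->vlan20 new, dstnat": Packet("WAN", "vlan20", "new", "dstnat"),
        "vlan10->vlan20 invalid": Packet("vlan10", "vlan20", "invalid"),
    }
    return {name: evaluate(FORWARD, pkt)[0] for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_goals().items():
        print(f"{name:30} {verdict}")
```

The "vlan20->vlan10 reply" flow is the one worth noticing: replies from VLAN 20 to sessions opened from VLAN 10 are accepted by the established/related rule, so no reverse allow rule is needed, while a fresh connection from VLAN 20 falls through to "drop all else".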