First Mikrotik router

Sob · November 2, 2022, 4:28pm

@anav: “co-location datacenter” => static addresses are far more likely to occur than at your average home router

pinheiro · November 4, 2022, 12:58am

Hi All!

Everything worked like a charm! Just the firewall rules using VLAN interface list to give access to vlan didn’t work (Don’t know why). Then a used the network address and got access to the Internet.

This was the last configuration that I used.

Thanks again for all your help!

# nov/03/2022 14:50:01 by RouterOS 6.48.6
# software id = ZID6-L6JF
#
# model = RB3011UiAS
# serial number = **********
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=ether1 name=vlan3207 vlan-id=3207
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan200_pool ranges=10.0.200.2-10.0.200.254
/ip dhcp-server
add address-pool=vlan200_pool disabled=no interface=vlan200 name=dhcp_server
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether9 pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether10 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=3207
add bridge=bridge1 tagged=bridge1 untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=\
    200
/interface list member
add interface=vlan3207 list=WAN
add interface=ether1 list=WAN
add interface=bridge1 list=VLAN
/ip address
add address=10.0.200.1/24 interface=vlan200 network=10.0.200.0
add address=*.*.*.117/28 interface=vlan3207 network=*.*.*.112
/ip dhcp-server network
add address=10.0.200.0/24 dns-server=8.8.8.8 gateway=10.0.200.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow access from ec2 (odata-access)" \
    src-address=*.*.*.86
add action=accept chain=input comment="Allow VLAN" src-address=10.0.200.0/24
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow winbox from vlan" dst-port=8291 \
    protocol=tcp src-address=10.0.200.0/24
add action=drop chain=input comment=Drop log=yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new out-interface-list=WAN src-address=10.0.200.0/24
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=*.*.*.113
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=moray
/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8 \
    server-dns-names=8.8.8.8