First time user - Diving into the deep end

It’s time to start configuring my first MT device (hAP ax2) to replace the USG. My setup at home is a bit more than your standard single LAN, so it’s going to take some trial, error and a lot of being pointed in the right direction. I’m keen to learn as I do this, so there will be a lot of questions or explanations that I’ll come begging for.

What I am trying to set up:

  1. MikroTik hAP AX2 replacement of my USG
  2. Keep the existing Unifi routers and APs (4 x US 8 60W switches, 1 x US24 250W switch, 2 x U6 Lite APs, 2 x UAP AC LR APs) and control them via the existing Unifi self-hosted controller (I have set up a new site in the controller in the belief this makes the most sense)
  3. 2 x 1 Gb WAN connections. Primary WAN default for the setup, secondary WAN servicing just one VLAN
  4. 1 x LAN & 6 x VLANs
     • Mgmt server, routers, switches
     • VLAN10 Adults
     • VLAN20 Kids
     • VLAN30 IoT, Devices
     • VLAN40 Docker Containers (all on one server, separate nic)
     • VLAN50 WFH-Direct to WAN 2
     • VLAN99 Guest
  5. Control of the VLANs to specific switch ports via the Unifi controller
  6. VLAN10, 20, 30 & 99 as SSIDs on 2 routers
  7. VLAN10, 30, 50 & 99 as SSIDs on 2 routers
  8. hAP AX2 as DHCP for entire network
  9. 2 x Pihole DNS for entire network

That’s pretty much it I think, for now. One question is whether I should move the DHCP to the PiHoles, but I’m not sure they handle VLANs that well.

I’ll also be configuring a new site in the Unifi Controller and intend to move switches/APs to the new site when I have set up the VLANs and routing etc. the way I want them. My (maybe mistaken) belief is that this would be the easiest way to migrate slowly with no downtime.

At this point, if anyone has any concerns about what I am trying to do, or thinks I am over-complicating things, let me know, as I have no issues with moving to a new way of setup/doing things rather than just migrating what I have now.

First question I have:

To set up 2 x WAN circuits, which I intend to plug into port 1 and 2 (does RouterOS not start with ether0?), what do I need to do? The Quick Set has created 1 WAN connection and 1 bridge with all the ethernet ports on that bridge (I think). Ideally I want to have WAN1 in on Port 1, WAN2 in on Port 2, with Port 3 carrying everything to my network. Due to physical constraints, only Port 3 will plug into one of the switches, as there is a single cable run from where the router is to where my kit is.

My confusion here is whether I use the same bridge or a different bridge (coming from Unifi, the concept of setting up multiple bridges in a router is alien). As the next step will be to create the VLANs, I will also want the VLANs to be available on Port 3, but do I also need to bind them to the WAN ports?

Well, if you are willing to learn, then I can recommend this topic to you: https://forum.mikrotik.com/viewtopic.php?t=182373

It has pretty much everything you need. Read it, learn something, try on your own, and of course if you get stuck you can always ask for help on the forum. :smiley: :smiley:

Don’t use multiple bridges; one is enough. I recommend removing one port from the bridge, assigning it an IP address and adding that port to the LAN interface list so you have a mgmt port. In that case you will not lock yourself out of the router if you misconfigure something.

Thanks, I’ll have a read. Family comes back in 8 days, so everything needs to be working by then. I see sleepless nights in my near future. I’m more of an experimental learner than a visual learner.

You have plenty of time then, maybe even for relaxing :smiley:

Ha. If I get it working with time to spare, I’ll be rewiring the house so that I can run straight from the hap ax to the 24 port switch, instead of needing an 8port switch in between the two.

Yesterday was Day 1. Only had to reset the MT 5 times to get back into it. Not a bad first effort.

Starting the day with another reset, but I won’t count this one as one of today’s resets.

So I presume you didn’t create an off-bridge port for configuration?

I tried that a couple of times, but somehow I managed to blow it up when it came to firewall rules time. It’s again the first thing I have set up this morning. It’s not working perfectly, as the only way I can connect is via MAC address and not IP, but I’ll leave it as it is for now.

Can you export your configuration here? To bring a port off the bridge you don’t need to mess with the firewall rules.

Here it is. ether5 seems to give me access, but only with a MAC connection. Same for the wlan I set up called wifi-access. While I can still reach Winbox via MAC address, I can’t use PuTTY to run an SSH session.

Anyway, after Day 2 I am no closer to reaching where I want to reach. One more day like this and it might be time to find someone locally who’ll set it up as I want, for a fee.
rad20231016.rsc (8.84 KB)

I can see that you don’t have VLAN filtering enabled on your bridge. If you have problems with VLANs, that could be one of the reasons why.

I recreated the VLANs and trunk today and will move the router to a place where I can plug a WAN cable in soon. Before I do that, I’m having trouble with the following:

In summary the setup is:
wan1 & wan2 - I think I need to add DHCP clients to them
ether3 - Trunk Port carrying the VLANs (VL00, VL10, VL20, VL30)
ether4 - for testing, this was meant to be a VL10 port
ether5-access - get out of jail free port
I changed the routers default subnet of 192.168.88.0/24 to 10.0.0.0/24.

  • Must that remain a subnet or can I flip it to a VLAN? If so, VL00 is hoping to do that.

What doesn’t work at the moment is DHCP on the following:
wifi-access - No DHCP, static IP works
wifi1 & wifi2 - No DHCP
wifi-vl105 & wifi-vl102 - No DHCP
ether4 - no DHCP

Any help there would be handy. I’m hoping at some stage to have different SSIDs for each VLAN served from this router. If I can get wifi-vl10x working, I can manage the rest.

Export of config attached
20231016-02.rsc (10 KB)

Are you using two bridges? From your configuration it seems so.

I will put your configuration here so anybody can see it and maybe help you quicker.

# 1970-01-03 01:33:05 by RouterOS 7.11
# software id = U2BP-38L2
#
# model = C52iG-5HaxD2HaxD
# serial number = ***********
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
add admin-mac=48:A9:8A:9D:25:5B auto-mac=no name=bridge pvid=10 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment=\
    "trunk port, carries VL00, VL10, VL20, and VL30 (TRUNK)"
set [ find default-name=ether4 ] comment="Trying to get VL10 here"
set [ find default-name=ether5 ] comment="MGMT Access Port" name=ether5-mgmt
set [ find default-name=ether1 ] comment="WAN Port" name=wan1
set [ find default-name=ether2 ] comment="WAN Port" name=wan2
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=rad disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=rad disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=BR1 name=VL00 vlan-id=100
add interface=BR1 name=VL10 vlan-id=10
add interface=BR1 name=VL20 vlan-id=20
add interface=BR1 name=VL30 vlan-id=30
/interface wifiwave2
add comment=VL10 configuration.mode=ap .ssid=rad10 datapath.vlan-id=10 \
    disabled=no mac-address=4A:A9:8A:9D:25:60 master-interface=wifi2 name=\
    wifi-vl102 security.authentication-types=wpa2-psk,wpa3-psk
add comment=VL10 configuration.mode=ap .ssid=rad10 datapath.vlan-id=10 \
    disabled=no mac-address=4A:A9:8A:9D:25:60 master-interface=wifi1 name=\
    wifi-vl105 security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ACCESS
add name=VLAN
/interface wifiwave2
add comment="ACCESS - No DHCP" configuration.hide-ssid=no .mode=ap .ssid=\
    radaccess datapath.interface-list=ACCESS disabled=no mac-address=\
    4A:A9:8A:9D:25:5F master-interface=wifi1 name=wifi-mgmt \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=ACCESS-POOL ranges=10.10.10.101-10.10.10.254
add name=VL10_POOL ranges=10.0.10.101-10.0.10.254
add name=VL20_POOL ranges=10.0.20.101-10.0.20.254
add name=VL30_POOL ranges=10.0.30.101-10.0.30.254
/ip dhcp-server
add address-pool=VL10_POOL interface=bridge lease-time=10m name=defconf
add address-pool=ACCESS-POOL interface=ether5-mgmt name=ACCESS-DHCP
add address-pool=VL10_POOL interface=VL10 name=VL10_DHCP
add address-pool=VL20_POOL interface=VL20 name=VL20_DHCP
add address-pool=VL30_POOL interface=VL30 name=VL30_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=ACCESS
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3 vlan-ids=10,30,40,100
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether5-mgmt list=ACCESS
add interface=wifi-mgmt list=ACCESS
add interface=wifi1 list=ACCESS
add interface=wifi2 list=ACCESS
add interface=wan1 list=WAN
add interface=wan2 list=WAN
add interface=VL00 list=VLAN
add interface=VL10 list=VLAN
add interface=VL20 list=VLAN
add interface=VL30 list=VLAN
add interface=VL00 list=ACCESS
add interface=wifi-vl102 list=LAN
add interface=wifi-vl105 list=LAN
add interface=VL10 list=LAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=10.10.10.1/24 interface=ether5-mgmt network=10.10.10.0
add address=10.0.99.1/24 interface=bridge network=10.0.99.0
add address=10.0.0.1/24 interface=VL00 network=10.0.0.0
add address=10.0.10.1/24 interface=VL10 network=10.0.10.0
add address=10.0.20.1/24 interface=VL20 network=10.0.20.0
add address=10.0.30.1/24 interface=VL30 network=10.0.30.0
/ip dhcp-client
add interface=wan1 use-peer-dns=no use-peer-ntp=no
add interface=wan2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment=Drop
add action=drop chain=forward comment=Drop
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow ether5-access Full Access" \
    in-interface=ether5-mgmt
add action=accept chain=input comment="Allow wifi-mgmt Full Access" \
    in-interface=wifi-mgmt
add action=accept chain=input comment="Allow VL00 Full Access" in-interface=\
    VL00
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=radhAPAX2
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=ACCESS
/tool mac-server mac-winbox
set allowed-interface-list=ACCESS

Thanks. There were two bridges. Now back to one as it should be.

The goal is for the trunk to be on ether3, and I am now trying to get vlan10 with wifi-vl102 & wifi-vl105 working. When I plug a cable into ether3 or connect to the SSIDs, I don’t get an IP address from the DHCP server for VLAN10. Any idea where I should start looking to find what’s wrong?

# 1970-01-03 18:09:27 by RouterOS 7.11
# software id = U2BP-38L2
#
# model = C52iG-5HaxD2HaxD
# serial number = ***********
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment=\
    "trunk port, carries VL00, VL10, VL20, and VL30 (TRUNK)"
set [ find default-name=ether4 ] comment="Trying to get VL10 here"
set [ find default-name=ether5 ] comment="MGMT Access Port" name=ether5-mgmt
set [ find default-name=ether1 ] comment="WAN Port" name=wan1
set [ find default-name=ether2 ] comment="WAN Port" name=wan2
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=rad \
    datapath.vlan-id=100 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=rad \
    datapath.vlan-id=100 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
/interface vlan
add interface=BR1 name=VL00 vlan-id=100
add interface=BR1 name=VL10 vlan-id=10
add interface=BR1 name=VL20 vlan-id=20
add interface=BR1 name=VL30 vlan-id=30
/interface wifiwave2
add comment=VL10 configuration.mode=ap .ssid=rad10 datapath.vlan-id=10 \
    disabled=no mac-address=4A:A9:8A:9D:25:60 master-interface=wifi2 name=\
    wifi-vl102 security.authentication-types=wpa2-psk,wpa3-psk
add comment=VL10 configuration.mode=ap .ssid=rad10 datapath.vlan-id=10 \
    disabled=no mac-address=4A:A9:8A:9D:25:60 master-interface=wifi1 name=\
    wifi-vl105 security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ACCESS
add name=VLAN
/interface wifiwave2
add comment="ACCESS - No DHCP" configuration.hide-ssid=no .mode=ap .ssid=\
    radaccess datapath.interface-list=ACCESS disabled=no mac-address=\
    4A:A9:8A:9D:25:5F master-interface=wifi1 name=wifi-mgmt \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=ACCESS-POOL ranges=10.10.10.101-10.10.10.254
add name=VL00_POOL ranges=10.0.0.101-10.0.0.254
add name=VL10_POOL ranges=10.0.10.101-10.0.10.254
add name=VL20_POOL ranges=10.0.20.101-10.0.20.254
add name=VL30_POOL ranges=10.0.30.101-10.0.30.254
/ip dhcp-server
add address-pool=ACCESS-POOL interface=ether5-mgmt name=ACCESS-DHCP
add address-pool=VL00_POOL interface=VL00 name=VL00_DHCP
add address-pool=VL10_POOL interface=VL10 name=VL10_DHCP
add address-pool=VL20_POOL interface=VL20 name=VL20_DHCP
add address-pool=VL30_POOL interface=VL30 name=VL30_DHCP
/interface bridge port
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=wifi2 pvid=100
add bridge=BR1 interface=wifi1 pvid=100
add bridge=BR1 interface=ether3 pvid=100
add bridge=BR1 interface=wifi-vl102 pvid=10
add bridge=BR1 interface=wifi-vl105 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=ACCESS
/interface bridge vlan
add bridge=BR1 tagged=ether4 vlan-ids=10
add bridge=BR1 tagged=ether3 vlan-ids=10
add bridge=BR1 tagged=ether3 vlan-ids=20
add bridge=BR1 tagged=ether3 vlan-ids=30
add bridge=BR1 tagged=BR1,ether3 vlan-ids=100
/interface list member
add interface=ether5-mgmt list=ACCESS
add interface=wifi-mgmt list=ACCESS
add interface=wifi1 list=ACCESS
add interface=wifi2 list=ACCESS
add interface=wan1 list=WAN
add interface=wan2 list=WAN
add interface=VL00 list=VLAN
add interface=VL10 list=VLAN
add interface=VL20 list=VLAN
add interface=VL30 list=VLAN
add interface=VL00 list=ACCESS
add interface=wifi-vl102 list=LAN
add interface=wifi-vl105 list=LAN
add interface=VL10 list=LAN
/ip address
add address=10.10.10.1/24 interface=ether5-mgmt network=10.10.10.0
add address=10.0.0.1/24 interface=VL00 network=10.0.0.0
add address=10.0.10.1/24 interface=VL10 network=10.0.10.0
add address=10.0.20.1/24 interface=VL20 network=10.0.20.0
add address=10.0.30.1/24 interface=VL30 network=10.0.30.0
/ip dhcp-client
add interface=wan1 use-peer-dns=no use-peer-ntp=no
add interface=wan2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment=Drop
add action=drop chain=forward comment=Drop
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow ether5-access Full Access" \
    in-interface=ether5-mgmt
add action=accept chain=input comment="Allow wifi-mgmt Full Access" \
    in-interface=wifi-mgmt
add action=accept chain=input comment="Allow VL00 Full Access" in-interface=\
    VL00
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=radhAPAX2
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=ACCESS
/tool mac-server mac-winbox
set allowed-interface-list=ACCESS

20231017-01.rsc (9.92 KB)

Did you tag your bridge on all VLANs? I can see only VL100 tagged on ether3 and the bridge.

Thanks. Sorted out the trunk, and it also helped me work out why ether4 wasn’t handing out an IP address for VL10.

So now everything is working?

My access port, ether4, and the wifi SSIDs all work. DHCP etc.

Tomorrow when the family is out I’ll plug a wan circuit in and see what blows up.

They arrived earlier than… :laughing: :laughing:

Well, if you are using the default config for WAN there shouldn’t be any problems.

Yeah, so much for my week off.

Just a plain DHCP connection for the WAN. If I get Internet on the access port then it’s party time when I plug the trunk into my existing Unifi-controlled network and see if I can access the VLANs on the existing switches. I’ve set up the VLAN IDs on the Unifi controller, so we’ll see how it goes.