If you have time, review my configuration

I’ve been a user of this forum for a long time and I don’t think I ever asked this. :open_mouth:
this is home user scenario

I setup every device on my network to use the dns / ntp server of the router
I control which group of device OR device have access to each other or the web
I don’t use fast track on the firewall yet since the router can handle everything so far without it

I have a feeling that even if it works, my VLAN setup is weirdly done? (tagged vs untagged)

I removed the static DHCP leases, the firewall address lists and the NTP servers that I use

the network diagram, the # at the end is the vlan
Network Diag.PNG

# One VLAN-aware bridge for all LAN ports. vlan-filtering=yes is what makes
# the /interface bridge vlan table and the port pvids below actually enforced.
/interface bridge
# protocol-mode=none disables (R)STP on the bridge, so a loop introduced
# behind ether5-dlink or ether8-ap would not be detected by this router.
add name=bridge_Vlan protocol-mode=none vlan-filtering=yes

/interface ethernet
# ISP uplink. mtu=1508 leaves room for the 8-byte PPPoE header so the PPP
# link can carry a 1500-byte MTU (RFC 4638) if the ISP side supports it.
set [ find default-name=ether1 ] l2mtu=1598 mtu=1508 name=ether1-wan poe-out=off
# LAN ports, named after the device plugged into each; every one of them
# becomes a bridge port with a pvid in /interface bridge port.
set [ find default-name=ether2 ] l2mtu=1598 name=ether2-pc poe-out=off
set [ find default-name=ether3 ] l2mtu=1598 name=ether3-minipc poe-out=off
set [ find default-name=ether4 ] l2mtu=1598 name=ether4-nas poe-out=off
set [ find default-name=ether5 ] l2mtu=1598 name=ether5-dlink poe-out=off
set [ find default-name=ether6 ] l2mtu=1598 name=ether6-work poe-out=off
set [ find default-name=ether7 ] l2mtu=1598 name=ether7-tv poe-out=off
# poe-out is left at its default here; presumably the AP is PoE-powered.
set [ find default-name=ether8 ] l2mtu=1598 name=ether8-ap
# Unused SFP+ cage kept administratively down so nothing plugged into it
# joins the network unnoticed.
set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1598

/interface vlan
# ISP-side VLAN 40 on the physical WAN port; the PPPoE client rides on it.
add interface=ether1-wan mtu=1508 name=vlan-ISP vlan-id=40
# Router-side (L3) interfaces for the bridge VLANs. Each gets a /24 in
# /ip address. Note the camera VLAN is tagged 400 but addressed as
# 192.168.40.0/24 - harmless, but easy to misread when tracing frames.
add interface=bridge_Vlan name=Vlan_primary vlan-id=10
add interface=bridge_Vlan name=Vlan_minipc vlan-id=20
add interface=bridge_Vlan name=Vlan_ubiquity vlan-id=30
add interface=bridge_Vlan name=Vlan_guest vlan-id=50
add interface=bridge_Vlan name=Vlan_dlink vlan-id=60
add interface=bridge_Vlan name=Vlan_camera vlan-id=400
# VLAN 1337 appears in no bridge port and no /interface bridge vlan entry;
# it exists only to give the router the 192.168.254.1 address that every
# DHCP scope hands out as DNS/NTP server. Presumably reachable from the
# other VLANs purely via routing to a local address (input chain), which
# is why it never needs to be a bridge VLAN member - confirm.
add interface=bridge_Vlan name=Vlan_dummy vlan-id=1337 comment="Used for NTP and DNS query - internal"

/interface list
# Interface list matched by the input rule that lets clients reach the
# dummy DNS/NTP address. Members are assigned under /interface list member;
# Vlan_dummy itself is deliberately not a member (it is only a destination).
add name=vlan

/ip kid-control
# A kid-control entry with every day set to 0s-1d (whole day). Nothing else
# in this listing references it and no device is attached to it here -
# NOTE(review): confirm it is still needed, otherwise remove it to keep the
# exported config minimal.
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d

/ip pool
# Only the guest VLAN gets a dynamic pool.
add name=Pool_Guest ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
# Short lease on the guest network so departed devices free their address.
add address-pool=Pool_Guest interface=Vlan_guest lease-time=31m name=DHCP_Guest
# No address-pool on these two servers: the author removed the static
# leases from the paste, so presumably they only serve static leases and
# an unknown device on those VLANs gets no address at all - confirm.
add interface=Vlan_minipc lease-time=41m name=DHCP_Minipc
add interface=Vlan_primary lease-time=43m name=DHCP_Primary
# Camera, dlink and ubiquity VLANs have no DHCP server here; presumably
# static addressing on those devices.

/ppp profile
set *0 use-upnp=no
# The on-up/on-down scripts maintain the 'external-ip' address list from the
# PPP local-address; the output-chain NTP/DNS rules only match packets whose
# source is in that list, so the router's own lookups depend on these
# scripts running. change-tcp-mss=yes clamps MSS for the PPPoE link.
add change-tcp-mss=yes name=pppoe-profile on-down="/ip firewall address-list remove [find list=external-ip]\r\
    \n" on-up="/ip firewall address-list remove [find list=external-ip] \r\
    \n/ip firewall address-list add list=external-ip address=\$\"local-address\"" use-upnp=no
/interface pppoe-client
# NOTE(review): profile=pppoe-profile-ISP does not match the profile defined
# above (name=pppoe-profile). If this is not just an editing artefact of the
# paste, the client is using a profile without the on-up script, external-ip
# stays empty and the output chain silently drops the router's NTP/DNS.
# use-peer-dns=yes makes the ISP resolvers the router's upstreams; those
# addresses presumably have to be in the 'DNS' address list used by the
# output chain (list not shown here) or the lookups are dropped - confirm.
add add-default-route=yes disabled=no interface=vlan-ISP name=pppoe-ISP profile=pppoe-profile-ISP use-peer-dns=yes

/queue type
# fq-codel on the physical WAN port to keep latency down under upload load.
add kind=fq-codel name=ethernet-ISP
/queue interface
# Applied to ether1-wan (the physical port), not to the pppoe-ISP interface.
set ether1-wan queue=ethernet-ISP

/snmp community
# Default 'public' community disabled; SNMP itself is not enabled anywhere
# in this listing.
set [ find default=yes ] disabled=yes

/interface bridge port
# pvid assigns untagged ingress frames on a port to that VLAN.
#
# NOTE(review): ingress-filtering=no on every port means a tagged frame
# arriving on a port is NOT checked against the port's membership in the
# bridge VLAN table. A host on an access port such as ether6-work (pvid 50,
# the guest VLAN) could send frames tagged with VLAN 10 and have them
# forwarded into the primary VLAN. Mitigation: on the access ports
# (ether2, ether3, ether6, ether7) set ingress-filtering=yes together with
# frame-types=admit-only-untagged-and-priority-tagged; on the trunks
# (ether4-nas, ether5-dlink, ether8-ap) set ingress-filtering=yes so only
# VLANs listed for that port in /interface bridge vlan are accepted.
add bridge=bridge_Vlan ingress-filtering=no interface=ether2-pc pvid=10
add bridge=bridge_Vlan ingress-filtering=no interface=ether3-minipc pvid=20
# pvid=70: there is a VLAN 70 entry in the bridge VLAN table but no
# /interface vlan or /ip address for it, so untagged traffic from the NAS
# port lands in a VLAN the router does not route. Presumably a deliberate
# "parking" VLAN so the NAS is only reachable via its tagged VLANs - confirm.
add bridge=bridge_Vlan ingress-filtering=no interface=ether4-nas pvid=70
add bridge=bridge_Vlan ingress-filtering=no interface=ether5-dlink pvid=60
# The "work" port is untagged into the guest VLAN (50).
add bridge=bridge_Vlan ingress-filtering=no interface=ether6-work pvid=50
# TV shares the primary VLAN (10) with the PC port.
add bridge=bridge_Vlan ingress-filtering=no interface=ether7-tv pvid=10
add bridge=bridge_Vlan ingress-filtering=no interface=ether8-ap pvid=30

/ip firewall connection tracking
# Do not pick up TCP flows mid-stream; a connection must be seen from its
# SYN to become 'established', otherwise it is 'invalid' and dropped.
set loose-tcp-tracking=no
/ip neighbor discovery-settings
# No MNDP/CDP/LLDP announcements on any interface.
set discover-interface-list=none
/ip settings
# Strict reverse-path filtering: a packet is dropped unless the route back
# to its source goes out the interface it arrived on. Together with the raw
# rfc1918 drop this is what stops spoofed private sources from the WAN from
# matching the address-list based accepts in the filter chains.
set rp-filter=strict
/ipv6 settings
# IPv6 fully disabled; the /ipv6 firewall rules below are belt and braces.
set disable-ipv6=yes

/interface bridge vlan
# bridge_Vlan is a tagged member of every VLAN so the router's own Vlan_*
# interfaces receive the traffic. ether4-nas / ether5-dlink / ether8-ap are
# trunks carrying several tagged VLANs.
#
# NOTE(review): untagged membership is only listed explicitly for VLAN 10
# (ether2-pc) and VLAN 60 (ether5-dlink). The other access ports
# (ether3 pvid 20, ether6 pvid 50, ether7 pvid 10, ether8 pvid 30,
# ether4 pvid 70) rely on RouterOS adding a dynamic untagged entry from the
# pvid. Either approach works, but mixing them is what makes the table
# look "weird"; verify with `/interface bridge vlan print` (dynamic rows
# carry the D flag) and pick one style for every port.
add bridge=bridge_Vlan tagged=bridge_Vlan,ether8-ap,ether4-nas untagged=ether2-pc vlan-ids=10
# minipc VLAN also delivered tagged to the dlink switch and the NAS.
add bridge=bridge_Vlan tagged=bridge_Vlan,ether5-dlink,ether4-nas vlan-ids=20
# ubiquity VLAN: AP management untagged via pvid 30, controller reached
# tagged on the NAS port (Unifi jail per the author's description).
add bridge=bridge_Vlan tagged=bridge_Vlan,ether4-nas vlan-ids=30
# Cameras hang off the dlink switch, tagged 400.
add bridge=bridge_Vlan tagged=bridge_Vlan,ether5-dlink vlan-ids=400
# Guest VLAN: tagged to the AP (guest SSID) and untagged on ether6-work.
add bridge=bridge_Vlan tagged=bridge_Vlan,ether8-ap vlan-ids=50
add bridge=bridge_Vlan tagged=bridge_Vlan untagged=ether5-dlink vlan-ids=60
# VLAN 70 has no L3 interface on the router; see the pvid comment on ether4-nas.
add bridge=bridge_Vlan tagged=bridge_Vlan,ether4-nas vlan-ids=70


/interface list member
# All client-facing VLAN interfaces; used by the input rule that allows
# DNS/NTP towards the dummy address. Vlan_dummy is intentionally absent.
add interface=Vlan_camera list=vlan
add interface=Vlan_dlink list=vlan
add interface=Vlan_guest list=vlan
add interface=Vlan_minipc list=vlan
add interface=Vlan_primary list=vlan
add interface=Vlan_ubiquity list=vlan

/ip address
# One /24 per VLAN, router at .1. Third octet matches the VLAN id except
# for the camera VLAN (id 400, subnet 192.168.40.0/24).
add address=192.168.10.1/24 interface=Vlan_primary network=192.168.10.0
add address=192.168.20.1/24 interface=Vlan_minipc network=192.168.20.0
add address=192.168.30.1/24 interface=Vlan_ubiquity network=192.168.30.0
add address=192.168.40.1/24 interface=Vlan_camera network=192.168.40.0
add address=192.168.50.1/24 interface=Vlan_guest network=192.168.50.0
add address=192.168.60.1/24 interface=Vlan_dlink network=192.168.60.0
# The address every DHCP scope advertises as DNS and NTP server. Nothing
# else lives in 192.168.254.0/24; a /32 would be enough but is not required.
add address=192.168.254.1/24 interface=Vlan_dummy network=192.168.254.0 comment="Used for NTP and DNS query - internal"

/ip cloud
# Do not take the clock from MikroTik cloud; NTP client is used instead.
set update-time=no
/ip dhcp-server network
# Every scope points clients at the router's dummy address for DNS and NTP,
# which keeps all resolver/time traffic on the router and lets the forward
# chain deny direct access to external resolvers.
add address=192.168.10.0/24 dns-server=192.168.254.1 gateway=192.168.10.1 ntp-server=192.168.254.1
add address=192.168.20.0/24 dns-server=192.168.254.1 gateway=192.168.20.1 ntp-server=192.168.254.1
add address=192.168.50.0/24 dns-server=192.168.254.1 gateway=192.168.50.1 ntp-server=192.168.254.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for the LAN.
# Exposure towards the WAN is prevented only by the input chain (the DNS
# accept is limited to in-interface-list=vlan and everything else is
# dropped), so that rule ordering must be preserved.
set allow-remote-requests=yes cache-max-ttl=1d

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# Stateful accept. 'untracked' is included although no notrack rule exists
# in /ip firewall raw, so it currently matches nothing; if a notrack rule is
# ever added, those flows will bypass every check that follows.
add action=accept chain=input comment="Accept INPUT Established connection" connection-state=established,related,untracked
add action=drop chain=input comment="Drop INPUT invalid connection" connection-state=invalid log-prefix=INVALID
# Management access: anything from the 'support' list (internal addresses
# per the author), with no interface restriction. Spoofed private sources
# from the WAN are relied on being caught by rp-filter=strict and the raw
# rfc1918 drop, not by this rule.
add action=accept chain=input comment="Allow all from that list" src-address-list=support
# ICMP to the router from every interface; type and rate restrictions are
# applied earlier, in the raw ICMP chain.
add action=accept chain=input comment="Allow all ICMP" protocol=icmp
# NOTE(review): this accepts ALL protocols and ports from any VLAN to the
# dummy-ntp-dns address(es), not just DNS and NTP. Any service the router
# listens on (e.g. www-ssl, winbox) that is not bound to a specific address
# in /ip service is therefore reachable from the guest VLAN via
# 192.168.254.1; winbox is only saved by the raw drop on 8291. Narrow it
# to two rules: `protocol=udp dst-port=53,123` and `protocol=tcp dst-port=53`.
add action=accept chain=input comment="Allow all vlan to contact the dummy NTP DNS server" dst-address-list=dummy-ntp-dns in-interface-list=vlan
# ---- forward chain: traffic routed between VLANs and to the internet ----
add action=accept chain=forward comment="Accept FORWARD Established connection" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop FORWARD invalid connection" connection-state=invalid log-prefix=INVALID
# Hosts in 'support' may reach anything, including the internet.
add action=accept chain=forward comment="Allow all from that list" src-address-list=support
# ICMP is allowed between every VLAN, so guest/camera hosts can ping into
# the primary VLAN; isolation is complete for TCP/UDP only.
add action=accept chain=forward comment="Allow all ICMP" protocol=icmp
# NOTE(review): no source list, no in/out-interface - any VLAN, guest and
# cameras included, can open TCP 4000/5000/5900 (5900 is VNC) to any host
# on any other VLAN, and every such connection is logged. Restrict it to
# the intended src-address-list / dst-address-list pair.
add action=accept chain=forward comment="Allow all forward communication on these port" dst-port=4000,5000,5900 log=yes log-prefix="forwarding port" protocol=tcp
# Internet access is granted per address list, never per VLAN. Lists are
# not part of this paste.
add action=accept chain=forward comment="Allow internet access" out-interface=pppoe-ISP src-address-list=support-MiniPC
add action=accept chain=forward comment="Allow internet access" out-interface=pppoe-ISP src-address-list=support-other
# TV gets plain HTTP (80) only; no 443, so anything using TLS is blocked.
add action=accept chain=forward comment="Allow internet access" dst-port=80 out-interface=pppoe-ISP protocol=tcp src-address-list=support-TV
# Disabled: Unifi and FreeNAS have no internet (author updates them by hand).
add action=accept chain=forward comment="Allow internet access" disabled=yes out-interface=pppoe-ISP src-address-list=support-Unifi
add action=accept chain=forward comment="Allow internet access" disabled=yes log=yes out-interface=pppoe-ISP src-address-list=support-Freenas
# Explicit pairwise allows between address lists (cameras <-> minipc,
# cameras -> NAS for 24/7 recording, TV -> support hosts).
add action=accept chain=forward comment="Allow connection between these list" dst-address-list=support-CAM src-address-list=support-MiniPC
add action=accept chain=forward comment="Allow connection between these list" dst-address-list=support-MiniPC src-address-list=support-CAM
add action=accept chain=forward comment="Allow connection between these list" dst-address-list=support-Freenas src-address-list=support-CAM
add action=accept chain=forward comment="Allow connection between these list" dst-address-list=support src-address-list=support-TV
add action=accept chain=forward comment="Allow connection between these list" disabled=yes dst-address-list=support-CAM src-address-list=support-temp
# SMTP-submission (587) burst limiter for the cameras. add-src-to-address-list
# is non-terminating, so the first new connection from a camera falls
# through: not in Buffer (rule 1), not in Drop (rule 2), added to Drop for
# 2m (rule 3), then - now matching Drop - added to Buffer for 10s (rule 4),
# and accepted (rule 5). For the next 10s rule 1 accepts; after that, until
# the 2m entry expires, rule 2 drops. Net effect: a 10s window of new SMTP
# connections per ~2 minutes per camera. Only NEW connections are limited;
# an already established session is accepted by the first forward rule.
add action=accept chain=forward comment="Logic to reduce email spam" dst-port=587 protocol=tcp src-address-list=support-CAM-Drop-Buffer
add action=drop chain=forward comment="Logic to reduce email spam" dst-port=587 log=yes log-prefix="DROP #1 CAM EMAIL" protocol=tcp src-address-list=support-CAM-Drop
add action=add-src-to-address-list address-list=support-CAM-Drop address-list-timeout=2m chain=forward comment="Logic to reduce email spam" dst-port=587 protocol=tcp src-address-list=support-CAM
add action=add-src-to-address-list address-list=support-CAM-Drop-Buffer address-list-timeout=10s chain=forward comment="Logic to reduce email spam" dst-port=587 protocol=tcp src-address-list=support-CAM-Drop
add action=accept chain=forward comment="Allow IP Camera to send email" dst-port=587 protocol=tcp src-address-list=support-CAM
# ---- output chain: traffic the router itself originates ----
# Default-drop on output is unusual; it enumerates what the router may
# start on its own: ICMP, NTP and DNS, and package download when enabled.
add action=accept chain=output comment="Accept OUTPUT Established connection" connection-state=established,related,untracked
add action=drop chain=output comment="Drop OUTPUT invalid connection" connection-state=invalid log-prefix=INVALID
add action=accept chain=output comment="Allow all ICMP" protocol=icmp
# NTP and DNS are only accepted when the source is in 'external-ip', which
# is filled solely by the PPP profile on-up script; if that script does not
# run the router loses time sync and resolution and the only symptom is the
# "Drop DEFAULT " log below. NOTE(review): src-port=123 assumes the NTP
# client binds to port 123 - confirm against the log, an ephemeral source
# port would never match this rule.
add action=accept chain=output comment="Allow NTP request" dst-address-list=NTP dst-port=123 protocol=udp src-address-list=external-ip src-port=123
add action=accept chain=output comment="Allow DNS request" dst-address-list=DNS dst-port=53 protocol=udp src-address-list=external-ip
add action=accept chain=output comment="Allow DNS request" dst-address-list=DNS dst-port=53 protocol=tcp src-address-list=external-ip
# Enabled by hand only when upgrading RouterOS.
add action=accept chain=output comment="Allow router to update packages" disabled=yes dst-port=80 log=yes protocol=tcp src-address-list=external-ip
# ---- final default drops, one per chain ----
# All three log unconditionally with the same prefix. Use distinct prefixes
# per chain to make the log readable, and consider a preceding log-only
# rule with limit= so a scan or flood from the WAN cannot fill the log.
add action=drop chain=input comment="Drop INPUT Everything else" log=yes log-prefix="Drop DEFAULT "
add action=drop chain=forward comment="Drop FORWARD Everything else" log=yes log-prefix="Drop DEFAULT "
add action=drop chain=output comment="Drop OUTPUT Everything else" log=yes log-prefix="Drop DEFAULT "

/ip firewall nat
# Masquerade everything leaving via PPPoE. There is no dstnat rule, so no
# inbound port forwards exist: unsolicited WAN traffic only ever reaches the
# input chain, where it hits the default drop.
add action=masquerade chain=srcnat out-interface=pppoe-ISP

/ip firewall raw
# raw runs before connection tracking, so these drops are cheap but also
# apply to every interface, WAN included.
#
# NOTE(review): log=yes here means every winbox probe from the internet is
# written to the log; under a scan that fills the log and costs CPU (the
# point raised in the thread). Drop the log, or log from the filter chain
# behind a limit= instead.
add action=drop chain=prerouting comment="Drop any winbox request" dst-port=8291 log=yes log-prefix="Drop Winbox" protocol=tcp src-address-list=!support
# Port 0 is never legitimate; same logging caveat applies.
add action=drop chain=prerouting comment="Should not happen, drop and log anyway" log=yes log-prefix="Drop Port 0" protocol=tcp src-port=0
add action=drop chain=prerouting comment="Should not happen, drop and log anyway" dst-port=0 log=yes log-prefix="Drop Port 0" protocol=tcp
add action=drop chain=prerouting comment="Should not happen, drop and log anyway" log=yes log-prefix="Drop Port 0" protocol=udp src-port=0
add action=drop chain=prerouting comment="Should not happen, drop and log anyway" dst-port=0 log=yes log-prefix="Drop Port 0" protocol=udp
# Anti-spoofing for private sources arriving on the WAN; the 'rfc1918'
# list is not part of this paste. Not logged, which is the right choice
# for a rule that can fire constantly.
add action=drop chain=prerouting comment="Drop rfc1918" in-interface=pppoe-ISP log-prefix=Drop src-address-list=rfc1918
# All ICMP - inbound (prerouting) and router-originated (output) - goes
# through the ICMP chain below.
add action=jump chain=prerouting jump-target=ICMP protocol=icmp
add action=jump chain=output jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="ACCEPT FOR MTR" disabled=yes log-prefix="ACCEPT FOR MTR" protocol=icmp
add action=accept chain=ICMP comment="Allow everything for this list" protocol=icmp src-address-list=support
# Echo requests rate-limited to 1/s with a burst of 5 for every source
# outside 'support', LAN hosts included. The kernel already protects the
# router against echo floods (as noted in the thread), so this mostly
# affects legitimate fast pings from the LAN.
add action=accept chain=ICMP comment="Accept ICMP Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP Time exceeded" icmp-options=11:0 protocol=icmp
# Destination-unreachable codes kept: net/host (0-1), port (3),
# fragmentation needed (4, required for PMTUD across the PPPoE link),
# 10 and 13. Other codes (e.g. 3:2 protocol unreachable) fall through to
# the drop below.
add action=accept chain=ICMP comment="Accept ICMP Destination unreachable (Code 0-1)" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP Destination unreachable (Code 3)" icmp-options=3:3 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP Destination unreachable (Code 4)" icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP Destination unreachable (Code 10)" icmp-options=3:10 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP Destination unreachable (Code 13)" icmp-options=3:13 protocol=icmp
# Logged drop of every other ICMP type, again without a limit.
add action=drop chain=ICMP comment="Drop ICMP Everything else" log=yes log-prefix="Drop raw" protocol=icmp

/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled; none of these protocols is
# used on this network and helpers widen what conntrack will 'relate'.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# Plaintext and unused management services disabled. winbox and www-ssl do
# not appear in this listing and so presumably remain at their defaults
# (enabled, bound to every address); consider `address=` on both so they
# answer only from the management subnet(s) in addition to the firewall.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
# SMB server: no guest access and the default share disabled. SMB itself is
# not shown enabled here.
set allow-guests=no
/ip smb shares
set [ find default=yes ] disabled=yes
/ip ssh
# Only takes effect if the ssh service is re-enabled above.
set host-key-size=4096 strong-crypto=yes

/ipv6 firewall filter
# Belt and braces: IPv6 is already disabled in /ipv6 settings, so these
# should never fire; the log prefix will reveal it if that ever changes.
add action=drop chain=forward log=yes log-prefix=IPV6
add action=drop chain=input log=yes log-prefix=IPV6
add action=drop chain=output log=yes log-prefix=IPV6
/ipv6 nd
set [ find default=yes ] disabled=yes

/system clock
set time-zone-autodetect=no time-zone-name=America/Montreal
/system identity
set name=RB5009
/system ntp client
# Upstream servers were removed from the paste; they must be in the 'NTP'
# address list used by the output chain or the client is silently dropped.
set enabled=yes
/system ntp server
# Serves time to the VLANs via 192.168.254.1 (the address in every DHCP scope).
set enabled=yes
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
# Bandwidth-test server disabled so it cannot be used to load the router.
set enabled=no

You will figure it out eventually.
I always use fasttrack, and never have used the output chain, and use the NTP service on the router, without fake VPNs…
I rarely ever use raw
I never connect to my router remotely use winbox…
You are not showing the full config and I don’t work from snippets.
In other words your config is far too advanced for me to comment on.

thanks

for these 2 points;
“support” address list is just internal IP addresses, mostly some IP addresses in vlan_primary, nothing remote
Like I said in my post, I only removed the static DHCP leases, firewall address lists and NTP servers that I used, so it is the full config minus those

You can change on “pppoe-profile” all this:

on-down=“[…]” on-up=“[…]”

with just simply set on “address-list” field the value “external-ip”…

Personally I would simplify and remove half the bloatware you have going but if it works for you…

The death of the router in the event of a DDoS attack:

/ip firewall raw
[...] log=yes [...]

On kernel this is already prevented for ICMP, this is useless:

[...] comment="Accept ICMP Echo request - Avoiding Ping Flood" [...] limit=1,5:packet [...]

do you mean vlan or firewall or … ? be more specific please …

the only “bloatware” i can think of is the raw firewall

for some reason my pppoe get 2 ip, one local and one remote, if I set that field it pick the wrong one

local = internet ip
remote = no idea what it is, this is the one that get picked up

I took the "original" ICMP (and other) rules from here: RouterOS - RouterOS - MikroTik Documentation

I moved it to the raw and I might have checked log to debug something a long time ago and I forgot to uncheck it

Take or leave it, up to you. Just because something is on youtube or elsewhere doesnt make it efficient or effective. Much of the documentation on MT is how to apply functionality not whether its right for you in any particular scenario.
I am a minimalist, efficiently provide the necessary functionality to meet explicitly stated requirements in a secure manner.
Less is more, clarity and brevity!
(unless rextended is buying, and in that case bring out the best wine and keep the courses coming)

I’m open to any constructive criticism :sunglasses:

a question that i ask myself, should the dlink be on vlan1 or it own vlan (like now) or with another vlan?
also, the truenas, the port have it own vlan while inside the configuration of truenas I created 2 vlan one for itself and one for a jail for the unifi controller, does it make sense? i’m not so sure

that is why I created the diagram, sometime it help to see what it look like vs how it was implemented

but no wine for me, I’m a beer kind of person

That gets to a well-understood set of requirements: it sounds like you have some ideas and have cobbled together an approach, but don’t really have a clear idea of what you want to accomplish.

In general, all smart devices, those that can read vlans should get their IP address from the management vlan or trusted vlan.
If there are any untrusted sets of users they should be separated from trusted users and its often a good idea to separate untrusted users from each other if they have separate function, such as IOT device, Media device and guest wifi all separate, from trusted users ( any device which talks to the cloud and is not under your control should be on a separate VLAN from trusted users).

In the case of NAS, assuming you share files with folks there, and there might be some dependencies such as running a unifi controller??
So sorting that particular device out would be paramount.
It should get its IP address and be configurable only on the management vlan.
How many ethernet ports does TrueNAS have, and can it read VLAN tags?
Does the Unifi controller have to be on the same VLAN as the Ubiquiti AP VLAN (for management purposes)?

In the case the unifi controller / AP they are isolated in their own vlan/subnet and yes I believe they need to be on the same one. I don’t allow internet access because both the controller and AP do a lot of calling home even when settings are turned off. when it’s time to change my wifi, i will get something else but right now everything is under control and working but it’s annoying.
I could turn off the controller but then the AP is doing a lot of “where is my controller!?!” spam on the network. like i said annoying

the computer that run truenas have 2 ethernet port but since my rb5009 is already full, i have to use multiple vlan on one port, truenas can do this, otherwise i would simply use one port for truenas and the other for the controller
the controller is in a “jail” in truenas, i manually update the software/firmware, here i trust truenas to handle the jail (freebsd isolation thing) to make sure it’s truly isolated and that it handle vlan correctly

for truenas itself, it’s a simple NAS and you can check the firewall rule to see what can access it, heavily used by my cameras since they record 24/7 (never trust record on motion sensor, it will miss thing…)

management of both (truenas / unifi) is handled with the “support” list, but wait … see, that is why it’s good to explain things: I forgot to put a rule in the firewall to only allow port 80/443 to the support list for truenas, which means that right now my cameras could access the management page. Going to add that right now :open_mouth:

Exactly, thanks for making me notice it…