Kindly asking for config verification

Hello Mikrotik Experts,
I am kindly asking for some advice from an expert. I am not a networking expert. During the last few weeks I have played around with my CRS125 and CRS326 for my home network. I am using RouterOS 6.42 to benefit from the new hardware bridge implementation.
I was able to setup some VLANs for traffic isolation. Hopefully I did it correctly.
Within my network the VLAN1 is untagged on the bridges and AP uplinks for Management purposes. All other VLANs are tagged on the AP uplinks and the link between both switches.

Below you can see my topology. I have removed the devices like PCs and NAS boxes and some other devices which are assigned to dedicated ports. These devices are distributed over the different VLANs. These ports receive the VLAN traffic untagged.
Here are questions:

  1. With the RouterOS tool “Bandwidth Test” I am able to push around 480Mbps between Ether5 and Ether1 with the default settings of the tool (UDP traffic, single direction). At this load the tool “Profile” shows a load of 98-100% on “cpu0”. This happens on both CRS. Is this normal? I thought that the new hardware implementation of the bridge allows near switching speed without loading cpu0. Is my configuration bad or do I have a misunderstanding of what the bridge implementation offers me?
  2. How can I improve the setup to get more throughput with lower cpu utilization?
  3. My firewall config is not finalized. I want to protect my internet interface as well as possible against attacks from the internet. What should I change and add to my rules?
    I want to achieve full internal network segment separation with some minor exceptions:
    a. The Printer should be accessible from Office network
    b. The Management network should be isolated without internet access nor access from other VLANs
    c. All other VLANs can access the Internet
  4. If you see any obvious configuration issues I would highly appreciate if you can share it with me
  5. Later on I want to have some tracking of which device is causing how much traffic, and when (potentially also limiting it with Mangle).

I have read many posts in this forum over the last few weeks which helped me so far, but now I have decided to register here and ask my questions because I am looking for a second opinion.
My config looks like this:

CRS326

# jan/22/2018 20:46:33 by RouterOS 6.42rc9
#
# model = CRS326-24G-2S+
#
# NOTE(review): this export was taken without "hide-sensitive": the /tool e-mail
# password near the end is exported in clear text (masked in this post). Use
# "/export hide-sensitive" before sharing a configuration.
# NOTE(review): ether1 is not a bridge port (see /interface bridge port); it is
# the WAN uplink configured under /ip dhcp-client. Traffic between a bridge port
# and ether1 is therefore routed by the CPU, not switched by the bridge
# hardware, and the Bandwidth Test generator itself also runs on the CPU --
# presumably why a test between ether5 and ether1 pegs cpu0.
/interface bridge
# One bridge with VLAN filtering on (the 6.41+ bridge VLAN model).
add name=br1 vlan-filtering=yes
/interface vlan
# One routed (L3) interface per VLAN on top of the bridge. VLAN1 (management)
# has no VLAN interface: it is carried untagged and addressed further down.
add interface=br1 name=br1-vlan10 vlan-id=10
add interface=br1 name=br1-vlan19 vlan-id=19
add interface=br1 name=br1-vlan20 vlan-id=20
add interface=br1 name=br1-vlan30 vlan-id=30
add interface=br1 name=br1-vlan40 vlan-id=40
add interface=br1 name=br1-vlan50 vlan-id=50
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# DHCP pools: .100-.254 in every subnet (VLAN19 stops at .200).
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool10 ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool30 ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool40 ranges=192.168.40.100-192.168.40.254
add name=dhcp_pool19 ranges=192.168.19.100-192.168.19.200
add name=dhcp_pool50 ranges=192.168.50.100-192.168.50.254
/ip dhcp-server
# One DHCP server per VLAN interface; dhcp_VLAN1 is bound to br1 itself
# (the untagged management VLAN).
add address-pool=dhcp_pool1 disabled=no interface=br1 lease-time=1h name=\
    dhcp_VLAN1
add address-pool=dhcp_pool10 disabled=no interface=br1-vlan10 lease-time=1h \
    name=dhcp_VLAN10
add address-pool=dhcp_pool19 disabled=no interface=br1-vlan19 lease-time=1h \
    name=dhcp_VLAN19
add address-pool=dhcp_pool20 disabled=no interface=br1-vlan20 lease-time=1h \
    name=dhcp_VLAN20
add address-pool=dhcp_pool30 disabled=no interface=br1-vlan30 lease-time=1h \
    name=dhcp_VLAN30
add address-pool=dhcp_pool40 disabled=no interface=br1-vlan40 lease-time=1h \
    name=dhcp_VLAN40
add address-pool=dhcp_pool50 disabled=no interface=br1-vlan50 lease-time=1h \
    name=dhcp_VLAN50
/interface bridge port
# Bridge membership plus the VLAN (pvid) that untagged ingress traffic on each
# port is placed into. Ports without an explicit pvid (ether2-ether5) use the
# default pvid 1, i.e. the management VLAN. Ports not listed here (ether1,
# ether9, ether14, ...) are not bridge members.
add bridge=br1 comment="Management Port" interface=ether2
add bridge=br1 comment="Unused & configured for VLAN10" interface=ether10 pvid=\
    10
add bridge=br1 comment="Ruckus R310 Erdgeschoss" interface=ether3
add bridge=br1 comment="Ruckus R310 Obergeschoss" interface=ether4
add bridge=br1 comment="Uplink to CRS125 (access to all VLANs)" interface=\
    ether5
add bridge=br1 comment="HP LaseJet Pro 400" interface=ether6 pvid=10
add bridge=br1 comment="Apple TV" interface=ether7 pvid=10
add bridge=br1 comment="Apple Timecapsual" interface=ether8 pvid=10
add bridge=br1 comment="Ninas Radio" interface=ether19 pvid=40
add bridge=br1 comment="Sony TV Wohnzimmer" interface=ether20 pvid=40
add bridge=br1 comment="Vaillant ecoPower (Private LAN)" interface=ether23 \
    pvid=19
add bridge=br1 comment="Vaillant VPN (private Interface LAN1) " interface=\
    ether24 pvid=19
add bridge=br1 comment="Vaillant VPNbox ( public LAN2 )" interface=ether22 \
    pvid=50
/interface bridge vlan
# VLAN membership table: which ports carry each VLAN tagged or untagged. "br1"
# in a list means the CPU port, i.e. the router itself, is a member.
# NOTE(review): ether9 (VLAN10) and ether14 (VLAN20) are listed as untagged
# members below but are not bridge ports above; either add them under
# /interface bridge port with the matching pvid or drop them from these entries.
# NOTE(review): VLAN40, VLAN19 and VLAN50 are tagged on br1 only, not on ether5
# (the uplink to the CRS125) or the AP ports, so they never leave this switch;
# the CRS125 entries for VLAN40/19/50 cannot see that traffic. Confirm that this
# is intended -- the uplink comment says "access to all VLANs".
add bridge=br1 comment=\
    "VLAN1 Management VLAN fpr Network devices like routers, switches, APs" \
    untagged=br1,ether2,ether3,ether4,ether5 vlan-ids=1
add bridge=br1 comment="VLAN10 Home / Privat LAN " tagged=\
    br1,ether3,ether4,ether5 untagged=ether6,ether7,ether8,ether9,ether10 \
    vlan-ids=10
add bridge=br1 comment="VLAN20 Office LAN" tagged=br1,ether3,ether4,ether5 \
    untagged=ether14 vlan-ids=20
add bridge=br1 comment="VLAN30 Gaeste WLAN" tagged=br1,ether3,ether4,ether5 \
    vlan-ids=30
add bridge=br1 comment="VLAN 40 fuer INternet Radios / TV usw." tagged=br1 \
    untagged=ether19,ether20 vlan-ids=40
add bridge=br1 comment="VLAN19 BHKW internes Netz zwischen ecoPower und VPNbox L\
    AN1 (linker Port) -- VPN box erforder 192.168.19.0 Netz! GW ist 192.168.19.1\
    \_-->VPNbox LAN1" tagged=br1 untagged=ether23,ether24 vlan-ids=19
add bridge=br1 comment="VLAN50 Vaillant Public (VPN)" tagged=br1 untagged=\
    ether22 vlan-ids=50
/ip address
# Router addresses, one per routed VLAN. The router is the .1 of every subnet
# except VLAN19, where it is .254 (the comment in the VLAN table says .1 is the
# VPN box).
# NOTE(review): 192.168.1.1/24 is placed on ether2, but ether2 is a bridge port
# (slave) above, while the VLAN1 DHCP server is bound to br1. RouterOS normally
# flags an address on a slave port as invalid; the management address most
# likely belongs on br1 -- check "/ip address print" for an "I" flag.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.10.1/24 interface=br1-vlan10 network=192.168.10.0
add address=192.168.19.254/24 interface=br1-vlan19 network=192.168.19.0
add address=192.168.30.1/24 interface=br1-vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=br1-vlan40 network=192.168.40.0
add address=192.168.50.1/24 interface=br1-vlan50 network=192.168.50.0
add address=192.168.20.1/24 interface=br1-vlan20 network=192.168.20.0
/ip dhcp-client
# WAN uplink: ether1 gets its address from the ISP; its DNS/NTP offers are
# ignored in favour of the static settings below.
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
# Static leases in VLAN10.
add address=192.168.10.101 mac-address=88:1F:A1:2B:EE:E8 server=dhcp_VLAN10
add address=192.168.10.100 always-broadcast=yes client-id=1:24:be:5:ed:6d:1b \
    mac-address=24:BE:05:ED:6D:1B server=dhcp_VLAN10
/ip dhcp-server network
# Gateway handed out per subnet; no dns-server is set here, so clients get the
# router's default DNS offer -- confirm that this is what you want.
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.19.0/24 gateway=192.168.19.254
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
add address=192.168.40.0/24 gateway=192.168.40.1 netmask=24
add address=192.168.50.0/24 gateway=192.168.50.1 netmask=24
/ip dns
# Upstream resolver used by the router itself.
set servers=8.8.8.8
/ip firewall address-list
# allowed_to_router: sources permitted to reach the router's own services
# (used by the input chain below).
add address=192.168.1.10-192.168.1.254 list=allowed_to_router
# not_in_internet: private, reserved and test ranges that must never appear as
# a source address on the WAN side (bogon filter for ether1).
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# NOTE(review): "192.168.10-254" is not a valid address, so the next entry
# matches nothing (most likely a typo for 192.168.10.254). Decide first whether
# VLAN10 hosts should be allowed to manage the router at all -- the stated goal
# is that only the management VLAN is -- and then either fix the range or
# remove the entry.
add address=192.168.10.10-192.168.10-254 list=allowed_to_router
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# NOTE(review): the input chain has no final drop. Only ether1 is dropped
# explicitly; a host on any VLAN that is not covered by allowed_to_router
# (guest VLAN30, the VLAN19/VLAN50 boxes, ...) still reaches every enabled
# router service (www on 8888, ssh, winbox, api, ...) through the implicit
# accept at the end of the chain. A last rule
# "add action=drop chain=input comment=\"drop all else\"" closes that gap;
# keep the established,related accept first so you cannot lock yourself out.
add action=accept chain=input comment="default configuration" connection-state=\
    established,related
add action=accept chain=input src-address-list=allowed_to_router
# ICMP from any interface except the WAN.
add action=accept chain=input in-interface=!ether1 protocol=icmp
add action=drop chain=input in-interface=ether1
# --- forward chain: traffic routed through the router ---
# NOTE(review): FastTrack-ed established/related packets bypass the rest of the
# firewall as well as mangle and queues, so per-device accounting or
# mangle-based limiting (question 5) will not see them; narrow or remove this
# rule when that is added.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
# log=yes on every invalid packet can be noisy; fine while tuning.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
# New connections from the WAN are only allowed when a dst-nat rule created them.
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
# NOTE(review): nothing above restricts traffic between VLANs. Every VLAN is
# routed on this device, so VLAN-to-VLAN traffic (including into management
# 192.168.1.0/24 and the guest VLAN30) is allowed by the implicit accept at the
# end of the chain. Goals (a)-(c) still need explicit forward rules after the
# ones above: an accept for Office -> printer (src 192.168.20.0/24, dst the
# printer's address in 192.168.10.0/24), a drop for management -> ether1, and
# finally a drop for everything with in-interface=!ether1 out-interface=!ether1
# (i.e. LAN-to-LAN), leaving only VLAN -> ether1 (internet) permitted.
/ip firewall nat
# NOTE(review): masquerade has no out-interface, so it also rewrites the source
# of VLAN-to-VLAN traffic: the printer would see the router's address instead of
# the office host, and per-device accounting loses the real source. Restrict it
# with out-interface=ether1.
add action=masquerade chain=srcnat
/ip service
# NOTE(review): only winbox is address-restricted. ssh, api, api-ssl and www-ssl
# do not appear in the export, so they seem to be at their defaults (enabled,
# reachable from any address). Disable the unused ones and add
# address=192.168.1.0/24 to the rest so the service limits match the
# allowed_to_router intent.
set telnet disabled=yes
set ftp disabled=yes
set www port=8888
set winbox address=192.168.1.0/24
/ip ssh
# Modern ciphers/KEX only.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set boot-os=router-os
/tool e-mail
# Outbound mail for notifications. The SMTP server is pinned to a single
# literal IP rather than a host name, so it breaks when that address changes;
# the password is stored in clear text in the configuration (see the note at
# the top about "hide-sensitive").
set address=173.194.77.108 from=xxxx@gmail.com password=yyyyyyyyy \
    port=587 user=xxxxxx@gmail.com
/tool graphing interface
# Graphing for all interfaces and for CPU/memory/disk (no parameters = all).
add
/tool graphing resource
add

On CRS125 the config looks like this:

 
# jan/22/2018 20:59:30 by RouterOS 6.42rc11
#
# model = CRS125-24G-1S
#
# NOTE(review): this switch is used as a pure L2 device here: one management
# address, a default route, no firewall and no service restrictions. Whatever it
# forwards between ports should stay in the switch chip as long as the ports
# keep hardware offloading (the "H" flag in "/interface bridge port print");
# only management traffic to 192.168.1.5 needs its CPU.
/interface bridge
add name=br1 vlan-filtering=yes
/interface vlan
# These VLAN interfaces carry no IP address and nothing else references them,
# so they are unused on this device; they can be removed.
add interface=br1 name=br1-vlan10 vlan-id=10
add interface=br1 name=br1-vlan19 vlan-id=19
add interface=br1 name=br1-vlan20 vlan-id=20
add interface=br1 name=br1-vlan30 vlan-id=30
add interface=br1 name=br1-vlan40 vlan-id=40
add interface=br1 name=br1-vlan50 vlan-id=50
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1 (uplink to the CRS326) and ether2 stay on the default pvid 1
# (management); the other ports are access ports for VLAN10 or VLAN20.
add bridge=br1 interface=ether1
add bridge=br1 interface=ether2
add bridge=br1 interface=ether10 pvid=10
add bridge=br1 interface=ether3 pvid=10
add bridge=br1 interface=ether4 pvid=10
add bridge=br1 interface=ether5 pvid=10
add bridge=br1 interface=ether6 pvid=10
add bridge=br1 interface=ether7 pvid=10
add bridge=br1 interface=ether8 pvid=10
add bridge=br1 interface=ether9 pvid=10
add bridge=br1 interface=ether18 pvid=20
add bridge=br1 interface=ether12 pvid=20
/interface bridge vlan
# NOTE(review): ether3, ether4 and ether6-ether10 have pvid=10 but only ether5
# (and ether14, which is not a bridge port) are listed as untagged members of
# VLAN10 below. Likewise VLAN40/19/50 name ether14/ether19/ether15, none of
# which is a bridge port, and ether14 appears untagged in both VLAN10 and VLAN40
# although a port can be untagged in only one VLAN. Compare with the dynamic
# ("D") entries in "/interface bridge vlan print" that RouterOS derives from
# the pvid settings and reconcile the two lists.
add bridge=br1 comment="VLAN10 Home / Private LAN" tagged=br1,ether1,ether2 \
    untagged=ether5,ether14 vlan-ids=10
add bridge=br1 comment="VLAN20 Office LAN" tagged=br1,ether1 untagged=\
    ether12,ether18 vlan-ids=20
add bridge=br1 tagged=br1,ether1 vlan-ids=30
add bridge=br1 tagged=br1,ether1 untagged=ether14 vlan-ids=40
add bridge=br1 tagged=br1,ether1 untagged=ether19 vlan-ids=19
add bridge=br1 tagged=br1,ether1 untagged=ether15 vlan-ids=50
# VLAN1 (management) untagged on the uplink and on ether2, matching the CRS326
# side of the link.
add bridge=br1 untagged=br1,ether1,ether2 vlan-ids=1
/ip address
# NOTE(review): as on the CRS326, the management address sits on a bridge port
# (ether1) rather than on br1; RouterOS normally flags an address on a slave
# port as invalid. Verify with "/ip address print" and move it to br1 if so.
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
/ip route
# Default route via the CRS326 management address.
add distance=1 gateway=192.168.1.1
/system clock
# No NTP client is configured here (the CRS326 has one); enable it so the log
# timestamps of both devices agree.
set time-zone-name=Europe/Berlin

Best regards,
Andreas
Netzwerk_Diagram.png