Hello everyone,
right now I have a MikroTik hAP ac2 router configured as a router-on-a-stick with a Cisco WS-C3750G-24PS-S switch. I have a few VLANs (please see the router config attached) for my home lab.
-
I recently bought a Layer 3 switch (ICX6610) and hope to do the VLAN routing at the switch level (I already created VLANs on the switch with the same VLAN IDs). What is the best way to achieve this?
Edit: I already set up the inter-VLAN routing as described in this video https://www.youtube.com/watch?v=Q2cGVHsBqd0, but I am not sure if that’s enough. Is there anything I should do from the router side? -
I might have to upgrade the router as it only supports gigabit internet. What would be the best bang-for-the-buck router (since I already have an L3 switch)? I am open to trying non-MikroTik routers as well.
-
Do you think I can get away with the ISP-provided router since the switch has ACLs, so I don’t need a fancy router?
# RouterOS export of the hAP ac2 router-on-a-stick configuration.
# All VLAN interfaces hang off a single bridge; VLAN separation between
# physical ports is done in the switch-chip VLAN table further down
# (no bridge vlan-filtering setting appears in this export).
# NOTE(review): if inter-VLAN routing moves to the ICX6610, the forward-chain
# firewall rules below will no longer see VLAN-to-VLAN traffic; the equivalent
# policy would have to be expressed on the switch. Confirm before cutting over.
/interface bridge
# admin-mac value is redacted in this export.
add admin-mac=XXXX auto-mac=no name=bridge
# One L3 VLAN interface per VLAN id, all on the bridge.
/interface vlan
add interface=bridge name=BASE-99 vlan-id=99
add interface=bridge name=DNS-15 vlan-id=15
add interface=bridge name=Home-40 vlan-id=40
add interface=bridge name=IOT-30 vlan-id=30
add interface=bridge name=IpCameras-10 vlan-id=10
add interface=bridge name=Servers-20 vlan-id=20
# Switch-chip port settings. Ports 2 and 3 receive untagged frames into
# VLAN 99 and VLAN 40 respectively and strip the tag on egress.
# NOTE(review): the mapping of switch port index to etherN is not shown here;
# confirm it matches the ether3/ether4 pvids set on the bridge ports below.
/interface ethernet switch port
set 1 vlan-mode=secure
set 2 default-vlan-id=99 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure
# Interface lists referenced by the firewall rules:
#   WAN         - upstream port
#   VLAN        - every VLAN interface plus the bridge itself
#   BASE        - management VLAN (router services are fully open to it)
#   No-internet - interfaces denied WAN access (camera VLAN)
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=No-internet
# WPA2-PSK profiles; pre-shared keys are not included in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=ioT \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=BASE \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=home \
supplicant-identity=MikroTik
# Each SSID tags its traffic into a VLAN (vlan-mode=use-tag).
/interface wireless
# wlan1: IoT SSID -> VLAN 30.
set [ find default-name=wlan1 ] mode=ap-bridge name=wlan1-IoT \
security-profile=ioT ssid=IoT vlan-id=30 vlan-mode=use-tag wps-mode=\
disabled
# wlan2: management SSID -> VLAN 99.
set [ find default-name=wlan2 ] country=canada disabled=no installation=\
indoor mode=ap-bridge security-profile=BASE ssid=Mt-BASE vlan-id=99 \
vlan-mode=use-tag wps-mode=disabled
# Virtual AP on wlan2: home SSID -> VLAN 40.
add mac-address=XXXX master-interface=wlan2 name=wlan2-home \
security-profile=home ssid=home vlan-id=40 vlan-mode=use-tag wps-mode=\
disabled
# Virtual AP on wlan1: camera SSID -> VLAN 10.
# NOTE(review): this SSID reuses the "ioT" security profile, so the camera
# SSID and the IoT SSID share the same PSK; confirm that is intended, since
# the firewall treats the two VLANs differently.
add mac-address=XXX master-interface=wlan1-IoT name=IpCameras \
security-profile=ioT ssid=IoT-Cam vlan-id=10 vlan-mode=use-tag wps-mode=\
disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# DHCP pools: .2-.254 of each VLAN's /24; .1 is the router.
/ip pool
add name=IpCameras_POOL ranges=10.0.10.2-10.0.10.254
add name=DNS_POOL ranges=10.0.15.2-10.0.15.254
add name=Servers_POOL ranges=10.0.20.2-10.0.20.254
add name=IOT_POOL ranges=10.0.30.2-10.0.30.254
add name=Home_POOL ranges=10.0.40.2-10.0.40.254
add name=BASE_POOL ranges=10.0.99.2-10.0.99.254
# One DHCP server per VLAN interface.
/ip dhcp-server
add address-pool=IpCameras_POOL interface=IpCameras-10 name=IpCameras_DHCP
add address-pool=DNS_POOL interface=DNS-15 name=DNS_DHCP
add address-pool=Servers_POOL interface=Servers-20 name=Servers_DHCP
add address-pool=IOT_POOL interface=IOT-30 name=IOT_DHCP
add address-pool=Home_POOL interface=Home-40 name=Home_DHCP
add address-pool=BASE_POOL interface=BASE-99 name=BASE_DHCP
# Bridge membership. ether2 and ether5 carry tagged traffic (no pvid or
# frame-type restriction set here); the wireless interfaces and ether3/ether4
# accept only untagged frames and are assigned a single VLAN via pvid.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1-IoT pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=IpCameras pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2-home pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=40
# Neighbor discovery (MNDP/CDP/LLDP) only on the management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=BASE
# Switch-chip VLAN table: ether2/ether5 are members of every VLAN (trunk
# ports); ether3/ether4 only of 99 and 40; the CPU port is in all of them.
# NOTE(review): there is no entry for vlan-id 15 (DNS-15) in this table,
# while the ports are in vlan-mode=secure; confirm whether VLAN 15 is meant
# to be reachable over the trunk ports.
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether5,ether3,ether4,switch1-cpu \
switch=switch1 vlan-id=99
add independent-learning=no ports=ether2,ether5,switch1-cpu switch=switch1 \
vlan-id=10
add independent-learning=no ports=ether2,ether5,switch1-cpu switch=switch1 \
vlan-id=20
add independent-learning=no ports=ether2,ether5,switch1-cpu switch=switch1 \
vlan-id=30
add independent-learning=no ports=ether2,ether5,ether3,ether4,switch1-cpu \
switch=switch1 vlan-id=40
# List membership. Note that IpCameras-10 is in both VLAN and No-internet,
# and the bridge interface itself is in VLAN; firewall rule order below
# relies on this.
/interface list member
add interface=ether1 list=WAN
add interface=IpCameras-10 list=VLAN
add interface=DNS-15 list=VLAN
add interface=Servers-20 list=VLAN
add interface=IOT-30 list=VLAN
add interface=Home-40 list=VLAN
add interface=BASE-99 list=VLAN
add interface=BASE-99 list=BASE
add interface=bridge list=VLAN
add interface=IpCameras list=No-internet
add interface=IpCameras-10 list=No-internet
# Disabled: would have granted the camera VLAN full router access.
add disabled=yes interface=IpCameras-10 list=BASE
# Router address is .1 in each VLAN.
/ip address
add address=10.0.10.1/24 interface=IpCameras-10 network=10.0.10.0
add address=10.0.15.1/24 interface=DNS-15 network=10.0.15.0
add address=10.0.20.1/24 interface=Servers-20 network=10.0.20.0
add address=10.0.30.1/24 interface=IOT-30 network=10.0.30.0
add address=10.0.40.1/24 interface=Home-40 network=10.0.40.0
add address=10.0.99.1/24 interface=BASE-99 network=10.0.99.0
# MikroTik cloud DDNS is enabled.
/ip cloud
set ddns-enabled=yes
/ip dhcp-server config
set store-leases-disk=12h
# DHCP hands out the router as both gateway and DNS server in every VLAN.
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.15.0/24 dns-server=10.0.15.1 gateway=10.0.15.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
# The router acts as a DNS resolver for the LAN. allow-remote-requests=yes
# makes it answer on every interface, so exposure on WAN is governed solely
# by the input chain below (WAN new connections are dropped there).
# Upstream servers are redacted in this export.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
XXX
/ip dns static
add address=10.0.99.1 name=router
# Address list used by the WAN input rule; the management VLAN subnet.
/ip firewall address-list
add address=10.0.99.0/24 list=adminAccess
# --- Input chain (traffic to the router itself) ---
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Drop new connections arriving on WAN unless the source is in adminAccess.
# adminAccess is a private 10.0.99.0/24 range, which would not normally
# appear as a source on the WAN side, so in practice this drops all new
# WAN-originated input.
add action=drop chain=input connection-state=new in-interface=ether1 \
src-address-list=!adminAccess
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Management VLAN (BASE list = BASE-99) may reach every router service.
add action=accept chain=input comment=\
"Allow Base access to all router services" in-interface-list=BASE
# Other VLANs only get DHCP, DNS and ICMP from the router.
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" \
in-interface-list=VLAN protocol=icmp
# Remaining IOT-30 input is dropped here; the final drop below would catch
# it anyway.
add action=drop chain=input comment=\
"block all incoming traffic from the Internet to the IOT-30 interface" \
in-interface=IOT-30
# The next four rules are disabled. The first two would open TCP 80/443 and
# UDP 53 on the WAN interface to the router itself; keep them disabled.
add action=accept chain=input comment="Allow DNS traffic" disabled=yes \
dst-port=80,443 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow incoming HTTP and HTTPS traffic (\
for web browsing) and incoming DNS traffic (for domain name resolution). " \
disabled=yes dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment=" new firewall rule to block all incoming \
traffic from the Internet to your internal network. This rule should apply\
\_to the WAN interface and all of the internal interfaces. You can use the\
\_following command to create the rule:" disabled=yes in-interface=ether1
# Disabled; dst-address-list is empty, so the rule is effectively
# src 10.0.20.5 -> dst 10.0.10.254 only.
add action=accept chain=input comment="Allow VLAN ICMP Ping" disabled=yes \
dst-address=10.0.10.254 dst-address-list="" src-address=10.0.20.5
# Default deny for everything else reaching the router.
add action=drop chain=input comment="Drop all other traffic"
# --- Forward chain (traffic through the router, incl. inter-VLAN) ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Camera VLAN may open new connections to any interface in the VLAN list
# (which is every VLAN plus the bridge), despite the comment text.
# NOTE(review): if cameras should only be reached from the NVR/server
# (see the 10.0.20.5 rule below), this accept is broader than needed;
# confirm which destinations the cameras actually have to initiate to.
add action=accept chain=forward comment="10 VLAN Internet Access only" \
connection-state=new in-interface-list=No-internet out-interface-list=\
VLAN
# Camera VLAN -> WAN is dropped and logged. Rule order matters: IpCameras-10
# is also in the VLAN list, so this drop must stay above the VLAN -> WAN
# accept that follows.
add action=drop chain=forward comment="IpCamVLAN NO Internet Access" \
connection-state=new in-interface-list=No-internet log=yes \
out-interface-list=WAN
# All other VLANs may reach the internet.
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Management VLAN may initiate to every VLAN.
add action=accept chain=forward comment="Allow Base to access all VLAN" \
in-interface=BASE-99 out-interface=all-vlan
# Single server host may reach the whole camera subnet.
add action=accept chain=forward comment="Allow Server access ipcam" \
dst-address=10.0.10.0/24 src-address=10.0.20.5
# Home VLAN may reach the TrueNAS host; matches are logged.
add action=accept chain=forward comment="Allow Home access TrueNas" \
connection-state="" dst-address=10.0.20.10 log=yes src-address=\
10.0.40.0/24
# Disabled: would accept port-forwarded (dst-nat) connections from WAN.
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT - enable if need server" \
connection-nat-state=dstnat connection-state=new disabled=yes \
in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Default deny for all other forwarded traffic, including inter-VLAN.
add action=drop chain=forward comment=Drop
# --- NAT ---
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
# Everything below is disabled: DNS redirection to 10.0.20.20/.21 with
# hairpin masquerade, and redirect of all DNS to the router. Left for
# reference; none of it is active.
add action=dst-nat chain=dstnat disabled=yes dst-address=!10.0.20.20 \
dst-port=53 protocol=udp src-address=!10.0.20.20 to-addresses=10.0.20.20
add action=dst-nat chain=dstnat disabled=yes dst-address=!10.0.20.21 \
dst-port=53 protocol=tcp src-address=!10.0.20.21 to-addresses=10.0.20.21
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.20 \
dst-port=53 protocol=udp src-address=10.0.99.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.20 \
dst-port=53 protocol=udp src-address=10.0.20.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.21 \
dst-port=53 protocol=tcp src-address=10.0.99.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.21 \
dst-port=53 protocol=tcp src-address=10.0.20.0/24
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
disabled=yes dst-port=53 protocol=udp src-address=!10.0.20.20 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
disabled=yes dst-port=53 protocol=tcp src-address=!10.0.20.20 to-ports=53
# Disabled static default route; gateway redacted. The active default
# route is not part of this export (presumably learned via DHCP on ether1).
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=XXX \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
# winbox and www-ssl are not listed here, so they remain at their defaults;
# the input chain limits them to the BASE list anyway.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MikroTik-v8
# Router serves NTP to the LAN and syncs from Cloudflare.
/system ntp server
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
# RouterBOARD firmware follows RouterOS upgrades automatically.
/system routerboard settings
set auto-upgrade=yes
# MAC-level telnet/winbox access only from the management VLAN.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE