After dragging my feet for a year, I am finally getting ready to cut over to the RB5009 routerboard model. I flashed it to ros7.4. My question is, can I just carry the VLAN config over as is, or do I have to start all over? Since it has a different chip in it from the old router.
I know tdw helped me a ton a few years back when I configured the hAP-ac2 router, so hoping I can just move the config over.
I ask the question, as I know the RB5009 has a different switch chip in it, so I would think I may need to change some of the configuration entries? Thought I would ask before I break it lol
There is no difference in settings for VLAN filtering at the bridge level. In your case, another switch chip model will not affect anything. The only thing is that there is no Wi-Fi on the new router, so the settings will need to be changed a little.
(1) This is not required, as the VLANs are already captured under the VLAN interface list and thus the LAN list has no value: add interface=bridge list=LAN. Since you failed to provide firewall rules, you may need to change any interface lists with the word LAN to VLAN.
(2) Minor point, but I always add untagged to my /interface bridge vlan settings so that I can cross-check with the /interface bridge port settings.
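An added example (not from this thread or from either poster's config) of the bridge VLAN layout the replies above describe: the untagged column mirrors each access port's pvid so the two tables can be cross-checked, and the VLAN/MGMT/WAN interface lists are the ones the firewall rules later in the thread match on. Port names, VLAN IDs and addresses are assumed.

```routeros
# Added example, not the poster's config. Assumed: ether1 = WAN, ether2/ether3 = access ports,
# ether4 = management access port, ether5 = trunk to a future AP; VLAN IDs 10, 20, 99 are assumed.
# Run from a terminal in Safe Mode (Ctrl-X) so a mistake in the tables reverts instead of locking you out.
/interface bridge
add name=bridge vlan-filtering=no comment="enable vlan-filtering only after the tables below exist"

# Access ports: pvid sets the VLAN that untagged ingress frames are placed in.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=99
add bridge=bridge interface=ether5

# VLAN table: every port with pvid=N above must appear as untagged on vlan-ids=N here;
# the trunk and the bridge itself are tagged so the router's own VLAN interfaces see the traffic.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=99

# Router-side VLAN interfaces hang off the bridge, not off a physical port.
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=MGMT99 vlan-id=99

/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
add address=192.168.99.1/24 interface=MGMT99

# Interface lists the firewall rules match on (in-interface-list=VLAN / MGMT / WAN).
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=MGMT99 list=MGMT

# Cross-check before turning filtering on: pvid of each bridge port vs the untagged column.
/interface bridge port print where pvid!=1
/interface bridge vlan print
/interface bridge set bridge vlan-filtering=yes
```

The wlan entries from the hAP ac2 config simply have no counterpart here; when CAPsMAN APs are added later they plug into a tagged trunk port like ether5.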
Thanks for the replies. Yes, I should have clarified I will be changing the wlan interfaces since those will be on another device, not to mention the port configuration. I will spin up CAPsMAN when I get to that step as I add more APs.
For a bit of clarity, here are the firewall rules.
Your rules don't make much sense to me and so many basic rules are missing. If this is not a public IP facing router and you have one in between, then okay…
Here is a different, organized take on it…
These are duplicate and I don't understand them without the context of the rest of the config, but they seem out of place…
The only reason to let a local subnet access the INPUT CHAIN is to config the router; it is NOT needed to enter a VPN tunnel!! add action=accept chain=input comment="Allow VPN traffic" src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow VPN to forward" src-address=192.168.5.0/24??
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp { blocking ICMP is not helpful }
add action=accept chain=input dst-port=1194 log=yes log-prefix=_ovpn protocol=tcp src-port="" { assuming this is required currently for vpn to work ? }
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT Full Access" in-interface-list=MGMT
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else"
{Forward Chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
Without seeing the corresponding address list, I left these two rules out as I suspect they are not required. add action=drop chain=forward comment="CobaltStrike Block - Engress" src-address-list=CobaltStrike
add action=drop chain=forward comment="CobaltStrike - Block Ingress" dst-address-list=CobaltStrike??
Remember, with a drop-all rule, all traffic is blocked from WAN to LAN and thus you only have to worry about LAN to WAN traffic.
From the above, we allow subnet-to-internet traffic (VLAN to WAN) in the above rules. Do you have concerns about individual users in the VLANs having access to the internet???
I have the VPN rules as I do (not so much anymore) on occasion have to access it remotely, over a VPN tunnel. No firewall in front of it, and it is public facing. The network list is a block list, as per a requirement that was in place at one point. No concerns about VLANs, but at one point I did have some IoT devices that I was blocking access to WAN, and certain users when it was used as a DR site in my old job.
I will clean things up when I stand up the new router. My main concern was the VLAN config stuff as it tends to throw me off, and I do not keep up on best practices so to speak.
Understood, but more often than not one cannot speak to proper config in isolation, as the moving parts are integrated: bridge, firewall, routing etc…
Yes indeed. When I get the new config together I will share more detail; as always, I appreciate the input from committed MikroTik helpers like you, Anav. Thank you!
Please modify your response to the following…
"I appreciate the input from committed MikroTik helpers like you Anav."
a. No expert, that's for sure; I have just bumbled my way through many configs and have sorted a few things out, and actually know very little of MT or networking beyond a bare bones amount.
b. Committed because I should be in a white four-padded room, but yes, I do spend much time here.
c. Helping others out of their frustration and hopefully learning a few things along the way is the goal.
I would be remiss to point out that there are others here who I rely on to help out (keep me honest) and they are truly experts…sindy, sob, mkx, rextended, and others…too numerous to mention.
Where I fit in is relating to the common man (not an IT nerd LOL) and hopefully providing some digestible support.
hehe I can relate! I run MT gear in production in some high dollar deployments, yet I know so little about the tech behind what makes it all tick. But I still appreciate the input from others like you. I spend all day on Cisco gear, F5, A10 and other big dollar devices, but I still love and rely on MikroTik for most of my own needs.