More DHCP servers for different networks

apitsos · November 29, 2022, 6:37pm

Hi there,

I have the following problem to solve. I want to have two different networks in order to provide a completely different subnet on guest wireless. Our MikroTik router is a CCR1016-12S-1S+ and the wireless network is consisted by a TP-Link Omada OC200 Wi-Fi controller and 7x TP-Link EAP245 Wi-Fi Access Points.

here is the configuration. Currently there are 4 physical ports on the Mikrotik firewall that are member of a bridge, called “LAN-Bridge” and they are connected to 4 switches (in different floors of the building), via fiber optic cables and SFP Transceivers. I also have created two VLAN interfaces under Bridge ports, the vlan1 and vlan4, trying to handle the two different DHCP servers/subnets/pools, configured also in Mikrotik.

In the TP-Link controller I have created two Wi-Fi networks. The first one works fine, as it utilizes the VLAN 1, which is the default one, but the second one, which is configured on VLAN 4 is not retrieving IPs. I have to note that the switch ports where the Access Points and the Controller are trunked already, because the same setup was before with another router which is recently replaced by the Mikrotik.

I searched the Forums and I could find this post (http://forum.mikrotik.com/t/how-to-run-several-dhcps-over-vlans/110201/1), but it didn’t really help me, as there was a mess, when tried to assign the IP on the vlan1, instead of the “LAN-Bridge”.

I don’t know how could I make trunk on the ports or on the Bridge, in order to allow traffic on both VLANs and have the 4 physical ports on a bridge, where two different DHCP servers would be able to assign IPs, based on the VLAN.

I would appreciate here any help from anyone who has understood the case and has the experience to provide me accurate information or sample of configuration, in order to understand how should I configure this router.

Thanks a lot in advance all that will be bothered to give me an answer.

With kind regards,
Angelos Pitsos

sindy · November 29, 2022, 7:18pm

A quick guess is that you haven’t completely grasped the VLAN settings in RouterOS yet and there is a missing step. But to know for sure, we need to see the export of your router configuration (see my automatic signature for a hint). It is also a good idea to remove the serial number and eventual login names to services before posting the export.

apitsos · November 29, 2022, 7:49pm

Hi @sindy!

Thanks a lot for your answer. Here is my configuration. I believe there are some scraps in it, just ignore them.

# nov/29/2022 20:39:45 by RouterOS 7.6
# software id = EKRJ-1W8Q
#
# model = CCR1016-12S-1S+
# serial number = XXXXXXXXXXX
/interface bridge
add arp=proxy-arp name=LAN-Bridge
add arp=proxy-arp name=br16
/interface ethernet
set [ find default-name=sfp1 ] name="sfp1 (WAN)"
set [ find default-name=sfp2 ] disabled=yes name="sfp2 (WAN-LTE)"
set [ find default-name=sfp3 ] name="sfp3 (LAN1)"
set [ find default-name=sfp4 ] name="sfp4 (LAN2)"
set [ find default-name=sfp5 ] name="sfp5 (LAN3)"
set [ find default-name=sfp6 ] name="sfp6 (LAN4)"
set [ find default-name=sfp12 ] name="sfp12 (Management)"
/interface pppoe-client
add add-default-route=yes disabled=no interface="sfp1 (WAN)" name=\
    XXX user=XXX@XXX.XX
/interface wireguard
add listen-port=51922 mtu=1420 name=wireguard-XXX-XX
/interface vlan
add interface=LAN-Bridge name=eth2-vl16 vlan-id=4
add interface=LAN-Bridge name=vlan1 vlan-id=1
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Subnet 192.168.1.0/24" name=dhcp ranges=\
    192.168.1.120-192.168.1.239
add comment="Subnet 192.168.2.0/24" name=WLAN-GUEST-DCHP ranges=\
    192.168.2.10-192.168.2.250
add comment="Subnet 192.168.5.0/24 (VPN)" name=VPN-Pool ranges=\
    192.168.5.2-192.168.5.250
add name=vl16 ranges=192.168.16.10-192.168.16.249
/ip dhcp-server
add address-pool=dhcp interface=LAN-Bridge name=192.168.1.120-239
add address-pool=vl16 interface=br16 name=vl16
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=192.168.1.2 local-address=192.168.5.1 name=VPN remote-address=\
    VPN-Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=LAN-Bridge interface="sfp3 (LAN1)"
add bridge=LAN-Bridge interface="sfp4 (LAN2)"
add bridge=LAN-Bridge interface="sfp5 (LAN3)"
add bridge=LAN-Bridge interface="sfp6 (LAN4)"
add bridge=LAN-Bridge interface=vlan1
add bridge=LAN-Bridge disabled=yes interface=*11 pvid=4
add bridge=LAN-Bridge interface=eth2-vl16
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=LAN-Bridge tagged=*11 vlan-ids=4
add bridge=LAN-Bridge tagged=*12 vlan-ids=5
add bridge=LAN-Bridge vlan-ids=1
/interface list member
add interface=LAN-Bridge list=LAN
add interface="sfp1 (WAN)" list=WAN
add interface=XX-XXX list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set authentication=mschap2 certificate=XXX-XX-FW01 default-profile=VPN pfs=\
    yes
/interface wireguard peers
add allowed-address=192.168.5.2/32 comment="0001 (XXX XXX)" interface=\
    wireguard-XXX-XX public-key=\
    "XXXXXXXX"
add allowed-address=192.168.5.253/32 comment="0252 (XXXX01)" interface=\
    wireguard-XXX-XX public-key=\
    "XXXXXXXX"
add allowed-address=192.168.5.3/32 comment="0002 (XXX XXX)" \
    interface=wireguard-XXX-XX public-key=\
    "XXXXXXXX"
/ip address
add address=192.168.178.22/24 comment=WAN-LTE interface="sfp2 (WAN-LTE)" \
    network=192.168.178.0
add address=192.168.90.1/24 comment=Management interface="sfp12 (Management)" \
    network=192.168.90.0
add address=192.168.1.24/24 comment=LAN interface=LAN-Bridge network=\
    192.168.1.0
add address=192.168.2.1/24 interface=*11 network=192.168.2.0
add address=192.168.5.1/24 comment=VPN disabled=yes interface=LAN-Bridge \
    network=192.168.5.0
add address=192.168.5.1/24 interface=wireguard-XXX-XX network=192.168.5.0
add address=192.168.16.1/24 interface=eth2-vl16 network=192.168.16.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add interface="sfp2 (WAN-LTE)"
add interface=sfpplus1
/ip dhcp-server
add address-pool=WLAN-GUEST-DCHP interface=*11 name=192.168.2.0/24
/ip dhcp-server lease
add address=192.168.1.220 client-id=1:90:9:d0:18:bb:29 mac-address=\
    90:09:D0:18:BB:29 server=192.168.1.120-239
add address=192.168.1.230 client-id=1:90:9:d0:18:bb:34 mac-address=\
    90:09:D0:18:BB:34 server=192.168.1.120-239
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 domain=XXXXXXX.local \
    gateway=192.168.1.24 wins-server=192.168.1.2
add address=192.168.2.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.2.1
add address=192.168.16.0/21 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.16.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=XX.XXXXXXXXXX.XX list=Authorized_IPs
add address=192.168.1.0/24 list=Internal_Networks
add address=192.168.2.0/24 list=Internal_Networks
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
    connection-state=established
add action=accept chain=input comment="Allow related connections" \
    connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment=\
    "Access WebFig & WinBox Management interface" dst-address=192.168.90.1 \
    dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
    "Access WebFig & WinBox LAN interface list" dst-address=192.168.1.24 \
    dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
    "Access Webfig & WinBox on any interface from Authorized IPs" dst-port=\
    80,443,8291 protocol=tcp src-address-list=Authorized_IPs
add action=accept chain=input comment="Access SSTP connections from WAN" \
    dst-port=443 log=yes log-prefix=SSTP-Input protocol=tcp
add action=accept chain=input comment="Custom SSH port for secure shell" \
    dst-address=192.168.1.24 dst-port=2202 protocol=tcp
add action=accept chain=input comment="Allow local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Access Wireguard VPN" dst-port=51922 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block DNS request from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop any TCP port left OPEN" protocol=\
    tcp
add action=drop chain=input comment="Drop any UDP port left OPEN" protocol=\
    udp
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established
add action=accept chain=forward comment="Allow related connections" \
    connection-state=related
add action=accept chain=forward comment="Allow all inbound traffic from VPN su\
    bnet (192.168.5.0/24) to LAN-Bridge (192.168.1.0/24)" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow all inbound traffic from LAN-Br\
    idge (192.168.1.0/24) to VPN subnet (192.168.5.0/24)" disabled=yes \
    dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid log=yes log-prefix=Drop-invalid-Input
add action=drop chain=forward comment="Block Bogon IP Addresses" src-address=\
    0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=accept chain=forward comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=forward comment="Drop excess pings" protocol=icmp
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 Web Surfing (HTTP & HTTPS)" dst-address=\
    0.0.0.0/0 dst-port=80,443 protocol=tcp src-address-list=Internal_Networks
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 DNS & NTP (TCP)" dst-address=0.0.0.0/0 \
    dst-port=53,123 protocol=tcp src-address-list=Internal_Networks
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 DNS & NTP (UDP)" dst-address=0.0.0.0/0 \
    dst-port=53,123 protocol=udp src-address-list=Internal_Networks
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 Email communication" dst-address=0.0.0.0/0 \
    dst-port=465,587,25,993,995,110,143 protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=0.0.0.0/0 dst-port=25 protocol=\
    udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow FTP connections" dst-address=\
    0.0.0.0/0 dst-port=20,21,990,6000-6100 protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward comment=\
    "Allow 3CX SBC communicating with our hosted 3CX PBX" dst-address=\
    XXX.XXX.XXX.XXX dst-port=5090,5001 protocol=tcp
add action=accept chain=forward dst-address=XXX.XXX.XXX.XXX dst-port=5090 \
    protocol=udp
add action=accept chain=forward comment=\
    "Allow 3CX Web Clients communicating with our hosted 3CX PBX" \
    dst-address=XXX.XXX.XXX.XXX dst-port=9000-10999 protocol=udp
add action=accept chain=forward comment="Allow 3CX Tunnels" dst-port=\
    5090,5001 protocol=tcp
add action=accept chain=forward dst-port=5090 protocol=udp
add action=accept chain=forward comment="Allow Speedtest" dst-port=8080 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow HBCI chip card" dst-port=3000 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow WhatsApp calls" dst-port=\
    5222,5223 log-prefix=WhatApp-Calls protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-port=3478 log-prefix=WhatApp-Calls \
    protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow Wi-Fi calling" dst-port=\
    500,4500,16384-49327 log-prefix=WiFi-Calling protocol=udp
add action=accept chain=forward comment="Allow custom RDP for Angelos" \
    dst-port=25581 protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all outbound traffic" \
    dst-address=0.0.0.0/0 log-prefix=Drop-All-Outbound src-address=\
    192.168.1.0/24
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.1.0/24" \
    ipsec-policy=out,none out-interface=XX-XXXXXX src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.2.0/24" \
    ipsec-policy=out,none out-interface=XX-XXXXXX src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.3.0/24" \
    ipsec-policy=out,none out-interface=XX-XXXXXX src-address=\
    192.168.3.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.4.0/24" \
    ipsec-policy=out,none out-interface=XX-XXXXXX src-address=\
    192.168.4.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.5.0/24" \
    ipsec-policy=out,none src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="masquerade for all networks" \
    ipsec-policy=out,none
add action=masquerade chain=srcnat disabled=yes out-interface=\
    "sfp2 (WAN-LTE)"
add action=netmap chain=dstnat dst-address=192.168.1.0/24 src-address=\
    192.168.5.0/24 to-addresses=192.168.1.0/24
add action=dst-nat chain=dstnat comment=\
    "RDP_PC-IT-Werkstatt from Authorized_IPs" dst-port=34350 in-interface=\
    XX-XXXXXX log=yes log-prefix=RDP_PC-IT-Werkstatt_Public protocol=tcp \
    src-address-list=Authorized_IPs to-addresses=192.168.1.204 to-ports=3389
add action=dst-nat chain=dstnat comment=ownCloud dst-address=85.220.191.10 \
    dst-port=80 log=yes log-prefix=ownCloud protocol=tcp to-addresses=\
    192.168.1.237 to-ports=80
add action=dst-nat chain=dstnat comment=ownCloud dst-address=85.220.191.10 \
    dst-port=443 log=yes log-prefix=ownCloud protocol=tcp to-addresses=\
    192.168.1.237 to-ports=443
add action=dst-nat chain=dstnat comment="SSH to ownCloud" dst-port=2202 \
    in-interface-list=WAN log=yes log-prefix=ownCloud protocol=tcp \
    to-addresses=192.168.1.237 to-ports=22
/ip route
add comment="WAN (LTE)" disabled=yes distance=2 dst-address=0.0.0.0/0 \
    gateway=192.168.178.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2202
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set sfpplus1 disabled=yes
set sfp7 disabled=yes
set sfp8 disabled=yes
set sfp9 disabled=yes
set sfp10 disabled=yes
set sfp11 disabled=yes
/ppp secret
add disabled=yes name=XXXXXXXX profile=VPN service=sstp
add disabled=yes name=XXXX01 profile=VPN service=sstp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=XXX-XX-FW01
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org

sindy · November 29, 2022, 7:55pm

/interface bridge vlan remove [find where vlan-ids=5]
/interface bridge vlan set [find where vlan-ids=4] tagged=LAN-Bridge,sfp3,sfp4,sfp5,sfp6

sindy · November 29, 2022, 8:01pm

And then, attach the IP address and DHCP server to the vlan interface eth2-vl16 (which I would rename to LAN-Bridge.guest.4) instead of *11 (which stands for a removed interface).

apitsos · November 29, 2022, 10:43pm

Hi @sindy,

I would like to thank you very much for your support. As I said previously, there were such a lot of garbage in my configuration, because I tried the example of the other guy (the link I put on my first post). Therefore I was very confused and I couldn’t get what you suggested, because your suggestion was most probably based on interfaces that were not mine.

For this reason, I would kindly ask you to check again my request, based on the below configuration and let me know what is needed to be done.

# nov/29/2022 23:30:08 by RouterOS 7.6
# software id = EKRJ-1W8Q
#
# model = CCR1016-12S-1S+
# serial number = XXXXXXXXXXX
/interface bridge
add arp=proxy-arp name=LAN-Bridge
/interface ethernet
set [ find default-name=sfp1 ] name="sfp1 (WAN)"
set [ find default-name=sfp2 ] disabled=yes name="sfp2 (WAN-LTE)"
set [ find default-name=sfp3 ] name="sfp3 (LAN1)"
set [ find default-name=sfp4 ] name="sfp4 (LAN2)"
set [ find default-name=sfp5 ] name="sfp5 (LAN3)"
set [ find default-name=sfp6 ] name="sfp6 (LAN4)"
set [ find default-name=sfp12 ] name="sfp12 (Management)"
/interface pppoe-client
add add-default-route=yes disabled=no interface="sfp1 (WAN)" name=\
    MK-XXXXXXXXXXX user=XXXXXXXXXXX@XXXX.XX
/interface wireguard
add listen-port=51922 mtu=1420 name=wireguard-XXX-XX
/interface vlan
add interface=LAN-Bridge name=vlan1 vlan-id=1
add interface=LAN-Bridge name=vlan4 vlan-id=4
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Subnet 192.168.1.0/24" name=dhcp ranges=\
    192.168.1.120-192.168.1.239
add comment="Subnet 192.168.2.0/24" name=WLAN-GUEST-DCHP ranges=\
    192.168.2.10-192.168.2.250
add comment="Subnet 192.168.5.0/24 (VPN)" name=VPN-Pool ranges=\
    192.168.5.2-192.168.5.250
add name=vl16 ranges=192.168.16.10-192.168.16.249
/ip dhcp-server
add address-pool=dhcp interface=LAN-Bridge name=192.168.1.120-239
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=192.168.1.2 local-address=192.168.5.1 name=VPN remote-address=\
    VPN-Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=LAN-Bridge interface="sfp3 (LAN1)"
add bridge=LAN-Bridge interface="sfp4 (LAN2)"
add bridge=LAN-Bridge interface="sfp5 (LAN3)"
add bridge=LAN-Bridge interface="sfp6 (LAN4)"
add bridge=LAN-Bridge interface=vlan1
add bridge=LAN-Bridge interface=vlan4 pvid=4
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=LAN-Bridge tagged=\
    "LAN-Bridge,sfp3 (LAN1),sfp4 (LAN2),sfp5 (LAN3),sfp6 (LAN4)" vlan-ids=4
add bridge=LAN-Bridge vlan-ids=1
/interface list member
add interface=LAN-Bridge list=LAN
add interface="sfp1 (WAN)" list=WAN
add interface=MK-XXXXXXXXXXX list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set authentication=mschap2 certificate=XXX-XX-FW01 default-profile=VPN pfs=\
    yes
/interface wireguard peers
add allowed-address=192.168.5.2/32 comment="0001 (Angelos Pitsos)" interface=\
    wireguard-XXX-XX public-key=\
    "XXXXXXXX"
add allowed-address=192.168.5.253/32 comment="0252 (Test01)" interface=\
    wireguard-XXX-XX public-key=\
    "XXXXXXXX"
add allowed-address=192.168.5.3/32 comment="0002 (Raffaela Steiner)" \
    interface=wireguard-XXX-XX public-key=\
    "XXXXXXXX"
/ip address
add address=192.168.178.22/24 comment=WAN-LTE interface="sfp2 (WAN-LTE)" \
    network=192.168.178.0
add address=192.168.90.1/24 comment=Management interface="sfp12 (Management)" \
    network=192.168.90.0
add address=192.168.1.24/24 comment=LAN interface=LAN-Bridge network=\
    192.168.1.0
add address=192.168.2.1/24 interface=*11 network=192.168.2.0
add address=192.168.5.1/24 comment=VPN disabled=yes interface=LAN-Bridge \
    network=192.168.5.0
add address=192.168.5.1/24 interface=wireguard-XXX-XX network=192.168.5.0
add address=192.168.16.1/24 interface=vlan4 network=192.168.16.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add interface="sfp2 (WAN-LTE)"
add interface=sfpplus1
/ip dhcp-server
add address-pool=WLAN-GUEST-DCHP interface=*11 name=192.168.2.0/24
/ip dhcp-server lease
add address=192.168.1.220 client-id=1:90:9:d0:18:bb:29 mac-address=\
    XX:XX:XX:XX:XX:XX server=192.168.1.120-239
add address=192.168.1.230 client-id=1:90:9:d0:18:bb:34 mac-address=\
    XX:XX:XX:XX:XX:XX server=192.168.1.120-239
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 domain=xxxxxxx.local \
    gateway=192.168.1.24 wins-server=192.168.1.2
add address=192.168.2.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.2.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=hq.planettechnologies.eu list=Authorized_IPs
add address=192.168.1.0/24 list=Internal_Networks
add address=192.168.2.0/24 list=Internal_Networks
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
    connection-state=established
add action=accept chain=input comment="Allow related connections" \
    connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment=\
    "Access WebFig & WinBox Management interface" dst-address=192.168.90.1 \
    dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
    "Access WebFig & WinBox LAN interface list" dst-address=192.168.1.24 \
    dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
    "Access Webfig & WinBox on any interface from Authorized IPs" dst-port=\
    80,443,8291 protocol=tcp src-address-list=Authorized_IPs
add action=accept chain=input comment="Access SSTP connections from WAN" \
    dst-port=443 log=yes log-prefix=SSTP-Input protocol=tcp
add action=accept chain=input comment="Custom SSH port for secure shell" \
    dst-address=192.168.1.24 dst-port=2202 protocol=tcp
add action=accept chain=input comment="Allow local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Access Wireguard VPN" dst-port=51922 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block DNS request from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop any TCP port left OPEN" protocol=\
    tcp
add action=drop chain=input comment="Drop any UDP port left OPEN" protocol=\
    udp
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established
add action=accept chain=forward comment="Allow related connections" \
    connection-state=related
add action=accept chain=forward comment="Allow all inbound traffic from VPN su\
    bnet (192.168.5.0/24) to LAN-Bridge (192.168.1.0/24)" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow all inbound traffic from LAN-Br\
    idge (192.168.1.0/24) to VPN subnet (192.168.5.0/24)" disabled=yes \
    dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid log=yes log-prefix=Drop-invalid-Input
add action=drop chain=forward comment="Block Bogon IP Addresses" src-address=\
    0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=accept chain=forward comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=forward comment="Drop excess pings" protocol=icmp
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 Web Surfing (HTTP & HTTPS)" dst-address=\
    0.0.0.0/0 dst-port=80,443 protocol=tcp src-address-list=Internal_Networks
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 DNS & NTP (TCP)" dst-address=0.0.0.0/0 \
    dst-port=53,123 protocol=tcp src-address-list=Internal_Networks
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 DNS & NTP (UDP)" dst-address=0.0.0.0/0 \
    dst-port=53,123 protocol=udp src-address-list=Internal_Networks
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 Email communication" dst-address=0.0.0.0/0 \
    dst-port=465,587,25,993,995,110,143 protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=0.0.0.0/0 dst-port=25 protocol=\
    udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow FTP connections" dst-address=\
    0.0.0.0/0 dst-port=20,21,990,6000-6100 protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward comment=\
    "Allow 3CX SBC communicating with our hosted 3CX PBX" dst-address=\
    XXX.XXX.XXX.XXX dst-port=5090,5001 protocol=tcp
add action=accept chain=forward dst-address=XXX.XXX.XXX.XXX dst-port=5090 \
    protocol=udp
add action=accept chain=forward comment=\
    "Allow 3CX Web Clients communicating with our hosted 3CX PBX" \
    dst-address=XXX.XXX.XXX.XXX dst-port=9000-10999 protocol=udp
add action=accept chain=forward comment="Allow 3CX Tunnels" dst-port=\
    5090,5001 protocol=tcp
add action=accept chain=forward dst-port=5090 protocol=udp
add action=accept chain=forward comment="Allow Speedtest" dst-port=8080 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow HBCI chip card" dst-port=3000 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow WhatsApp calls" dst-port=\
    5222,5223 log-prefix=WhatApp-Calls protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-port=3478 log-prefix=WhatApp-Calls \
    protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow Wi-Fi calling" dst-port=\
    500,4500,16384-49327 log-prefix=WiFi-Calling protocol=udp
add action=accept chain=forward comment="Allow custom RDP for Angelos" \
    dst-port=25581 protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all outbound traffic" \
    dst-address=0.0.0.0/0 log-prefix=Drop-All-Outbound src-address=\
    192.168.1.0/24
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.1.0/24" \
    ipsec-policy=out,none out-interface=MK-XXXXXXXXXXX src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.2.0/24" \
    ipsec-policy=out,none out-interface=MK-XXXXXXXXXXX src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.3.0/24" \
    ipsec-policy=out,none out-interface=MK-XXXXXXXXXXX src-address=\
    192.168.3.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.4.0/24" \
    ipsec-policy=out,none out-interface=MK-XXXXXXXXXXX src-address=\
    192.168.4.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.5.0/24" \
    ipsec-policy=out,none src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="masquerade for all networks" \
    ipsec-policy=out,none
add action=masquerade chain=srcnat disabled=yes out-interface=\
    "sfp2 (WAN-LTE)"
add action=netmap chain=dstnat dst-address=192.168.1.0/24 src-address=\
    192.168.5.0/24 to-addresses=192.168.1.0/24
add action=dst-nat chain=dstnat comment=\
    "RDP_PC-IT-Werkstatt from Authorized_IPs" dst-port=34350 in-interface=\
    MK-XXXXXXXXXXX log=yes log-prefix=RDP_PC-IT-Werkstatt_Public protocol=tcp \
    src-address-list=Authorized_IPs to-addresses=192.168.1.166 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP_XXX-XX-HV02 from Authorized_IPs" \
    dst-port=34351 in-interface=MK-XXXXXXXXXXX log=yes log-prefix=\
    RDP_XXX-XX-HV02 protocol=tcp src-address-list=Authorized_IPs \
    to-addresses=192.168.1.5 to-ports=3389
add action=dst-nat chain=dstnat comment=ownCloud dst-address=85.220.191.10 \
    dst-port=80 log=yes log-prefix=ownCloud protocol=tcp to-addresses=\
    192.168.1.237 to-ports=80
add action=dst-nat chain=dstnat comment=ownCloud dst-address=85.220.191.10 \
    dst-port=443 log=yes log-prefix=ownCloud protocol=tcp to-addresses=\
    192.168.1.237 to-ports=443
add action=dst-nat chain=dstnat comment="SSH to ownCloud" dst-port=2202 \
    in-interface-list=WAN log=yes log-prefix=ownCloud protocol=tcp \
    to-addresses=192.168.1.237 to-ports=22
/ip route
add comment="WAN (LTE)" disabled=yes distance=2 dst-address=0.0.0.0/0 \
    gateway=192.168.178.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2202
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set sfpplus1 disabled=yes
set sfp7 disabled=yes
set sfp8 disabled=yes
set sfp9 disabled=yes
set sfp10 disabled=yes
set sfp11 disabled=yes
/ppp secret
add disabled=yes name=apitsos profile=VPN service=sstp
add disabled=yes name=test01 profile=VPN service=sstp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=XXX-XX-FW01
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org

But please note that I am getting now a red entry in DHCP server. Not sure why that happened. It wasn’t like that before.

Thank you very much in advance for your time. It is much appreciated.

With kind regards,
Angelos Pitsos

sindy · November 30, 2022, 11:47am

This may help understand the bridge settings.

apitsos · November 30, 2022, 3:20pm

Hi Sindy!

Thanks a lot for the tip. I will need some time to check all these and I will come back in case I need further assistance.

I appreciate much your help.

With kind regards,
Angelos Pitsos

apitsos · December 5, 2022, 9:50pm

Hello!

I finally managed to fix the problem. The problem was finally in the switches and not in the router. The switches were configured with having trunk ports on VLAN 4 that I wanted, but unfortunately the uplink ports were not configured with the correct VLAN IDs.

I would like to thank you very much Sindy for the help you provided!

With kind regards,
Angelos Pitsos