New CCR2004 Config - Did I miss anything?

Hi All! First post here, I am not a total newbie to ROS but it is a complex (and satisfying!) beast to master.
I recently upgraded to a CCR2004, started over with fresh config and added VLANs in my home lab network.

Below is the “final” config; everything seems to be working. I am posting here to ask whether anyone more experienced can see any glaring security/config issues that I missed.

I am able to saturate my 2Gig google fiber connection with ~20% CPU which I think is within expected range on this hardware.

The only follow-up on my list currently is cleaning up the interface lists, as they are messy. While configuring I went back and forth on which lists should include the DMZ VLAN and which should not.

Also wanted to give a shout out to Wilmer Almazan’s channel on YouTube; no idea if he is active on the forums. His video tied all the concepts together for me so I could implement VLANs.


# 2024-06-08 16:00:08 by RouterOS 7.15
# software id = **ELIDED**
#
# model = CCR2004-16G-2S+
# serial number = **ELIDED**
#
# Review notes (added): export of a home-lab CCR2004 running one VLAN-filtering
# bridge with five VLANs (10 CLIENT, 20 WIFI, 30 SERVER, 40 DMZ, 99 MGMT), a
# WireGuard interface for remote access, a stateful input/forward firewall and
# a single dst-nat for Plex. An export lists only non-default values, so any
# setting that is absent from this file is presumably at its default.
/interface bridge
# Every VLAN hangs off this one bridge; vlan-filtering=yes makes the
# /interface bridge vlan table below authoritative for what each port carries.
add name=RouterBridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="FRACTAL IPMI"
set [ find default-name=ether2 ] comment="FRACTAL PROX MGMT"
set [ find default-name=ether3 ] comment="CRS310 MGMT"
set [ find default-name=ether4 ] comment="Jun Switch MGMT"
set [ find default-name=ether5 ] comment="Desktop Spare"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
# ether6 and ether16 are neither disabled nor commented here; see the bridge
# port notes below for what they are configured to carry.
set [ find default-name=sfp-sfpplus1 ] comment=WAN
set [ find default-name=sfp-sfpplus2 ] comment="CRS310 Switch"
/interface wireguard
# Remote-access tunnel. Peer public keys do not appear in this listing
# (presumably stripped before posting).
add listen-port=13231 mtu=1280 name=homeGuard
/interface vlan
# One L3 VLAN interface per VLAN on the bridge; these hold the gateway
# addresses and are what the interface lists and firewall rules refer to.
add interface=RouterBridge name=VLAN-10-CLIENT vlan-id=10
add interface=RouterBridge name=VLAN-20-WIFI vlan-id=20
add interface=RouterBridge name=VLAN-30-SERVER vlan-id=30
add interface=RouterBridge name=VLAN-40-DMZ vlan-id=40
add interface=RouterBridge name=VLAN-99-MGMT vlan-id=99
/interface list
# Internal = every routed segment including the DMZ; homeGuard is added to it
# directly under /interface list member. LANNoDMZ (populated there too) is
# Internal minus DMZ and minus homeGuard. The thread suggests collapsing all
# of this to WAN / LAN / MGMT.
add name=WAN
add name=LAN
add name=MGMT
add name=DMZ
add name=SERVER
add include=DMZ,LAN,MGMT,SERVER name=Internal
add name=LANNoDMZ
/ip pool
# MGMT-POOL starts at .15 and SERVER-POOL at .20, leaving room below the pool
# for static addresses; the other pools start at .2.
add name=MGMT-POOL ranges=10.218.99.15-10.218.99.254
add name=CLIENT-POOL ranges=10.218.10.2-10.218.10.254
add name=WIFI-POOL ranges=10.218.20.2-10.218.20.254
add name=SERVER-POOL ranges=10.218.30.20-10.218.30.254
add name=DMZ-POOL ranges=10.218.40.2-10.218.40.254
/ip dhcp-server
# One scope per VLAN, all with a 10-minute lease; static leases are elided below.
add address-pool=CLIENT-POOL interface=VLAN-10-CLIENT lease-time=10m name=\
    CLIENT-DHCP
add address-pool=WIFI-POOL interface=VLAN-20-WIFI lease-time=10m name=\
    WIFI-DHCP
add address-pool=SERVER-POOL interface=VLAN-30-SERVER lease-time=10m name=\
    SERVER-DHCP
add address-pool=DMZ-POOL interface=VLAN-40-DMZ lease-time=10m name=DMZ-DHCP
add address-pool=MGMT-POOL interface=VLAN-99-MGMT lease-time=10m name=\
    MGMT-DHCP
/port
set 0 name=serial0
set 1 name=serial1
/routing pimsm instance
# PIM-SM multicast routing; the interface-template near the end of the file
# binds this instance to VLAN-20-WIFI and VLAN-40-DMZ.
add disabled=no name=pimsm-instance1 vrf=main
/interface bridge port
# NOTE(review): sfp-sfpplus2 is a tagged member of every VLAN in the bridge
# vlan table but has no frame-types set, so unlike the other ports it still
# accepts untagged frames on its (unset, therefore default) pvid;
# admit-only-vlan-tagged would close that, as a reply in the thread points out.
# NOTE(review): ingress-filtering is not set explicitly on any port here; the
# same reply recommends ingress-filtering=yes on all of them so that a port
# drops tagged frames for VLANs it is not a member of.
add bridge=RouterBridge interface=sfp-sfpplus2
# ether1-ether6: untagged MGMT (VLAN 99) access ports.
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=99
# NOTE(review): ether6 gets pvid=99 but is not listed as untagged for
# vlan-ids=99 under /interface bridge vlan (only ether1-ether5 are), so with
# vlan-filtering=yes its traffic is not forwarded on VLAN 99 — confirm whether
# ether6 is meant to be a MGMT port and add it to that entry if so.
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=99
# ether16: tagged-only trunk carrying VLANs 10, 20 and 99 (not 30/40) per the
# bridge vlan table; it has no comment, so what is attached there is unclear.
add bridge=RouterBridge frame-types=admit-only-vlan-tagged interface=ether16
/ip firewall connection tracking
# Short UDP timeout keeps UDP entries in the connection table short-lived.
set udp-timeout=10s
/ipv6 settings
# IPv6 is fully disabled, so no IPv6 firewall is needed for this config.
set disable-ipv6=yes
/interface bridge vlan
# Per-VLAN membership. RouterBridge itself is tagged on every VLAN so the
# /interface vlan interfaces above can route; sfp-sfpplus2 is the trunk to the
# CRS310; ether16 carries 10/20/99 only; ether1-ether5 are untagged on 99.
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2,ether16 vlan-ids=10
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2,ether16 untagged=\
    ether1,ether2,ether3,ether4,ether5 vlan-ids=99
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2,ether16 vlan-ids=20
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2 vlan-ids=30
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2 vlan-ids=40
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=VLAN-99-MGMT list=MGMT
# The next four entries are disabled and redundant: these ports are untagged
# members of VLAN 99, so VLAN-99-MGMT already represents them. A reply in the
# thread suggests deleting them rather than keeping dead config around.
add disabled=yes interface=ether2 list=MGMT
add disabled=yes interface=ether3 list=MGMT
add disabled=yes interface=ether4 list=MGMT
add disabled=yes interface=ether5 list=MGMT
add interface=VLAN-10-CLIENT list=LAN
add interface=VLAN-20-WIFI list=LAN
add interface=VLAN-30-SERVER list=SERVER
add interface=VLAN-40-DMZ list=DMZ
# homeGuard is in Internal (so VPN peers match the "Internal" DNS/forward
# rules) but not in MGMT or LANNoDMZ.
add interface=homeGuard list=Internal
add interface=VLAN-10-CLIENT list=LANNoDMZ
add interface=VLAN-20-WIFI list=LANNoDMZ
add interface=VLAN-30-SERVER list=LANNoDMZ
add interface=VLAN-99-MGMT list=LANNoDMZ
/interface wireguard peers
# One /32 allowed-address per peer inside 10.219.0.0/24; peer2 has no comment.
add allowed-address=10.219.0.4/32 comment=IPAD interface=homeGuard name=peer3
add allowed-address=10.219.0.5/32 comment=MACBOOK interface=homeGuard name=\
    peer4
add allowed-address=10.219.0.3/32 interface=homeGuard name=peer2
/ip address
# The factory 192.168.88.1/24 is kept but disabled, on ether15 (itself disabled).
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether15 \
    network=192.168.88.0
add address=10.218.10.1/24 interface=VLAN-10-CLIENT network=10.218.10.0
add address=10.218.20.1/24 interface=VLAN-20-WIFI network=10.218.20.0
add address=10.218.30.1/24 interface=VLAN-30-SERVER network=10.218.30.0
add address=10.218.40.1/24 interface=VLAN-40-DMZ network=10.218.40.0
add address=10.218.99.1/24 interface=VLAN-99-MGMT network=10.218.99.0
add address=10.219.0.1/24 interface=homeGuard network=10.219.0.0
/ip cloud
# MikroTik cloud DDNS: publishes the router's WAN address under a DDNS name;
# the dst-nat discussion in the thread refers to this name.
set ddns-enabled=yes
/ip dhcp-client
# WAN address (and presumably upstream DNS servers) come from the ISP via DHCP
# on sfp-sfpplus1 — no static /ip dns servers appear in this export.
add interface=sfp-sfpplus1
/ip dhcp-server lease
**ELIDED**
/ip dhcp-server network
add address=10.218.10.0/24 gateway=10.218.10.1
add address=10.218.20.0/24 gateway=10.218.20.1
add address=10.218.30.0/24 gateway=10.218.30.1
add address=10.218.40.0/24 gateway=10.218.40.1
add address=10.218.99.0/24 gateway=10.218.99.1
/ip dns
# The router answers DNS for clients. Because the input chain below accepts
# udp/tcp 53 only from the Internal list and drops everything else, this does
# not turn it into an open resolver toward WAN.
set allow-remote-requests=yes
/ip firewall filter
# Input chain (traffic to the router itself), evaluated top-down:
# established/related accepted, invalid dropped, WireGuard handshake on
# udp/13231, full access from decrypted WireGuard and from MGMT, DNS from all
# internal segments, drop the rest.
add action=accept chain=input comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid
# No in-interface match: udp/13231 reaches the WireGuard listener from any
# interface, not only WAN.
add action=accept chain=input comment="Allow WireGuard from WAN" dst-port=\
    13231 protocol=udp
# NOTE(review): peers in 10.219.0.0/24 get the same unrestricted access to the
# router as MGMT; the rewrite in the thread narrows both to an "Authorized"
# address list.
add action=accept chain=input comment="Allow WireGuard Input" in-interface=\
    homeGuard src-address=10.219.0.0/24
add action=accept chain=input comment="Allow input from MGMT" \
    in-interface-list=MGMT
# Internal includes DMZ and homeGuard, so DMZ hosts and VPN peers may also
# resolve through the router.
add action=accept chain=input comment="Allow DNS from all internal" dst-port=\
    53 in-interface-list=Internal protocol=udp
add action=accept chain=input comment="Allow DNS from all internal" dst-port=\
    53 in-interface-list=Internal protocol=tcp
add action=drop chain=input comment="Drop all other Input"
# Forward chain. FastTrack short-circuits established/related flows
# (hw-offload where the hardware allows). connection-mark=!guard is meant to
# keep marked traffic out of the fast path, but no mangle rule assigning a
# "guard" mark appears in this export — if one was not simply left out, every
# connection satisfies !guard and nothing is excluded. TODO confirm.
add action=fasttrack-connection chain=forward comment="FAST TRACK FORWARD" \
    connection-mark=!guard connection-state=established,related,untracked \
    hw-offload=yes
add action=accept chain=forward comment="Forward Established and Tracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
# MGMT may reach every internal segment, DMZ included, without restriction.
add action=accept chain=forward comment="Allow MGMT to ALL Internal" \
    in-interface-list=MGMT out-interface-list=Internal
# NOTE(review): accepts any tcp/32400 arriving from WAN regardless of
# destination. The dst-nat rule further down rewrites the destination before
# the forward chain runs, so in practice only 10.218.40.3 is reached, but
# matching on connection-nat-state=dstnat (as the thread suggests) or on
# dst-address=10.218.40.3 is the tighter form.
add action=accept chain=forward comment="PLEX Forward to DMZ" dst-port=32400 \
    in-interface=sfp-sfpplus1 protocol=tcp
# Host-to-host exception from DMZ into SERVER for NFS; there is no protocol or
# port match, so it is any traffic between these two addresses.
add action=accept chain=forward comment="Allow DMZ Docker to access NFS" \
    dst-address=10.218.30.5 src-address=10.218.40.3
# NOTE(review): any device on WIFI may reach 10.218.10.6 on any protocol/port.
add action=accept chain=forward comment="Allow Apple Tv from WIFI" \
    dst-address=10.218.10.6 in-interface=VLAN-20-WIFI
# Redundant with "Allow Internal Clients to Plex DMZ" two rules below, assuming
# 10.218.10.6 sits on VLAN-10-CLIENT (its address is in that VLAN's /24),
# since VLAN-10-CLIENT is in LANNoDMZ; the thread drops this rule.
add action=accept chain=forward comment="Allow Apple Tv to reach Plex DMZ" \
    dst-address=10.218.40.3 src-address=10.218.10.6
add action=accept chain=forward comment="Allow Internal Clients to Plex DMZ" \
    dst-address=10.218.40.3 in-interface-list=LANNoDMZ
# WireGuard peers may reach every internal segment and the internet.
add action=accept chain=forward comment="WireGuard to LAN" in-interface=\
    homeGuard out-interface-list=Internal
add action=accept chain=forward comment="WireGuard to LAN" in-interface=\
    homeGuard out-interface-list=WAN
# DMZ is in Internal, so the exposed Plex host may also open outbound
# connections to WAN.
add action=accept chain=forward comment="Allow internal clients to internet" \
    connection-state=new in-interface-list=Internal out-interface-list=WAN
# connection-state="" is an empty matcher, so this is an unconditional drop.
add action=drop chain=forward comment="Drop All Other Forward" \
    connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# NOTE(review): matches only on in-interface=sfp-sfpplus1, which is right for
# external users; LAN clients that use the public/DDNS name instead of
# 10.218.40.3 would not hit this rule (the hairpin case discussed in the
# thread, which proposes matching on a dst-address-list of the WAN address).
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp-sfpplus1 \
    protocol=tcp to-addresses=10.218.40.3 to-ports=32400
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
# Plaintext and unneeded management services disabled. Services not listed
# here (ssh, winbox, www-ssl) are presumably at their defaults, and none has an
# address= restriction, so the input chain above is what limits who can reach
# them.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing pimsm interface-template
# PIM-SM on WIFI and DMZ with source-addresses=10.218.20.6; what that host
# is and why multicast spans these two VLANs is not explained in the export.
add disabled=no instance=pimsm-instance1 interfaces=VLAN-20-WIFI,VLAN-40-DMZ \
    source-addresses=10.218.20.6
/system clock
set time-zone-name=America/Denver
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
# Bandwidth-test server off.
set enabled=no
/tool mac-server
# MAC-telnet limited to MGMT; a reply in the thread suggests NONE here (keeping
# mac-winbox on MGMT) and also restricting /ip neighbor discovery-settings to
# MGMT — neighbor discovery is not in this export, so it is at its default.
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

Wilmer is decent; we usually point people to: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Missing frame-types on this bridge port:
add bridge=RouterBridge interface=sfp-sfpplus2

Missing ingress-filtering=yes on ALL the bridge ports.

Missing an interface bridge vlan entry for ether6 on vlan-id=99??

Not required (already covered by membership in VLAN 99 — I realize they are disabled, but why keep dead code lying around? Get rid of it):
add disabled=yes interface=ether2 list=MGMT
add disabled=yes interface=ether3 list=MGMT
add disabled=yes interface=ether4 list=MGMT
add disabled=yes interface=ether5 list=MGMT

I would simplify to the following (need to see the firewall rules first … in progress):

/interface list
add name=WAN
add name=LAN
add name=MGMT

/interface list member
add interface=sfp-sfpplus1 list=WAN

add interface=VLAN-99-MGMT list=MGMT
add interface=homeGuard list=MGMT

add interface=VLAN-10-CLIENT list=LAN
add interface=VLAN-20-WIFI list=LAN
add interface=VLAN-30-SERVER list=LAN
add interface=VLAN-40-DMZ list=LAN
add interface=VLAN-99-MGMT list=LAN
add interface=homeGuard list=LAN

Firewall rules to match:

/ip firewall address-list ( I put in subnets for expediency but you could use the individual IPs - specific wireguard admin IPs, and specific admin vlan99 IPs static dhcp lease )
add address=10.218.99.0/24 list=Authorized
add address=10.219.0.0/24 list=Authorized

/ip firewall filter
{default rules to keep}
add action=accept chain=input comment=“Accept established, related”
connection-state=established,related**,untracked**
add action=drop chain=input comment=“Drop invalid input” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp

{admin rules}
add action=accept chain=input comment=“WireGuard handshake” dst-port=13231 protocol=udp
add action=accept chain=input comment=“Admin access” in-interface-list=MGMT src-address**=Authorized**
add action=accept chain=input comment=“Allow users to DNS” dst-port=
53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow users to DNS” dst-port=
53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“Drop all other Input”

++++++++++++++++++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“Forward Established,Tracked and Untracked
connection-state=established,related**,untracked**
add action=drop chain=forward comment=“Drop invalid forward”
connection-state=invalid

{admin rules}
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow MGMT to All VLANS
in-interface-list=MGMT out-interface-list=LAN src-address=Authorized
add action=accept chain=forward comment=“Allow DMZ Docker to access NFS”
dst-address=10.218.30.5 src-address=10.218.40.3
add action=accept chain=forward comment=“Allow Apple Tv from WIFI”
dst-address=10.218.10.6 in-interface=VLAN-20-WIFI
add action=accept chain=forward comment=“Allow LAN to Plex DMZ”
dst-address=10.218.40.3 in-interface-list=LAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop All Other Forward”



YOU WILL NOTE I have completely removed the LANNoDMZ interface list and the Apple TV-to-Plex rule as not required.
Let's review the logic.
a. You created an interface list to exclude the DMZ VLAN.
b. You have a Plex server on the DMZ that you allow the Apple TV to access.
c. Then you have an illogical rule: only allow the non-DMZ VLANs to reach the DMZ VLAN. FOR WHAT POINT?
The Plex VLAN already has access to its own subnet via layer 2, so you are not really excluding anybody, and it's a waste of a rule.

As soon as you realize that it's simple to let the LAN access the Plex DMZ, there is no need for a separate Apple TV-to-Plex rule, because it's already
included in the LAN allow rule (or, as you had originally, LANNoDMZ!).

This rule is a DSTNAT rule and should not be in the forward chain, thus removed. I included the single forward rule needed for all port forwards to work; individual port-forwarding rules belong in /ip firewall nat. You also have a mostly correct dstnat rule already in place.
add action=accept chain=forward comment=“PLEX Forward to DMZ” dst-port=32400
in-interface=sfp-sfpplus1 protocol=tcp

Destination NAT RULE…
If all your DSTNAT traffic comes from external users, the dstnat rule works. Likewise if all your LAN users use the direct LAN IP of the Plex server. However, if any of your users on the VLANs access the server by the DynDNS URL (or my netname), then it needs to change to:

WHERE
/ip firewall address-list
add address=DYNDNS URL or my netname list=MyWAN

add action=dst-nat chain=dstnat dst-port=32400 dst-address-list=MyWAN
protocol=tcp to-addresses=10.218.40.3 to-ports=32400

ADD:
/ip neighbor discovery-settings
set discover-interface-list=MGMT

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Thanks very much Anav, I have edited the firewall rules to reflect this.

Is there any issue with allowing ICMP to the router from WAN? My thought process was that not being pingable increases security, as I am then not visible as a host on the internet (except for the Plex port 32400, so maybe ICMP doesn’t matter with that exposed).

No, there is no issue, and it's included in the MT default rules.
In fact, it's quite handy for testing various things, and in some cases it is used by the router itself.