Hello,
I’m trying to upgrade to ROS 7 and migrate my ROS 6 settings, I set up successfully (I think) the new network because it’s working, but could someone criticize my setting, what could be better or more efficient.
Hardware:
1 router (RB5009)
1 cap (hap ax2)
1 server (linux)
Idea:
- Create 3 separate networks (LAN, SERVER, GUEST)
LAN: for all local host in household
SERVER: this is a test server with VPN (VPN configured in linux not in ROS, so it’s only be needed to isolate from LAN)
GUEST: simple isolated guest network, only need to access to internet - Setup Wifi Wave2 with CAPsMAN (now only one CAP is connected, but I have 5 for roaming)
Settings:
# RouterOS 7.10.2
# model = RB5009UG+S+
/interface bridge
add ingress-filtering=no name=DEFAULT-BRIDGE vlan-filtering=yes
/interface vlan
add interface=DEFAULT-BRIDGE name=vlan10 vlan-id=10
add interface=DEFAULT-BRIDGE name=vlan20 vlan-id=20
add interface=DEFAULT-BRIDGE name=vlan30 vlan-id=30
/interface wifiwave2 channel
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz
/interface wifiwave2 datapath
add disabled=no name=VLAN10 vlan-id=10
add disabled=no name=VLAN30 vlan-id=30
/interface wifiwave2 security
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable
/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=HOME-5GHz
add country="United States" datapath=VLAN10 disabled=no name=HOME-2GHz security=WPA2 ssid=HOME-2GHz
add country="United States" datapath=VLAN30 disabled=no name=GUEST security=WPA2 GUEST ssid=GUEST
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=DEFAULT-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp2
add address-pool=dhcp_pool2 interface=vlan20 name=dhcp3
add address-pool=dhcp_pool3 interface=vlan30 name=dhcp4
/interface bridge port
add bridge=DEFAULT-BRIDGE interface=sfp-sfpplus1
add bridge=DEFAULT-BRIDGE interface=ether2 pvid=20
add bridge=DEFAULT-BRIDGE interface=ether3
add bridge=DEFAULT-BRIDGE interface=ether4
add bridge=DEFAULT-BRIDGE interface=ether5
add bridge=DEFAULT-BRIDGE interface=ether6
add bridge=DEFAULT-BRIDGE interface=ether7
add bridge=DEFAULT-BRIDGE interface=ether8
/interface bridge vlan
add bridge=DEFAULT-BRIDGE tagged=DEFAULT-BRIDGE untagged=ether2 vlan-ids=20
add bridge=DEFAULT-BRIDGE tagged=DEFAULT-BRIDGE,ether8 vlan-ids=10
add bridge=DEFAULT-BRIDGE tagged=DEFAULT-BRIDGE,ether8 vlan-ids=30
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz slave-configurations=GUEST supported-bands=2ghz-n
/ip address
add address=192.168.1.1/24 interface=DEFAULT-BRIDGE network=192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.1.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=forward in-interface=vlan10 out-interface=!ether1
add action=drop chain=forward in-interface=vlan20 out-interface=!ether1
add action=drop chain=forward in-interface=vlan30 out-interface=!ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
Thank You so much