Hello everyone,
I have spent the last year figuring out RouterOS caveats and getting things to work the way I want. Now that I have politely spared this forum an endless stream of noob questions, I kindly ask you to evaluate my final /export and point out any mistakes or improvements I can make. I want my home network to be bulletproof!
One thing that still worries me is the performance of BTH (Back To Home). Bandwidth is really poor: it struggles to stream a single mp3 from my media server. I am using the relay server.
Objectives
- LAN segmentation
  - (vlan-ext) separate guest WLAN with internet access
  - (vlan-lan) untrusted devices, local only, but able to reach vlan-net (old Android device connecting to the media server, IP cams connecting to the recorder)
  - (vlan-iot) IoT devices connected to the vendor's cloud
  - (vlan-net) trusted devices with (limited) internet access and access to vlan-lan (laptops, smartphones, media server/recorder)
  - (vlan-kkk) isolated home-office hardware with internet access
  - (vlan-mgmt) management, local only
- Home and guest WLAN
- LAN resources accessible from the Internet
- No bottlenecks, conflicts, errors, or security issues
The hardware is as follows:
CCR2004-16G
CSS610 connected to sfp1
hAP ax³ powered by CSS610 and managed by CCR2004
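# Single VLAN-aware bridge; the bridge interface itself only accepts tagged frames.
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxx
# Back To Home tunnel. NOTE(review): nothing in the input chain below accepts
# udp dst-port=44184 from WAN, so a direct BTH peer cannot reach this port and
# every session presumably goes through the relay server - likely the cause of
# the poor throughput. If direct mode is wanted, add an input accept for this
# port above the "drop all coming from WAN" rule; confirm against /ip cloud
# status.
/interface wireguard
add comment=back-to-home-vpn listen-port=44184 mtu=1420 name=back-to-home-vpn
# Routed L3 interfaces, one per VLAN (tag = third octet of the subnet).
/interface vlan
add interface=bridge1 name=vlan-ext vlan-id=44
add interface=bridge1 name=vlan-lan vlan-id=55
add interface=bridge1 name=vlan-iot vlan-id=66
add interface=bridge1 name=vlan-net vlan-id=77
add interface=bridge1 name=vlan-kkk vlan-id=88
add interface=bridge1 name=vlan-mgmt vlan-id=99
# VLAN = every user VLAN; MGMT = vlan-mgmt only; WAN = the PPPoE interface.
# The firewall relies on vlan-mgmt NOT being in VLAN (see the input chain).
/interface list
add name=WAN
add name=MGMT
add name=VLAN
/interface wifi channel
add band=5ghz-ax name=channel1
add band=2ghz-ax name=channel2
# datapath1 = home SSID -> vlan-net (77); datapath2 = guest SSID -> vlan-ext (44).
# NOTE(review): datapath2 has no client-isolation, so guest clients can talk to
# each other at L2; consider client-isolation=yes on the guest datapath.
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1 vlan-id=77
add bridge=bridge1 disabled=no name=datapath2 vlan-id=44
# WPS push-button was enabled on both profiles; PSK-only networks do not need
# it, so it is disabled here to remove an unneeded association path.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=sec1 wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=sec2 wps=disable
/interface wifi configuration
add datapath=datapath1 datapath.vlan-id=77 disabled=no name=home security=sec1 security.connect-priority=0 ssid=xxx tx-power=6
add datapath=datapath2 datapath.vlan-id=44 disabled=no name=ext security=sec2 security.connect-priority=0 ssid=xxx tx-power=6
# Radios live on the hAP ax3 (CAP); cap-wifi1/2 are the master SSID (home),
# the *-virtual1 entries are the guest SSID on the same radio.
/interface wifi
# operated by CAP xxx%vlan-mgmt, traffic processing on CAP
add configuration=home disabled=no name=cap-wifi1 radio-mac=xxx
# operated by CAP xxx%vlan-mgmt, traffic processing on CAP
add configuration=ext disabled=no mac-address=xxx master-interface=cap-wifi1 name=cap-wifi1-virtual1
# operated by CAP xxx%vlan-mgmt, traffic processing on CAP
add configuration=home disabled=no name=cap-wifi2 radio-mac=xxx
# operated by CAP xxx%vlan-mgmt, traffic processing on CAP
add configuration=ext disabled=no mac-address=xxx master-interface=cap-wifi2 name=cap-wifi2-virtual1
# pool-kkk is a single address, i.e. exactly one DHCP lease on vlan-kkk.
/ip pool
add name=pool-ext ranges=192.168.44.4-192.168.44.44
add name=pool-lan ranges=192.168.55.5-192.168.55.55
add name=pool-iot ranges=192.168.66.6-192.168.66.66
add name=pool-net ranges=192.168.77.7-192.168.77.77
add name=pool-kkk ranges=192.168.88.88
add name=pool-mgmt ranges=192.168.99.9-192.168.99.99
/ip dhcp-server
add address-pool=pool-ext interface=vlan-ext lease-time=1w name=dhcp-ext
add address-pool=pool-lan interface=vlan-lan lease-time=1w name=dhcp-lan
add address-pool=pool-iot interface=vlan-iot lease-time=1w name=dhcp-iot
add address-pool=pool-net interface=vlan-net lease-time=1w name=dhcp-net
add address-pool=pool-kkk interface=vlan-kkk lease-time=1w name=dhcp-kkk
add address-pool=pool-mgmt interface=vlan-mgmt lease-time=1w name=dhcp-mgmt
/port
set 0 name=serial0
# Access ports: untagged only, PVID selects the VLAN.
#   ether2-7, 9-13 -> vlan-net (77); ether8 -> vlan-kkk (88);
#   ether14 -> vlan-iot (66); ether15-16 -> vlan-mgmt (99).
# sfp-sfpplus1 is the tagged trunk to the CSS610; its pvid is irrelevant
# because untagged frames are not admitted there.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=88
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=77
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=66
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=99
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=99
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 pvid=99
# Neighbor discovery only answers on the management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=MGMT lldp-med-net-policy-vlan=1
# IPv6 is fully disabled, so the IPv4 filter below is the whole policy.
/ipv6 settings
set disable-ipv6=yes
# Every VLAN is tagged towards the CPU (bridge1) and the trunk; untagged
# membership of the access ports comes from their PVIDs.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=44
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=55
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=66
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=77
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=88
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=99
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan-ext list=VLAN
add interface=vlan-lan list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-net list=VLAN
add interface=vlan-kkk list=VLAN
add interface=vlan-mgmt list=MGMT
# Per-client overrides: the first four MACs are moved to vlan-lan (55) or
# vlan-iot (66) regardless of which SSID they join; the last three keep the
# SSID's own VLAN.
/interface wifi access-list
add action=accept disabled=no mac-address=xxx vlan-id=55
add action=accept disabled=no mac-address=xxx vlan-id=55
add action=accept disabled=no mac-address=xxx vlan-id=55
add action=accept client-isolation=yes disabled=no mac-address=xxx vlan-id=66
add action=accept disabled=no mac-address=xxx
add action=accept disabled=no mac-address=xxx
add action=accept disabled=no mac-address=xxx
# NOTE(review): with lock-to-caps-man=no and require-peer-certificate=no the
# CAP and the manager do not authenticate each other by certificate. This is
# only reachable from vlan-mgmt, so the exposure is limited - confirm that is
# acceptable.
/interface wifi cap
set lock-to-caps-man=no
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces="" package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=home slave-configurations=ext
/ip address
add address=192.168.44.1/24 interface=vlan-ext network=192.168.44.0
add address=192.168.55.1/24 interface=vlan-lan network=192.168.55.0
add address=192.168.66.1/24 interface=vlan-iot network=192.168.66.0
add address=192.168.77.1/24 interface=vlan-net network=192.168.77.0
add address=192.168.88.1/24 interface=vlan-kkk network=192.168.88.0
add address=192.168.99.1/24 interface=vlan-mgmt network=192.168.99.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
# The BTH user's private key is part of the export; use "/export hide-sensitive"
# before sharing it.
/ip cloud back-to-home-users
add allow-lan=yes name=xxx private-key="xxx" public-key="xxx"
# No dns-server is set per network. NOTE(review): if clients end up with the
# router itself as resolver, their queries are dropped by the input rule
# "drop all coming from VLAN" below - check what a client is actually handed
# and either add an input accept for udp/tcp 53 from VLAN or set an explicit
# dns-server here.
/ip dhcp-server network
add address=192.168.44.0/24 gateway=192.168.44.1
add address=192.168.55.0/24 gateway=192.168.55.1
add address=192.168.66.0/24 gateway=192.168.66.1
add address=192.168.77.0/24 gateway=192.168.77.1
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
# Upstream resolution goes over DoH with certificate verification; the plain
# servers presumably only bootstrap the DoH hostname - verify.
/ip dns
set allow-remote-requests=yes cache-max-ttl=30s servers=1.1.1.3,1.0.0.3 use-doh-server=https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
# Source addresses that must never arrive from the Internet (bogons).
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=bogus
add address=10.0.0.0/8 comment=RFC6890 list=bogus
add address=100.64.0.0/10 comment=RFC6890 list=bogus
add address=127.0.0.0/8 comment=RFC6890 list=bogus
add address=169.254.0.0/16 comment=RFC6890 list=bogus
add address=172.16.0.0/12 comment=RFC6890 list=bogus
add address=192.0.0.0/24 comment=RFC6890 list=bogus
add address=192.0.2.0/24 comment=RFC6890 list=bogus
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=bogus
add address=192.168.0.0/16 comment=RFC6890 list=bogus
add address=198.18.0.0/15 comment=RFC6890 list=bogus
add address=198.51.100.0/24 comment=RFC6890 list=bogus
add address=203.0.113.0/24 comment=RFC6890 list=bogus
add address=224.0.0.0/4 comment=Multicast list=bogus
add address=240.0.0.0/4 comment=RFC6890 list=bogus
/ip firewall filter
# --- input: traffic addressed to the router itself ---
# "drop invalid" now sits directly after the established/related accept, so
# invalid-state packets are discarded before any of the unconditioned accepts
# (ICMP, loopback) can match them.
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all coming from VLAN" in-interface-list=VLAN
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
# NOTE(review): there is no final input drop. Anything not in VLAN or WAN
# (vlan-mgmt, back-to-home-vpn, untagged ether1) reaches the router by the
# implicit accept. That is intended for vlan-mgmt; consider an explicit
# "accept in-interface-list=MGMT" followed by a catch-all drop so that the
# allowed set is visible rather than implied.
# --- forward: traffic between networks ---
# Order matters: fasttrack/established first, invalid dropped next (moved up
# from the end of the chain, where every accept above it could pass invalid
# packets), then the explicit allow/deny pairs, then a catch-all drop.
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# vlan-lan <-> vlan-net is the only inter-VLAN path for user networks.
add action=accept chain=forward in-interface=vlan-lan out-interface=vlan-net
add action=accept chain=forward in-interface=vlan-net out-interface=vlan-lan
# BTH clients reach every VLAN in the VLAN list; vlan-mgmt is in MGMT, not
# VLAN, so management stays local-only as intended.
add action=accept chain=forward in-interface=back-to-home-vpn out-interface-list=VLAN
add action=accept chain=forward in-interface-list=VLAN out-interface=back-to-home-vpn
# Per-device egress limit: this MAC may only open tcp/587 and udp/123 to the
# Internet. These two must stay above the per-VLAN WAN accepts to take effect.
add action=drop chain=forward dst-port=!587 out-interface-list=WAN protocol=tcp src-mac-address=xxx
add action=drop chain=forward dst-port=!123 out-interface-list=WAN protocol=udp src-mac-address=xxx
add action=accept chain=forward in-interface-list=MGMT out-interface-list=VLAN
# Internet access: iot, ext, net, kkk. vlan-lan and vlan-mgmt are not listed
# and are also explicitly dropped below.
add action=accept chain=forward in-interface=vlan-iot out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-ext out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-net out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-kkk out-interface-list=WAN
add action=drop chain=forward in-interface-list=VLAN out-interface-list=MGMT
add action=drop chain=forward in-interface=vlan-lan out-interface-list=WAN
add action=drop chain=forward in-interface-list=MGMT out-interface-list=WAN
# The next two are covered by the final catch-all drop; they are kept because
# their comments document the intent and give distinct counters/log points.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all from WAN which is not public IP" in-interface-list=WAN src-address-list=bogus
add action=drop chain=forward
# Static masquerade for everything leaving via PPPoE (BTH adds its own
# masquerade rule at runtime; it does not appear in /export).
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Connection-tracking helpers disabled: none of these protocols is in use.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# Management only from 192.168.99.0/24. NOTE(review): www is plain HTTP;
# prefer www-ssl with a certificate and disable www once it works.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.99.0/24
set ssh address=192.168.99.0/24
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=xxx
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
# Daily Wi-Fi off at 01:00 and on at 07:00 via the two scripts below.
/system scheduler
add interval=1d name=schedule1 on-event=wifi-off policy=read,write start-date=2024-01-01 start-time=01:00:00
add interval=1d name=schedule2 on-event=wifi-on policy=read,write start-date=2024-01-01 start-time=07:00:00
# Only the master interfaces are toggled; the *-virtual1 guest SSIDs follow
# their master radio.
/system script
add dont-require-permissions=no name=wifi-off owner=master policy=read,write source="/interface/wifi/disable cap-wifi1;\
\n/interface/wifi/disable cap-wifi2;"
add dont-require-permissions=no name=wifi-on owner=master policy=read,write source="/interface/wifi/enable cap-wifi1;\
\n/interface/wifi/enable cap-wifi2;"
# MAC-level access (MAC-Telnet, MAC-WinBox, MAC-ping) fully disabled.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no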
There is also an extra masquerade rule added automatically by BTH, but it is not reflected in /export.