Installed a RB5009UG to replace a Peplink. So far, I’ve had all kinds of problems.
I can’t reach the management interface on any other VLAN than VLAN 1. I’ve tried the mac address and IP in Winbox, it times out.
Same with the DNS service. It just times out. I’ve had to resort to host files on certain computers to continue to work.
I also have problems with OpenVPN, but I’ll post in a separate post since I need to download the config with the openvpn info.
config:
# may/11/2024 15:24:40 by RouterOS 7.8
# software id = **ELIDED**
#
# model = RB5009UG+S+
# serial number = *********
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=DMZ vlan-id=9
add interface=bridge name=Guest vlan-id=8
add interface=bridge name=IOT vlan-id=6
add interface=bridge name=MGT vlan-id=2
add interface=bridge name=PLC vlan-id=10
add interface=bridge name=Servers vlan-id=3
add interface=bridge name=Workstations vlan-id=4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.90.1.50-10.90.1.100
add name=dhcp_pool2 ranges=10.90.2.10-10.90.2.100
add name=dhcp_pool3 ranges=10.90.40.10-10.90.40.100
add name=dhcp_pool4 ranges=10.90.10.100-10.90.10.150
add name=dhcp_pool5 ranges=10.90.60.10-10.90.60.100
add name=dhcp_pool6 ranges=10.90.80.10-10.90.80.20
add name=dhcp_pool7 ranges=10.250.1.10-10.250.1.20
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge lease-time=5h name=dhcp1
add address-pool=dhcp_pool2 interface=MGT lease-time=5h name=dhcp2
add address-pool=dhcp_pool3 interface=Workstations lease-time=5h name=dhcp3
add address-pool=dhcp_pool4 interface=Servers lease-time=5h name=dhcp4
add address-pool=dhcp_pool5 interface=IOT lease-time=5h name=dhcp5
add address-pool=dhcp_pool6 interface=Guest lease-time=5h name=dhcp6
add address-pool=dhcp_pool7 interface=PLC lease-time=5h name=dhcp7
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=4
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether7,ether8,ether6 untagged=ether2 \
vlan-ids=2
add bridge=bridge tagged=bridge,ether6,ether7,ether8,ether5 vlan-ids=3
add bridge=bridge tagged=bridge,ether5,ether8,ether7,ether6 untagged=ether3 \
vlan-ids=4
add bridge=bridge tagged=bridge,ether5,ether6,ether7,ether8 vlan-ids=6
add bridge=bridge tagged=ether8,bridge,ether7,ether6,ether5 vlan-ids=8
add bridge=bridge tagged=bridge,ether8,ether7,ether6,ether5 vlan-ids=9
add bridge=bridge tagged=bridge,ether8,ether7,ether6,ether5 vlan-ids=10
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.90.1.101/24 comment=defconf interface=bridge network=10.90.1.0
add address=10.90.40.1/24 interface=Workstations network=10.90.40.0
add address=10.90.10.1/24 interface=Servers network=10.90.10.0
add address=10.90.2.1/24 interface=MGT network=10.90.2.0
add address=10.90.80.1/24 interface=Guest network=10.90.80.0
add address=10.90.90.1/24 interface=DMZ network=10.90.90.0
add address=10.90.60.1/24 interface=IOT network=10.90.60.0
add address=10.250.1.1/24 interface=PLC network=10.250.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.90.1.0/24 dns-server=10.90.1.101,8.8.8.8 domain=domain.com \
gateway=10.90.1.101
add address=10.90.2.0/24 dns-server=10.90.1.101,8.8.8.8 domain=domain.com \
gateway=10.90.2.1
add address=10.90.10.0/24 dns-server=10.90.1.101,8.8.8.8 domain=\
domain.com gateway=10.90.10.1
add address=10.90.40.0/24 dns-server=10.90.1.101,8.8.8.8 domain=\
domain.com gateway=10.90.40.1
add address=10.90.60.0/24 dns-server=8.8.8.8,10.90.1.101 domain=\
domain.com gateway=10.90.60.1
add address=10.90.80.0/24 dns-server=8.8.8.8 domain=domain.com gateway=\
10.90.80.1
add address=10.250.1.0/24 dns-server=10.90.1.101,8.8.8.8 domain=\
domain.com gateway=10.250.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=inside.domain.com
add address=10.90.2.11 name=wlan
add address=10.90.2.11 name=wlan.domain.com
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox address=10.90.1.0/32,10.90.40.0/32
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Phoenix
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.google.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN