Several isolated networks

Hello everybody. I am new to Mikrotik and would be very grateful for any help. We have a Routerboard 2011UiAS running the latest OS. Our Mikrotik guru quit a while ago, and a few days ago the Routerboard crashed for mysterious reasons. It looked good, but didn’t put any traffic through, did not allow logins through winbox and was not detected in winbox “neighbourhood”. So I did a full reset. Everything worked after a very basic configuration, but it has no security at all (everybody can see everybody).
This is what I need:
- ETH1: Internet comes into ETH1 and should have a static IP and gateway towards the ISP modem.
  - IP: 193.90.223.118
  - Gateway: 193.90.223.117
  - DNS: 193.75.75.193, 193.75.75.75 and 192.168.7.1
- ETH2: is connected to a switch with two office computers. Any recommendation to use dynamic over static IP for the two computers? Any advantage of disabling DHCP? If DHCP is used, the IP range is not important, but for example 192.168.1.2-254.
- ETH3: is connected to an Amplifi HD mesh network (for guests in the restaurant). IP is not important, but for example 192.168.2.1.
- ETH4: is connected to a POS (point of sale) system. Must have static IP 192.168.7.1.

So far so good. Seems to work fine. I’ve attached the “export hide-sensitive” so you can see my settings.

First question is, should I use bridge or router mode? At the moment it is router mode (the only one I could get to work). I tried bridge, but it didn’t allow me to put in the static IPs I needed for my ISP.
What’s the advantage of bridge over router and vice versa?
I also need to hide each net from each other. All should have internet access, but none of them should see each other. Could someone help me? As good security as possible. And please keep in mind, I’m very fresh in networking. Any explanation and perhaps together with terminal commands to configure would be most appreciated.

Here is the “export hide-sensitive”:
export hide-sensitive.txt (4.39 KB)

You definitely need some firewall forwarding rules. If guests can reach the POS system… you are going to be looking at some fines.

Also it looks like all the ports are bridged… That would cause issues with the multiple IP addresses.

Hi.
I always have a block filter rule to block all that is not allowed.
In this environment, I would configure in router mode:

  • delete interfaces eth1 to eth4 from bridge
  • nat
    src-nat on outgoing interface eth1
  • filter rules
    accept from eth2 to eth1
    accept from eth3 to eth1
    accept from eth4 to eth1
    drop all

If you want more security, in accept rules you can specify src-address.

Without DHCP you have to know the network address and network mask. It is more secure than autoconfiguring the network with a DHCP server.

What do the gurus think?

The following example puts the work stuff on a bridge and makes use of HW offloading. The guest wifi is by itself on ether3.
Thus the guest wifi is blocked from the work stuff at layer two by bridge separation and the forward rules drop everything so the router will not route between the work bridge and the guest wifi.
I hope this gets you pretty close. The DNS setup basically ensures (forces) that the LAN gateways are used by all users 192.168.1.1, 192.168.7.1 and 192.168.2.1 respectively and these will default to the DNS servers from your ISP.

First, you can't go wrong following this link as a general guide!!
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
It's thorough. I have tweaked the firewall rules the way I prefer them.

/interface bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment="TrustedBridge" name=WorkBridge

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
set [ find default-name=ether4 ] name=eth4_gastrofix

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp-WorkLAN ranges=192.168.1.10-192.168.1.254
add name=dhcp-GuestLAN ranges=192.168.2.2-192.168.2.254
add name=dhcp-POS_LAN ranges=192.168.7.20-192.168.7.254

/ip dhcp-server
add address-pool=dhcp-WorkLAN disabled=no interface=WorkBridge name=Work_Server
add address-pool=dhcp-GuestLAN disabled=no interface=eth3_gjest name=Guest_Server
add address-pool=dhcp-POS_LAN disabled=no interface=WorkBridge name=POS_Server

/interface bridge port
add bridge=WorkBridge comment="TrustedInterface" interface=eth2_kontor hw=yes
add bridge=WorkBridge comment="TrustedInterface" interface=eth4_gastrofix hw=yes

/ip neighbor discovery-settings
set discover-interface-list=none

/interface list member
add comment=defconf interface=eth1_WAN list=WAN
add interface=WorkBridge list=LAN
add interface=eth3_gjest list=LAN

/ip address
add address=192.168.1.1/24 interface=WorkBridge network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=WorkBridge network=192.168.7.0

/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid interface=eth1_WAN

/ip dns
set allow-remote-requests=yes

/ip firewall filter
#{INPUT}
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="allow LAN to DNS-UDP" protocol=udp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
#{FORWARD}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Traffic to Internet (WORK)" in-interface=WorkBridge out-interface-list=WAN src-address=192.168.1.10-192.168.1.254
add action=accept chain=forward comment="Allow Traffic to Internet (POS)" in-interface=WorkBridge out-interface-list=WAN src-address=192.168.7.2-192.168.7.254
add action=accept chain=forward comment="Allow Traffic to Internet (GuestWIFI)" in-interface=eth3_gjest out-interface-list=WAN src-address=192.168.2.2-192.168.2.254
add action=accept chain=forward comment="Allow Port Forwarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=log chain=forward comment="Help adjust blocked traffic log" log=yes log-prefix="SHOW ALL ELSE DROPPED"
add action=drop chain=forward comment="DROP All Else"

/ip firewall address-list
# admin PC on the work network, for example; add more PCs you use as required
add address=192.168.1.2 list=AdminAccess
# OR: all PCs on the work network can access the router
#add address=192.168.1.0/24 list=AdminAccess

/ip firewall nat
# the srcnat chain cannot match in-interface, so one masquerade rule on the WAN list covers all LANs
add action=masquerade chain=srcnat comment="SNAT for all LANs" out-interface-list=WAN
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" protocol=tcp dst-port=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" protocol=udp dst-port=53

/ip route
add dst-address=0.0.0.0/0 gateway=193.90.223.117 distance=1

NOTE: in the Winbox settings, also limit Winbox access to a limited number of IPs…

NOTE: if you want to drop BOGONS, the list of non-legitimate networks (as stated in the link above) that are NOT ON THE INTERNET… do it in raw.
Create the necessary bogon list via:

/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
#add address=192.168.0.0/16 list=bogons   <- REMOVE THIS ONE AS IT'S BEING USED ON YOUR NETWORK
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons

/ip firewall raw
add chain=prerouting action=drop src-address-list=bogons comment="Drop all non-internet networks"

Thanks guys. You’ve been a great help. I’ll set it up this way and see how it works out.

How do I set up remote access over the internet to the routerboard through winbox (from home)? There seem to be a number of ways, but what's the most secure one which works with the above setup I now have? (I don't have a static IP at home.) I'm currently using teamviewer to the office computer with winbox, but sometimes the network card in the office computer doesn't wake up (it requires a complete shutdown; not even a restart wakes it).

The only method I would consider safe is a VPN connection to the router and then use winbox.

You could also implement a port-knocking that adds your current IP address in the VPN white list for some time, and thus even VPN connection could be allowed to a certain addresses within predefined amount of time.

Interesting way of adding an IP to an existing FW rule. Great, it's unlikely that someone port-knocks your router in the right sequence, but the port knocking is done in the clear.
However, I still prefer to make a VPN connection and use winbox from there.
What the OP wants/is willing to do is up to him/her…

I tried the config suggested by anav, but none of the computers have internet. Some commands in the script fail and I figured out most of the typos, but there are a few I can't figure out.
I’ve updated the script with my corrections. I’ve put a comment (error message from winbox) before each command that fails:

/interface bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment="TrustedBridge" name=WorkBridge

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
set [ find default-name=ether4 ] name=eth4_gastrofix

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp-WorkLAN ranges=192.168.1.10-192.168.1.254
add name=dhcp-GuestLAN ranges=192.168.2.2-192.168.2.254
add name=dhcp-POS_LAN ranges=192.168.7.20-192.168.7.254

/ip dhcp-server
add address-pool=dhcp-WorkLAN disabled=no interface=WorkBridge name=Work_Server
add address-pool=dhcp-GuestLAN disabled=no interface=eth3_gjest name=Guest_Server
#failure: server or relay with such interface already exists:
add address-pool=dhcp-POS_LAN disabled=no interface=WorkBridge name=POS_Server

/interface bridge port
add bridge=WorkBridge comment="TrustedInterface" interface=eth2_kontor
add bridge=WorkBridge comment="TrustedInterface" interface=eth4_gastrofix
#Here is disconnects (OK)

/ip neighbor discovery-settings
set discover-interface-list=none

/interface list member
add comment=defconf interface=eth1_WAN list=WAN
add interface=WorkBridge list=LAN
add interface=eth3_gjest list=LAN

/ip address
add address=192.168.1.1/24 interface=WorkBridge network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=WorkBridge network=192.168.7.0

/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid interface=eth1_WAN

/ip dns
set allow-remote-requests=yes

/ip firewall filter
#{INPUT}
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="allow LAN to DNS-UDP" protocol=udp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
#{FORWARD}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
#input does not match any value of interface:
add action=accept chain=forward comment="Allow Traffic to Internet (WORK)" in-interface=WorkBridge out-interface=WAN src-address=192.168.1.10-192.168.1.254
#input does not match any value of interface:
add action=accept chain=forward comment="Allow Traffic to Internet (POS)" in-interface=WorkBridge out-interface=WAN src-address=192.168.7.2-192.168.7.254
#input does not match any value of interface:
add action=accept chain=forward comment="Allow Traffic to Internet (GuestWIFI)" in-interface=ether3 out-interface=WAN src-address=192.168.2.2-192.168.2.254

add action=accept chain=forward comment="Allow Port Forwarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
#expected end of command (line 1 column 24):
add action=log log=yes prefix="SHOW ALL ELSE DROPPED" comment="Help adjust blocked traffic log"

add action=drop chain=forward comment="DROP All Else"

/ip firewall address-list
#admin PC on work network (and add more PCs you use as required)
add address=192.168.1.2 list=AdminAccess
#OR all PCs on work network can access router:
#add address=192.168.1.0/24 list=AdminAccess

/ip firewall nat
#input does not match any value of interface:
add action=masquerade chain=srcnat comment="SNAT for WORK" out-interface=WAN in-interface=WorkBridge
#input does not match any value of interface:
add action=masquerade chain=srcnat comment="SNAT FOR GUEST WIFI" out-interface=WAN in-interface=eth3_gjest

add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" protocol=tcp dst-port=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" protocol=udp dst-port=53

/ip route
add dst-address=0.0.0.0/0 gateway=193.90.223.117 distance=1

/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
#add address=192.168.0.0/16 list=bogons ****************************** REMOVE THIS ONE AS ITS BEING USED ON YOUR NETWORK>
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons

/ip firewall raw
add chain=prerouting action=drop src-address-list=bogons comment="Drop all non-internet networks"




I then tried testing different commands, to no avail:

/ip firewall nat> add action=masquerade chain=srcnat comment=“SNAT for WORK” out-interface-list=WAN in-interface=WorkBridge
failure: incoming interface matching not possible in output and postrouting chains
/ip firewall nat> add action=masquerade chain=srcnat comment=“SNAT for WORK” out-interface-list=WAN in-interface=WorkBridge
failure: incoming interface matching not possible in output and postrouting chains
/ip firewall nat> add action=masquerade chain=srcnat comment=“SNAT for WORK” out-interface-list=WAN in-interface-list=WorkBridge
input does not match any value of interface-list


Any help guys?

It looks like you’ve assigned several IP networks to the same WorkBridge.

/ip dhcp-server
add address-pool=dhcp-WorkLAN disabled=no > interface=WorkBridge > name=Work_Server
add address-pool=dhcp-GuestLAN disabled=no interface=eth3_gjest name=Guest_Server
#failure: server or relay with such interface already exists:
add address-pool=dhcp-POS_LAN disabled=no > interface=WorkBridge > name=POS_Server

/ip address
add address=192.168.1.1/24 > interface=WorkBridge > network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 > interface=WorkBridge > network=192.168.7.0

Do devices receive the correct IP configurations as you expected?

I will look at this later today to see where I steered you wrong.

Thanks. I appreciate it :)

Changes NOT required
/interface bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment="TrustedBridge" name=WorkBridge

/interface bridge port
add bridge=WorkBridge comment="TrustedInterface" interface=eth2_kontor hw=yes
add bridge=WorkBridge comment="TrustedInterface" interface=eth4_gastrofix hw=yes

/interface list member
add comment=defconf interface=eth1_WAN list=WAN
add interface=WorkBridge list=LAN
add interface=eth3_gjest list=LAN

Changes Required…

In this order…

/ip pool
add name=WorkLAN_pool ranges=192.168.1.10-192.168.1.254
add name=GuestLAN_pool ranges=192.168.2.2-192.168.2.254
add name=POSLAN_pool ranges=192.168.7.20-192.168.7.254

/ip address
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=eth4_gastrofix network=192.168.7.0

/ip dhcp-server
add address-pool=WorkLAN_pool disabled=no interface=eth2_kontor name=Office_Server
add address-pool=GuestLAN_pool disabled=no interface=eth3_gjest name=Guest_Server
add address-pool=POSLAN_pool disabled=no interface=eth4_gastrofix name=POS_Server

FORWARD CHAIN
add action=accept chain=forward comment="Allow Office and POS Traffic to Internet" in-interface=WorkBridge out-interface-list=WAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=log chain=forward comment="Show ALL Else Dropped" log=yes log-prefix="FORWARD DROP-All Else"
add action=drop chain=forward comment="DROP ALL Else"


/ip firewall nat
add action=masquerade chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface-list=WAN

I was a bit confused about the last updated script. Some parts from the initial script you first sent me were missing, so I wasn't sure if I should include the missing parts or not. I tried both, but nothing worked. I've played around with it quite a bit, but can't seem to get it working. Several error messages (see comments in the script below) and no internet. Since the DHCP server isn't running, my office computer also can't get a valid IP. I tried static (192.168.1.10, gateway 192.168.1.1, DNS 193.75.75.193 (from my ISP)). I can ping the routerboard, but no internet.

We actually don't need DHCP. The guest router (UniFi Amplifi HD on eth3) can be put in router mode (it is now in bridge mode), the two office computers can have static IPs, and the POS system has its own UniFi Security Gateway with a running DHCP. That might make it much simpler and more secure. Same IPs as before, but office computers 1 and 2 can have 192.168.1.10 and 192.168.1.11.

I have included the complete script (what I believe is the complete(?) script).
If you have the possibility to help me more, please include the complete script (to setup a reset routerboard with no default configuration)


/interface bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment="TrustedBridge" name=WorkBridge

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
set [ find default-name=ether4 ] name=eth4_gastrofix

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
add bridge=WorkBridge comment="TrustedInterface" interface=eth2_kontor hw=yes
add bridge=WorkBridge comment="TrustedInterface" interface=eth4_gastrofix hw=yes
#here it kills winbox connection, all ok after manual re-connect.

/ip neighbor discovery-settings
set discover-interface-list=none

/interface list member
add interface=eth1_WAN list=WAN
add interface=WorkBridge list=LAN
add interface=eth3_gjest list=LAN

/ip pool
add name=WorkLAN_pool ranges=192.168.1.10-192.168.1.254
add name=GuestLAN_pool ranges=192.168.2.2-192.168.2.254
add name=POSLAN_pool ranges=192.168.7.20-192.168.7.254

/ip address
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=eth4_gastrofix network=192.168.7.0

/ip dhcp-server
#failure: can not run on slave interface (works if I put for example ether7, 8 or something, but not 2 and 4. Also works on eth3_gjest but that is already running for name=Guest_Server):
add address-pool=WorkLAN_pool disabled=no interface=eth2_kontor name=Office_Server

add address-pool=GuestLAN_pool disabled=no interface=eth3_gjest name=Guest_Server
#failure: can not run on slave interface:
add address-pool=POSLAN_pool disabled=no interface=eth4_gastrofix name=POS_Server

/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid interface=eth1_WAN

/ip dns
set allow-remote-requests=yes

/ip firewall filter
#{INPUT}
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="allow LAN to DNS-UDP" protocol=udp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
#{FORWARD}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Office and POS Traffic to Internet" in-interface=WorkBridge out-interface=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=log chain=forward comment="Show ALL Else Dropped" log=yes log-prefix="FORWARD DROP-All Else"
add action=drop chain=forward comment="DROP ALL Else"
#input does not match any value of interface:
add action=accept chain=forward comment="Allow Traffic to Internet (GuestWIFI)" in-interface=eth3_gjest out-interface=WAN src-address=192.168.2.2-192.168.2.254

add action=accept chain=forward comment="Allow Port Forwarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
#expected end of command (line 1 column 24):
add action=log log=yes prefix="SHOW ALL ELSE DROPPED" comment="Help adjust blocked traffic log"

add action=drop chain=forward comment="DROP All Else"

/ip firewall address-list
#admin PC on work network (and add more PCs you use as required)
add address=192.168.1.10 list=AdminAccess
add address=192.168.1.11 list=AdminAccess
#OR all PCs on work network can access router:
#add address=192.168.1.0/24 list=AdminAccess

/ip firewall nat
#input does not match any value of interface:
add action=masquerade chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=WAN
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" protocol=tcp dst-port=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" protocol=udp dst-port=53

/ip route
add dst-address=0.0.0.0/0 gateway=193.90.223.117 distance=1

/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
#add address=192.168.0.0/16 list=bogons ****************************** REMOVE THIS ONE AS ITS BEING USED ON YOUR NETWORK>
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons

/ip firewall raw
add chain=prerouting action=drop src-address-list=bogons comment="Drop all non-internet networks"

Well, I am used to a hEX router and the configuration works… not sure what's up with the Routerboard, but on the hEX I don't have a master or slave problem as it's old news… gone and replaced by newer mechanisms.

I am not sure why it is not accepting the dhcp-server rules for office_server and POS_server ???

Try this for the firewall rule:
add action=accept chain=forward comment="Allow GuestWifi to internet" in-interface=eth3_gjest out-interface-list=WAN

Try this for the log rule (it seems to be missing the chain entry):
add action=log chain=forward comment="Show ALL Else Dropped" log=yes log-prefix="FORWARD DROP-All Else"

Because your ports are added into bridge.

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
set [ find default-name=ether4 ] name=eth4_gastrofix

/interface bridge port
add bridge=WorkBridge comment="TrustedInterface" interface=eth2_kontor hw=yes
add bridge=WorkBridge comment="TrustedInterface" interface=eth4_gastrofix hw=yes

And in this case DHCP server has to be setup on a “master” interface. Which is exactly the Bridge itself. This is why you get errors in Dhcp server (1st and 3rd entry).

/ip dhcp-server
#failure: can not run on slave interface (works if I put for example ether7, 8 or something, but not 2 and 4. Also works on eth3_gjest but that is already running for name=Guest_Server):
add address-pool=WorkLAN_pool disabled=no interface=eth2_kontor name=Office_Server
add address-pool=GuestLAN_pool disabled=no interface=eth3_gjest name=Guest_Server
#failure: can not run on slave interface:
add address-pool=POSLAN_pool disabled=no interface=eth4_gastrofix name=POS_Server

The same can be said regarding IP addresses (1st and 3rd entry). Those should be assigned to bridge.

/ip address
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=eth4_gastrofix network=192.168.7.0

Take a look at the following thread DHCP Server on bridged interface.

Chiverel I was extrapolating from my setup.
I have one bridge with two ports and one DHCP server on the bridge and a separate LAN off the bridge.

Since I had associated my DHCP server to cover off both ports I associated the DHCP server interface with the Bridge.
I made the obvious mistake the first time of trying to have essentially two DHCP servers associated with the bridge interface in the definition for the OP in this thread and of course that didnt work. So I thought, there should be no issue with having a DCHP server work with interface ether2 and another DHCP server work with ether4, with their own IP pools and addresses on their own and not try to have two dhcp servers associated with the bridge directly
I then associated the interfaces with the bridge, so in effect I tried to separate them out.

What you are saying is that I cannot do that at all, and the lack of flexibility is annoying LOL. Whaddya mean I can't make up the rules!!
Most importantly, I apologize for leading the OP astray!

THIS IS WHY WE NEED A REAL USER MANUAL for dummies like me. For instance this is quote that should be in the user guide.

“Once you create a bridge, all services (DHCP, PPPoE, etc.) and IP assignments should be done on top of that bridge and not to any port belonging to it; as all added ports are now in layer 2, you can consider them to be a standalone port.”

So basically, we cannot have the office LAN and the POS LAN on the same bridge. We can only have ONE DHCP SERVER and ONE IP NETWORK; although one can break up the attribution of private IPs within the same subnet by using different pools, it adds complication, and I am assuming the office PCs and POS units have to remain on the IP structure they are currently using.
The question becomes, where do you want maximum speed and maximum security.
I would put the POS machines on the bridge and have the other two as normal interface LANs…

Try this…

/interface bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment="SalesBridge" name=POSBridge

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
set [ find default-name=ether4 ] name=eth4_gastrofix

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
add bridge=POSBridge comment="TrustedInterface" interface=eth4_gastrofix hw=yes

/ip neighbor discovery-settings
set discover-interface-list=none

/interface list member
add interface=eth1_WAN list=WAN
add interface=POSBridge list=LAN
add interface=eth2_kontor list=LAN
add interface=eth3_gjest list=LAN

/ip pool
add name=WorkLAN_pool ranges=192.168.1.10-192.168.1.254
add name=GuestLAN_pool ranges=192.168.2.2-192.168.2.254
add name=POSLAN_pool ranges=192.168.7.20-192.168.7.254

/ip address
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=POSBridge network=192.168.7.0

/ip dhcp-server
add address-pool=WorkLAN_pool disabled=no interface=eth2_kontor name=Office_Server
add address-pool=GuestLAN_pool disabled=no interface=eth3_gjest name=Guest_Server
add address-pool=POSLAN_pool disabled=no interface=POSBridge name=POS_Server

/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid interface=eth1_WAN

/ip dns
set allow-remote-requests=yes

/ip firewall filter
#{INPUT}
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="allow LAN to DNS-UDP" protocol=udp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
#{FORWARD}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="POS Traffic to Internet" in-interface=POSBridge out-interface-list=WAN
add action=accept chain=forward comment="Office Traffic to Internet" in-interface=eth2_kontor out-interface-list=WAN
add action=accept chain=forward comment="Guest Wifi Traffic to Internet" in-interface=eth3_gjest out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=log chain=forward comment="Show ALL Else Dropped" log=yes log-prefix="FORWARD DROP-All Else"
add action=drop chain=forward comment="DROP ALL Else"

Make sure you create an address list for admin access to the router as per the input chain rule. *****
(admin PC on the work network; add more PCs you use as required)
/ip firewall address-list 
add address=192.168.1.10 list=AdminAccess
add address=192.168.1.11 list=AdminAccess
#OR all PCs on work network can access router:
#add address=192.168.1.0/24 list=AdminAccess

/ip firewall nat
add action=masquerade chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" protocol=tcp dst-port=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" protocol=udp dst-port=53

/ip route
add dst-address=0.0.0.0/0 gateway=193.90.223.117 distance=1

/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
#add address=192.168.0.0/16 list=bogons ***** LEAVE THIS ONE OUT AS IT'S BEING USED ON YOUR NETWORK
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons

/ip firewall raw
add chain=prerouting action=drop src-address-list=bogons comment="Drop all non-internet networks"

Last note: As the admin you want to be able to access the router. The other question is whether you want to be able to access the Guest WiFi LAN or the POS LAN.
If so, you will need a forward rule, let's say after the DSTNAT rule. I will assume you have a PC on the office LAN.

/ip firewall filter
add action=accept chain=forward comment="Admin Access to POS LAN" dst-address=192.168.7.2-192.168.7.254 in-interface=eth2_kontor src-address-list=AdminAccess
add action=accept chain=forward comment="Admin Access to Guest Wifi" dst-address=192.168.2.2-192.168.2.254 in-interface=eth2_kontor src-address-list=AdminAccess

I played around a bit today, and managed to get internet on my office computers by removing the DHCP and bridge stuff in the router. Not sure if that was the best way, but we don't need DHCP.
The Gastrofix (the POS router itself) connected to eth4 should have IP 192.168.7.1 (the router itself). I am not sure what IP eth4_gastrofix should have then?
Also, did I do it right when removing all DHCP and bridges?
Are the firewall settings good? It is important that the nets don't see each other (only have access to the internet). At the moment I can ping 192.168.7.1 (probably the Routerboard port, not the POS router itself, since I did not set the port up correctly?).


This works, at least for the office computers. Any ideas?


/interface bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment="TrustedBridge" name=WorkBridge

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
set [ find default-name=ether4 ] name=eth4_gastrofix

/interface list
add name=WAN
add name=LAN

/ip neighbor discovery-settings
set discover-interface-list=none

/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_gjest list=LAN
add interface=eth4_gastrofix list=LAN

/ip address
add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.2.1/24 interface=eth3_gjest network=192.168.2.0
add address=192.168.7.1/24 interface=eth4_gastrofix network=192.168.7.0

/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193,192.168.7.1

/ip firewall filter
#{INPUT}
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="allow LAN to DNS-UDP" protocol=udp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
#{FORWARD}
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=log chain=forward comment="Show ALL Else Dropped" log=yes log-prefix="FORWARD DROP-All Else"
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Traffic to Internet (GuestWIFI)" in-interface=eth3_gjest out-interface=eth1_WAN src-address=192.168.2.2-192.168.2.254
add action=accept chain=forward comment="Allow Port Forwarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"

/ip firewall address-list
add address=192.168.1.0/24 list=AdminAccess

/ip firewall nat
add action=masquerade chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" protocol=tcp dst-port=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" protocol=udp dst-port=53

/ip route
add dst-address=0.0.0.0/0 gateway=193.90.223.117 distance=1

/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons

/ip firewall raw
add chain=prerouting action=drop src-address-list=bogons comment="Drop all non-internet networks"


By the way, the problem with the firewall rules was non-matching in- and out-interface. Either select port and port, or list and list:
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface-list=LAN out-interface-list=WAN
-or-
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface=eth2_kontor out-interface=eth1_WAN
-not-
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface-list=LAN out-interface=eth_WAN
Hope this helps others with the same problem.
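The list-versus-port mismatch described in the post above is easy to miss by eye, and so are a few related slips that appear elsewhere in this thread (an interface name with a typo, a parameter RouterOS does not know such as dest-address, and rules that sit after the chain's final unconditional drop and are never evaluated). The Python script below is an added example, not code from this thread or from MikroTik: it parses the plain-text `/export` format and reports those problems. The export it checks (SAMPLE_EXPORT) is constructed for the example from the patterns in the thread, and KNOWN_FILTER_KEYS is an assumed subset of the filter parameters, so extend it for exports that use more.

```python
"""Lint a RouterOS '/export' for the firewall mistakes discussed in this thread.

Added example, not code from the original thread or from MikroTik. It parses
the plain-text export format (a '/path' header followed by 'add ...'/'set ...'
lines) and reports:
  * in-interface / out-interface set to an interface *list* instead of an
    interface (the list-vs-port mismatch), or to an undefined interface,
  * in/out-interface-list and src/dst-address-list naming undefined lists,
  * parameter names the filter does not know (e.g. dest-address),
  * rules placed after an unconditional drop in the same chain (unreachable).
SAMPLE_EXPORT is constructed for this example from the patterns in the thread.
"""
import shlex

# Assumed subset of /ip firewall filter parameters; extend for your exports.
KNOWN_FILTER_KEYS = {
    "action", "chain", "comment", "connection-state", "connection-nat-state",
    "protocol", "dst-port", "src-port", "src-address", "dst-address",
    "src-address-list", "dst-address-list", "in-interface", "out-interface",
    "in-interface-list", "out-interface-list", "ipsec-policy", "log",
    "log-prefix", "disabled",
}
# A drop that carries none of these matchers terminates its chain.
MATCH_KEYS = KNOWN_FILTER_KEYS - {"action", "chain", "comment", "log",
                                  "log-prefix", "disabled"}


def parse_export(text):
    """Return [(section, verb, {key: value}), ...] for every add/set line."""
    rows, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {}
        # shlex honours comment="text with spaces", the quoting exports use.
        for tok in shlex.split(rest):
            key, _, value = tok.partition("=")
            kv[key] = value
        rows.append((section, verb, kv))
    return rows


def lint(text):
    """Return a list of human-readable findings (empty means nothing found)."""
    rows = parse_export(text)
    ifaces, iface_lists, addr_lists = set(), set(), set()
    for section, _verb, kv in rows:
        if section in ("/interface ethernet", "/interface bridge") and "name" in kv:
            ifaces.add(kv["name"])
        elif section == "/interface list" and "name" in kv:
            iface_lists.add(kv["name"])
        elif section == "/ip firewall address-list" and "list" in kv:
            addr_lists.add(kv["list"])

    findings, terminated = [], set()   # chains already ended by a bare drop
    for section, _verb, kv in rows:
        if section not in ("/ip firewall filter", "/ip firewall nat"):
            continue
        chain = kv.get("chain", "?")
        where = f"[{section} chain={chain} comment={kv.get('comment', '')!r}]"
        if chain in terminated:
            findings.append(f"unreachable rule after unconditional drop {where}")
        for key in ("in-interface", "out-interface"):
            if key in kv and kv[key] in iface_lists:
                findings.append(f"{key}={kv[key]} names an interface list, use {key}-list {where}")
            elif key in kv and kv[key] not in ifaces:
                findings.append(f"{key}={kv[key]} is not a defined interface {where}")
        for key in ("in-interface-list", "out-interface-list"):
            if key in kv and kv[key] not in iface_lists:
                findings.append(f"{key}={kv[key]} is not a defined interface list {where}")
        for key in ("src-address-list", "dst-address-list"):
            if key in kv and kv[key] not in addr_lists:
                findings.append(f"{key}={kv[key]} is not a defined address list {where}")
        if section == "/ip firewall filter":
            for key in kv:
                if key not in KNOWN_FILTER_KEYS:
                    findings.append(f"unknown parameter {key!r} {where}")
            if kv.get("action") == "drop" and not MATCH_KEYS.intersection(kv):
                terminated.add(chain)
    return findings


# Constructed sample export: one rule of each kind discussed in the thread.
SAMPLE_EXPORT = """
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_gjest
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_gjest list=LAN
/ip firewall address-list
add address=192.168.1.10 list=AdminAccess
/ip firewall filter
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=accept chain=forward comment="Office to Internet (list used as port)" in-interface=eth2_kontor out-interface=WAN
add action=accept chain=forward comment="Admin to POS (typos)" dest-address=192.168.7.0/24 in-interface=eth2_kantor src-address-list=AdminAccess
add action=accept chain=forward comment="LAN to Internet (correct)" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Guest to Internet (never reached)" in-interface=eth3_gjest out-interface=eth1_WAN
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` saved to a file (`lint(open("export.rsc").read())`) before pasting rules into the router; a clean run means every interface, list and parameter name the rules refer to actually exists, and nothing is hiding behind the final drop.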

You did well. As all ethernet ports will connect to different IP subnets, you should not connect the ethernet ports to a common bridge. And if you don't want to join two or more interfaces (ethernet ports, wlan, ...) into the same L2 (ethernet) network, you don't have to use a bridge at all, and all the config should be done directly on the physical interface.

If a particular device on the Gastrofix LAN uses the IP address 192.168.7.1, then eth4_gastrofix definitely needs something else from the address range 192.168.7.x. Any address that is not used will do. However, you will need to review the configuration of the "Gastrofix (POS router itself)" to make sure it knows to use the MT with IP 192.168.7.x as its default gateway (if that subnet needs access to the internet).

Firewall rule

add action=accept chain=forward comment="Allow Traffic to Internet (GuestWIFI)" in-interface=eth3_gjest out-interface=eth1_WAN src-address=192.168.2.2-192.168.2.254

seems to be redundant as internet access for guests should be covered by rule

add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface-list=LAN out-interface-list=WAN

earlier in the rule list (eth3_gjest is member of LAN interface list).

/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*$"
add name="youtube block" regexp="^.+(facebook.com|youtube).*$"
add name="allow web" regexp="^.+(gmail.com|yahoo|hotmail).*$"

The above rule is not working. I have tested it many times, but it only blocks Facebook; if I select action accept, it does not work for a specific IP. Please help.
Reply if you require more details.