Hi Jotne, I don't really see the point of posting two configs that I have already checked via a Notepad++ comparison, but I may concede LOL.
What I can say is that it's very hard at home to switch routers out, because I have 3 disparate groups using their computers for work and the mayhem it causes is not funny.
What I will point out is that there are no issues with the regular PCs attached, or with the WLANs on my two capAC2s (the ones not on VLANs).
Since the firewall rules are the same and the bridge rules are the same on the two routers, I am focusing at the moment on how the two devices differ in the way they handle VLANs and bridges.
I tried setting ingress filtering on the bridge (on and off) and that seems to make no difference on the hex or the RB450. I disabled all fw rules except the very basic ones… accept traffic drop traffic, allow admin to router, allow lan and vlans to internet etc… no difference.
The question is why the LAN works and the VLANs do not.
Please find below the configs. If you need verbose on any particular section please let me know!
The HEX, werkin grate!!
# jan/05/2019 12:39:16 by RouterOS 6.43.8
# model = RouterBOARD 750G r3
# NOTE(review): this is the hEX export the poster reports as working. Sensitive
# values are redacted by the poster (X/y/?? placeholders) and some sections may
# have been trimmed before posting.
/interface ethernet
# ether1 and ether5 are the two uplinks (both end up in the WAN list below);
# ether2/ether3 are the home LAN trunk ports, ether4 is the DMZ.
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface bridge
# One bridge with VLAN filtering on; its VLAN table lives under
# /interface bridge vlan further down. protocol-mode=none means no (R)STP.
# admin-mac is empty here (redacted or unset) while auto-mac=no — confirm the
# live bridge actually has a MAC configured.
add admin-mac= auto-mac=no comment=defconf name=HomeBridge \
protocol-mode=none vlan-filtering=yes
/interface vlan
# Eight routed VLAN interfaces hang off the bridge itself (the bridge is the
# tagged CPU port); each one gets its own /ip address and DHCP server below.
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
# VLAN 35 on Bell_eth5 is the second ISP uplink, not a LAN VLAN (it is a WAN
# list member below).
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
# NOTE(review): the DMZ server has no address-pool in this export, unlike the
# RB450 export (which assigns dhcp_DMZ). Either it serves static leases only
# or the pool was lost in trimming — confirm.
add disabled=no interface=ether4 lease-time=1d name=DMZ_server
/ip pool
# One pool per subnet; the third octet matches the VLAN ID for the VLAN pools.
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.150
add name=dhcp_DMZ ranges=192.168.2.2-192.168.2.100
add name=dhcp_SDcap1 ranges=192.168.30.5-192.168.30.20
add name=dhcp_MB ranges=192.168.40.5-192.168.40.20
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
add name=dhcp_WIFI_Guests ranges=192.168.200.5-192.168.200.100
add name=dhcp_SDcap2 ranges=192.168.45.5-192.168.45.30
add name=Theo_pool ranges=192.168.66.5-192.168.66.10
add name=VCAM_pool ranges=192.168.99.5-192.168.99.15
add name=NAS_pool ranges=192.168.33.5-192.168.33.15
/ip dhcp-server
# One DHCP server bound to each routed interface (the bridge for the untagged
# LAN, one per VLAN interface). No /ip dhcp-server network section appears in
# this export, so gateway/dns-server options for these are not visible here —
# presumably trimmed, since the poster reports this unit working.
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
name=HoMeLAN
add address-pool=dhcp_SDcap1 disabled=no interface=Wifi-SDevices_cap1 \
lease-time=1d name=SmartDServer1
add address-pool=dhcp_MB disabled=no interface=MediaStreaming_V40 lease-time=\
1d name=Media_Server
add address-pool=dhcp_WIFI_T&B disabled=no interface=GuestWifi_T&B_V100 \
lease-time=1d name="Wifi-Guests T&B_Server"
add address-pool=dhcp_WIFI_Guests disabled=no interface=Guests_WIFI-v200 \
lease-time=1d name=Wifi_Guests
add address-pool=dhcp_SDcap2 disabled=no interface=Wifi_SDevices_cap2 \
lease-time=1d name=SmartD_Server2
add address-pool=Theo_pool disabled=no interface=TheoVLAN lease-time=1d name=\
TheoServer
add address-pool=VCAM_pool disabled=no interface=VideoCamVLAN lease-time=1d \
name=VCAM_Server
add address-pool=NAS_pool disabled=no interface=NAS_V33 lease-time=1d name=\
NAS_server
/interface bridge port
# ether2/ether3 are the only bridge members. No pvid is set, so untagged frames
# on them land in the default VLAN (pvid 1), which is what the untagged
# 192.168.0.0/24 network on the HomeBridge address rides on.
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/ip neighbor discovery-settings
# MNDP/LLDP discovery only answers on LAN-list interfaces (never toward WAN).
set discover-interface-list=LAN
/ip settings
# rp-filter=loose: a packet is accepted if its source is reachable via ANY
# interface, so dual-uplink asymmetry is tolerated; strict would be tighter
# anti-spoofing but can break this two-ISP setup.
# allow-fast-path=no disables FastPath; a fasttrack-connection rule still
# exists in the forward chain below — confirm which effect is intended.
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
# All eight VLAN IDs are tagged on ether2, ether3 AND the bridge itself. Tagging
# HomeBridge is what lets the /interface vlan entries on the bridge receive the
# traffic. There are no untagged members, so VLAN traffic must arrive already
# tagged on the trunk ports (from the cAPs, per the post — not verifiable here).
add bridge=HomeBridge tagged=HomeBridge,ether3,ether2 vlan-ids=\
100,30,45,200,99,40,33,666
/interface list member
# Both uplinks (ether1 and the VLAN-35 sub-interface on ether5) are WAN.
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=vlanbell list=WAN
# The DMZ port, the bridge and every VLAN interface are all in LAN. This list
# is the trust boundary used by the input-chain rules below
# (in-interface-list=LAN): whatever those rules allow, they allow from the
# guest VLANs and the DMZ as well as from the home LAN.
add interface=ether4 list=LAN
add comment=defconf interface=HomeBridge list=LAN
add interface=GuestWifi_T&B_V100 list=LAN
add interface=Wifi-SDevices_cap1 list=LAN
add interface=Wifi_SDevices_cap2 list=LAN
add interface=Guests_WIFI-v200 list=LAN
add interface=TheoVLAN list=LAN
add interface=VideoCamVLAN list=LAN
add interface=MediaStreaming_V40 list=LAN
add interface=NAS_V33 list=LAN
/ip address
# Router holds .1 of each /24; the VLAN subnets reuse the VLAN ID as the third
# octet, which keeps the firewall rules below readable.
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.100.1/24 interface=GuestWifi_T&B_V100 network=\
192.168.100.0
add address=192.168.200.1/24 interface=Guests_WIFI-v200 network=192.168.200.0
add address=192.168.30.1/24 interface=Wifi-SDevices_cap1 network=192.168.30.0
add address=192.168.40.1/24 interface=MediaStreaming_V40 network=192.168.40.0
add address=192.168.45.1/24 interface=Wifi_SDevices_cap2 network=192.168.45.0
add address=192.168.66.1/24 interface=TheoVLAN network=192.168.66.0
add address=192.168.99.1/24 interface=VideoCamVLAN network=192.168.99.0
add address=192.168.33.1/24 interface=NAS_V33 network=192.168.33.0
/ip dhcp-client
# WAN address from the ISP, but no default route, no peer DNS and no peer NTP
# from it: routing and resolvers are pinned manually further down.
add add-default-route=no comment=defconf dhcp-options=hostname,clientid \
disabled=no interface=Eastlink_eth1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
/ip dns
# The router is a caching resolver for its clients (allow-remote-requests=yes).
# It is only kept from being an open resolver toward the internet by the final
# input-chain drop in /ip firewall filter — keep that rule last in the chain.
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip firewall address-list
# NOTE(review): this section is empty in the export, yet the filter/NAT rules
# reference adminaccess, VLANS-theo, Septic_Technicians, Solar_City and
# VLAN_Interfaces. If these lists are genuinely empty, every rule keyed on them
# matches nothing (e.g. "Allow ADMIN to Router" would admit nobody); more likely
# they were trimmed for privacy — confirm.
/ip firewall filter
# ---- input chain: packets addressed to the router itself ----
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Management access (SSH/WinBox/etc.) is gated on the adminaccess address list
# (not shown in this export) from any LAN-list interface; what can reach the
# router's services from the VLANs therefore depends on that list's contents.
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess
# Clients are pointed at the router for DNS; these two rules admit NEW queries
# from every LAN-list member, which includes all the VLAN interfaces. The
# RB450 export has no equivalent of these two rules.
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
# Default-deny for input: this is what keeps the resolver and every service
# closed toward WAN. NOTE(review): log-prefix is set but log=yes is not, so
# this rule logs nothing; add log=yes if the prefix is meant to be seen.
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
"INPUT DROP ALL"
# ---- forward chain: packets routed through the router ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# log-prefix without log=yes here as well — nothing is actually logged.
add action=drop chain=forward comment=\
"Drop invalid/malformed packets" connection-state=invalid \
log-prefix=INVALID
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# NOTE(review): the continuation line of this rule ends in a trailing "\",
# which on import would make the following "add" parse as part of it. The
# RB450 export has no backslash there, so presumably a paste artifact in the
# post — confirm against the live config. (log-prefix again without log=yes.)
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
add action=accept chain=forward comment="ENABLE DMZ to WAN" in-interface=\
ether4 out-interface-list=WAN
# One accept per VLAN gateway toward WAN only. Nothing below accepts
# VLAN-to-VLAN or VLAN-to-LAN traffic, so inter-segment traffic reaches the
# final drop unless it matches the admin exceptions — that is the isolation
# model here; keep it in mind when adding rules.
add action=accept chain=forward comment="ENABLE VLAN100 to WAN" in-interface=\
GuestWifi_T&B_V100 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN30 to WAN" in-interface=\
Wifi-SDevices_cap1 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN45 to WAN" in-interface=\
Wifi_SDevices_cap2 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN200 to WAN" in-interface=\
Guests_WIFI-v200 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN666 to WAN" in-interface=\
TheoVLAN log-prefix=TheoTraffic out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN99 to WAN" in-interface=\
VideoCamVLAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN40 to WAN" in-interface=\
MediaStreaming_V40 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN33 to WAN" in-interface=\
NAS_V33 out-interface-list=WAN
# Accepts anything that was already dst-natted. The real exposure control is
# the src-address-list restriction on each dst-nat rule in /ip firewall nat;
# a forward that is added without such a list becomes reachable from all of WAN.
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
# Admin-host exceptions from the untagged LAN: into the DMZ subnet, and into
# the VLANS-theo address list (not shown in this export). The second one is
# the only rule in this chain that actually logs (log=yes).
add action=accept chain=forward comment=Admin_for_Septic dst-address=\
192.168.2.0/24 in-interface=HomeBridge src-address=192.168.X.XX
add action=accept chain=forward comment="Admin_To_VLANS (except Theo)" \
dst-address-list=VLANS-theo in-interface=HomeBridge log=yes log-prefix=\
"Admin to VLANS" src-address=192.168.0.39
# Default-deny for forward. log=yes is absent here too, so the prefix is inert;
# enabling it is the cheapest way to see which segment's traffic is dying.
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic" log-prefix="FORWARD DROP ALL"
/ip firewall nat
# Source NAT per physical uplink; whichever route wins decides which rule fires.
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
out-interface=vlanbell
# Inbound forwards for the septic controller are limited to the
# Septic_Technicians address list and logged; ports/targets redacted by the
# poster. The Solar forwards are present but disabled on this unit.
add action=dst-nat chain=dstnat comment=Orenco_TCP dst-port=\
--,---,----,------,------ in-interface-list=WAN log=yes protocol=tcp \
src-address-list=Septic_Technicians to-addresses=192.168.X.XX
add action=dst-nat chain=dstnat comment=Orenco_UDP dst-port=\
--,---,----,------,------ in-interface-list=WAN log=yes protocol=udp \
src-address-list=Septic_Technicians to-addresses=192.168.X.XX
add action=dst-nat chain=dstnat comment=Solar_TCP disabled=yes dst-port=yy \
in-interface-list=WAN log=yes protocol=tcp src-address-list=Solar_City \
to-addresses=192.168.y.yy
add action=dst-nat chain=dstnat comment=Solar_UDP disabled=yes dst-port=yy \
in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_City \
to-addresses=192.168.y.yy
# DNS hijack-to-router rules are present but disabled; note they would apply
# to every source NOT in VLAN_Interfaces (negated list).
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=!VLAN_Interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=!VLAN_Interfaces
/ip firewall service-port
# All connection-tracking ALG helpers off: smaller attack surface, and no
# helper can punch dynamic pinholes through the forward chain.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-direct-media=no sip-timeout=55m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Recursive default routes: the distance-2/3 defaults point at 8.8.4.4 and
# 208.67.220.220, which are themselves reached via host routes through the Bell
# uplink, with check-gateway=ping doing the failover; distance 10 via Eastlink
# is the last resort. Gateway names are poster placeholders.
# NOTE(review): the two host routes use "vlanbellgateway" and
# "vlanbellgateway1" — presumably the same next hop, confirm.
add check-gateway=ping distance=2 gateway=8.8.4.4
add check-gateway=ping distance=3 gateway=208.67.220.220
add distance=10 gateway=ISPEastlinkgateway
add distance=2 dst-address=8.8.4.4/32 gateway=vlanbellgateway scope=10
add comment=Email_bypass distance=1 dst-address=24.222.0.20/32 gateway=\
ISPEastlinkgateway
add distance=3 dst-address=208.67.220.220/32 gateway=vlanbellgateway1 scope=10
/ip service
# Only SSH and WinBox remain, each bound to an address restriction and a
# non-default port (both redacted); telnet/ftp/www/api/api-ssl are off.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.X/ port=??
set api disabled=yes
set winbox address=192.168.X port=??
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Halifax
/system ntp client
# NOTE(review): "time.nrc.ca,time,nrc.chu.ca" is three comma-separated names;
# "time" and "nrc.chu.ca" look like one hostname split by a stray comma —
# confirm, otherwise only the first server can resolve.
set enabled=yes server-dns-names=time.nrc.ca,time,nrc.chu.ca
/system resource irq rps
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet off everywhere (allowed-interface-list=none). MAC-WinBox stays
# reachable on the LAN list, which includes the guest VLANs; login still needs
# credentials, but a tighter list (e.g. the bridge only) would limit it to the
# home LAN.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
…
The RB450Gx4 funky vlan performance???
You will note a bunch of FW rules that have to do with layer7 programming.
They should not interfere but I did test with all the associated fw rules disabled, with no change in outcome.
…
# jan/04/2019 09:35:46 by RouterOS 6.43.8
# model = RB450Gx4
# NOTE(review): this is the RB450Gx4 export the poster reports as failing for
# VLAN clients; same redaction/trimming caveats as the hEX export.
/interface bridge
# Same bridge as on the hEX, plus ingress-filtering=yes on the bridge itself.
# "admin-mac=6" is not a valid MAC — presumably a redaction/paste artifact; with
# auto-mac=no the live bridge needs a real admin-mac, confirm.
add admin-mac=6 auto-mac=no comment=defconf \
ingress-filtering=yes name=HomeBridge protocol-mode=none vlan-filtering=\
yes
/interface ethernet
# Port roles identical to the hEX: ether1/ether5 uplinks, ether2/3 LAN trunks,
# ether4 DMZ.
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface vlan
# Same eight routed VLAN interfaces on the bridge and the VLAN-35 uplink on
# Bell_eth5 as on the hEX.
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Pools are identical to the hEX export.
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.150
add name=dhcp_DMZ ranges=192.168.2.2-192.168.2.100
add name=dhcp_SDcap1 ranges=192.168.30.5-192.168.30.20
add name=dhcp_MB ranges=192.168.40.5-192.168.40.20
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
add name=dhcp_WIFI_Guests ranges=192.168.200.5-192.168.200.100
add name=dhcp_SDcap2 ranges=192.168.45.5-192.168.45.30
add name=Theo_pool ranges=192.168.66.5-192.168.66.10
add name=VCAM_pool ranges=192.168.99.5-192.168.99.15
add name=NAS_pool ranges=192.168.33.5-192.168.33.15
/ip dhcp-server
# One server per routed interface, as on the hEX; the only difference is that
# the DMZ server here has the dhcp_DMZ pool attached.
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
name=HoMeLAN
add address-pool=dhcp_SDcap1 disabled=no interface=Wifi-SDevices_cap1 \
lease-time=1d name=SmartDServer1
add address-pool=dhcp_MB disabled=no interface=MediaStreaming_V40 lease-time=\
1d name=Media_Server
add address-pool=dhcp_WIFI_T&B disabled=no interface=GuestWifi_T&B_V100 \
lease-time=1d name="Wifi-Guests T&B_Server"
add address-pool=dhcp_WIFI_Guests disabled=no interface=Guests_WIFI-v200 \
lease-time=1d name=Wifi_Guests
add address-pool=dhcp_SDcap2 disabled=no interface=Wifi_SDevices_cap2 \
lease-time=1d name=SmartD_Server2
add address-pool=Theo_pool disabled=no interface=TheoVLAN lease-time=1d name=\
TheoServer
add address-pool=VCAM_pool disabled=no interface=VideoCamVLAN lease-time=1d \
name=VCAM_Server
add address-pool=NAS_pool disabled=no interface=NAS_V33 lease-time=1d name=\
NAS_server
add address-pool=dhcp_DMZ disabled=no interface=ether4 lease-time=1d name=\
DMZ_server
/interface bridge port
# Same two trunk ports as the hEX, again with default pvid (1) for untagged
# frames. ingress-filtering on the bridge (set above) only rejects frames whose
# VLAN ID is missing from the bridge's own entry in the VLAN table; since all
# eight IDs are tagged on HomeBridge below, it should not be what breaks VLAN
# traffic — consistent with the post saying toggling it changed nothing.
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/ip neighbor discovery-settings
# Neighbor discovery fully off (the hEX answers on LAN). Good hardening, and
# unrelated to VLAN forwarding; it only hides the router from neighbor lists.
set discover-interface-list=none
/ip settings
# Identical to the hEX: loose reverse-path filtering, FastPath disabled.
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
# Same VLAN table as the hEX (IDs listed in a different order, which is
# irrelevant): all IDs tagged on ether2, ether3 and the bridge CPU port.
add bridge=HomeBridge tagged=HomeBridge,ether3,ether2 vlan-ids=\
100,30,45,200,666,99,40,33
/interface list member
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=vlanbell list=WAN
# As on the hEX, the DMZ port, the bridge and every VLAN interface are in LAN;
# the input rules below use this list as their trust boundary.
add interface=ether4 list=LAN
add interface=HomeBridge list=LAN
add interface=GuestWifi_T&B_V100 list=LAN
add interface=Wifi-SDevices_cap1 list=LAN
add interface=Wifi_SDevices_cap2 list=LAN
add interface=Guests_WIFI-v200 list=LAN
add interface=TheoVLAN list=LAN
add interface=VideoCamVLAN list=LAN
add interface=MediaStreaming_V40 list=LAN
add interface=NAS_V33 list=LAN
/ip address
# Identical addressing to the hEX.
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.100.1/24 interface=GuestWifi_T&B_V100 network=\
192.168.100.0
add address=192.168.200.1/24 interface=Guests_WIFI-v200 network=192.168.200.0
add address=192.168.30.1/24 interface=Wifi-SDevices_cap1 network=192.168.30.0
add address=192.168.40.1/24 interface=MediaStreaming_V40 network=192.168.40.0
add address=192.168.45.1/24 interface=Wifi_SDevices_cap2 network=192.168.45.0
add address=192.168.66.1/24 interface=TheoVLAN network=192.168.66.0
add address=192.168.99.1/24 interface=VideoCamVLAN network=192.168.99.0
add address=192.168.33.1/24 interface=NAS_V33 network=192.168.33.0
/ip dhcp-client
# Both uplinks get addresses by DHCP here (the hEX export shows only the
# Eastlink client); neither installs a default route or peer DNS/NTP.
add add-default-route=no comment=defconf dhcp-options=hostname,clientid \
disabled=no interface=Eastlink_eth1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=vlanbell use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
/ip dhcp-server network
# Every subnet hands out the router's own address on that segment as BOTH
# gateway and dns-server. Name resolution for VLAN clients therefore depends
# on the router's input chain accepting their UDP/TCP 53 queries on the VLAN
# interfaces — see the note on /ip firewall filter below.
add address=192.168.0.0/24 comment=HomeDHCP dns-server=192.168.0.1 gateway=\
192.168.0.1
add address=192.168.2.0/24 comment=DMZLan_Network dns-server=192.168.2.1 \
gateway=192.168.2.1
add address=192.168.30.0/24 comment=SmartDevices_cap1 dns-server=192.168.30.1 \
gateway=192.168.30.1
add address=192.168.33.0/24 comment="NAS dhcp" dns-server=192.168.33.1 \
gateway=192.168.33.1
add address=192.168.40.0/24 comment=MediaBoxes dns-server=192.168.40.1 \
gateway=192.168.40.1
add address=192.168.45.0/24 comment=SmartDevices_Cap2 dns-server=192.168.45.1 \
gateway=192.168.45.1
add address=192.168.66.0/24 comment="DHCP for THeo" dns-server=192.168.66.1 \
gateway=192.168.66.1
add address=192.168.99.0/24 comment=VideoSurv dns-server=192.168.99.1 \
gateway=192.168.99.1
add address=192.168.100.0/24 comment=Guests_T&B dns-server=192.168.100.1 \
gateway=192.168.100.1
add address=192.168.200.0/24 comment="Wifi_Guests- RM" dns-server=\
192.168.200.1 gateway=192.168.200.1
/ip dns
# Caching resolver for clients; kept closed toward WAN only by the final
# input-chain drop below.
set allow-remote-requests=yes servers=\
8.8.4.4,8.8.8.8,208.67.220.220,208.67.222.222
/ip firewall filter
# ---- input chain ----
# NOTE(review): unlike the hEX export, this chain has NO rule accepting new DNS
# queries from in-interface-list=LAN. The two "Accept Established DNS" rules
# match only connection-state=established, which a client's first query never
# is, so a client query to the router falls through to "Drop anything else!"
# unless its source is in the adminaccess list. Every DHCP network above
# advertises the router as dns-server, so affected clients get an address but
# no name resolution. If adminaccess covers the 192.168.0.0/24 hosts but not
# the VLAN subnets, that would look exactly like "LAN works, VLANs don't".
# The hEX rules that are missing here are:
#   add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
#   add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
# placed above the final input drop; the drop rule's counter, watched while a
# VLAN client resolves a name, confirms or rules this out.
# (port=53 below matches either source or destination port.)
add action=accept chain=input comment="Accept Established DNS - UDP" \
connection-state=established port=53 protocol=udp
add action=accept chain=input comment="Accept Established DNS - TCP" \
connection-state=established port=53 protocol=tcp
# No action= given, so these take the default action (accept). They are
# limited to protocol=tcp: established/related UDP and ICMP replies to the
# router's own traffic (NTP on UDP 123, and presumably the echo replies the
# check-gateway=ping routes below depend on) are not matched and reach the
# final drop. The hEX accepts established,related,untracked with no protocol
# match — confirm whether that difference is intentional.
add chain=input comment="Accept to established connections" \
connection-state=established protocol=tcp
add chain=input comment="Accept to related connections" \
connection-state=related protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Management access gated on the adminaccess list (not shown in this export).
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess
# Default-deny for input; no log here, so add log=yes temporarily when
# diagnosing what dies (the hEX sets a prefix but also never enables logging).
add action=drop chain=input comment="Drop anything else!"
# ---- forward chain ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
# Differs from the hEX only in not accepting "untracked".
add action=accept chain=forward comment=\
"defconf: accept established,related, " connection-state=\
established,related
# Blocks DNS arriving FROM the internet toward inside hosts; only relevant
# for dst-natted traffic and harmless for the clients' own queries.
add action=drop chain=forward comment="Drop external DNS - UDP" \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="Drop external DNS - TCP" \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward comment=\
"Drop invalid/malformed packets" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Segment-to-WAN accepts, one per routed interface, identical to the hEX.
# Nothing accepts VLAN-to-VLAN or VLAN-to-LAN, so inter-segment traffic hits
# the final drop unless it matches the admin exceptions. (log-prefix values
# without log=yes are inert.)
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN
add action=accept chain=forward comment="ENABLE DMZ to WAN" in-interface=\
ether4 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN100 to WAN" in-interface=\
GuestWifi_T&B_V100 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN30 to WAN" in-interface=\
Wifi-SDevices_cap1 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN45 to WAN" in-interface=\
Wifi_SDevices_cap2 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN200 to WAN" in-interface=\
Guests_WIFI-v200 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN666 to WAN" in-interface=\
TheoVLAN log-prefix=TheoTraffic out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN99 to WAN" in-interface=\
VideoCamVLAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN40 to WAN" in-interface=\
MediaStreaming_V40 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN33 to WAN" in-interface=\
NAS_V33 out-interface-list=WAN
# Accepts anything already dst-natted; exposure is controlled by the
# src-address-list on each dst-nat rule in /ip firewall nat.
add action=accept chain=forward comment=\
" Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
# Admin-host exceptions from the untagged LAN: into the DMZ, and into the
# VLAN_Interfaces list minus TheoVLAN's subnet (list not shown in this export).
add action=accept chain=forward comment=Admin_for_Septic dst-address=\
192.168.x in-interface=HomeBridge src-address=192.168.x.xx
add action=accept chain=forward comment="Admin_To_VLANS (except Theo)" \
dst-address=!192.168.66.0/24 dst-address-list=VLAN_Interfaces \
in-interface=HomeBridge log=yes log-prefix="Admin to VLANS" src-address=\
192.168.x.xx
# Default-deny for forward; this one does log, so "FORWARD DROP ALL" entries
# in the log are the place to look for VLAN traffic that is being routed but
# refused.
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic" log=yes log-prefix=\
"FORWARD DROP ALL"
# Belt-and-braces: www is already disabled under /ip service below, so the
# router never originates TCP from port 80 anyway.
add action=drop chain=output comment="Drop Access to WebUI" protocol=\
tcp src-port=80
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
out-interface=vlanbell
# Inbound forwards are limited to the Septic_Technicians / Solar_City address
# lists and logged. Note the Solar forwards are ENABLED on this unit (disabled
# on the hEX), so the Solar_City list is the only thing between WAN and that
# inside host — keep it as narrow as the vendor's real source ranges.
add action=dst-nat chain=dstnat comment=Orenco_TCP dst-port=\
-,-- in-interface-list=WAN log=yes protocol=tcp \
src-address-list=Septic_Technicians to-addresses=192.168.y.yy
add action=dst-nat chain=dstnat comment=Orenco_UDP dst-port=\
-,--,--- in-interface-list=WAN log=yes protocol=udp \
src-address-list=Septic_Technicians to-addresses=192.168.y.yy
add action=dst-nat chain=dstnat comment=Solar_TCP dst-port=zz \
in-interface-list=WAN log=yes protocol=tcp src-address-list=Solar_City \
to-addresses=192.168.z.zz
add action=dst-nat chain=dstnat comment=Solar_UDP dst-port=zz \
in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_City \
to-addresses=192.168.z.zz
# DNS redirect-to-router rules present but disabled, as on the hEX.
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=!VLAN_Interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=!VLAN_Interfaces
/ip firewall service-port
# All ALG helpers off, same as the hEX.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-direct-media=no sip-timeout=55m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Same recursive check-gateway layout as the hEX, but every gateway here is
# the single placeholder "ispgateway". If that is literal rather than a
# redaction, the 8.8.4.4 and 208.67.220.220 host routes both leave via the
# same next hop and the distance-2/3 defaults no longer represent two
# different uplinks — confirm. check-gateway=ping also relies on ICMP echo
# replies being accepted by the input chain above.
add check-gateway=ping distance=2 gateway=8.8.4.4 target-scope=30
add check-gateway=ping distance=3 gateway=208.67.220.220 target-scope=30
add distance=10 gateway=ispgateway target-scope=30
add distance=2 dst-address=8.8.4.4/32 gateway=ispgateway
add comment=Email_bypass distance=1 dst-address=24.222.0.20/32 gateway=\
ispgateway
add distance=3 dst-address=208.67.220.220/32 gateway=ispgateway
/ip service
# Only SSH and WinBox on, address-restricted and on non-default ports
# (redacted). "192.168.xport=??" lost a space in redaction; the live line is
# presumably "address=... port=...".
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.x port=??
set api disabled=yes
set winbox address=192.168.xport=??
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Halifax
/system ntp client
# NOTE(review): "nrc.chu.ca" looks like a mistyped hostname (the hEX has the
# same fragment split by a comma) — confirm the intended second server.
set enabled=yes server-dns-names=time.nrc.ca,nrc.chu.ca
# No /tool bandwidth-server section in this export; exports omit defaults, so
# it is presumably at its default here, whereas the hEX explicitly disables
# it — confirm and disable if unused.
/tool mac-server
# NOTE(review): MAC-telnet is allowed on the whole LAN list here (the hEX has
# it set to none). LAN includes every guest VLAN, so MAC-telnet login prompts
# are reachable from guest devices; set this to none unless it is needed.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN