Update to my prior post on CCR2004 Firewall

RouterOS Beginner Basics
1

I mistakenly pasted my PDF file instead of text file. Here is the proper text file of my firewall configuration. I need help getting this config trimmed down so that I can begin adding VLANS.

My CCR 2004-1G-12S+2XS.txt (3.5 KB)

1 Like
2

complete config required minus router serial number, any public WANIP information, keys, dhcp lease lists.

3

I will do that today

4

My-CCR2004.rsc (5.9 KB)

Here is my full config. My goal is to add several VLAN’s to segment my network. This is not in production at this time so I am open do do anything necessary.

5

Too many basic A-B-C errors,
like giving 192.168.1.x to both the WAN and the MGMT port,
the firewall is NOT the default one (by default in this model it might not be there, I know)

The only correct thing is to use ether1 only for MGMT

6

I changed the MGMT port to 10.10.10.1/26 This is like I said a test setup is what I am using at the moment.

7

What are the A-B-C errors?

8

A:

add address=192.168.1.0/24 interface="ether1 Mgmt" network=192.168.1.0

https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=192..168.1.0&ctype=ipv4&x=Calculate

.0 address is not used normally, the range of usable IP's starts with .1.

9

Thank You

11

First thing I would do is get rid of any cuteness, like a a bridge name in quotes. Keep quotes for text comments less confusing to read and troubleshoot. Case in point next line is comment management port in quotes which is appropriate.

Next no clue why you use quotes to name an interface and name it LAN, when clearly you have only one address for the Bridge and no address for this separate LAN sfp+2, ???

you have many weird non typical settings like
/ip settings
set accept-source-route=yes

What is this for???
Why is your management port ether1, on the same subnet as your WAN connection???
Why do you have a dhcp client set for your WAN when you already have an address for the WAN listed??
What prompted you to adopt icmp rules silliness……….?
Default NAT rule has been changed and is now incomplete…
where is your interface list and interface list members

12

@anav
Now, now, if you start like this the English alphabet letters won't be enough ...
:rofl:

13

dont-get-me_started

14

Thank you for your wisdom and understanding of my problem. I nam going to wipe it and start with the basics. You are a great help to this forum.

15

He just used more words to describe what I had written as summary:

16

You will have to meow louder as I only have one good ear!

1 Like