Hi, I’m setting up a new home network with VLANs, first time using it. Now I’ve set up 6 VLANs and the idea is that vlan50 will be my main home network and management VLAN for wired devices on ports 3-6 and vlan60 for IoT devices, and all VLANs 10,20,30,40,50,60 will be on trunk ports 1-2 for 2 TP-Link Omada APs, and ports 7, 8 and USB will be uplink WAN ports. It’s kind of working, but my problem is that I don’t know how to efficiently allow internet connectivity for all VLANs (it’s working with this config), but drop access to other VLANs and block access to the router itself without losing WAN connectivity, and this is my main issue.
Can somebody please review this configuration and suggest some security and performance improvements?
I hope that my intention is clear enough.
Ty
Your config is understandable, but a network diagram with trunk and access ports is highly advisable, because on some ports which claim to be access ones there aren’t any visible PVIDs.
You made the error of having a bridge subnet, get rid of it and assign another VLAN. Due to this you failed to clearly identify this other subnet which seems to be at least intended for ports 4,5,6 and sfp-sfpplus1 ???
You also seem to be adding WAN ports to the Bridge which is not usually required in most scenarios.
You also do not seem to know how to use vlans properly when it comes to /interface bridge ports and /interface bridge vlans.
You have duplicate pools, both pokucni and pool6 are identical???
If vlan50 is home then WTF is 192.168.88 subnet?? Should I assume this is for the admin only???
Why if there are six vlans now ( seven when you remove bridge from doing anything directly with a subnet and assign a vlan to .88) do you have 8 pools??
(four for apartments 1-4, one home, one IoT)
Vlans required because the ISP provides connectivity via a VLAN do NOT require pools, servers, gateways etc…
Bridge ports should be in one of three formats:
access port (going to dumb device)
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=X pvid=YY
trunk port (going to smart device)
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=A
Hybrid port (rare, going to a device such as a VoIP phone or UniFi AP)
add bridge=bridge interface=B pvid=ZZ
Change detect internet TO: none
Don’t think you quite understand firewall rules yet. What is the purpose of the first rule given the third rule?
add action=accept chain=input in-interface=vlan50-home-lan
add action=drop chain=input disabled=yes in-interface-list=guest-vlan
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
If not using IPv6, I suggest disabling it and removing any associated lists and filter rules.
Suggest reading the following link first to help understand where I am coming from.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Feel free to ask questions, but it would be premature for me to comment on the file as it’s too full of basic errors at the moment, so more understanding is required.
Hi, thanks for pointing me to that topic about VLANs. I’ve already read it before, but not very carefully obviously; I think that now I have a basic understanding of VLANs. The way I’ve set it up before was working, but I felt it was wrong, and that’s why I’ve asked here. The previous setup was mainly defconf with added VLANs (early alpha ver.), that’s why it was so full of every kind of s**t.
Is this now attached export at least a little bit better, and is it a solid foundation for fine tuning the setup? I know I need to narrow down the ADMIN rules to some /29 subnet.
The ISP provides connectivity via a roof 5G device/antenna with a DHCP server, and the router inside for the home network and phone port. I’ve found that their VLANs are 100 and 101 for internet and phone, and moved their router downstream on Mikrotik ether6 for the phone connection, and it’s working this way. I also tried to make that router part of my network, to use it as a dumb switch or bring internet connectivity to it and make a separate network (guest wifi maybe, any use case considering I have to have it plugged in for the phone connection), but couldn’t find a way; probably I need to set up some kind of server on that port (some advice on that would be great?).
You also seem to be adding WAN ports to the Bridge which is not usually required in most scenarios.
WAN ports to the Bridge? I don’t know where I did that.
Please comment and suggest
Ty
config2.rsc (13.2 KB)
Remove router serial number from posted configs.
Just to be clear, do you have two lines coming from the ISP device and plugged into the router
One for internet and your router gets an IP address on the 100 subnet? and the other for Telephone
OR
You have one line coming from the ISP device, and from this you want to use one DHCP from the ISP for the router on v100 to give the router its WAN IP, and then also send v101 to ether6 for phone distribution.
I will assume the latter is correct.
However, it’s not clear to me what is going on for ether8; is that your ISP incoming traffic?
If ether6 is going to phone distribution what device is connected to ether6 that can read vlan tags and then distribute phone traffic?
What is on ether1,ether2,ether7 ???
I have one line from the ISP device carrying VLAN 100 (internet) and 101 (phone) connected to ether8 on the Mikrotik. That line is bound to the MAC address of the ISP’s inside router (or it’s working just as a switch, I don’t know), and that’s why I’ve set a custom MAC on ether8. I moved that inside ISP router downstream behind the Mikrotik on ether6, and that device can read VLAN tags and then distribute phone traffic, unaware of the Mikrotik in between. So yes, ISP incoming traffic is on ether8. Everything is working fine with this setup. Now I want, if it’s possible, to use that ISP inside router for something else, not just phone distribution; since I need it for the phone, I thought of using it as part of my network as a dumb switch, or bringing up the internet connection on it somehow (spoof it so it thinks it’s still connected directly to that ISP device on the roof). I like fiddling with this stuff, don’t we all here? I’ve managed to bring it online I think (the online LED indicator was lit when I created a second vlan100 interface under ether6; also tried to create a DHCP server on it), but connecting a laptop to one of its ports it couldn’t get an IP. Maybe I need some DHCP relay pointing to that other device? But this isn’t something I couldn’t live without ;) Hope I managed to describe it understandably; maybe I could draw a diagram if not?
Considering the other ports, ether7 is for the WAN failover connection; there I’ll plug in a little portable wifi AP https://www.protis.hr/products/details/airlive-nmini-worlds-smallest-300mbps-wirelessn-miniap-2t2r-mimo-11b-g-n-radio-ap/39873 in WISP mode, so when I turn on the hotspot on my phone its connection is automatically distributed to the home network (I have this in my current setup with an MT hEX S as router). Ether1 and 2 are going to 2 TP-Link VLAN-aware wifi APs.
Another thing I was planning was to use the Mikrotik RADIUS server for wifi user PPSK authorization (VLAN aware, one SSID > multiple VLANs), but I don’t think MT RADIUS supports it?
Hope I shed some light on it?
Remove router serial number from posted configs.
Ty, I thought hide-sensitive on export removes ALL sensitive?
hide-sensitive was valid for ver6, not ver7.
- One bridge, add both ISP vlans to the single bridge!
- Recommend changing ether8 to an EDGE port to avoid potential interference.
- Pools rationalized ( 7,9 duplicates) plus only 6 vlans so only 6 Pools.
- The APs should also have the home vlan unless nobody at home is allowed wifi, plus of course the AP should get its IP address on the trusted subnet.
- There is no point to the VLAN interface list, it’s a duplicate of the LAN list!
- Are you sure on Wireguard peers the endpoint port is the same? ( probably as they have diff addresses, I changed interface port on router wireguard as they are for the most part meaningless)
- Don’t forget to tag the bridge itself
- WHY /29 for the four apartment vlans?? It only provides 5 usable IPs for each subnet? Since your pools match I suppose it’s what you want.
- I understand why you have an IP address for the backup wan on ether7. BUT a DHCP server makes no sense, so removed… it may be my lack of understanding of how it works though.
- Static DNS to .88 not helpful and removed.
- Don’t understand any of your debrid rules and thus removed.
- Good idea to clamp for mtu on both of the third party VPNs; I provided two examples to use as one may work better than the other…
- Also dumped the raw rules. Best if you explain what you are trying to accomplish to sort out the ideal config.
- Your routing appears confused including duplicate routes, but probably just me. What IPs need to go out wireguard and do you know which wireguard?
SUMMARY: unable to complete analysis without a detailed requirements discussion on how one expects users to use the various WANs (primary, wireguard1, wireguard2 and of course backup).
In some way, via IPs one has to identify which IPs ( source of traffic ) are going out which WAN, by IP, by firewall address list, by subnet.
There may be specific WANIPs ( does not include ones own generally speaking so I am talking for www traffic ) which can also provide some guidance.
…
# model = RB5009UPr+S+
# serial number =
/interface bridge
add admin-mac=78:9A:18:72:36:7E auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether8 ] mac-address=C0:D7:AA:16:A2:B0
/interface wireguard
add listen-port=51020 mtu=1420 name=Surfshark_Beograd
add listen-port=51080 mtu=1420 name=Surfshark_London
/interface vlan
add comment=apartman1 interface=bridge name=vlan10-app1 vlan-id=10
add comment=apartman2 interface=bridge name=vlan20-app2 vlan-id=20
add comment=apartman3 interface=bridge name=vlan30-app3 vlan-id=30
add comment=apartman4 interface=bridge name=vlan40-soba vlan-id=40
add comment=home-lan-pokucni interface=bridge name=vlan50-home-lan vlan-id=50
add comment=home-lan-iot_&_guest_wifi interface=bridge name=vlan60-iot \
vlan-id=60
add comment=t-com_internet_vlan interface=bridge name=vlan100-internet \
vlan-id=100
add comment=T-com_telefon_vlan interface=bridge name=vlan101-telefon vlan-id=\
101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=10.10.10.2-10.10.10.6
add name=dhcp_pool3 ranges=10.20.20.2-10.20.20.6
add name=dhcp_pool4 ranges=10.30.30.2-10.30.30.6
add name=dhcp_pool5 ranges=10.40.40.2-10.40.40.6
add name=dhcp_pool6 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool7 ranges=10.60.60.2-10.60.60.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlan10-app1 lease-time=15m name=dhcp1
add address-pool=dhcp_pool3 interface=vlan20-app2 lease-time=15m name=dhcp2
add address-pool=dhcp_pool4 interface=vlan30-app3 lease-time=15m name=dhcp3
add address-pool=dhcp_pool5 interface=vlan40-soba lease-time=15m name=dhcp4
add address-pool=dhcp_pool6 interface=vlan50-home-lan lease-time=23h59m59s \
name=dhcp5
add address-pool=dhcp_pool7 interface=vlan60-iot lease-time=23h59m59s name=\
dhcp6
/routing table
add disabled=no fib name=use_Surfshark_bg
add disabled=no fib name=use_Surfshark_London
add disabled=no fib name=use_T-Com_5g
/user-manager profile
add name=pokucni-home name-for-users=home-lan validity=unlimited
/user-manager user
add name=pokucni-home-lan
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment=AP1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2 comment=AP2
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6 comment="VOIP trunk"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8 comment="trunk from ISP" edge=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=10,20,30,40,60
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether3,ether4,ether5,sfp-sfpplus1 vlan-ids=50
add bridge=bridge tagged=bridge,ether8 vlan-ids=100
add bridge=bridge tagged=bridge,ether8,ether6 vlan-ids=101
/interface detect-internet
set detect-interface-list=none
/interface list member
add interface=vlan100-internet list=WAN
add interface=vlan101-telefon list=WAN
add interface=ether8 list=WAN
add interface=ether7 list=WAN
add interface=Surfshark_Beograd list=WAN
add interface=Surfshark_London list=WAN
add interface=vlan10-app1 list=LAN
add interface=vlan20-app2 list=LAN
add interface=vlan30-app3 list=LAN
add interface=vlan40-soba list=LAN
add interface=vlan50-home-lan list=LAN
add interface=vlan60-iot list=LAN
add comment=admin-VLAN interface=vlan50-home-lan list=ADMIN
/interface ovpn-server server
add mac-address=FE:EF:53:F5:A3:AD name=ovpn-server1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=rs-beg.prod.surfshark.com \
endpoint-port=51820 interface=Surfshark_Beograd name=wg-beograd \
persistent-keepalive=30s public-key="====="
add allowed-address=0.0.0.0/0 endpoint-address=uk-lon.prod.surfshark.com \
endpoint-port=51820 interface=Surfshark_London name=wg-london \
persistent-keepalive=30s public-key="-----"
/ip address
add address=10.14.0.2/24 comment=VPN-bg interface=Surfshark_Beograd network=\
10.14.0.0
add address=10.14.0.2/24 comment=VPN-lon interface=Surfshark_London network=\
10.14.0.0
add address=192.168.2.1/24 comment=wisp-AIRLIVE interface=ether7 network=\
192.168.2.0
add address=10.10.10.1/29 comment=apartman1 interface=vlan10-app1 network=\
10.10.10.0
add address=10.20.20.1/29 comment=apartman2 interface=vlan20-app2 network=\
10.20.20.0
add address=10.30.30.1/29 comment=apartman3 interface=vlan30-app3 network=\
10.30.30.0
add address=10.40.40.1/29 comment=apartman4-soba interface=vlan40-soba \
network=10.40.40.0
add address=192.168.0.1/24 comment=home-lan-pokucni interface=vlan50-home-lan \
network=192.168.0.0
add address=10.60.60.1/24 comment=iot-home interface=vlan60-iot network=\
10.60.60.0
/ip dhcp-client
add add-default-route=no comment=T-Com_5g interface=vlan100-internet script=":\
if (\$bound=1) do={\
\n/ip route add distance=1 gateway=\$\"gateway-address\" routing-table=use\
_T-Com_5g comment=\"T-Com_5g\"\
\n/ip route set [find comment=\"T-Com_5g-main\"] gateway=\$\"gateway-addre\
ss\"\
\n/ip route set [find comment=\"recursive-T-Com_5g\"] gateway=\$\"gateway-\
address\"\
\n/file print file=(\"5g-gw.txt\")\
\n:delay 3\
\n/file set contents=\$\"gateway-address\" (\"5g-gw.txt\")\
\n} else={\
\n/ip route remove [/ip route find comment=\"T-Com_5g\"]\
\n}" use-peer-dns=no
/ip dhcp-server network
add address=10.10.10.0/29 dns-server=192.168.0.1 gateway=10.10.10.1
add address=10.20.20.0/29 dns-server=192.168.0.1 gateway=10.20.20.1
add address=10.30.30.0/29 dns-server=192.168.0.1 gateway=10.30.30.1
add address=10.40.40.0/29 dns-server=192.168.0.1 gateway=10.40.40.1
add address=10.60.60.0/24 dns-server=192.168.0.1 gateway=10.60.60.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=149.154.159.92,162.252.172.57,1.1.1.1
/ip firewall address-list { use static dhcp leases }
add address=192.168.0.A list=Authorized comment="admin desktop"
add address=192.168.0.B list=Authorized comment="admin laptop"
add address=192.168.0.C list=Authorized comment="admin laptop wifi"
add address=192.168.0.D list=Authorized comment="admin smartphone/ipad wifi"
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept ADMIN to all" in-interface-list=ADMIN src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { insert this rule here but as last rule to avoid getting locked out }
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access to LAN" in-interface-list=ADMIN src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop everything else"
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=Surfshark_Beograd passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=1380 out-interface=Surfshark_London protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
UNKNOWN PURPOSES
/ip service
set www-ssl disabled=no
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
/radius
add address=127.0.0.1 comment=wifi-authentification service=dhcp,dot1x
/radius incoming
set accept=yes
/routing rule
UNKNOWN PURPOSES
/system clock
set time-zone-name=Europe/Zagreb
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=ADMIN
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool netwatch
add comment=T-Com_5g_check disabled=no down-script="" host=8.8.8.8 \
http-codes="" packet-size=64 test-script="" type=icmp up-script=""
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=192.168.0.75 name=omada-controller
/user-manager user-profile
add profile=pokucni-home user=pokucni-home-lan
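An added consistency check for the three bridge-port formats and the "tag the bridge itself" point made earlier, run against an export in the layout of the config above (my own Python, not code from this thread or from MikroTik; the embedded export is a constructed sample with two deliberate faults, and the check enforces the explicit untagged/tagged declarations the reviewer's config uses):

```python
import re

# Constructed sample in the layout of the thread's export, with two deliberate faults: ether5 has pvid=50 but is
# not listed untagged in VLAN 50, and vlan101 sits on the bridge while VLAN 101 does not carry the bridge as tagged.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=vlan50-home-lan vlan-id=50
add interface=bridge name=vlan101-telefon vlan-id=101
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment=AP1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6 comment="VOIP trunk"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8 comment="trunk from ISP"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10,20,30,40,60
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=50
add bridge=bridge tagged=ether8,ether6 vlan-ids=101
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value pairs; the value may be double-quoted

def parse_sections(text):
    """Map each `/section` header to the list of its `add ...` lines as key/value dicts."""
    sections, current = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join RouterOS line continuations
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections

def members(entry, key):
    return {p for p in entry.get(key, "").split(",") if p}

def check_bridge_vlans(text):
    """Return a list of findings; an empty list means the port and vlan tables agree."""
    s = parse_sections(text)
    tagged, untagged = {}, {}  # vlan-id -> set of member ports
    for v in s.get("/interface bridge vlan", []):
        for vid in v["vlan-ids"].split(","):
            tagged.setdefault(vid, set()).update(members(v, "tagged"))
            untagged.setdefault(vid, set()).update(members(v, "untagged"))
    findings = []
    for p in s.get("/interface bridge port", []):
        name = p["interface"]
        if p.get("frame-types") == "admit-only-vlan-tagged":  # trunk: must be tagged somewhere
            if not any(name in t for t in tagged.values()):
                findings.append(f"{name}: trunk port is not tagged in any bridge vlan entry")
        else:  # access/hybrid port: its pvid should be declared untagged on it
            pvid = p.get("pvid", "1")  # RouterOS default pvid is 1
            if name not in untagged.get(pvid, set()):
                findings.append(f"{name}: pvid {pvid} is not listed untagged in bridge vlan {pvid}")
    for vl in s.get("/interface vlan", []):  # a router VLAN interface on the bridge needs the bridge tagged
        if vl.get("interface") == "bridge" and "bridge" not in tagged.get(vl["vlan-id"], set()):
            findings.append(f"vlan {vl['vlan-id']}: bridge itself is not tagged, {vl['name']} is unreachable")
    return findings
```

Run `check_bridge_vlans(open("config2.rsc").read())` on a real export; every access port should then appear untagged in its pvid entry, every trunk tagged somewhere, and every `/interface vlan` on the bridge should have the bridge in its tagged list.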