I have a huge request, I don't know what to change, make my firewall listen to me
I used the guide https://itmikrotik.blogspot.com/2019/06 ... using.html
to break 3 Wan networks into Vlan
basically everything works however firewall won't even pass icmp between vlan10 and vlan20.
configuration below
Code: Select all
# sep/12/2021 07:46:22 by RouterOS 6.46.4
# software id = KTHH-8ZXT
#
# model = 2011UiAS
# serial number = 69BB06456CE1
/interface bridge
add fast-forward=no name=bridge-VLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-WAN3
set [ find default-name=ether4 ] comment="# LAN"
/interface vlan
add interface=bridge-VLAN name=vlan10 vlan-id=10
add interface=bridge-VLAN name=vlan11 vlan-id=11
add interface=bridge-VLAN name=vlan12 vlan-id=12
add interface=bridge-VLAN name=vlan20 vlan-id=20
add interface=bridge-VLAN name=vlan21 vlan-id=21
add interface=bridge-VLAN name=vlan22 vlan-id=22
add interface=bridge-VLAN name=vlan30 vlan-id=30
add interface=bridge-VLAN name=vlan31 vlan-id=31
add interface=bridge-VLAN name=vlan32 vlan-id=32
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.10.11.2-10.10.11.254
add name=dhcp_pool2 ranges=10.10.12.2-10.10.12.254
add name=dhcp_pool3 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool4 ranges=10.10.21.2-10.10.21.254
add name=dhcp_pool5 ranges=10.10.22.2-10.10.22.254
add name=dhcp_pool6 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool7 ranges=10.10.31.2-10.10.31.254
add name=dhcp_pool8 ranges=10.10.32.2-10.10.32.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=1d name=\
dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan11 lease-time=1d name=\
dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan12 lease-time=1d name=\
dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan20 lease-time=1d name=\
dhcp4
add address-pool=dhcp_pool4 disabled=no interface=vlan21 lease-time=1d name=\
dhcp5
add address-pool=dhcp_pool5 disabled=no interface=vlan22 lease-time=1d name=\
dhcp6
add address-pool=dhcp_pool6 disabled=no interface=vlan30 lease-time=1d name=\
dhcp7
add address-pool=dhcp_pool7 disabled=no interface=vlan31 lease-time=1d name=\
dhcp8
add address-pool=dhcp_pool8 disabled=no interface=vlan32 lease-time=1d name=\
dhcp9
/interface bridge port
add bridge=bridge-VLAN hw=no interface=ether4
add bridge=bridge-VLAN hw=no interface=ether5
/ip address
add address=10.0.10.2/24 interface=ether1-WAN1 network=10.0.10.0
add address=10.0.20.2/24 interface=ether2-WAN2 network=10.0.20.0
add address=10.0.30.2/24 interface=ether3-WAN3 network=10.0.30.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0
add address=10.10.21.1/24 interface=vlan21 network=10.10.21.0
add address=10.10.22.1/24 interface=vlan22 network=10.10.22.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.31.1/24 interface=vlan31 network=10.10.31.0
add address=10.10.32.1/24 interface=vlan32 network=10.10.32.0
/ip dhcp-server lease
add address=10.10.10.254 mac-address=74:AC:B9:AB:1E:99 server=dhcp1
add address=10.10.10.50 mac-address=B4:B5:2F:F7:5D:68 server=dhcp1
add address=10.10.20.100 client-id=1:3e:2e:82:6:d1:7a mac-address=\
3E:2E:82:06:D1:7A server=dhcp4
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.11.0/24 gateway=10.10.11.1
add address=10.10.12.0/24 gateway=10.10.12.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.21.0/24 gateway=10.10.21.1
add address=10.10.22.0/24 gateway=10.10.22.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.31.0/24 gateway=10.10.31.1
add address=10.10.32.0/24 gateway=10.10.32.1
/ip dns
set servers=10.10.10.100,1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.10.10.0/24 list=TO-WAN1
add address=10.10.11.0/24 list=TO-WAN1
add address=10.10.12.0/24 list=TO-WAN1
add address=10.10.20.0/24 list=TO-WAN2
add address=10.10.21.0/24 list=TO-WAN2
add address=10.10.22.0/24 list=TO-WAN2
add address=10.10.30.0/24 list=TO-WAN3
add address=10.10.31.0/24 list=TO-WAN3
add address=10.10.32.0/24 list=TO-WAN3
/ip firewall filter
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20 \
protocol=icmp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TO-WAN1 passthrough=\
yes src-address-list=TO-WAN1
add action=mark-routing chain=prerouting new-routing-mark=TO-WAN2 passthrough=\
yes src-address-list=TO-WAN2
add action=mark-routing chain=prerouting new-routing-mark=TO-WAN3 passthrough=\
yes src-address-list=TO-WAN3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2
add action=masquerade chain=srcnat out-interface=ether3-WAN3
/ip route
add check-gateway=ping distance=1 gateway=10.0.10.1 routing-mark=TO-WAN1
add check-gateway=ping distance=1 gateway=10.0.20.1 routing-mark=TO-WAN2
add check-gateway=ping distance=1 gateway=10.0.30.1 routing-mark=TO-WAN3
add check-gateway=ping distance=1 gateway=10.0.10.1
add check-gateway=ping distance=1 gateway=10.0.20.1
add check-gateway=ping distance=1 gateway=10.0.30.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=HomeKit
Thank you for your help