Lately I tried to divide my network into VLANs. After a lot of struggling I still cannot make my VLANs work correctly. The Wi-Fi VLAN in CAPsMAN is working, but I have issues with the one on a physical port:
2011UiAS (fw) --ether4(vlan id:2)-- tp-link switch ------ server
Interfaces:
# RouterOS export, interface section of the 2011UiAS that acts as router/firewall ("fw" in the
# topology above). The design is the pre-bridge-vlan-filtering style: VLAN sub-interfaces are
# created on top of physical ports or wireless bridges and then attached as ports of a
# per-segment bridge.
/interface bridge
# Per-segment bridges; fast-forward is disabled on every bridge in this export.
add fast-forward=no name=bridge-appliances
add fast-forward=no name=bridge-guest
add fast-forward=no name=bridge-iot
# bridge-trunk and trunk-appliances exist but have no ports in /interface bridge port below.
add fast-forward=no name=bridge-trunk
add fast-forward=no name=bridge-wlan
# bridge1 is the default (defconf) LAN bridge; most physical ports are members of it.
add admin-mac=E4:8D:8C:1D:0D:45 auto-mac=no comment=defconf fast-forward=no name=bridge1
add fast-forward=no name=ovpn-bridge protocol-mode=none
add fast-forward=no name=trunk-appliances
# The wlan-* bridges are the parents of the wireless VLAN sub-interfaces defined under
# /interface vlan (presumably fed by CAPsMAN, which is not part of this export).
add fast-forward=no name=wlan-appliances-bridge1 protocol-mode=stp
add fast-forward=no name=wlan-bridge1 protocol-mode=stp
add fast-forward=no name=wlan-guest-bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="Fiber device / INTERNET"
# ether2-master and ether6-master are the switch-chip mirror targets configured under
# /interface ethernet switch below.
set [ find default-name=ether2 ] comment="IDS mirror of ether3" name=ether2-master
set [ find default-name=ether3 ] comment=switch
# ether4 is the tagged trunk towards the TP-Link switch. It is NOT a member of any bridge in
# this export, so only its VLAN sub-interfaces (vlan-trunk-*) can carry traffic.
set [ find default-name=ether4 ] comment=trunk
set [ find default-name=ether5 ] comment=ap_gora
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] comment=gw_lte
set [ find default-name=ether8 ] comment=ap_piwnica
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] comment="ap_ogr\F3d"
/interface vlan
# VLAN id 6 ("appliances") is used on three different parents: ether5, wlan-appliances-bridge1
# and ether4.
add interface=ether5 name=vlan-ap_gora vlan-id=6
add interface=wlan-appliances-bridge1 name=vlan-appliances vlan-id=6
add interface=wlan-guest-bridge1 name=vlan-guest vlan-id=20
add interface=wlan-appliances-bridge1 name=vlan-iot vlan-id=12
# The two ether4 sub-interfaces are defined but are not bridge ports anywhere in this export
# (compare /interface bridge port). If they also carry no address under /ip address (not shown),
# VLAN 2 frames arriving from the switch terminate nowhere. NOTE(review): this is the first
# place to check for the "server VLAN" problem; confirm against the full export.
add interface=ether4 name=vlan-trunk-appliances vlan-id=6
add interface=ether4 name=vlan-trunk-servers vlan-id=2
add interface=wlan-bridge1 name=vlan-wlan vlan-id=11
/interface ethernet switch
# Switch-chip port mirroring feeding the IDS (Suricata, per the firewall rule comments):
# ether3 -> ether2-master and ether7 (gw_lte) -> ether6-master.
set 0 mirror-source=ether3 mirror-target=ether2-master
set 1 mirror-source=ether7 mirror-target=ether6-master
/interface list
# Interface lists; their consumers (neighbor discovery, MAC server) are not part of this export.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# bridge1 (default LAN): ether1 (WAN) is listed but disabled; ether4 (trunk) is absent.
# ether5 is both an untagged bridge1 port and the parent of vlan-ap_gora (VLAN 6), so that port
# carries untagged LAN traffic and tagged VLAN 6 at the same time.
add bridge=bridge1 comment=defconf interface=ether2-master
add bridge=bridge1 comment=defconf interface=ether6-master
add bridge=bridge1 comment=defconf hw=no interface=sfp1
add bridge=bridge1 disabled=yes interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
# Per-VLAN bridges: each receives its wireless VLAN sub-interface; bridge-appliances also gets
# the ether5 VLAN 6 sub-interface. The ether4 vlan-trunk-* interfaces are not added here.
add bridge=bridge-appliances interface=vlan-appliances
add bridge=bridge-iot interface=vlan-iot
add bridge=bridge-appliances interface=vlan-ap_gora
add bridge=bridge-wlan interface=vlan-wlan
add bridge=bridge-guest interface=vlan-guest
/interface bridge settings
# Frames bridged between ports of the same bridge are also passed through /ip firewall.
# The purpose is not visible here (presumably inspection of intra-LAN traffic); note that it
# adds firewall processing to all bridged LAN traffic.
set use-ip-firewall=yes
/interface list member
# Everything except ether1 is in "discover"; MAC-telnet / MAC-Winbox lists contain only bridge1.
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge1 list=discover
add interface=wlan-bridge1 list=discover
add interface=wlan-guest-bridge1 list=discover
add interface=wlan-appliances-bridge1 list=discover
add interface=ovpn-bridge list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
# RouterOS export, firewall section. Rules are evaluated top to bottom within each chain and
# the default policy of a chain is accept. Neither the input nor the forward chain below ends
# with an explicit drop, so whatever is not matched by an earlier rule is accepted.
/ip firewall address-list
# Empty in the export; populated at runtime by Suricata, per the rule comments.
add list=Blocked
/ip firewall filter
# Both directions to/from the Suricata block list are dropped first.
add action=drop chain=input comment="Suricata: Block bad actors" src-address-list=Blocked
add action=drop chain=forward comment="Drop any traffic going to bad actors based on Suricata" \
dst-address-list=Blocked
# Disabled test rule: content matching on TCP from 192.168.1.0/24 into a 1-minute address list.
add action=add-dst-to-address-list address-list=test-facebook address-list-timeout=1m chain=\
forward comment=Test content=*facebook.com disabled=yes protocol=tcp src-address=\
192.168.1.0/24
# Guest isolation (forward chain only): bridge-guest may exchange routed traffic exclusively
# with ether1 (WAN). Nothing in the input chain restricts guest clients from reaching the
# router's own services.
add action=drop chain=forward comment="Isolate guest wlan" in-interface=bridge-guest \
out-interface=!ether1
add action=drop chain=forward comment="Isolate guest wlan" in-interface=!ether1 out-interface=\
bridge-guest
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=\
established,related
# OpenVPN server port, accepted on every interface; it sits before the WAN drop so that it is
# reachable from ether1.
add action=accept chain=input dst-port=1194 protocol=tcp
# Only ether1 is dropped on input. Every other segment (bridge1, bridge-guest, bridge-iot,
# bridge-appliances, bridge-wlan, the ether4 VLANs) falls through to the implicit accept and
# can reach all router services. NOTE(review): the usual hardening is an allow-list of the
# needed services per segment followed by a final "add action=drop chain=input".
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
# Appliances -> IoT isolation is disabled. With no final forward drop, bridge1,
# bridge-appliances, bridge-iot and bridge-wlan can all route to one another; only
# bridge-guest is isolated by the two rules above.
add action=drop chain=forward disabled=yes in-interface=bridge-appliances out-interface=\
bridge-iot
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
established,related
# New connections from WAN are dropped unless a dst-nat rule (below) already matched them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
# One masquerade rule per internal /24. Which of these (if any) is the VLAN 2 "servers"
# subnet is not visible here; a subnet outside this list has no source NAT towards ether1.
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.9.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.12.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.11.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.6.0/24
# Port forwards from WAN to 192.168.1.100: HTTPS (443) and SSH (22) are reachable from any
# internet source. NOTE(review): limiting the SSH rule with src-address-list, or reaching the
# host only over the 1194 VPN, would reduce that exposure.
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.100 to-ports=443
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.100 to-ports=22