{Hi Tallon}
Physically my home network consists of a hex g3 running 6.43.8, two dumb switches, and a unifi AC lite
I started taking the VLAN route because the unifi offered multiple SSIDs but i would need a way to separate the traffic, resulting in VLANs.
Now I want to have a local wifi sharing settings with my wired network, and a kids network so I can control timing and traffic.
I would like there to also be a infrastructure subnet for devices and servers.
I have a setup right now that gives address the way I want, and allows the wired system to connect to the internet; however, I would like to make sure all networks have internet access and that I can see across all networks while keeping them seperate for firewall rules. Well i say all, but I want to make sure I can keep the WiFi traffic from untrusted devics (IoTs) that I have connected to the interent, but not allowed to see the rest of the LAN.
The other thing I would like to do is setup a DMZ VLAN as well, I have a few servers that I want to put there as well as some personal devices to mess with, but this would be over ether 3.
right now eth2 is management port, eth3 is wired network, eth4 is unifi wireless
I could REALLY use some help. I'm starting to chase my tail here. I found enough info that put me on this no bridge path, and reading more about the bridging it seems sloppy.
Please help me out and let me know how wrong I am with a valid setup.
Config:
Code: Select all
#RouterOS 6.43.8
/interface vlan
add interface=ether4 name=Guest_VLAN vlan-id=210
add interface=ether4 name=Kids_VLAN vlan-id=230
add interface=ether4 name=Local_VLAN vlan-id=200
add interface=ether4 name=Untrusted_VLAN vlan-id=220
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=Wired_pool ranges=10.10.20.11-10.10.20.250
add name=Local_pool ranges=10.10.30.11-10.10.30.250
add name=Guest_pool ranges=10.10.40.2-10.10.40.250
add name=Untrusted_pool ranges=10.10.50.31-10.10.50.250
add name=Kids_pool ranges=10.10.60.61-10.10.60.250
/ip dhcp-server
add disabled=no interface=ether2 name=Man_DHCP
add address-pool=Local_pool disabled=no interface=Local_VLAN name=Local_DHCP
add address-pool=Guest_pool disabled=no interface=Guest_VLAN name=Guest_DHCP
add address-pool=Untrusted_pool disabled=no interface=Untrusted_VLAN name=Untrusted_DHCP
add address-pool=Kids_pool disabled=no interface=Kids_VLAN name=Kids_DHCP
add address-pool=Wired_pool disabled=no interface=ether3 name=Wired_DHCP
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=210
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=220
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=230
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether4 list=LAN
add interface=ether3 list=LAN
add list=LAN
/ip address
add address=10.10.0.1/24 interface=ether2 network=10.10.0.0
add address=10.10.0.1/24 interface=ether3 network=10.10.0.0
add address=10.10.0.1/24 interface=ether4 network=10.10.0.0
add address=10.10.30.1/24 interface=ether3 network=10.10.30.0
add address=10.10.10.1/24 interface=ether3 network=10.10.10.0
add address=10.10.20.1/24 interface=ether3 network=10.10.20.0
add address=10.10.40.1/24 interface=ether3 network=10.10.40.0
add address=10.10.50.1/24 interface=ether3 network=10.10.50.0
add address=10.10.60.1/24 interface=ether3 network=10.10.60.0
add address=10.10.70.1/24 interface=ether3 network=10.10.70.0
add address=10.10.30.1/24 interface=ether4 network=10.10.30.0
add address=10.10.40.1/24 interface=ether4 network=10.10.40.0
add address=10.10.50.1/24 interface=ether4 network=10.10.50.0
add address=10.10.60.1/24 interface=ether4 network=10.10.60.0
add address=10.10.30.1/24 interface=Local_VLAN network=10.10.30.0
add address=10.10.40.1/24 interface=Guest_VLAN network=10.10.40.0
add address=10.10.50.1/24 interface=Untrusted_VLAN network=10.10.50.0
add address=10.10.60.1/24 interface=Kids_VLAN network=10.10.60.0
add address=10.10.0.1/24 interface=Local_VLAN network=10.10.0.0
add address=10.10.0.1/24 interface=Guest_VLAN network=10.10.0.0
add address=10.10.0.1/24 interface=Kids_VLAN network=10.10.0.0
add address=10.10.0.1/24 interface=Untrusted_VLAN network=10.10.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 netmask=24
add address=10.10.0.0/16 gateway=10.10.0.1 netmask=16
add address=10.10.10.0/24 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 gateway=10.10.20.1 netmask=24
add address=10.10.30.0/24 gateway=10.10.30.1 netmask=24
add address=10.10.40.0/24 gateway=10.10.40.1 netmask=24
add address=10.10.50.0/24 gateway=10.10.50.1 netmask=24
add address=10.10.60.0/24 gateway=10.10.60.1 netmask=24
add address=10.10.70.0/24 gateway=10.10.70.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN