# RouterOS export, first revision posted in the thread (RB4011 with an ISP uplink on ether1 and two LANs).
# Lines starting with '#' are reviewer notes; all commands are unchanged.
/interface bridge
add comment=ISP igmp-snooping=yes name=bridge1
add comment=lan2 name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether10 ] comment=LAN2
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
# The three ISP VLANs (IPTV on vlan2, DHCP/management on vlan3, PPPoE on vlan6) all ride on ether1-WAN.
add interface=ether1-WAN name=vlan2 vlan-id=2
add interface=ether1-WAN name=vlan3 vlan-id=3
add interface=ether1-WAN name=vlan6 vlan-id=6
/interface pppoe-client
# PPPoE over vlan6 supplies the default route; the username is redacted in the post.
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=xxxxxx
/interface ethernet switch port
# default-vlan-id=0 on every switch port: the switch chip does no VLAN work here; the only VLAN interfaces are the CPU ones above.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# Only WAN and clientes exist. There is no LAN list, which an interface-list based input drop (as in the default
# configuration quoted later in the thread) would need.
add name=WAN
add name=clientes
/ip dhcp-server option
# DHCP option 240 carries the IPTV set-top-box parameters (multicast groups 239.0.2.10 / 239.0.2.30); it is only
# attached to the 192.168.1.200/30 network and the 192.168.1.200 lease below.
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp_pool_LAN1 ranges=192.168.1.220-192.168.1.230
add name=dhcp_pool_LAN2 ranges=172.16.24.100-172.16.24.110
/ip dhcp-server
add address-pool=dhcp_pool_LAN1 bootp-support=dynamic disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool_LAN2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
# ether6-ether9 are members of bridge1 but disabled; ether10 is the only port of bridge2.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
add bridge=bridge1 disabled=yes interface=ether9
add bridge=bridge2 interface=ether10
/interface bridge settings
# use-ip-firewall=yes also runs bridged (same-bridge) traffic through /ip firewall, so the forward rules below see
# LAN1-to-LAN1 frames as well; this costs CPU and is only needed if you want to filter inside a bridge.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) disabled on every interface.
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
# 'clientes' holds only bridge2, so the inter-client drop in the filter below can only match traffic that both enters
# and leaves bridge2.
add interface=ether1-WAN list=WAN
add interface=bridge2 list=clientes
/ip address
# 10.133.225.20/9 on vlan2 places the router on a very large ISP-side subnet (10.128.0.0/9); treat vlan2 as untrusted
# in the input chain. Note that the LAN2 address is on ether10 (a bridge slave) instead of on bridge2; a reply further
# down points this out.
add address=192.168.1.1/24 comment=LAN1 interface=bridge1 network=192.168.1.0
add address=192.168.100.10/24 interface=ether1-WAN network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=ether10 network=172.16.24.0
/ip dhcp-client
# vlan3 gets its address by DHCP without installing a default route; the default route comes from pppoe-out1.
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=decozyxel dhcp-option=option_para_deco server=dhcp1
add address=192.168.1.40 client-id=1:40:16:7e:20:90:4a server=dhcp1
add address=192.168.1.50 client-id=1:0:e:c6:fa:6e:b4 server=dhcp1
/ip dhcp-server network
# The LAN2 network has no dns-server, and the router's resolver is not opened to clients below, so LAN2 clients are
# left without DNS in this revision.
add address=172.16.24.0/24 gateway=172.16.24.1 netmask=24
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests is not set in this export (default off): the router does not answer DNS for clients.
set servers=80.58.61.250,80.58.61.254
/ip firewall address-list
# Address list 'client' is defined but no rule in this export references it.
add address=172.16.24.100-172.16.24.110 list=client
/ip firewall filter
# Fasttrack is correctly limited to established,related here; later revisions in the thread drop that matcher.
add action=fasttrack-connection chain=forward connection-state=established,related
# Input chain: the only drop is for pppoe-out1 and the chain ends without a final drop, so anything arriving on
# ether1-WAN (192.168.100.0/24), vlan2 (10.128.0.0/9) or vlan3 reaches every service the router listens on (SSH,
# Winbox, NTP server below). A closing rule such as 'add action=drop chain=input in-interface-list=!LAN', with a LAN
# list holding bridge1 and bridge2, would fix that (see the default configuration quoted later on this page).
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# Matches only routed traffic with both in- and out-interface in 'clientes' (bridge2 -> bridge2). Because bridge1 is
# not in that list, this rule does not separate LAN1 from LAN2.
add action=drop chain=forward in-interface-list=clientes out-interface-list=clientes
/ip firewall mangle
# set-priority on the ISP-facing interfaces: 4 for vlan2/vlan3, 1 for the PPPoE session.
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
# Masquerade on all four upstream interfaces. The VOD rule forwards UDP arriving on vlan2 for 10.133.225.0 to the
# set-top box at 192.168.1.200; dst-address-list="" is an empty matcher and presumably a no-op.
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-WAN
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=192.168.1.200
/ip route
# Static route with gateway 255.255.255.255 and distance 255: purpose unclear from this export; review whether it is
# still needed.
add distance=255 gateway=255.255.255.255
/ip service
# Telnet, FTP, WWW, API and API-SSL disabled. SSH and Winbox are left at defaults here (enabled, no 'address='
# restriction); a later revision on this page binds Winbox to a single management host.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
# UPnP interfaces are defined (bridge1 internal, pppoe-out1 external); whether the UPnP service itself is enabled is
# not visible in this export. If it is, any LAN1 host can open inbound port mappings on the WAN without authorization.
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy interface
# IGMP proxy: vlan2 is the multicast upstream (alternative-subnets=0.0.0.0/0 accepts any source), bridge1 downstream.
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge1
/routing rip interface
# RIPv2 received passively on the ISP VLANs for 10.0.0.0/8 and 172.26.0.0/16; no RIP authentication is configured,
# so whatever the ISP side announces for those networks is installed.
add interface=vlan3 passive=yes receive=v2
add interface=vlan2 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
add network=172.26.0.0/16
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=193.145.15.15 secondary-ntp=147.156.7.26
/system ntp server
# NTP server with broadcast enabled answers on every interface, including the ISP-facing ones, because the input chain
# above does not block them.
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet, MAC-Winbox and MAC-ping disabled on all interfaces.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
# Snippet quoted in a reply: bridge settings plus two interface-based drops between the LAN bridges.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
# The next line is a fragment of the line above duplicated by the quoting, not a valid command.
use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip firewall filter
# Drops routed traffic in both directions between bridge2 and bridge1. They only take effect if placed before any
# rule that accepts or fasttracks the same traffic; an unrestricted fasttrack rule ahead of them hides the traffic.
add action=drop chain=forward in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward in-interface=bridge1 out-interface=bridge2
and LAN2 IP address should be bound to interface bridge2 - now it's bound to its slave interface ether10.
I rechecked and the rule was working as intended. If you want to block traffic between LAN and LAN2, you need a pair of firewall rules similar to this:
C
Looks a clean way to do it. Will read about vlans and come back if I have any doubt. Thx.I use vlans for all subnets.
By their nature all vlans do not talk on layer 2
Thus all I do in the forward chain is state what I wish to allow, ie LAN to WAN for whatever vlans,
then Drop ALL as the last rule which kills any L3 routing between the vlans.
Done!
After further looking into the options of RoS and the rb4011, I found "switch". In the case of the rb4011 it has 2 switches and each 5 ports assigned. There is an option called "port isolation" which allows to forward a port to any of the other ports or switches (not bridges).Forget VLANs. They are great when you want to have multiple separate networks on one cable, but you also need either a managed switch or end device (server) specifically configured for VLAN.
In your case, simply split the router's switch into separate ports and assign a subnet to each one. Then use the firewall to allow traffic from each LAN to the internet and block the rest, i.e. communication between LANs.
Since I have bridge1 configured (includes ether2-ether10), should I create a new bridge2 and assign eth10 for my AP or just take eth10 out of bridge1? How can I make eth10 to be a stand alone port?Thank you so much for your reply. Today I have been working with different subnets and for now it seems to work somehow.
ETH1=WAN (Address: Public Static IP)
ETH2=LAN (Address: 192.168.1.1/24 Network: 192.168.1.0 Subnet: 255.255.255.0)
ETH3=DISABLED
ETH4=DISABLED
ETH5=SERVER (Address 192.168.5.1/30 Network: 192.168.5.0 Subnet: 255.255.255.252)
All ETH ports are not linked and only acting as stand-alone ports.
Hi anav!I use vlans for all subnets.
By their nature all vlans do not talk on layer 2
Thus all I do in the forward chain is state what I wish to allow, ie LAN to WAN for whatever vlans,
then Drop ALL as the last rule which kills any L3 routing between the vlans.
Done!
(especially the highlighted part)? But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning IPs in the range 172.16.24.xx to the connected devices, BUT the AP itself was connected to 192.168.1.1. Once I tried to modify that in the Ubiquiti software I was not allowed and the AP immediately lost connection.
I have been playing with vlans and I like them. I will keep an eye on them but before I want to finish what we were trying to setup.No, you don't need anything special to set-up VLANs on RB4011, they are dealt by router's CPU. The price for that functionality is performance hit for traffic between different ethernet ports carrying same VLAN, which would be carried by switch chip if switch chip was at least half-decent. In your case with single ether port dedicated for second LAN performance won't degrade (all traffic will have to pass CPU anyways), but makes use of VLANs just for subnet separation meaningless.
N.b.: using VLANs seem to be answer to all questions for my buddy @anav
My guess is that you actually were on the right track, I just don't understand details of the problem you described with the following paragraph:
(especially the highlighted part)? But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning IPs in the range 172.16.24.xx to the connected devices, BUT the AP itself was connected to 192.168.1.1. Once I tried to modify that in the Ubiquiti software I was not allowed and the AP immediately lost connection.
# Bridge settings quoted again in a reply; identical to the first export. With use-ip-firewall=yes the /ip firewall
# forward chain also processes bridged traffic, which is what makes interface-based inter-LAN drops meaningful here.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
I don't know where in winbox that is, in webfig it's in bridge->settings[Also, where is this in winbox?/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
I can't see any picture.I reverted to the last step I showed you. The problem is the AP is not working on bridge2. I attach a pic.
I don't know where in winbox that is, in webfig it's in bridge->settings[Also, where is this in winbox?/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
I can't see any picture.I reverted to the last step I showed you. The problem is the AP is not working on bridge2. I attach a pic.
I had to ask ... but I thought that would be the answer. I started off using bridges and quickly discovered that one was limited in that the bridge could only be assigned one subnet
I have already 3 vlans running on ether1(WAN): each one for IPTV, VOIP and Internet (PPPoe on vlan6).Assign your vlans to the bridge
# Two proposed ways to block LAN1 <-> LAN2 traffic, quoted from replies.
/ip firewall filter
# Interface-based version: matches routed traffic between the two bridges regardless of addresses.
add action=drop chain=forward in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward in-interface=bridge1 out-interface=bridge2
/ip firewall filter
# Address-based version. Note 176.16.24.1/24: the LAN2 subnet used everywhere else on this page is 172.16.24.0/24,
# so as written these two rules never match LAN2 traffic.
add action=drop chain=forward dst-address=176.16.24.1/24 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=176.16.24.1/24
After that, please wait for the instructions what to do ... if you change things meanwhile then instructions might not be relevant anymore.
# RouterOS export, second revision: LAN2 moved from the slave port to bridge2 and bridge1 renamed bridge1-ISP.
# Lines starting with '#' are reviewer notes; all commands are unchanged.
/interface bridge
add igmp-snooping=yes name=bridge1-ISP
add name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-gateway
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether6 ] comment=LAN2
/interface vlan
add interface=ether1-gateway name=vlan2 vlan-id=2
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 keepalive-timeout=60 max-mru=1492 max-mtu=1492 \
name=pppoe-out1 use-peer-dns=yes user=xxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
# dhcp_pool2 reads 172.16.24.100-192.16.24.120: the second octet of the upper bound is 192 instead of 172, so the
# range spans far outside the 172.16.24.0/24 subnet (a reply below points this out).
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120
/ip dhcp-server
add address-pool=dhcp_pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
# ether2-5 form LAN1 (bridge1-ISP), ether6-10 form LAN2 (bridge2).
add bridge=bridge1-ISP interface=ether2
add bridge=bridge1-ISP interface=ether3
add bridge=bridge1-ISP interface=ether4
add bridge=bridge1-ISP interface=ether5
add bridge=bridge2 interface=ether6
add bridge=bridge2 interface=ether7
add bridge=bridge2 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip address
# LAN2's address is now on bridge2 itself (it was on ether10 in the first revision).
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=bridge2 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
# Redaction is inconsistent: one MAC address is left in clear while the others are XXX.
add address=192.168.1.200 client-id=XXX dhcp-option=option_para_deco mac-address=90:EF:68:E8:54:17 server=dhcp1
add address=192.168.1.40 client-id=1:XXX mac-address=XXX server=dhcp1
add address=192.168.1.50 client-id=XXX mac-address=XXX server=dhcp1
add address=172.16.24.2 client-id=1:XXX mac-address=XXX server=dhcp2
/ip dhcp-server network
# No network entry for 172.16.24.0/24, the subnet dhcp2 serves, so LAN2 clients receive no gateway/DNS options
# (the thread says to add it).
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes turns the router into a resolver. Because the input chain below only drops pppoe-out1,
# that resolver is also reachable from ether1-gateway, vlan2 (10.128.0.0/9) and vlan3.
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip firewall filter
# Fasttrack no longer carries connection-state=established,related (compare the first export and the default
# configuration quoted later). Every forward connection is fasttracked, and later forward rules do not see the
# packets of fasttracked connections, so any inter-LAN drop added below this rule would be ineffective.
add action=fasttrack-connection chain=forward
# log=yes on the ICMP accept writes a log entry for every ping to the router.
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Still the only input drop; see the note at /ip dns above.
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# No rule separates LAN1 from LAN2 in this revision.
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=\
udp to-addresses=192.168.1.200
/ip upnp interfaces
# Whether the UPnP service is enabled is not visible in this export; if it is, LAN1 hosts can open WAN port mappings.
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge1-ISP
/routing rip interface
add interface=vlan3 passive=yes receive=v2
add interface=vlan2 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
add network=172.26.0.0/16
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
# DHCP networks quoted in a reply. There is no entry for 172.16.24.0/24, the subnet served by dhcp2, so LAN2 clients
# get an address but no gateway/DNS options; the reply below says to add it.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
My mistake. I also added the gateway: 172.16.24.1. One problem I see is the following: Look closely at the IP range for dhcp_pool2:
# Pools quoted in a reply to highlight the typo: dhcp_pool2's upper bound is 192.16.24.120 where 172.16.24.120 is meant,
# so the range is not contained in 172.16.24.0/24.
/ip pool
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120
Also, you should add the network 172.16.24.0/24, as you yourself stated
You can try some tests, run from RB4011
[] > /ping src-address=172.16.24.1 172.16.24.2 count=4
SEQ HOST SIZE TTL TIME STATUS
0 172.16.24.2 56 64 0ms
1 172.16.24.2 56 64 0ms
2 172.16.24.2 56 64 0ms
3 172.16.24.2 56 64 0ms
sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
[] > /ping src-address=172.16.24.1 192.168.1.1 count=4
SEQ HOST SIZE TTL TIME STATUS
0 192.168.1.1 56 64 0ms
1 192.168.1.1 56 64 0ms
2 192.168.1.1 56 64 0ms
3 192.168.1.1 56 64 0ms
sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
It is from a previous config. Ignore it.
BTW, on the chart the AP has two IP addresses indicated. What does 192.168.1.45 do there? It shouldn't work because it's in the wrong subnet.
Also you did not perform the second ping test requested by @mkx (192.168.1.1 to 172.16.24.2)
- /ping src-address=172.16.24.1 172.16.24.2 count=4
This one should succeed as both addresses are on directly connected subnet.- /ping src-address=192.168.1.1 172.16.24.2 count=4
This one should succeed as well; if it doesn't, then there's something wrong on the AP.
This test showed that RB4011 can reach itself.[] > /ping src-address=172.16.24.1 192.168.1.1 count=4
Also you did not perform the second ping test requested by @mkx (192.168.1.1 to 172.16.24.2)
[XXX] > /ping src-address=192.168.1.1 172.16.24.2 count=4
SEQ HOST SIZE TTL TIME STATUS
0 172.16.24.2 56 64 0ms
1 172.16.24.2 56 64 0ms
2 172.16.24.2 56 64 0ms
3 172.16.24.2 56 64 0ms
sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
1- Try ping from Ubiquiti AP to 4011, and post results (172.16.24.2 to 172.16.24.1)
[XXX] > /ping src-address=172.16.24.2 172.16.24.1 count=4
SEQ HOST SIZE TTL TIME STATUS
0 could not make socket
1 could not make socket
2 could not make socket
3 could not make socket
sent=4 received=0 packet-loss=100%
3 - Try ping from client device that is connected by WiFi to Ubiquiti AP to the 4011, and post results (172.16.24.x to 172.16.24.1)
4 - Try tracert from client device connected by WiFi to the Ubiquiti AP 4011 to an internet site (8.8.8.8 for ex) and post results
I think too the AP does not like 172.16.24.1. I still think that Ubiquiti AP doesn't like address 172.16.24.2 for its management interface. And that RB config is fine regarding that.
What still confuses me is that it obviously falls back to some weird default configuration if it can't connect to management console after restart. Can't you configure it for management-console-free operations? Or is it that AP and management console should be in same broadcast domain (same LAN subnet)?
After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
I was looking into the ubnt forum and found this:I still think that Ubiquiti AP doesn't like address 172.16.24.2 for its management interface. And that RB config is fine regarding that.
What still confuses me is that it obviously falls back to some weird default configuration if it can't connect to management console after restart. Can't you configure it for management-console-free operations? Or is it that AP and management console should be in same broadcast domain (same LAN subnet)?
After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
What should I put in the "ip-of-controller"?If you can SSH into the AP, it's possible to do L3-adoption via CLI command:
1. Make sure the AP is running updated firmware. If it is not, see this guide: UniFi - Changing the Firmware of a UniFi Device.
2. Make sure the AP is in the factory default state. If it's not, do:
sudo syswrapper.sh restore-default
3. SSH into the device and type the following and hit enter:
set-inform http://ip-of-controller:8080/inform
4. After issuing the set-inform, the UniFi device will show up for adoption. Once you click adopt, the device will appear to go offline.
5. Once the device goes offline, issue the command set-inform in step 3 again. This will permanently save the inform address, and the device will start provisioning.
set-inform http://192.168.1.50:8080/inform
Solved. Now Unify is up and running and the AP has a static IP of 172.16.24.120.After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
see post #24 by @anavHow should I proceed with the firewall to separate the lans?
see post #24 by @anavHow should I proceed with the firewall to separate the lans?
# Attempt to combine address and interface matchers in the inter-LAN drops. As pasted this does not load:
#  - the in-/out-interface parts sit on their own lines without a trailing '\' on the line before;
#  - the second rule has a stray '/' before src-address;
#  - 176.16.24.1/24 should be 172.16.24.0/24, the LAN2 subnet used elsewhere on this page;
#  - the export at this point names the bridges bridge1-ISP and bridge2, not bridge1;
#  - the interfaces are swapped relative to the addresses: traffic from 192.168.1.0/24 (LAN1, bridge1-ISP) to LAN2
#    enters on bridge1-ISP and leaves on bridge2, so a rule combining both matchers the other way round never matches.
/ip firewall filter
add action=drop chain=forward dst-address=176.16.24.1/24 src-address=192.168.1.0/24
in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward dst-address=192.168.1.0/24 /src-address=176.16.24.1/24
in-interface=bridge1 out-interface=bridge2
C:\Users\rafa>ping 172.16.24.120 -n 3
Haciendo ping a 172.16.24.120 con 32 bytes de datos:
Respuesta desde 172.16.24.120: bytes=32 tiempo<1m TTL=63
Respuesta desde 172.16.24.120: bytes=32 tiempo<1m TTL=63
Respuesta desde 172.16.24.120: bytes=32 tiempo<1m TTL=63
C:\Users\rafa>ping 172.16.24.120 -n 3
Haciendo ping a 172.16.24.120 con 32 bytes de datos:
Respuesta desde 172.16.24.120: bytes=32 tiempo<1m TTL=63
Respuesta desde 172.16.24.120: bytes=32 tiempo<1m TTL=63
Respuesta desde 172.16.24.120: bytes=32 tiempo<1m TTL=63
# Firewall as exported after adding the inter-LAN drops. Lines starting with '#' are reviewer notes.
/ip firewall filter
# Unrestricted fasttrack ahead of everything else: all forward connections are fasttracked and the drop rules below do
# not see packets of fasttracked connections. Use connection-state=established,related here, as in the default
# configuration quoted later on this page.
add action=fasttrack-connection chain=forward
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Only input drop; the router stays reachable from ether1-gateway, vlan2 and vlan3.
add action=drop chain=input in-interface=pppoe-out1
# These two rules can never match. 172.16.24.0/24 lives on bridge2 and 192.168.1.0/24 on bridge1-ISP (see the
# /ip address section of the export above), so a packet from 172.16.24.0/24 to 192.168.1.0/24 enters on bridge2 and
# leaves on bridge1-ISP; the rule asks for the opposite interfaces, and likewise for the second rule.
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=bridge1-ISP out-interface=bridge2 src-address=\
172.16.24.0/24
add action=drop chain=forward dst-address=172.16.24.0/24 in-interface=bridge2 out-interface=bridge1-ISP src-address=\
192.168.1.0/24
# The interface-only pair is consistent but disabled. Enabling these (and fixing the fasttrack rule above) is what
# actually separates the two LANs.
add action=drop chain=forward disabled=yes in-interface=bridge2 out-interface=bridge1-ISP
add action=drop chain=forward disabled=yes in-interface=bridge1-ISP out-interface=bridge2
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=\
udp to-addresses=192.168.1.200
# Same rule twice: as typed, then as RouterOS exported it. No section path precedes these lines; 'chain=input' is a
# filter chain, not a NAT chain, so they belong under '/ip firewall filter', not under the '/ip firewall nat' header
# that precedes them on this page. Appended at the end of the filter chain they would also come after the
# 'accept chain=input protocol=icmp' rule, which matches first, so the drop is only reached if moved above it.
add chain=input action=drop protocol=icmp src-address=172.16.24.0/24 dst-address=192.168.1.1
add action=drop chain=input dst-address=192.168.1.1 protocol=icmp src-address=172.16.24.0/24
Since I did not start from the basic firewall after importing a script the first time (with the actual FW), where can I get it? I am reading here. I suggest you start over from the default firewall filter rules and adapt them according to your needs
.
# RouterOS default firewall (defconf), quoted as the recommended starting point. It relies on two interface lists,
# LAN and WAN. The first export on this page defines WAN (ether1-WAN) but no LAN list; if LAN does not exist or is
# empty, 'in-interface-list=!LAN' drops input from every interface, including the one you manage the router from.
# Create the LAN list (bridge1-ISP, bridge2) before importing these rules, and put pppoe-out1, vlan2 and vlan3 into
# WAN as well as the physical port, since the exports masquerade on all four.
/ip firewall
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
# Fasttrack limited to established,related; this is the matcher the user's later exports on this page omit.
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Inbound new connections from WAN are dropped unless a dst-nat rule created them; this is where the VOD dst-nat on
# vlan2 keeps working only if vlan2 is in the WAN list and the dst-nat exists.
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
# IPv6 part: only relevant if IPv6 is enabled; the two '!LAN' rules have the same LAN-list dependency as above.
/ipv6 firewall
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# Alternative rule set quoted from another source ("ROUTER PROTECTION" / "CUSTOMER PROTECTION").
/ip firewall filter
add action=drop chain=input comment="ROUTER PROTECTION.Drop Invalid connections" connection-state=invalid
# Input accepts established but not related connections.
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# Management access is limited to TCP 46767 from 192.168.1.0/24 on any interface except ether1-gateway. Everything
# else to the router, including DNS for LAN clients (allow-remote-requests=yes in the exports above) and Winbox on
# 8291, is dropped by the final input rule; add explicit accepts for those from the LAN subnets before it if needed.
# The rule does not cover the LAN2 subnet 172.16.24.0/24.
add action=accept chain=input comment="Allow connections to router itself only from our local network" dst-port=46767 in-interface=\
!ether1-gateway protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
# Invalid-state drop restricted to TCP; the default configuration quoted above drops invalid for all protocols.
add action=drop chain=forward comment="CUSTOMER PROTECTION. Drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="Allow already established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Bogon drops. 224.0.0.0/3 covers all of multicast (224.0.0.0/4) and the reserved space above it; the IPTV groups in
# option_para_deco (239.0.2.x) fall inside it, so verify the IGMP-proxied IPTV traffic is not affected before enabling
# the last two rules.
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# RouterOS export, later revision: management access tightened in /ip service. Lines starting with '#' are
# reviewer notes; all commands are unchanged.
/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
# dhcp_pool2 still reads 172.16.24.100-192.16.24.120 (192 instead of 172 in the upper bound), as pointed out earlier
# in the thread.
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120
/ip dhcp-server
add address-pool=dhcp_pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=bridge2 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=7a:79:78:65:6c:5f:44:54:54:37:31:30:35:2d:30:2e:32:5f:53:31:34:30:59:34:38:39:32:35:32:31:35 \
dhcp-option=option_para_deco mac-address=xxx server=dhcp1
add address=192.168.1.40 client-id=xxx mac-address=xxx server=dhcp1
add address=192.168.1.50 client-id=xxx mac-address=xxx server=dhcp1
add address=172.16.24.2 client-id=xxx mac-address=xxx server=dhcp2
/ip dhcp-server network
# Still no network entry for 172.16.24.0/24 (dhcp2's subnet).
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes with an input chain that only drops pppoe-out1 leaves the resolver reachable from
# ether1-gateway, vlan2 (10.128.0.0/9) and vlan3.
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip firewall filter
# Fasttrack without connection-state=established,related (compare the default configuration quoted above): all
# forward connections are fasttracked and later forward rules do not see their packets.
add action=fasttrack-connection chain=forward
# The comment "deniego ICMP" ("I deny ICMP") contradicts the action: this rule accepts and logs all ICMP to the router.
add action=accept chain=input comment="deniego ICMP" log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# This Winbox accept only adds value together with a final 'drop chain=input' rule; without one the chain already
# accepts by default. The /ip service winbox address restriction below is what actually limits access here.
add action=accept chain=input dst-port=8291 protocol=tcp src-address=192.168.1.50
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=\
192.168.1.200
/ip service
# Management hardening: SSH moved to port 221 (still reachable from any address), Winbox bound to the single host
# 192.168.1.50/32; telnet, ftp, www, api and api-ssl disabled. www-ssl is not listed in this export.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=221
set api disabled=yes
set winbox address=192.168.1.50/32 port=8291
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external
/ip dhcp-server option
# Custom DHCP option 240 for the IPTV decoder; the value is an ISP-specific string (presumably multicast groups/ports).
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=pool1 ranges=192.168.1.210-192.168.1.230
# pool2 is not referenced by any server in this revision (only dhcp1 exists below), and there is no
# /ip dhcp-server network for 172.16.33.0/24 either -- LAN2 currently gets no DHCP service.
add name=pool2 ranges=172.16.33.10-172.16.33.20
/ip dhcp-server
add address-pool=pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
# Second, non-PPPoE path toward the ISP device on ether1-gateway (also masqueraded below).
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
# /9 on the IPTV VLAN: the entire 10.128.0.0/9 ISP network is on-link on vlan2.
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
# LAN2 renumbered to 172.16.33.0/24 in this revision.
add address=172.16.33.1/24 comment=LAN2 interface=bridge2 network=172.16.33.0
/ip dhcp-client
# vlan3 gets its address by DHCP but does not install a default route (the PPPoE client provides it).
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
# Static lease for the IPTV decoder (hex client-id, option 240). MAC addresses are redacted ("x") in this paste.
add address=192.168.1.200 client-id=\
7a:79:78:65:6c:5f:44:54:54:37:31:30:35:2d:30:2e:32:5f:53:31:34:30:59:34:38:39:32:35:32:31:35 \
dhcp-option=option_para_deco mac-address=x server=dhcp1
add address=192.168.1.40 mac-address=x server=dhcp1
# 192.168.1.50 is the management host allowed to WinBox (see /ip service).
add address=192.168.1.50 mac-address=x server=dhcp1
add address=192.168.1.11 mac-address=x server=dhcp1
add address=192.168.1.47 mac-address=x server=dhcp1
add address=192.168.1.49 mac-address=x server=dhcp1
/ip dhcp-server network
# Generic LAN1 network: clients are handed the ISP resolvers directly, so they do not query the router for DNS.
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
# More specific /30 covering the decoder so it gets its own DNS (172.26.23.3) and option 240;
# netmask=24 keeps the mask handed to the client at /24.
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
netmask=24
/ip dns
# The router answers DNS for whoever the input chain lets in. Note the "local network" input rule below is
# TCP-only, so UDP DNS from LAN to the router is dropped by "Drop everything else".
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) disabled on every interface.
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip firewall filter
# input chain: drop invalid, accept established, accept ICMP, accept TCP from LAN1, then drop everything.
# There is no connection-state=related accept in input (the forward chain has one).
add action=drop chain=input comment="ROUTER PROTECTION.Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
# ICMP accepted from every interface, including the ISP-facing ones.
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# TCP only, source 192.168.1.0/24, any interface except ether1-gateway. Two caveats: (1) UDP from LAN1 to the
# router (DNS 53, NTP) and anything from LAN2 (172.16.33.0/24) fall through to the drop below; (2) !ether1-gateway
# also admits vlan2, vlan3 and pppoe-out1, so a packet with a spoofed 192.168.1.x source from the ISP side matches
# too -- in-interface=bridge1-ISP would be the tighter match. dst-port="" is an empty matcher with no effect.
add action=accept chain=input comment="Allow connections to router itself only from our local network" \
dst-port="" in-interface=!ether1-gateway protocol=tcp src-address=192.168.1.0/24
# Terminating drop. TODO(review): confirm the vlan3 DHCP client and the dhcp1 server still work behind it.
add action=drop chain=input comment="Drop everything else"
# Despite the comment, only TCP invalid packets are dropped here (protocol=tcp).
add action=drop chain=forward comment="CUSTOMER PROTECTION. Drop invalid connections" connection-state=\
invalid protocol=tcp
add action=accept chain=forward comment="Allow already established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Bogon drops. 224.0.0.0/3 covers all multicast: if IPTV multicast arriving on vlan2 is meant to be forwarded to
# LAN1 (the "iptv" NAT rule suggests so), the dst-address=224.0.0.0/3 rule blocks it.
# The forward chain has no terminating drop, so everything not listed here is forwarded, including LAN1 <-> LAN2.
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
/ip firewall mangle
# Sets the VLAN priority field on egress toward the ISP VLANs / PPPoE.
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
# VOD redirect to the decoder. dst-address=10.133.225.0 matches only that single host, not the router's own
# vlan2 address (10.133.225.20); dst-address-type=local would match whatever address the router holds there.
# dst-address-list="" is an empty matcher and has no effect.
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=\
vlan2 protocol=udp to-addresses=192.168.1.200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# SSH on 221, reachable only as far as the input filter allows (TCP from 192.168.1.0/24); WinBox is additionally
# pinned to one host below.
set ssh port=221
set api disabled=yes
set winbox address=192.168.1.50/32 port=8291
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
# UPnP lets LAN1 hosts open inbound ports on pppoe-out1 on their own; only effective if /ip upnp is enabled (not shown here).
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external
.you don't have corresponding /ip dhcp-server network nor /ip dhcp-server ...
# Rules quoted from a reply, without their section headers: the first entry belongs to /ip dhcp-server network,
# the next two to /ip firewall nat, the last three to /ip firewall filter.
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
netmask=24
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
# dst-address-type=local matches any address the router itself holds, avoiding the single-host
# dst-address=10.133.225.0 match of the original VOD rule (the router's vlan2 address is 10.133.225.20).
add action=dst-nat chain=dstnat comment=VOD dst-address-type=local in-interface=vlan2 protocol=udp to-addresses=192.168.1.200
# TCP only, from 192.168.1.0/24, on every interface except ether1-gateway: UDP services on the router (DNS) and
# any LAN2 host still hit the drop below, and the negation also admits vlan2/vlan3/pppoe-out1 for a spoofed
# 192.168.1.x source -- in-interface=bridge1-ISP would be the tighter match.
add action=accept chain=input comment="Allow connections to router itself only from our local network" in-interface=!ether1-gateway \
protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
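/ip firewall filter
# Unconditional fasttrack as the first forward rule: every forwarded connection, including ones a later rule
# drops, is marked before the drops are evaluated, and fasttracked packets bypass mangle (the set-priority rules
# below). The stock configuration matches connection-state=established,related here and places the rule after
# the drops; consider the same.
add action=fasttrack-connection chain=forward
# Accepts (and logs) ICMP from any interface, including the ISP-facing ones.
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Only pppoe-out1 is closed. RouterOS built-in chains end in an implicit accept, so new connections arriving on
# ether1-gateway, vlan2 (10.128.0.0/9 is on-link there) and vlan3 still reach the router's services
# (SSH on 221, DNS, WinBox). A final "add action=drop chain=input" after the LAN-access rules would close that.
add action=drop chain=input in-interface=pppoe-out1
# LAN1 <-> LAN2 isolation. Placed before the established/related accepts so every packet is checked, not only new ones.
# Fix: the original rules paired in-interface=bridge1-ISP with src-address=172.16.24.0/24 (and the reverse),
# a combination normal traffic never produces -- LAN1 traffic enters bridge1-ISP with a 192.168.1.x source --
# so neither rule ever matched and the two LANs were not isolated. src/dst now agree with in/out interface.
add action=drop chain=forward dst-address=172.16.24.0/24 in-interface=bridge1-ISP out-interface=bridge2 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=bridge2 out-interface=bridge1-ISP src-address=172.16.24.0/24
# Interface-only variants of the same isolation, currently disabled; simpler and independent of addressing.
add action=drop chain=forward disabled=yes in-interface=bridge2 out-interface=bridge1-ISP
add action=drop chain=forward disabled=yes in-interface=bridge1-ISP out-interface=bridge2
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
# No terminating drop in forward: anything not dropped above is forwarded.
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
# Sets the VLAN priority field on egress toward the ISP VLANs / PPPoE (not applied to fasttracked packets).
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
# VOD redirect to the decoder. dst-address=10.133.225.0 matches only that single host, not the router's own
# vlan2 address (10.133.225.20); dst-address-type=local would match whatever address the router holds there.
# dst-address-list="" is an empty matcher and has no effect.
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=192.168.1.200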
That's a perfect definition.
Ahhh, Luka, you have discovered what I like to call the mkx infinite loop. It's a phenomenon that often occurs: the OP slowly goes mad and ends up throwing his device against the wall at high velocity. It doesn't fix the configuration at all, but it feels really, really good at the time.
You mentioned: "...you don't have corresponding /ip dhcp-server network nor /ip dhcp-server ..."
Maybe I don't understand you, but I think I do have the network, and there is no need for a DHCP server since it is a static IP (192.168.1.200):
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
netmask=24
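# The pool definition was pasted under /ip dhcp-server, where "ranges=" is not a parameter and the line
# would fail on import; it belongs to /ip pool and is normally defined before the server that references it.
/ip pool
add name=dhcp_pool2 ranges=172.16.24.100-172.16.24.119
/ip dhcp-server
# dhcp2 serves LAN2 (bridge2) from dhcp_pool2.
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2
/ip dhcp-server network
# Network entry for LAN2: gateway is the router's bridge2 address; clients are handed public resolvers.
add address=172.16.24.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.24.1 netmask=24
# Incomplete rule fragment from the paste (no "add action=..." and dst-address has no prefix length); left as-is.
chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0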