dtsarouc
just joined
Topic Author
Posts: 2
Joined: Mon Mar 08, 2021 12:29 pm

New to Mikrotik Routers - 2 trunk ports

Tue Mar 09, 2021 8:10 pm

Hello all,

I have just purchased a CCR-1009-7G-1C-1S MikroTik router.
I want to configure the following:
2 trunk ports that will allow VLANs 10, 20, 30 (one as uplink to my Cisco switch and one as uplink to my access point)
1 WAN port
3 access ports (one for each VLAN)
3 DHCP servers - one for each VLAN

Till now I have created the three VLANs, one trunk port, the three access ports and the DHCP servers.
But I can't find out how to create a second trunk port that will allow the 3 VLANs.
/interface bridge
add name=bridge_Vlan10
add name=bridge_Vlan20
add name=bridge_Vlan30
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Switch_Trunk
set [ find default-name=ether7 ] name=ether7-Trunk_Wifi
/interface vlan
add interface=ether1-Switch_Trunk name=Guest_Vlan vlan-id=20
add interface=ether7-Trunk_Wifi name=Guest_Vlan2 vlan-id=20
add interface=ether1-Switch_Trunk name=Home_Vlan vlan-id=10
add interface=ether7-Trunk_Wifi name=Home_Vlan2 vlan-id=10
add interface=ether1-Switch_Trunk name=Security_Vlan vlan-id=30
add interface=ether7-Trunk_Wifi name=Security_Vlan2 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.85.20-10.10.85.254
add name=dhcp_pool1 ranges=10.20.85.20-10.20.85.254
add name=dhcp_pool2 ranges=10.30.85.20-10.30.85.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_Vlan10 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge_Vlan20 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge_Vlan30 name=dhcp3
/interface bridge port
add bridge=bridge_Vlan10 interface=ether2 trusted=yes
add bridge=bridge_Vlan10 interface=Home_Vlan
add bridge=bridge_Vlan20 interface=ether3 pvid=20 trusted=yes
add bridge=bridge_Vlan20 interface=Guest_Vlan
add bridge=bridge_Vlan30 interface=ether4
add bridge=bridge_Vlan30 interface=Security_Vlan
add bridge=bridge_Vlan10 interface=ether5
/ip address
add address=10.10.85.1/24 interface=Home_Vlan network=10.10.85.0
add address=10.20.85.1/24 interface=Guest_Vlan network=10.20.85.0
add address=10.30.85.1/24 interface=Security_Vlan network=10.30.85.0
/ip dhcp-server network
add address=10.10.85.0/24 dns-server=8.8.8.8,4.4.4.4 domain=dtzs.local \
    gateway=10.10.85.1
add address=10.20.85.0/24 dns-server=8.8.8.8,4.4.4.4 domain=dtzs_guest.local \
    gateway=10.20.85.1
add address=10.30.85.0/24 dns-server=8.8.8.8,4.4.4.4 domain=dtzs_security \
    gateway=10.30.85.1
/ip dns
set servers=8.8.8.8,4.4.4.4
/ip service
set telnet address=10.10.85.0/24
set ftp address=10.10.85.0/24
set www address=10.10.85.0/24
set ssh address=10.10.85.0/24
set www-ssl address=10.10.85.0/24 disabled=no
set api address=10.10.85.0/24
set winbox address=10.10.85.0/24
set api-ssl address=10.10.85.0/24
Can you please help me?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik Routers - 2 trunk ports

Wed Mar 10, 2021 2:28 pm

This guide is excellent.......
You have a start but with flaws.
viewtopic.php?f=23&t=143620
It will guide you to set up your VLANs properly on the bridge.

The only services that you should need are winbox and possibly SSH, the rest I would disable.

When you are ready for a review of your next attempt, post complete config.
/export hide-sensitive file=anynameyouwish
 
dtsarouc
just joined
Topic Author
Posts: 2
Joined: Mon Mar 08, 2021 12:29 pm

Re: New to Mikrotik Routers - 2 trunk ports

Sun Apr 04, 2021 1:20 pm

First of all, thank you very much for your suggestion. The guide helped me to solve all the problems I faced.
My current config is:
# apr/04/2021 13:11:36 by RouterOS 6.48.1
# software id = LGY6-FUUK
#
# model = CCR1009-7G-1C-1S+
/interface bridge
add name=Trunk_bridge protocol-mode=none pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] advertise=10M-half,10M-full
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether1 \
    keepalive-timeout=900 max-mru=1492 max-mtu=1492 name=pppoe-Cosmote \
    use-peer-dns=yes user=****************
/interface vlan
add interface=Trunk_bridge name=Guest_VLAN vlan-id=20
add interface=Trunk_bridge name=Home_VLAN vlan-id=10
add interface=Trunk_bridge name=Security_VLAN vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Home_POOL ranges=10.10.85.20-10.10.85.254
add name=Guest_POOL ranges=10.20.85.20-10.20.85.254
add name=Security_POOL ranges=10.30.85.20-10.30.85.254
/ip dhcp-server
add address-pool=Guest_POOL disabled=no insert-queue-before=bottom interface=\
    Guest_VLAN lease-time=1d name=Guest_DHCP
add address-pool=Security_POOL disabled=no insert-queue-before=bottom \
    interface=Security_VLAN lease-time=1d name=Security_DHCP
add address-pool=Home_POOL disabled=no insert-queue-before=bottom interface=\
    Home_VLAN lease-time=1d name=Home_DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=Trunk_bridge interface=ether6
add bridge=Trunk_bridge interface=ether7
add bridge=Trunk_bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=Trunk_bridge ingress-filtering=yes interface=ether3 pvid=20
add bridge=Trunk_bridge ingress-filtering=yes interface=ether4 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=Trunk_bridge tagged=Trunk_bridge,ether6,ether7 untagged=ether2 \
    vlan-ids=10
add bridge=Trunk_bridge tagged=Trunk_bridge,ether6,ether7 untagged=ether3 \
    vlan-ids=20
add bridge=Trunk_bridge tagged=Trunk_bridge,ether6,ether7 untagged=ether4 \
    vlan-ids=30
/interface list member
add interface=pppoe-Cosmote list=WAN
add interface=Guest_VLAN list=VLAN
add interface=Security_VLAN list=VLAN
add interface=Home_VLAN list=VLAN
add interface=Home_VLAN list=MGMT
/ip address
add address=10.10.85.1/24 interface=Home_VLAN network=10.10.85.0
add address=10.20.85.1/24 interface=Guest_VLAN network=10.20.85.0
add address=10.30.85.1/24 interface=Security_VLAN network=10.30.85.0
add address=10.0.85.2/24 interface=ether1 network=10.0.85.0
/ip cloud
set ddns-update-interval=10m
/ip dhcp-client
add add-default-route=no !dhcp-options interface=ether1
/ip dhcp-server lease
add address=10.30.85.20 client-id=1:0:50:c2:9a:88:68 mac-address=\
    00:50:C2:9A:88:68 server=Security_DHCP
/ip dhcp-server network
add address=10.20.85.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.85.1
add address=10.10.85.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.85.1
add address=10.30.85.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.85.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=Home_VLAN out-interface=\
    Security_VLAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=\
    4443 in-interface=pppoe-Cosmote protocol=tcp to-addresses=10.30.85.20 \
    to-ports=4443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.85.0/24 disabled=yes
set ssh address=10.10.85.0/24
set api disabled=yes
set winbox address=10.10.85.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=DTZS_ROUTER
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

I would like, if possible, the DHCP server to lease addresses from 20-255 and not from 255 to 20,
and also I would like any suggestions regarding my firewall rules.
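An added consistency check (not from the thread) over the /interface bridge port and /interface bridge vlan sections of the export above: an access port's pvid must appear as an untagged member of a bridge vlan entry, and a port that carries tagged VLANs (a trunk) should have ingress-filtering=yes and frame-types=admit-only-vlan-tagged, otherwise untagged frames arriving on the trunk are placed into that port's pvid VLAN. The EXPORT text is copied from the post with continuation lines joined; the hardened and broken variants in the checks are constructed.

```python
# Added example: lint a RouterOS bridge VLAN table for trunk/access consistency.
import shlex

# The two sections copied from the export above, with line continuations joined.
EXPORT = r"""
/interface bridge port
add bridge=Trunk_bridge interface=ether6
add bridge=Trunk_bridge interface=ether7
add bridge=Trunk_bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=Trunk_bridge ingress-filtering=yes interface=ether3 pvid=20
add bridge=Trunk_bridge ingress-filtering=yes interface=ether4 pvid=30
/interface bridge vlan
add bridge=Trunk_bridge tagged=Trunk_bridge,ether6,ether7 untagged=ether2 vlan-ids=10
add bridge=Trunk_bridge tagged=Trunk_bridge,ether6,ether7 untagged=ether3 vlan-ids=20
add bridge=Trunk_bridge tagged=Trunk_bridge,ether6,ether7 untagged=ether4 vlan-ids=30
"""

def parse_sections(text):
    """Map each '/path' header to a list of {key: value} dicts, one per 'add' line."""
    sections, current = {}, []
    for line in text.strip().splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        else:
            current.append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))
    return sections

def lint(text):
    """Return a list of findings; an empty list means the table is consistent."""
    s = parse_sections(text)
    tagged, untagged = {}, {}  # port -> set of VLAN ids carried tagged / untagged
    for v in s["/interface bridge vlan"]:
        for vid in v["vlan-ids"].split(","):
            for p in filter(None, v.get("tagged", "").split(",")):
                tagged.setdefault(p, set()).add(vid)
            for p in filter(None, v.get("untagged", "").split(",")):
                untagged.setdefault(p, set()).add(vid)
    findings = []
    for p in s["/interface bridge port"]:
        name, pvid = p["interface"], p.get("pvid", "1")  # RouterOS default pvid is 1
        if name in tagged:  # trunk port: should refuse untagged frames
            if p.get("ingress-filtering") != "yes":
                findings.append(f"{name}: trunk port without ingress-filtering=yes")
            if p.get("frame-types", "admit-all") != "admit-only-vlan-tagged":
                findings.append(f"{name}: trunk port admits untagged frames into pvid {pvid}")
        elif pvid not in untagged.get(name, set()):  # access port: pvid must be untagged member
            findings.append(f"{name}: pvid {pvid} is not an untagged member of any bridge vlan")
    return findings
```

Running lint(EXPORT) reports ether6 and ether7 twice each (no ingress filtering, untagged frames admitted); adding frame-types=admit-only-vlan-tagged ingress-filtering=yes to those two port lines clears the list.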
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik Routers - 2 trunk ports

Sun Apr 04, 2021 3:02 pm

(1) IF it works for you great, if not, then I would recommend not deviating from vlan1 as the default pvid for the bridge (not vlan10).
Remember from the guide...... one does not change the default and introduce a different pvid!!

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
# Purple Trunk. Leave pvid set to default of 1
/interface bridge set BR1 vlan-filtering=yes


You already have vlan10 as the management vlan, there is no need to set the bridge-trunk default pvid to 10.
All the smart devices down the line simply need an IP address in the vlan10 IP structure and it will work smooth.

(2) Bridge ports 6 and 7: you can add ingress filtering and frame type "allow only vlan tagged", assuming these are your trunk ports.

(3) Not necessary, but for completeness I would add ether1 to the WAN interface list (pppoe is the action interface, so that one is the needed one).

(4) Adjusted filter rules to streamline and manage security better, with a consistent approach. Only mgmt (you) needs full access to the router!! The rest only need specific services such as DNS; another example could be NTP. As admin you may want to be able to access the security and/or guest vlan for whatever reason.......

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=input comment=Drop

add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Authorized_Access" in-interface-list=MGMT \
source-address-list=adminaccess

add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="Drop All Else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN

add action=accept chain=forward in-interface-list=MGMT out-interface-list=VLAN
add action=drop chain=forward comment=Drop

Note: the firewall address list used in the input chain is called 'adminaccess'. Assuming you have statically assigned IP addresses, it looks like:
/ip firewall address-list
add address=IPaddress of your desktop list=adminaccess
add address=IPaddress of your laptop list=adminaccess
add address=IPaddress of your tablet list=adminaccess
add address=IPaddress of your smartphones list=adminaccess
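To see what the input-chain rules above do under RouterOS first-match evaluation, here is an added Python simulation (not from the thread or from RouterOS) with the interface lists taken from the posted config and a constructed adminaccess address. The lone drop line that appears right after the estab/related rule is left out, since a first-match drop at that position would end the chain before any of the later accepts is reached.

```python
# Added example: first-match evaluation of the input-chain rules from the reply above.
import shlex

# Interface lists from the posted config; the adminaccess member address is constructed.
IFACE_LISTS = {"VLAN": {"Home_VLAN", "Guest_VLAN", "Security_VLAN"}, "MGMT": {"Home_VLAN"}}
ADDR_LISTS = {"adminaccess": {"10.10.85.50"}}

# Input rules from the reply, continuation lines joined; order matters (first match wins).
INPUT_RULES = r"""
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Authorized_Access" in-interface-list=MGMT source-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="Drop All Else"
"""

def parse_rules(text):
    """One dict per 'add' line: {'action': ..., 'chain': ..., matcher: value, ...}."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def packet(in_if, src, proto, dport=None, state="new"):
    """A packet addressed to the router itself (input chain), as the firewall sees it."""
    return {"chain": "input", "in_if": in_if, "src": src, "proto": proto,
            "dport": dport, "state": state}

# Only the matchers used by these rules are modelled; an unknown key is ignored.
MATCHERS = {
    "chain": lambda v, pkt: pkt["chain"] == v,
    "connection-state": lambda v, pkt: pkt["state"] in v.split(","),
    "protocol": lambda v, pkt: pkt["proto"] == v,
    "dst-port": lambda v, pkt: str(pkt["dport"]) in v.split(","),
    "in-interface-list": lambda v, pkt: pkt["in_if"] in IFACE_LISTS[v],
    "source-address-list": lambda v, pkt: pkt["src"] in ADDR_LISTS[v],
}

def verdict(rules, pkt):
    """Return (action, comment) of the first matching rule; RouterOS accepts if none matches."""
    for rule in rules:
        if all(MATCHERS[k](v, pkt) for k, v in rule.items() if k in MATCHERS):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched"

RULES = parse_rules(INPUT_RULES)
```

The checks show the practical effect of the Authorized_Access rule: a device on the management VLAN whose address is not in adminaccess no longer reaches Winbox (tcp/8291), while DNS and ICMP from any VLAN still get through.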
