Thu Apr 08, 2021 10:13 pm
Feedback. Get rid of VLAN1; it serves no purpose.
(1) I don't have DHCP or IGMP snooping on my bridge, and I'm just wondering what the value of those settings is??
(2) We do not identify vlans in the wireless settings themselves.
We associate the vlans to the Bridge ports (ether ports or WLAN ports).
interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
20/40/80mhz-XXXX country=germany disabled=no frequency=auto hide-ssid=yes \
installation=indoor mode=ap-bridge name=FrannyMainW scan-list=5GHz ssid=\
FrannyMainW station-roaming=enabled vlan-id=99 wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-onlyn country=germany \
default-forwarding=no disabled=no frequency=auto hide-ssid=yes mode=\
ap-bridge name=FrannyW24 ssid=FrannyMainW24 station-roaming=enabled \
vlan-id=66 wireless-protocol=802.11 wps-mode=disabled
(3) Remove the line for vlan1; it doesn't need to exist.
/interface vlan
add disabled=yes interface=bridge_VLAN100 name=VLAN1 vlan-id=1
add interface=ether1 name=VLAN7-PPPoE vlan-id=7
add interface=bridge_VLAN100 name=VLAN66 vlan-id=66
add interface=bridge_VLAN100 name=VLAN77 vlan-id=77
add interface=bridge_VLAN100 name=VLAN88 vlan-id=88
add interface=bridge_VLAN100 name=VLAN99 vlan-id=99
(4) WHY is ether1 associated with vlan7? Assuming this is an ISP vlan that you are required to match up!! Otherwise not needed.
(5) Same comments here: wireless settings should avoid vlan parameters.
/interface wireless
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
mac-address=0A:55:31:3B:07:7F master-interface=FrannyMainW \
multicast-buffering=disabled name=FrannyHOW security-profile=business \
ssid=FrannyHOW station-roaming=enabled vlan-id=88 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
0A:55:31:3B:07:7E master-interface=FrannyMainW multicast-buffering=\
disabled name=FrannyGastW security-profile=guest ssid=FrannyGastW \
station-roaming=enabled vlan-id=77 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
0A:55:31:3B:07:7D master-interface=FrannyW24 multicast-buffering=disabled \
name=FrannyHomeW24 security-profile=home ssid=FrannyHomeW24 \
station-roaming=enabled vlan-id=66 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
(6) This is not vlan1 related, and in fact would replace where you state vlan1 with HOME, or simply create vlan100 for the home network!! (assuming this is also your management network) However, I read config top to bottom, so there may be reasons as I go along.
Understand you have four vlans, 66, 77, 88, 99, for various wifi networks mostly (smart devices, guests, business, and internal respectively).
/ip pool
add comment="Default VLAN (ID 1):" name=dhcp_pool5 ranges=\
192.168.100.10-192.168.100.50
(7) Example of the above that is confusing..... If they were actual VLANs, like VLAN100 with subnets etc., it would be easy to understand and read, and if there is no such desire, just change
vlan1 to HomeLAN. There is nothing wrong or in error, just bloody confusing.
/interface list member
add interface=VLAN1 list=LANfullWAN
add interface=VLAN1 list=LAN
(8) From the bridge port settings you have two trunk ports to smart devices (either switches or access points, for example) on ether3 and ether5.
Ether4 is going to an internal device (probably a PC) on vlan99.
Curious about ether2 LOL.
The wlan ports are also identified.
WHAT IS MISSING............................................. no wifi for the VLAN1 subnet and no ether ports specifically for the VLAN1 subnet.
(9) My concerns about calling an interface vlan1 with no actual vlan definition come to the fore looking at bridge vlans......
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1 WHAT THE HECK DOES THIS DO??? {purpose}
(10) What your bridge vlan settings tell me (besides what was already noted in (9)) is that vlan 66 is not trunked elsewhere, vlan 77 and vlan 99 are trunked to ether3, and vlans 88 and 99 are trunked to ether5. I personally ADD the untagging, as it's way clearer to me what I have done and is much easier to understand in a config.
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=66
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether3 vlan-ids=77
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5 vlan-ids=88
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5,ether3 vlan-ids=99
(11) OKAY, your firewall rules need a serious clean-up, and ORDER within a chain matters. It should look more like this.
/ip firewall filter {input chain}
add action=accept chain=input comment=\
"defconf: accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment="Allow Admin Access" in-interface=\
VLAN99
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else (input)"
/ip firewall filter {forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked (LANfullWAN)" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" \
in-interface-list=LANfullWAN out-interface-list=WAN
{okay, the next rules seem okay but are a bit different; my only comment is why port 53. There is no need to allow port 53 to the internet as we have already allowed all port 53 to the router?? However, I don't think it's wrong if you are accessing an outside DNS server??}
add action=accept chain=forward comment=" allow VLAN66 to WAN traffic (UDP)" \
dst-port=53,25050 in-interface=VLAN66 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment=\
"allow VLAN66 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
in-interface=VLAN66 out-interface-list=WAN protocol=tcp
{okay, the next set of rules has to do with accessing the printer. Seems okay; not sure why you use a source address list instead of in-interface=vlan88, for example?? Both work!!}
{not sure why you separate out tcp and udp to a printer; just use addresses??}
add action=accept chain=forward comment=\
"allow VLAN88 to VLAN99 printer (TCP)" dst-address=192.168.99.193 \
protocol=tcp src-address-list="VLAN88 Business"
add action=accept chain=forward comment=\
"allow VLAN77 to VLAN99 printer (TCP)" disabled=yes dst-address=\
192.168.99.193 protocol=tcp src-address-list="VLAN77 Guest Wifi"
add action=accept chain=forward comment=\
"allow VLAN77 to VLAN99 printer (UDP)" disabled=yes dst-address=\
192.168.99.193 protocol=udp src-address-list="VLAN77 Guest Wifi" \
src-port=""
What I would do is one clear and simple rule for all:
add action=accept chain=forward comment="shared printer access" dst-address=192.168.99.193 \
src-address-list=sharedprinter
where:
/ip firewall address-list
add address=192.168.77.0/24 list=sharedprinter
add address=192.168.66.0/24 list=sharedprinter
This IS NOT required here and can be MOVED to where they belong, in the INPUT chain rules, above the drop-all rule.
Access to router services is provided in the INPUT CHAIN rules.
add action=accept chain=forward input comment="Router NTP Service (TCP, test)" \
disabled=yes dst-port=123 in-interface=VLAN77 protocol=tcp
add action=accept chain=forward input comment="Router NTP Service (TCP, test)" \
disabled=yes dst-address=192.168.99.1 dst-port=123 protocol=udp \
src-port=123
Same comments I had for vlan66..........................................
add action=accept chain=forward comment=\
"allow VLAN77 to WAN traffic (test, full)" disabled=yes in-interface=\
VLAN77 out-interface-list=WAN
add action=accept chain=forward comment=" allow VLAN77 to WAN traffic (UDP)" \
dst-port=53,123,25050 in-interface=VLAN77 out-interface-list=WAN \
protocol=udp
add action=accept chain=forward comment=\
"allow VLAN77 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
in-interface=VLAN77 out-interface-list=WAN protocol=tcp
Rest is fine.
add action=accept chain=forward comment="allow Admin to all limited vlans" \
disabled=yes in-interface=VLAN99 out-interface-list=LANlimWAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else (forward)"
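The point in (11), that order within a chain matters, can be checked mechanically against an export. The script below is an added example, not code from the forum post or from MikroTik: it parses the `/ip firewall filter` section of a RouterOS export (assuming the `/export` layout, with `\` line continuations and rules starting with `add `) and flags chains whose first active rule does not accept established/related traffic, chains with no "drop invalid" rule, chains without a catch-all drop, and rules placed after the catch-all drop, which can never match. The sample export embedded in it is constructed for the example and deliberately puts an accept rule after "drop all else (input)".

```python
"""Lint the rule order of a RouterOS '/ip firewall filter' export.

Added example, not from the forum post or MikroTik.  Assumptions: the text
is in '/export' format (sections start with '/', a trailing backslash wraps
a line, rules start with 'add '); only the properties checked below matter.
"""
import shlex

SECTION = "/ip firewall filter"

# Properties that do not narrow what a rule matches; a drop with only these
# is a catch-all "drop everything else" rule.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def join_continuations(text):
    """Merge lines that end with a backslash, as RouterOS exports wrap them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_filter_rules(text):
    """Return the rules under /ip firewall filter, in order, as property dicts."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section == SECTION and line.startswith("add "):
            props = {}
            # shlex keeps comment="a b c" together as one key=value token
            for tok in shlex.split(line[4:]):
                key, _, val = tok.partition("=")
                props[key] = val
            rules.append(props)
    return rules


def is_catch_all(rule):
    return not (set(rule) - NON_MATCHERS)


def lint_chain(rules, chain):
    """Return findings for one chain; an empty list means the order is sane."""
    active = [r for r in rules if r.get("chain") == chain and r.get("disabled") != "yes"]
    if not active:
        return [f"{chain}: no active rules"]
    findings = []
    first = active[0]
    states = set(first.get("connection-state", "").split(","))
    if not (first.get("action") in ("accept", "fasttrack-connection")
            and {"established", "related"} <= states):
        findings.append(f"{chain}: first rule should accept established,related "
                        f"(got {first.get('action')} {first.get('comment', '')!r})")
    if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid"
               for r in active):
        findings.append(f"{chain}: no 'drop invalid' rule")
    drops = [i for i, r in enumerate(active) if r.get("action") == "drop" and is_catch_all(r)]
    if not drops:
        findings.append(f"{chain}: no catch-all drop at the end")
    else:
        for r in active[drops[0] + 1:]:
            findings.append(f"{chain}: unreachable rule after catch-all drop: "
                            f"{r.get('comment', '')!r}")
    return findings


def lint(text):
    """Lint every chain found in the export, in order of first appearance."""
    rules = parse_filter_rules(text)
    chains = []
    for r in rules:
        if r.get("chain") not in chains:
            chains.append(r.get("chain"))
    findings = []
    for chain in chains:
        findings += lint_chain(rules, chain)
    return findings


# Constructed sample export: input chain has an accept after the catch-all drop.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment=\\
    "defconf: accept established, related, untracked" connection-state=\\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\\
    invalid
add action=drop chain=input comment="drop all else (input)"
add action=accept chain=input comment="Allow Admin Access" in-interface=VLAN99
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \\
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \\
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\\
    invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" \\
    in-interface-list=LANfullWAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else (forward)"
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` saved to a file by reading the file into `lint()`; it reports one finding for the sample, the unreachable "Allow Admin Access" rule, and nothing for the forward chain, which follows the order given in (11).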