when starting with my MT, I thought I'd strictly separate my VLANs with no access between two clients in different VLANs. In the meantime, I think it would be a good idea to access at least one or two devices from other VLANs, for example the printer from the guest or home-office VLAN.
I made it to access the printer web interface from one VLAN to the printer VLAN, but not more yet. I seem to miss a point as I thought I just look up the ports that are used for printing and create a forward rule in the firewall from VLAN to VLAN? For me it's still difficutl to grasp the basic concept based on research in the MT resources and how-tos.
Can maybe someone clear up the necessary rules for access across VLANs? I guess also other users would benefit from that. The following is my current setup. Thanks a lot:)
Code: Select all
# apr/08/2021 19:32:19 by RouterOS 6.48.1
# software id = 8ZCU-N24W
#
# model = RBD52G-5HacD2HnD
# serial number = D7160DC46EB8
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name=bridge_VLAN100 vlan-filtering=\
yes
/interface pppoe-client
add ac-name=FFMJ14 add-default-route=yes comment=\
"PPPoE Telekom - AC Name: FFMJ14" disabled=no interface=ether1 max-mru=\
1492 max-mtu=1492 name=PPPoE-Telekom user=[xzy]
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
20/40/80mhz-XXXX country=germany disabled=no frequency=auto hide-ssid=yes \
installation=indoor mode=ap-bridge name=FrannyMainW scan-list=5GHz ssid=\
FrannyMainW station-roaming=enabled vlan-id=99 wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-onlyn country=germany \
default-forwarding=no disabled=no frequency=auto hide-ssid=yes mode=\
ap-bridge name=FrannyW24 ssid=FrannyMainW24 station-roaming=enabled \
vlan-id=66 wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add disabled=yes interface=bridge_VLAN100 name=VLAN1 vlan-id=1
add interface=ether1 name=VLAN7-PPPoE vlan-id=7
add interface=bridge_VLAN100 name=VLAN66 vlan-id=66
add interface=bridge_VLAN100 name=VLAN77 vlan-id=77
add interface=bridge_VLAN100 name=VLAN88 vlan-id=88
add interface=bridge_VLAN100 name=VLAN99 vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=LANfullWAN
add name=LANlimWAN
/interface wireless channels
add band=5ghz-onlyac comment="ch56 - 40MHz: eC Ce - 80MHz: eCee" disabled=yes \
extension-channel=eCee frequency=5280 list=5GHz name=ch56 width=20
add band=5ghz-onlyac comment="ch136 - 40MHz: Ce - 80MHz: \?" \
extension-channel=eC frequency=5680 list=5GHz name=ch136 width=20
add band=5ghz-onlyac comment="ch104 - 80MHz: eCee" extension-channel=eCee \
frequency=5520 list=5GHz name=ch104 width=20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
business supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=home \
supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
mac-address=0A:55:31:3B:07:7F master-interface=FrannyMainW \
multicast-buffering=disabled name=FrannyHOW security-profile=business \
ssid=FrannyHOW station-roaming=enabled vlan-id=88 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
0A:55:31:3B:07:7E master-interface=FrannyMainW multicast-buffering=\
disabled name=FrannyGastW security-profile=guest ssid=FrannyGastW \
station-roaming=enabled vlan-id=77 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
0A:55:31:3B:07:7D master-interface=FrannyW24 multicast-buffering=disabled \
name=FrannyHomeW24 security-profile=home ssid=FrannyHomeW24 \
station-roaming=enabled vlan-id=66 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
/ip pool
add comment="Default VLAN (ID 1):" name=dhcp_pool5 ranges=\
192.168.100.10-192.168.100.50
add comment="Smart Home Network:" name=dhcp_pool6 ranges=\
192.168.66.10-192.168.66.30
add comment="Guest Wifi:" name=dhcp_pool7 ranges=\
192.168.77.10-192.168.77.30
add comment="Internal Network:" name=dhcp_pool9 ranges=\
192.168.99.10-192.168.99.50
add comment="Business Network:" name=dhcp_pool10 ranges=\
192.168.88.10-192.168.88.50
/ip dhcp-server
add address-pool=dhcp_pool5 interface=VLAN1 lease-time=10h name=dhcp1
add address-pool=dhcp_pool6 disabled=no interface=VLAN66 lease-time=1w name=\
"dhcp2 (66)"
add address-pool=dhcp_pool7 disabled=no interface=VLAN77 lease-time=10h name=\
"dhcp3 (77)"
add address-pool=dhcp_pool9 disabled=no interface=VLAN99 lease-time=10h name=\
"dhcp5 (99)"
add address-pool=dhcp_pool10 disabled=no interface=VLAN88 lease-time=10h \
name="dhcp2 (88)"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge_VLAN100 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
interface=FrannyGastW pvid=77
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
interface=FrannyHOW pvid=88
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
interface=FrannyMainW pvid=99
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
interface=FrannyHomeW24 pvid=66
add bridge=bridge_VLAN100 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=66
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether3 vlan-ids=77
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5 vlan-ids=88
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5,ether3 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=bridge_VLAN100 list=LAN
add interface=VLAN88 list=LANfullWAN
add interface=VLAN99 list=LANfullWAN
add interface=VLAN66 list=LANlimWAN
add interface=VLAN77 list=LANlimWAN
add interface=VLAN66 list=LAN
add interface=VLAN77 list=LAN
add interface=VLAN88 list=LAN
add interface=VLAN99 list=LAN
add interface=PPPoE-Telekom list=WAN
add interface=VLAN1 list=LANfullWAN
add interface=VLAN1 list=LAN
/ip address
add address=192.168.99.1/24 interface=VLAN99 network=192.168.99.0
add address=192.168.66.1/24 interface=VLAN66 network=192.168.66.0
add address=192.168.88.1/24 interface=VLAN88 network=192.168.88.0
add address=192.168.77.1/24 interface=VLAN77 network=192.168.77.0
add address=192.168.100.1/24 disabled=yes interface=VLAN1 network=\
192.168.100.0
add address=192.168.99.100 interface=bridge_VLAN100 network=192.168.99.100
/ip dhcp-client
add !dhcp-options interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.100.1
add address=192.168.66.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.66.1 \
netmask=24
add address=192.168.77.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.77.1 \
netmask=24
add address=192.168.88.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.88.1 \
netmask=24
add address=192.168.99.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.99.1 \
netmask=24
/ip dns
set servers=9.9.9.9
/ip firewall address-list
add address=192.168.77.0/24 list="VLAN77 Guest Wifi"
add address=192.168.88.0/24 list="VLAN88 Business"
add address=192.168.99.0/24 list="VLAN99 Intern"
add address=192.168.66.0/24 list="VLAN66 Home"
add address=192.168.100.0/24 list="VLAN1 (addr. list)"
add address=192.168.7.0/24 list="Ether1 Routermodem IPs"
add address=192.168.100.1-192.168.77.255 disabled=yes list=limWAN
add address=192.168.88.1-192.168.99.255 disabled=yes list=fullWAN
/ip firewall filter
add action=accept chain=input comment="Management Port ether2 (input)" \
in-interface=ether2
add action=accept chain=input comment=\
"Management Port via VLAN99 (to Router / Gateway IP)" dst-address=\
192.168.99.1 dst-port=8291 in-interface=VLAN99 protocol=tcp
add action=drop chain=input comment=\
"drop WAN router config for non-VLAN99 (input)" dst-address-list=\
"Ether1 Routermodem IPs" in-interface=!VLAN99
add action=drop chain=forward comment=\
"drop WAN router config for non-VLAN99 (forward)" dst-address-list=\
"Ether1 Routermodem IPs" in-interface=!VLAN99
add action=accept chain=input comment=\
"defconf: accept established, related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=" allow VLAN66 to WAN traffic (UDP)" \
dst-port=53,25050 in-interface=VLAN66 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment=\
"allow VLAN66 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
in-interface=VLAN66 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
"allow VLAN88 to VLAN99 printer (TCP)" dst-address=192.168.99.193 \
protocol=tcp src-address-list="VLAN88 Business"
add action=accept chain=forward comment=\
"allow VLAN77 to VLAN99 printer (TCP)" disabled=yes dst-address=\
192.168.99.193 protocol=tcp src-address-list="VLAN77 Guest Wifi"
add action=accept chain=forward comment=\
"allow VLAN77 to VLAN99 printer (UDP)" disabled=yes dst-address=\
192.168.99.193 protocol=udp src-address-list="VLAN77 Guest Wifi" \
src-port=""
add action=accept chain=forward comment="Router NTP Service (TCP, test)" \
disabled=yes dst-port=123 in-interface=VLAN77 protocol=tcp
add action=accept chain=forward comment="Router NTP Service (TCP, test)" \
disabled=yes dst-address=192.168.99.1 dst-port=123 protocol=udp \
src-port=123
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment="Allow Admin Access" in-interface=\
VLAN99
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else (input)"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked (LANfullWAN)" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" \
in-interface-list=LANfullWAN out-interface-list=WAN
add action=accept chain=forward comment=\
"allow VLAN77 to WAN traffic (test, full)" disabled=yes in-interface=\
VLAN77 out-interface-list=WAN
add action=accept chain=forward comment=" allow VLAN77 to WAN traffic (UDP)" \
dst-port=53,123,25050 in-interface=VLAN77 out-interface-list=WAN \
protocol=udp
add action=accept chain=forward comment=\
"allow VLAN77 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
in-interface=VLAN77 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="allow Admin to all limited vlans" \
disabled=yes in-interface=VLAN99 out-interface-list=LANlimWAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else (forward)"
/ip firewall nat
add action=src-nat chain=srcnat comment=\
NTP-test disabled=yes \
protocol=udp src-port=123 to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-port=123 \
to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=\
192.168.88.1 src-port=123 to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=\
192.168.66.1 src-port=123 to-addresses=192.168.99.1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=FrannyHap
/system ntp client
set enabled=yes primary-ntp=141.2.22.74 secondary-ntp=134.176.2.5
/system ntp server
set enabled=yes
/system routerboard settings
set auto-upgrade=yes