I am new to physical network engineering and am currently setting up a private IoT hub. I used an interesting conversation on the MikroTik forum as a reference to get started with setting up my hEXs. I am using it as a gateway/router/firewall together with an L2 managed JetStream switch from TP-Link. I have a 16 GB microSD card in the hEXs holding additional packages and the router configuration script.
Currently I have configured all the DHCP servers on the L2 switch except NetAdmin (192.168.30.0/24). I can only reach the Internet when I am on VLAN 30, whether physically connected to the hEXs or to the L2 switch.
Problems:
I am unable to get the other VLANs on the switch to reach the Internet.
I am unsure how to set up inter-VLAN routing so that PXE and Storage are visible to all local network devices.
I am unsure about the firewall rules needed so that PXE and Storage are not directly accessible from the Internet.
I would appreciate any guidance or hints on the implementation and its impediments.
Network diagram:
Configuration script:
###############################################################################
#Script: RouterBOARD configuration script
#RouterOS: 6.47.8
#Date: Apr 03, 2021
#Notes: Start with a reset (/system reset-configuration)
###############################################################################
#Setup VLANs - every VLAN interface sits on the single defconf bridge;
#vlan-filtering on that bridge is switched on further down in the script
/interface vlan
add name=VLAN10-Guest vlan-id=10 interface=bridge
add name=VLAN11-Storage vlan-id=11 interface=bridge
add name=VLAN12-AuthNBoot vlan-id=12 interface=bridge
add name=VLAN13-DevAdmin vlan-id=13 interface=bridge
add name=VLAN14-PXE vlan-id=14 interface=bridge
add name=VLAN20-IoT-Devices vlan-id=20 interface=bridge
add name=VLAN30-NetAdmin vlan-id=30 interface=bridge
add name=VLAN101-MySpace vlan-id=101 interface=bridge
add name=VLAN201-DevOps vlan-id=201 interface=bridge
#Interface lists: LAN and WAN already exist from defconf, VLAN and MGMT are created here
/interface list
add name=VLAN
add name=MGMT
/interface list member
#add to the existing LAN list so we maintain access to router
add list=LAN interface=VLAN10-Guest
add list=LAN interface=VLAN11-Storage
add list=LAN interface=VLAN12-AuthNBoot
add list=LAN interface=VLAN13-DevAdmin
add list=LAN interface=VLAN14-PXE
add list=LAN interface=VLAN20-IoT-Devices
add list=LAN interface=VLAN30-NetAdmin
add list=LAN interface=VLAN101-MySpace
add list=LAN interface=VLAN201-DevOps
#this is our new list: every VLAN, matched by the firewall for DHCP/DNS/ping and Internet access
add list=VLAN interface=VLAN10-Guest
add list=VLAN interface=VLAN11-Storage
add list=VLAN interface=VLAN12-AuthNBoot
add list=VLAN interface=VLAN13-DevAdmin
add list=VLAN interface=VLAN14-PXE
add list=VLAN interface=VLAN20-IoT-Devices
add list=VLAN interface=VLAN30-NetAdmin
add list=VLAN interface=VLAN101-MySpace
add list=VLAN interface=VLAN201-DevOps
#Management list: only the NetAdmin VLAN may reach router services
add list=MGMT interface=VLAN30-NetAdmin
#IP Setup
#NOTE(review): only VLAN30-NetAdmin receives an address and DHCP server here. The router can
#only route (and NAT to the Internet) for a VLAN whose interface carries an IP address, so the
#other VLAN interfaces need their own /ip address entries (subnets of your choosing) before the
#"VLAN Internet Access Only" forward rule can do anything for them - even when the L2 switch
#hands out the leases.
/ip pool add name=NetAdmin_POOL ranges=192.168.30.2-192.168.30.254
/ip address add interface=VLAN30-NetAdmin address=192.168.30.1/24
/ip dhcp-server network
set [find comment=defconf] comment=main-dhcp-network
add comment="NetAdmin-dhcp-network" gateway=192.168.30.1 address=192.168.30.0/24
/ip dhcp-server add name=NetAdmin-dhcp-network interface=VLAN30-NetAdmin address-pool=NetAdmin_POOL disabled=no
#DNS: point the defconf router.lan entry at the NetAdmin gateway, resolve via Cloudflare and Google
/ip dns static set [find name=router.lan] address=192.168.30.1
/ip dns set servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
#Ignore the DNS servers the ISP pushes over DHCP on ether1
/ip dhcp-client set [find interface=ether1] use-peer-dns=no
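#Ingress Behavior
#One "set" per port. Each "set" overwrites the previous one on the same port, so the original
#stacked pvid lines on ether2/ether3 only ever kept their last value. ether2/ether3 are tagged
#trunks (pvid is irrelevant for a port that admits only tagged frames); ether4/ether5/sfp1 are
#untagged NetAdmin access ports.
/interface bridge port
#ether2: trunk carrying Guest (10) and IoT (20)
set [find where interface=ether2] ingress-filtering=yes frame-types=admit-only-vlan-tagged
#ether3: trunk carrying the backend (11,12,13,14) and front-end (101,201) clusters
set [find where interface=ether3] ingress-filtering=yes frame-types=admit-only-vlan-tagged
#Management access ports: untagged frames land in VLAN 30 (NetAdmin).
#The original used [find bridge=bridge], which rewrote EVERY bridge port - including the two
#trunks above - into an untagged VLAN 30 access port; that is the likely reason only VLAN 30
#worked. A port has exactly one pvid, so VLAN 13 cannot also be the untagged VLAN here;
#carry it tagged on these ports if it is needed.
set [find where interface=ether4] pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find where interface=ether5] pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find where interface=sfp1] pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged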
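#Egress Behaviour
/interface bridge vlan
#ether4/ether5/sfp1 are untagged NetAdmin access ports. A port is untagged in the single VLAN
#its pvid names, so VLAN 13 is no longer listed as untagged on them as well.
add bridge=bridge tagged=bridge untagged=ether4,ether5,sfp1 vlan-ids=30 comment="NetAdmin VLAN"
#VLAN 13 belongs to the backend cluster trunk on ether3, matching the ingress setup
add bridge=bridge tagged=bridge,ether3 vlan-ids=13 comment="DevAdmin VLAN"
#ether2 trunk - comments now agree with the vlan-ids (10 = Guest, 20 = IoT; they were swapped)
add bridge=bridge tagged=bridge,ether2 vlan-ids=10 comment="Guest VLAN"
add bridge=bridge tagged=bridge,ether2 vlan-ids=20 comment="IoT-Devices VLAN"
#ether3 trunk
add bridge=bridge tagged=bridge,ether3 vlan-ids=11 comment="Storage VLAN"
add bridge=bridge tagged=bridge,ether3 vlan-ids=12 comment="AuthNBoot VLAN"
add bridge=bridge tagged=bridge,ether3 vlan-ids=14 comment="PXE VLAN"
add bridge=bridge tagged=bridge,ether3 vlan-ids=101 comment="MySpace VLAN"
add bridge=bridge tagged=bridge,ether3 vlan-ids=201 comment="DevOps VLAN"
#enable vlan filtering - only after the port and VLAN tables above are complete, otherwise
#management access to the router can be lost
/interface bridge
set [find name="bridge"] vlan-filtering=yes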
#remove default ip addressing
#The defconf DHCP server is removed before the pool it references, and the 192.168.88.1
#bridge address goes last - by this point 192.168.30.1/24 already exists on VLAN30-NetAdmin,
#so management access continues on the new subnet.
/ip dhcp-server
remove [find name=defconf]
/ip dhcp-server network
remove [find gateway=192.168.88.1]
/ip pool
remove [find name=default-dhcp]
/ip address
remove [find interface=bridge]
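#Clear and re-set the firewall for ease of ordering (dynamic passthrough rules are kept)
/ip firewall filter
remove [find action!="passthrough"]
/ip firewall filter
#Input Chain - traffic addressed to the router itself
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
#Only the NetAdmin VLAN (MGMT list) may reach router services such as ssh/winbox/www-ssl
add chain=input action=accept in-interface-list=MGMT comment="Allow NetAdmin-vlan MGMT access to all router services"
#Every other VLAN only gets DHCP, DNS and ping from the router
add chain=input action=accept in-interface-list=VLAN dst-port=67 protocol=udp comment="Allow VLAN DHCP"
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=udp comment="Allow VLAN DNS UDP"
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=tcp comment="Allow VLAN DNS TCP"
add chain=input action=accept in-interface-list=VLAN protocol=icmp comment="Allow VLAN ICMP Ping"
#Default deny: everything else, including anything arriving on WAN, is dropped
add chain=input action=drop comment="Drop all other traffic"
#Forward Chain - traffic routed through the router
add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
#Every VLAN may open new connections towards the Internet (the WAN list comes from defconf).
#This only takes effect for VLANs whose interface has an IP address on the router.
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access Only"
#Inter-VLAN: the only VLAN-to-VLAN traffic allowed is towards the Storage and PXE VLANs
#(replies return via established/related). Narrow in-interface-list if, for example,
#VLAN10-Guest should not be able to reach these services.
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface=VLAN11-Storage comment="Local VLANs to Storage"
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface=VLAN14-PXE comment="Local VLANs to PXE"
#Storage/PXE stay unreachable from the Internet: no accept above matches new connections from
#WAN and the dstnat rule is disabled. If it is ever enabled, pin it with dst-address/dst-port
#to the single host and service that must be published.
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface-list=WAN disabled=yes comment="Allow Port Forwarding - DSTNAT - enable if need server"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"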
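#Security
#Disable all the configuration methods except ssh, www-ssl and winbox
/ip service enable ssh,www-ssl,winbox
/ip service disable telnet,ftp,www,api,api-ssl
#Defense in depth: additionally bind the remaining services to the NetAdmin subnet, so they
#stay unreachable from other VLANs even if the input-chain MGMT rule is loosened later
/ip service set ssh address=192.168.30.0/24
/ip service set www-ssl address=192.168.30.0/24
/ip service set winbox address=192.168.30.0/24
#Ensure only winbox MAC Address based access from MGMT aka NetAdmin-vlan
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
#Disable unused wireless related packages
/system package
disable hotspot
disable wireless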
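#create a self signed cert for www-ssl
/certificate
#Local CA: used only to issue the web UI certificate below
add name=local-cert common-name=local-cert key-usage=key-cert-sign,crl-sign
sign local-cert
#Server certificate for www-ssl, issued by the local CA (the original signed it with itself,
#leaving local-cert unused). The IP subject-alt-name is what browsers check for an
#IP-address URL; the key-usage marks it as a TLS server certificate.
add name=webfig common-name=192.168.30.1 subject-alt-name=IP:192.168.30.1 key-usage=digital-signature,key-encipherment,tls-server
sign webfig ca=local-cert
/ip service
set www-ssl certificate=webfig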
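#Allow viewing resource and usage graphs from the NetAdmin VLAN only, for each main interface
/tool graphing resource
add allow-address=192.168.30.0/24
/tool graphing interface
add allow-address=192.168.30.0/24 interface=ether1
add allow-address=192.168.30.0/24 interface=VLAN10-Guest
add allow-address=192.168.30.0/24 interface=VLAN20-IoT-Devices
add allow-address=192.168.30.0/24 interface=VLAN30-NetAdmin
add allow-address=192.168.30.0/24 interface=VLAN11-Storage
add allow-address=192.168.30.0/24 interface=VLAN12-AuthNBoot
add allow-address=192.168.30.0/24 interface=VLAN13-DevAdmin
#interface name fixed: the PXE VLAN is VLAN14-PXE (the original referenced VLAN13-PXE, which does not exist)
add allow-address=192.168.30.0/24 interface=VLAN14-PXE
add allow-address=192.168.30.0/24 interface=VLAN101-MySpace
add allow-address=192.168.30.0/24 interface=VLAN201-DevOps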
#Setup a new administrative account
#Replace USERNAME/PASSWORD before running. The built-in admin account is removed straight
#after, so a failed "add" (e.g. a typo here) would leave no full-rights login; the MGMT
#input rule in the firewall already limits logins to the NetAdmin VLAN.
/user add name=USERNAME password=PASSWORD group=full
/user remove admin
#Dude server - only meaningful if the dude package is installed on this router
/dude set enabled=yes
#create download and update script
#NOTE(review): "/system upgrade refresh/download" works from a configured
#upgrade-package-source (another router); none is defined in this script, so it is unclear
#that this fetches anything - "/system package update" is the menu that talks to MikroTik's
#servers. The bare "y" and "/" lines look like interactive confirmations, which a stored
#script does not get to answer. Verify on a manual run before trusting the schedule.
/system script add name=DownloadAndUpdate source="/system upgrade\r\
\nrefresh\r\
\n:delay 20\r\
\ndownload 0\r\
\n/\r\
\n/system reboot \r\
\n:delay 60\r\
\ny\r\
\n/"
#schedule script to run every 2 days
#NOTE(review): the scheduler policy (ftp, policy, password, sniff, sensitive, ...) is far
#broader than a download-and-reboot needs; trim it - together with the script's own policy -
#to the minimum that still lets the job run. An unattended reboot every two days at 02:45
#is also an availability decision worth stating explicitly.
/system scheduler
add interval=2d name=Upgrade_Router on-event="run DownloadAndUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=apr/05/2021 start-time=02:45:00
#all done reboot to confirm
/system reboot
#/system backup save name=MyConfig