Maybe this won't be like a big thing, but I have some doubts about my home network.
I bought a hAP (RB941-2nD) which I use as my main router. I have two more home routers from TP-Link (a TL-WR841N and an Archer C60), which are in AP mode. One router is for 2.4 GHz only and the other just for the 5 GHz band (I thought that having one device for each band was more reliable and optimal than having one device for both).
And that's it. At home we have around 5 phones, some on 2.4 GHz, others on 5 GHz, also 2 laptops, one on 5 GHz and the other on 2.4 GHz, plus my two work laptops, which are on 2.4 GHz.
Initially I wanted to do the following (all of this was before deciding to invest in MikroTik):
ether1 -> Internet
    Firewall (good rules to prevent hacking and stuff)
    Receive DHCP from ISP
    Ad blocking? It is a powerful enough device; it could be nice to have it there instead of having the clients do the blocking.
    Should I add an IP to have a connection to the modem's interface? It would be a 192.168.100.x network, that's my guess so far.
    Do traffic shaping? =D that would be awesome
ether2 -> to 2.4 AP
    vlan 24
    192.168.24.x / for a network of around 10 devices
    192.168.24.1/28 (DHCP from 1 to 10)
ether3 -> to NAS
    vlan 31
    192.168.31.x / for a network of around 1 device
    "aa", I have to choose, it would be for only 1 device anyway
    192.168.31.0/31 (0 to 1)
ether4 -> to 5.8 AP
    vlan 58
    192.168.58.x / for a network of around 10 devices
    192.168.58.1/28 (DHCP 1 to 15)
    1 week lifetime.
ether3 must be reachable by ether2 and ether4.
But now that I have the device, I was like... do I really want to do it like that? I mean, I'm no network guy, I'm just a power user (yes, from the 80's and 90's), and so far the network is fine, it's fast, I just added some rules for queue management, and that's all. The network is on 192.168.88.1/24, and so far the ad blocking is done by each device using the hosts file... I even downclocked the device a bit to avoid overheating... (I mean, it stays below 5% all day long, so you can figure out that a 100 Mbps internet connection doesn't stress it at all).
It is quite a good device; maybe I overdid it (I convinced my wife to buy it for me, hehe, and also the extra router/AP).
What do you think? Am I just overthinking it? Should I leave it as it is?
As for the config, I have the following:

Firewall
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP rate limited 30/s
chain=input action=drop protocol=icmp limit=30,30:packet dst-limit=30,30,dst-address/1m40s log=no log-prefix=""
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
6 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""
8 X ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
9 X ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat log-prefix=""
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

Mangle
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=postrouting action=mark-packet new-packet-mark=streaming passthrough=no connection-mark=streaming packet-mark=no-mark
4 chain=postrouting action=mark-packet new-packet-mark=misc-fast passthrough=no tcp-flags=ack protocol=tcp packet-mark=no-mark packet-size=40
5 chain=postrouting action=mark-packet new-packet-mark=misc-fast passthrough=no protocol=udp out-interface=ether1 packet-mark=no-mark dst-port=53
6 chain=postrouting action=mark-packet new-packet-mark=http passthrough=no connection-mark=http packet-mark=no-mark
7 ;;; Streaming
chain=postrouting action=mark-connection new-connection-mark=streaming connection-state=new protocol=tcp connection-mark=no-mark out-interface=ether1 dst-port=33001
8 ;;; Streaming
chain=postrouting action=mark-connection new-connection-mark=streaming connection-state=new protocol=udp connection-mark=no-mark out-interface=ether1 dst-port=33001
9 ;;; Web Browsing
chain=postrouting action=mark-connection new-connection-mark=http connection-state=new protocol=tcp connection-mark=no-mark out-interface=ether1 dst-port=80,443

Queue
Flags: X - disabled, I - invalid
0 name="queue1" parent=ether1 packet-mark="" limit-at=9700k queue=default priority=8 max-limit=9700k burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.1
1 name="prio5-streaming" parent=queue1 packet-mark=streaming limit-at=6200k queue=default priority=5 max-limit=6200k burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.1
2 name="prio8-untagged" parent=queue1 packet-mark=no-mark limit-at=100k queue=default priority=8 max-limit=9500k burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.1
3 name="prio2-misc-fast" parent=queue1 packet-mark=misc-fast limit-at=1G queue=default priority=2 max-limit=1G burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.1
4 name="prio6-http" parent=queue1 packet-mark=http limit-at=100k queue=default priority=6 max-limit=9100k burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.

I think the firewall could be optimized, but I'm not sure; I also have the feeling some rules are duplicated (I read about the order they have to be in, but I'm all confused). I don't know. What do you think?
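The per-port layout sketched in the post (ether2 -> 2.4 GHz AP, ether3 -> NAS, ether4 -> 5 GHz AP, with the NAS reachable from both Wi-Fi segments and nothing else crossing between them) can be expressed as one RouterOS v6.4x script on top of the default configuration. This is an added example, not the original poster's configuration and not a MikroTik-supplied script. It assumes: the TP-Link units in AP mode send untagged frames, so each port becomes its own untagged layer-3 segment and the VLAN numbers from the plan survive only in names and comments; the NAS segment uses a /30 with the NAS statically set to 192.168.31.2, so there is a host address beside the gateway; and the modem's management network is 192.168.100.0/24 as the post guesses. The interface list names LAN and WAN and the "defconf:" rule comments are the ones the default configuration creates and that appear in the firewall listing above.

```routeros
# Added example (not from the original post): per-port segments for ether2/ether3/ether4
# on RouterOS v6.4x, layered on the default configuration.
# Assumptions: APs send untagged frames; NAS static at 192.168.31.2; modem at 192.168.100.1.

# 1. Take the three ports out of the default bridge so each one is its own L3 segment
/interface bridge port remove [find interface=ether2]
/interface bridge port remove [find interface=ether3]
/interface bridge port remove [find interface=ether4]

# 2. Keep them in the LAN list. The defconf input rule "drop all not coming from LAN"
#    matches on this list; without these entries the router would silently refuse
#    DHCP, DNS and WinBox requests arriving from the new segments.
/interface list member add list=LAN interface=ether2 comment="seg24 (2.4 GHz AP)"
/interface list member add list=LAN interface=ether3 comment="seg31 (NAS)"
/interface list member add list=LAN interface=ether4 comment="seg58 (5 GHz AP)"

# 3. Addressing. A /28 has 14 usable hosts: .1 is the gateway, .2-.14 are handed out.
/ip address add address=192.168.24.1/28 interface=ether2 comment="seg24"
/ip address add address=192.168.31.1/30 interface=ether3 comment="seg31, NAS static at .2"
/ip address add address=192.168.58.1/28 interface=ether4 comment="seg58"

/ip pool add name=pool24 ranges=192.168.24.2-192.168.24.14
/ip pool add name=pool58 ranges=192.168.58.2-192.168.58.14

/ip dhcp-server network add address=192.168.24.0/28 gateway=192.168.24.1 dns-server=192.168.24.1
/ip dhcp-server network add address=192.168.58.0/28 gateway=192.168.58.1 dns-server=192.168.58.1
# one-week leases, as in the plan
/ip dhcp-server add name=dhcp24 interface=ether2 address-pool=pool24 lease-time=1w disabled=no
/ip dhcp-server add name=dhcp58 interface=ether4 address-pool=pool58 lease-time=1w disabled=no

# 4. Second address on ether1 so the modem's own web interface is reachable.
#    The defconf srcnat masquerade on the WAN list already covers traffic leaving ether1.
/ip address add address=192.168.100.2/24 interface=ether1 comment="modem management (assumed subnet)"

# 5. Inter-segment policy. Rules are inserted, in this order, just before the defconf
#    "drop all from WAN not DSTNATed" rule, using its comment rather than a rule number.
#    fasttrack/established-accept run earlier, so only new connections reach these rules.
/ip firewall filter add chain=forward action=accept in-interface=ether2 out-interface=ether3 \
    comment="seg24 -> NAS" place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
/ip firewall filter add chain=forward action=accept in-interface=ether4 out-interface=ether3 \
    comment="seg58 -> NAS" place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
/ip firewall filter add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN -> internet" place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
# Everything else between local segments (including NAS -> Wi-Fi and Wi-Fi <-> Wi-Fi) is dropped.
/ip firewall filter add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    connection-state=new comment="drop other LAN -> LAN" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

Two things to check after pasting this into a terminal: `/ip firewall filter print` should show the three accepts followed by the LAN -> LAN drop immediately above the defconf "drop all from WAN not DSTNATed" rule (each `place-before` inserts directly in front of that rule, so the last one added sits closest to it), and a client on ether2 should be able to open the NAS at 192.168.31.2 while the NAS cannot initiate a connection back to 192.168.24.x. If an AP can actually tag, the same plan would instead use `/interface vlan add name=vlan24 vlan-id=24 interface=ether2` and put the address and DHCP server on vlan24; with untagged consumer APs, as assumed here, tagging buys nothing because the port itself is the segment boundary.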