(1) You are missing the POOL, address, DHCP etc, for the BASE vlan.
Added with the following block as outlined in the referenced article's example:
# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
(2) If ether2-5 are the same VLAN, why does ether2 not have the other settings for VLAN filtering, tagged frames only?
It was commented out in my script while trying things. The following should resolve this, correct?
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
Should these ports have a pvid assigned? Should it just be the base_vlan of 99?
(3) On bridge port settings: if ether6 is going to an unmanaged switch, why does it have tagged frames? It should be untagged or priority frames, with the PVID for the appropriate VLAN to the unmanaged switch.
(4) On the VLAN settings side, same deal for ether6? It should be untagged for the applicable VLAN ID.
I believe the following line will add the tagging, but I'm a little confused on the tagged/untagged.
add bridge=BR1 interface=ether6 pvid=60
Something like this?
add bridge=BR1 untagged=ether6 vlan-ids=60
(5) You seem to have many VLANs set up but not yet made. If all the tagged ports are the same, one can group vlan-ids, so all of that could be put on ONE line.
I believe the following is what you're suggesting; if so, yes, that seems cleaner. I omitted ether6 from the list; would 2-5 also be omitted, or do they get moved to untagged? Also, I wasn't entirely certain if 60 is needed in the list of IDs.
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether7,ether8,ether9,ether10 vlan-ids=10,20,30,99
(6) Input chain FW rules. The second "allow base VLAN" is redundant, as you have already done that with "Allow VLAN".
Light bulb on?
The point is only the admin should have access, and everyone else just needs necessary services such as DNS.
So see the improvement below, which includes dropping invalid traffic and all other traffic at the end of the input chain.
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=BASE src-address-list=adminaccess ***
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all else" { only add this AFTER you have the allow admin rule setup! }
*** So now only those with access to the BASE VLAN can access the router itself for config purposes; the source address is optional.
I used to only allow certain IP addresses access (admin desktop, admin laptop, smartphone, etc.). However, I don't have a separate BASE VLAN, and that may be good enough for you.
++++++++++++++++++++++++++++++++++++++++
(7) Forward chain FW rules. Also incomplete, and I assume you are not doing any port forwarding based on the config thus far, and no VPN...
See below for a better config, more complete and safer.
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
TO
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
Easy enough change.
(8) Note for MAC server ---> winmac Server: make sure you select interface BASE.
Would this be to the list or the interface BASE_VLAN?
Thank you very much for working with me on this, I truly appreciate the help.
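Added example, not code from the forum post or from MikroTik: a small Python checker for the two input-chain problems raised in point (6), an accept rule fully shadowed by an earlier broader accept (the redundant "Allow Base_Vlan Full Access" rule behind "Allow VLAN"), and a "drop all else" in the input chain with no admin accept rule in front of it, which is the lock-out the reviewer warns about. It parses RouterOS `/ip firewall filter` export lines, including the backslash continuations shown above. The interface-list membership (`SAMPLE_LISTS`, `ADMIN_IFACES`) is an assumption: it takes BASE_VLAN to be a member of the VLAN interface list, which is what makes the second rule redundant; the VLAN10/20/30 member names are constructed.

```python
"""Lint a RouterOS '/ip firewall filter' export for rule-ordering problems."""
import re
from dataclasses import dataclass

NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "place-before"}
TERMINATING = {"accept", "drop", "reject"}
# An accept rule counts as "admin access" only if it matches on nothing but interface/source.
ADMIN_RULE_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed interface-list membership (assumption: BASE_VLAN is in the VLAN list).
SAMPLE_LISTS = {"VLAN": {"BASE_VLAN", "VLAN10", "VLAN20", "VLAN30"}, "BASE": {"BASE_VLAN"}}
ADMIN_IFACES = {"BASE_VLAN"}

# Constructed samples modelled on the two input chains quoted in the post.
SAMPLE_ORIGINAL_INPUT = r"""
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
"""
SAMPLE_IMPROVED_INPUT = r"""
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=BASE src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all else"
"""


@dataclass
class Rule:
    index: int
    action: str
    chain: str
    comment: str
    matchers: dict


def _join_continuations(text):
    """Merge lines that end in a backslash, the way RouterOS exports wrap them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_filter_export(text):
    """Turn 'add ...' export lines into Rule objects; other lines are ignored."""
    rules = []
    for line in _join_continuations(text):
        if not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
        matchers = {k: v for k, v in kv.items() if k not in NON_MATCH_KEYS}
        rules.append(Rule(len(rules), kv.get("action", ""), kv.get("chain", ""), kv.get("comment", ""), matchers))
    return rules


def _ifaces(rule, lists):
    """Ingress interfaces a rule matches, or None if it does not match on ingress at all."""
    if "in-interface" in rule.matchers:
        return {rule.matchers["in-interface"]}
    if "in-interface-list" in rule.matchers:
        name = rule.matchers["in-interface-list"]
        return set(lists.get(name, {"list:" + name}))  # unknown list: only equal to itself
    return None


def _covers(earlier, later, lists):
    """True if every packet 'later' could match is already matched by 'earlier'."""
    e_if, l_if = _ifaces(earlier, lists), _ifaces(later, lists)
    if e_if is not None and (l_if is None or not l_if <= e_if):
        return False
    return all(later.matchers.get(k) == v for k, v in earlier.matchers.items()
               if k not in ("in-interface", "in-interface-list"))


def find_shadowed(rules, lists):
    """Report rules that can never fire because an earlier terminating rule covers them."""
    findings = []
    for later in rules:
        for earlier in rules[:later.index]:
            if earlier.chain == later.chain and earlier.action in TERMINATING and _covers(earlier, later, lists):
                findings.append(f"rule {later.index} ({later.comment!r}) is shadowed by rule {earlier.index} ({earlier.comment!r})")
                break
    return findings


def check_input_lockout(rules, admin_ifaces, lists):
    """Flag an input-chain catch-all drop that has no admin accept rule ahead of it."""
    findings = []
    for rule in rules:
        if rule.chain != "input" or rule.action != "drop" or rule.matchers:
            continue
        admitted = any(r.chain == "input" and r.action == "accept" and r.index < rule.index
                       and set(r.matchers) <= ADMIN_RULE_KEYS
                       and (_ifaces(r, lists) or set()) & admin_ifaces for r in rules)
        if not admitted:
            findings.append(f"rule {rule.index} ({rule.comment!r}) drops all input with no earlier admin accept (lock-out)")
    return findings


def lint(text, lists, admin_ifaces):
    rules = parse_filter_export(text)
    return find_shadowed(rules, lists) + check_input_lockout(rules, admin_ifaces, lists)


if __name__ == "__main__":
    for name, text in (("original", SAMPLE_ORIGINAL_INPUT), ("improved", SAMPLE_IMPROVED_INPUT)):
        print(name, lint(text, SAMPLE_LISTS, ADMIN_IFACES) or "no findings")
```

Run against the original chain it reports the "Allow Base_Vlan Full Access" rule as shadowed by "Allow VLAN"; against the improved chain it reports nothing, and if the "Allow ADMIN to Router" line is removed it flags "drop all else" as a lock-out, which is exactly why that rule must exist before the catch-all drop is added.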