I need advice regarding my network. I am trying to set up VLANs following this guide:
https://wiki.mikrotik.com/wiki/Manual:C ... s_switches but once I enter the pvid for the specific bridge port the device stops responding.
I have this topology on my CRS328-24P:
eth1 - wan in modem
eth2 - cAP - 3 networks, private (family), guest (visitors) and iot (iot devices)
eth3 - powerbox pro - goes outside property, bridge mode, powering 2x poe cams
eth4-14 - some home devices pc laptop, nas etc...
eth16-24 - hikvision poe cams
I am first trying to get the PoE cams onto one VLAN, and will then continue with the IoT, guest and private networks.
Currently the cams, IoT and guest devices are split only by subnet (the DHCP server hands out static leases), so they can still access the other networks too.
Why does my VLAN config not work? Thanks.
# jan/06/2002 08:33:40 by RouterOS 6.48.3
# model = CRS328-24P-4S+
# One bridge carries every port. vlan-filtering=yes is already on, so the
# bridge VLAN table ("/interface bridge vlan") decides which ports, and
# whether the bridge/CPU itself, belong to each VLAN.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge vlan-filtering=yes
# Rename the WAN and AP ports and switch PoE output off on the WAN port.
# All four SFP+ ports are disabled.
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - wan in" poe-out=off
set [ find default-name=ether2 ] name="ether2 - ap"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
# NOTE(review): the PPPoE client is bound to the bridge, and the WAN port is
# a member of that same bridge (see "/interface bridge port"), so the modem
# side and the LAN share one layer-2 domain. Running PPPoE on a WAN port that
# is not bridged keeps LAN broadcast traffic off the modem link and gives the
# firewall a clean WAN/LAN boundary.
/interface pppoe-client
add add-default-route=yes disabled=no interface=bridge name=pppoe-out1 user=\
xxxxxxxx
# Static server-side interface bound to PPTP user "user1".
/interface pptp-server
add name=pptp-user1 user=user1
# CAPsMAN-managed radios: two master interfaces (2.4G, 5G) and two virtual
# APs (iot, iot_link) that use 2.4G as their master. Every one of them puts
# its clients on "bridge".
# NOTE(review): both master radios broadcast SSID "guest" and have no
# datapath.vlan-id, so their clients arrive untagged on the bridge, in the
# same segment as the wired ports that keep the default pvid.
# NOTE(review): wpa-psk (WPA1) is still accepted next to wpa2-psk on three of
# the four interfaces; wpa2-psk alone is the usual choice unless a legacy
# client needs WPA1.
/caps-man interface
add configuration.mode=ap configuration.ssid=guest datapath.bridge=bridge \
disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=\
none name=2.4G radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxxxxxx \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm
add configuration.mode=ap configuration.ssid=guest datapath.bridge=bridge \
disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=\
none name=5G radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxxxxxx \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm
# NOTE(review): this is the only SSID with a datapath.vlan-id (30), but no
# datapath.vlan-mode is set here, and VLAN 30 has no "/interface vlan" or
# "/interface bridge vlan" entry in this export. As far as I know the tag is
# only applied with vlan-mode=use-tag; confirm, and decide whether IoT is
# meant to be VLAN 30 or one of the VLAN100x interfaces.
add configuration.mode=ap configuration.ssid=iot datapath.bridge=bridge \
datapath.vlan-id=30 disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx \
master-interface=2.4G name=iot radio-mac=00:00:00:00:00:00 radio-name="" \
security.authentication-types=wpa2-psk security.encryption=aes-ccm
# Second virtual AP on the 2.4G radio; no VLAN ID, so it is untagged on the
# bridge like the "guest" SSID.
add configuration.mode=ap configuration.ssid=iot_link datapath.bridge=bridge \
disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=\
2.4G name=iot_link radio-mac=00:00:00:00:00:00 radio-name=xxxxxxxxxxxx \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm
# Layer-3 VLAN interfaces on top of the bridge: management (99) and three
# numbered VLANs (1001-1003). With bridge VLAN filtering enabled, each of
# these only sees traffic if the bridge itself is a tagged member of that
# VLAN ID in "/interface bridge vlan"; in this export that is true for VLAN
# 99 only.
/interface vlan
add interface=bridge name=MGMT vlan-id=99
add interface=bridge name=VLAN1001 vlan-id=1001
add interface=bridge name=VLAN1002 vlan-id=1002
add interface=bridge name=VLAN1003 vlan-id=1003
# Datapath profile that blocks client-to-client forwarding.
# NOTE(review): none of the "/caps-man interface" entries in this export
# reference datapath1 (they set datapath.bridge inline), so wireless client
# isolation is presumably not in effect. Confirm.
/caps-man datapath
add bridge=bridge client-to-client-forwarding=no name=datapath1
# Interface lists used by NAT (and available to firewall rules).
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools: the untagged LAN, PPTP clients, and one pool per numbered
# VLAN.
# NOTE(review): PPTP-Pool (192.168.99.10-200) lies inside the subnet assigned
# to the MGMT VLAN interface (192.168.99.1/24), so VPN clients receive
# management-subnet addresses. Confirm this is intended.
/ip pool
add name=dhcp ranges=10.10.10.20-10.10.10.100
add name=PPTP-Pool ranges=192.168.99.10-192.168.99.200
add name=VLAN1001_pool ranges=192.168.1.100-192.168.1.200
add name=VLAN1002_pool ranges=192.168.2.100-192.168.2.200
add name=VLAN1003_pool ranges=192.168.3.100-192.168.3.200
# dhcp1 serves the untagged bridge; each VLAN interface has its own server.
# The VLAN servers can only answer once their VLAN reaches the bridge/CPU.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=2d name=dhcp1
add address-pool=VLAN1001_pool disabled=no interface=VLAN1001 name=\
VLAN1001_DHCP
add address-pool=VLAN1002_pool disabled=no interface=VLAN1002 name=\
VLAN1002_DHCP
add address-pool=VLAN1003_pool disabled=no interface=VLAN1003 name=\
VLAN1003_DHCP
# Profile for PPTP sessions: one session per user, encryption requested.
# NOTE(review): local-address and remote-address both draw from PPTP-Pool.
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=PPTP-Pool \
name=PPTP-Profile only-one=yes remote-address=PPTP-Pool use-encryption=\
yes
# NOTE(review): the CAPsMAN manager is enabled with no certificate settings
# and no "/caps-man manager interface" restriction visible here, and the
# provisioning rule below has no radio-mac filter, so presumably any CAP that
# can reach the manager gets provisioned. Consider require-peer-certificate
# and limiting the interfaces the manager listens on.
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled
# Every copper port is a member of the one bridge.
# NOTE(review): the WAN port is bridged together with the LAN ports. Keeping
# it out of the bridge separates the modem link from the internal segment.
/interface bridge port
add bridge=bridge interface="ether1 - wan in"
# ether2 (AP) through ether15 keep the default pvid, so untagged traffic on
# them stays in the default VLAN together with the bridge address.
add bridge=bridge interface="ether2 - ap"
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
# Camera access ports: untagged frames are placed in VLAN 1003.
# NOTE(review): no frame-types or ingress-filtering is set on these ports.
# For access ports, frame-types=admit-only-untagged-and-priority-tagged with
# ingress-filtering=yes stops a device from sending its own VLAN tags.
# NOTE(review): the router's LAN address sits on the untagged bridge, so a PC
# plugged into a port whose pvid is changed can no longer reach it. This is
# presumably the "device stops responding" symptom. Make changes from a port
# that keeps its pvid, or over the MGMT VLAN.
add bridge=bridge interface=ether16 pvid=1003
add bridge=bridge interface=ether17 pvid=1003
add bridge=bridge interface=ether18 pvid=1003
add bridge=bridge interface=ether19 pvid=1003
add bridge=bridge interface=ether20 pvid=1003
add bridge=bridge interface=ether21 pvid=1003
add bridge=bridge interface=ether22 pvid=1003
add bridge=bridge interface=ether23 pvid=1003
add bridge=bridge interface=ether24 pvid=1003
# NOTE(review): "!dynamic" runs neighbor discovery on every static interface,
# including the WAN-facing port. Restricting it to the LAN interface list
# avoids announcing the device towards the modem.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Bridge VLAN table. Only VLAN 99 is defined (tagged on the bridge/CPU,
# ether3 and ether11).
# NOTE(review): there is no entry that makes the bridge a tagged member of
# VLAN 1003 (or 1001/1002), so the VLAN1003 interface, its DHCP server and
# its gateway address are not reachable from the camera ports. An entry such
# as "add bridge=bridge tagged=bridge vlan-ids=1003" is likely what is
# missing. Trunk ports towards the AP or the PowerBox would also need to be
# tagged members of the VLANs they carry.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether11 vlan-ids=99
# WAN = the PPPoE session, LAN = the bridge.
# NOTE(review): the VLAN interfaces (MGMT, VLAN1001-1003) are in neither
# list, so rules written against the LAN list will not match their traffic.
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
# NOTE(review): PPTP with CHAP / MS-CHAPv1 / MS-CHAPv2 is considered
# cryptographically weak, and mschap1 and chap are the weakest of the three.
# Prefer L2TP/IPsec or IKEv2 (WireGuard on RouterOS 7). If PPTP must stay
# for now, allow mschap2 only and restrict who may reach TCP 1723.
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=PPTP-Profile enabled=yes
# Router addresses: 10.10.10.1 on the untagged bridge, two further subnets on
# the AP port, and one gateway address per VLAN interface.
# NOTE(review): "ether2 - ap" is a bridge port; addresses on a bridged port
# normally belong on the bridge (or on a VLAN interface) instead. As
# configured, 10.0.2.0/24 and 10.0.3.0/24 share the untagged segment with
# 10.10.10.0/24 and are separated by addressing only.
/ip address
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.0.2.1/24 interface="ether2 - ap" network=10.0.2.0
add address=10.0.3.1/24 interface="ether2 - ap" network=10.0.3.0
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.1.1/24 interface=VLAN1001 network=192.168.1.0
add address=192.168.2.1/24 interface=VLAN1002 network=192.168.2.0
add address=192.168.3.1/24 interface=VLAN1003 network=192.168.3.0
# MikroTik cloud DDNS is enabled.
/ip cloud
set ddns-enabled=yes
# Static leases for four cameras (10.0.2.x) and four IoT devices (10.0.3.x),
# all bound to dhcp1, the server on the untagged bridge.
# NOTE(review): a static lease only assigns an address and does not isolate
# anything. A device on this segment can configure an address from another
# subnet itself, so separation has to come from VLANs plus firewall rules.
# NOTE(review): once the camera ports are in VLAN 1003, the cameras will be
# served by VLAN1003_DHCP (192.168.3.0/24). These leases and any dst-nat
# rules pointing at 10.0.2.x will then need updating.
/ip dhcp-server lease
add address=10.0.2.11 comment=poe_cam1 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.2.12 comment=poe_cam2 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.2.13 comment=poe_cam3 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.2.14 comment=poe_cam4 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.3.11 comment=iot1 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.3.12 comment=iot2 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.3.13 comment=iot3 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=10.0.3.14 comment=iot4 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
# Per-subnet DHCP options: every network hands out 9.9.9.9 as its resolver
# and the router's address in that subnet as its gateway.
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=9.9.9.9 gateway=10.0.2.1 netmask=24
add address=10.0.3.0/24 dns-server=9.9.9.9 gateway=10.0.3.1 netmask=24
add address=10.10.10.0/24 dns-server=9.9.9.9 gateway=10.10.10.1 netmask=24
add address=192.168.1.0/24 dns-server=9.9.9.9 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=9.9.9.9 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=9.9.9.9 gateway=192.168.3.1
# Upstream resolver used by the router itself.
/ip dns
set servers=9.9.9.9
# Filter rules in the visible part of this export: fasttrack and accept for
# established/related forward traffic, plus an accept for PPTP on input.
# NOTE(review): there is no drop rule in either chain, so the default accept
# applies. The router routes freely between every subnet and VLAN, which is
# why cameras, IoT and guests can still reach the other networks, and
# connections from the WAN side to the router itself are not filtered. VLANs
# only separate layer 2; isolation needs forward-chain drop rules between the
# networks and an input chain that ends in a drop for anything not
# explicitly allowed.
# NOTE(review): if a final input drop is added, PPTP also needs GRE
# permitted, not just TCP 1723.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# NOTE(review): this second masquerade has no out-interface, so every routed
# connection is source-NATed, including traffic between internal subnets.
# That hides the real client address from the cameras' logs and from any
# source-based firewall rule. It looks unintended.
add action=masquerade chain=srcnat
# NOTE(review): these dst-nat rules have no in-interface-list, dst-address or
# source restriction, so they match any packet to that port crossing the
# router and publish each camera's TCP 8000 service to the internet.
# Reaching the cameras over the VPN, or at least limiting the rules with a
# src-address-list and in-interface-list=WAN, reduces that exposure.
# NOTE(review): the poe_cam2 rule appears three times. The repeats are
# presumably meant to be poe_cam3/poe_cam4 with their own ports and
# addresses.
add action=dst-nat chain=dstnat comment=poe_cam1 dst-port=23211 protocol=tcp to-addresses=10.0.2.11 to-ports=8000
add action=dst-nat chain=dstnat comment=poe_cam2 dst-port=23212 protocol=tcp to-addresses=10.0.2.12 to-ports=8000
add action=dst-nat chain=dstnat comment=poe_cam2 dst-port=23212 protocol=tcp to-addresses=10.0.2.12 to-ports=8000
add action=dst-nat chain=dstnat comment=poe_cam2 dst-port=23212 protocol=tcp to-addresses=10.0.2.12 to-ports=8000