I'll keep things simple and just dive right in, since I know I'm a total newb at this. Hopefully I've included everything relevant; if I'm missing anything that might help, please let me know!
Currently, the address scheme on both devices is not yet set up the way I've listed it below. I'm aware of this and am willing to adjust; I just figured I'd try to figure everything out before diving in any deeper.
My Equipment:
Networking:
Mikrotik Hex Router
Mikrotik HAP AC3
NetGear Nighthawk r6900p (Goal of using this as only a wireless repeater / access point eventually, but I'll ignore it for now to get the Mikrotik hardware running first)
Dumb Switch (Managed switch on its way)
Clients
Gaming PC / Workstation
ThinkStation D30 Proxmox Host
Wired Gaming Laptop
Wired NAS
Wired PiHole for DNS
WiFi Laptop
WiFi Chromebook
WiFi Lights x2
WiFi Video Doorbell
WiFi Cellphone x3
WiFi Kindle
WiFi iPad
WiFi Various handheld Game Consoles
------------------------------------------------------------------
My starting goal(s):
I'm trying to set up the Hex router as the primary router, with the HAP AC3 as an access point / wireless router for wireless devices, since the Hex has no built-in WiFi.
Alongside the above, I'm also trying to segment my network into pieces for security and management purposes. To clarify, I'd like to set up the following (using generic example addresses here):
Router - 192.168.1.1
-- DHCP'd devices on 192.168.1.50 <-> 192.168.1.100
-- Static'd devices on 192.168.1.101 <-> 192.168.1.200
WiFi - 192.168.2.1
-- DHCP'd devices on 192.168.2.50 <-> 192.168.2.100
-- Static'd device on 192.168.2.5 (Ring Doorbell Camera)
Servers - 192.168.3.1
-- Static'd devices on 192.168.3.50 <-> 192.168.3.100
IoT Devices - 192.168.4.1
-- DHCP'd devices on 192.168.4.50 <-> 192.168.4.100
I would like devices that receive a DHCP lease or static IP from the Router (192.168.1.1) to be able to reach and communicate with the devices in both WiFi (192.168.2.1) and Servers (192.168.3.1), while the IoT Devices keep access to WiFi (192.168.2.1). The reason for IoT to interact with WiFi is so that I can control things such as the wireless lights, etc. from my cell phone while connected to WiFi.
----------------------------------------------------------
Hex Router 'export hide-sensitive'
# aug/05/2021 19:57:28 by RouterOS 6.48.3
# software id = GR5F-DASV
#
# model = RB760iGS
# serial number = E2090EF86E7B
#
# Hex (RB760iGS) export. 'hide-sensitive' masks the PPPoE credentials below
# (shown as ********) but not the bridge MAC or the serial number above.
/interface bridge
add admin-mac=2C:C8:1B:19:0E:5D auto-mac=no comment=defconf name=bridge
# WAN uplink: PPPoE client on ether1 that installs the default route.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# The Hex has no radio (per the post), so the WiFi1 profile is unused here.
# NOTE(review): it permits wpa-psk (original WPA) next to wpa2-psk; if this
# profile is ever reused, wpa2-psk alone is the safer choice.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=WiFi1 supplicant-identity=MikroTik
# DHCP still hands out the old 192.168.90.x range, not the 192.168.1.x plan
# described in the post.
/ip pool
add name=dhcp ranges=192.168.90.50-192.168.90.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# All LAN ports (ether2-5, sfp1) are plain members of the single bridge; no
# VLANs are defined anywhere in this export.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!all
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# Three IPv4 addresses on the one bridge: 192.168.90.1/24 (defconf),
# 192.168.1.1/24, and 192.168.88.1 with no prefix length (a host address whose
# network is set to 192.168.88.1 itself).
# NOTE(review): the bare 192.168.88.1 entry looks unintended - compare with the
# 192.168.88.0/24 forward rule further down.
# NOTE(review): because all three share one bridge (one L2 domain), the forward
# chain only sees traffic the router actually routes between them; this does
# not give the isolation the post asks for. Separate VLANs on the bridge (with
# the managed switch that is on its way) would.
/ip address
add address=192.168.90.1/24 comment=defconf interface=bridge network=\
192.168.90.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.88.1 interface=bridge network=192.168.88.1
# defconf DHCP client on ether1, the same port the PPPoE client uses;
# use-peer-dns=no keeps ISP DNS out of the resolver list.
# NOTE(review): if the ISP link is PPPoE only, this client is probably unneeded.
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
# Only 192.168.90.0/24 has DHCP network options (gateway 192.168.90.1); there
# is no dhcp-server network entry for 192.168.1.0/24.
/ip dhcp-server network
add address=192.168.90.0/24 comment=defconf gateway=192.168.90.1 netmask=24
# Upstream resolver is 192.168.1.201 (presumably the wired Pi-hole from the
# post - verify). allow-remote-requests=yes lets clients use the router for
# DNS; the input chain below drops anything not from the LAN list, so the
# resolver is not reachable from WAN.
/ip dns
set allow-remote-requests=yes servers=192.168.1.201
/ip dns static
add address=192.168.90.1 comment=defconf name=router.lan
# Firewall: defconf rule set.
# input  - accept established/related/untracked, drop invalid, accept ICMP,
#          accept to loopback, then drop everything not from the LAN list.
# forward - accept IPsec policy traffic, fasttrack + accept established/related,
#          drop invalid, drop new connections from WAN that were not dst-NATed.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Custom accept rules (the only non-defconf filter rules).
# NOTE(review): the forward chain has no terminating drop, so new LAN-to-LAN
# traffic is already accepted by default; these two accepts have no effect
# until a drop rule is placed after them. The first also matches only the
# single pair 192.168.1.1 -> 192.168.90.1, both of which are the router's own
# addresses, so it is unlikely to match forwarded traffic at all.
add action=accept chain=forward dst-address=192.168.90.1 src-address=\
192.168.1.1
add action=accept chain=forward dst-address=192.168.90.0/24 src-address=\
192.168.88.0/24
# Source NAT toward the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Phoenix
# MAC-telnet and MAC-WinBox restricted to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# aug/05/2021 19:58:45 by RouterOS 6.47.9
# software id = CFIR-U1HA
#
# model = RBD53iG-5HacD2HnD
# serial number = E7290E1642D8
#
# hAP ac3 (RBD53iG-5HacD2HnD) export. This is still the factory-default
# router configuration (own DHCP server, NAT out of ether1), not an AP-only
# setup yet.
/interface bridge
add admin-mac=2C:C8:1B:7F:5C:9C auto-mac=no comment=defconf name=bridge
# Two radios in ap-bridge mode: wlan1 (2.4 GHz) and wlan2 (5 GHz), both with
# frequency=auto. Neither sets security-profile=, so both use the default
# profile defined below.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=ThePromisedLan wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=ThePromisedLan-5GHz wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default security profile for both SSIDs; the pre-shared key is hidden by
# the export. NOTE(review): wpa-psk (original WPA) is allowed alongside
# wpa2-psk - restricting authentication-types to wpa2-psk leaves WPA2 only.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
# Stock 192.168.88.0/24 LAN with its own DHCP server (.10-.254) on the bridge.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
# ether2-5 and both radios are bridge ports; ether1 is not.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# ether1 is WAN here, so wireless clients are NATed behind a second router
# when ether1 is plugged into the Hex.
# NOTE(review): for the AP-only role the post describes, ether1 would join the
# bridge instead, and this DHCP server and the masquerade rule below would be
# disabled - otherwise clients are double-NATed and two DHCP servers can end
# up on the same segment.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
# Gets its ether1 address by DHCP from whatever is upstream.
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# No upstream servers configured; allow-remote-requests=yes lets clients use
# the device for DNS, and the input chain below limits that to the LAN list.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Firewall: unchanged defconf rule set (same as on the Hex).
# input  - accept established/related/untracked, drop invalid, accept ICMP,
#          accept to loopback, then drop everything not from the LAN list.
# forward - accept IPsec policy traffic, fasttrack + accept established/related,
#          drop invalid, drop new connections from WAN that were not dst-NATed.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT toward the WAN list (ether1).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/system clock
set time-zone-name=**********
# MAC-telnet and MAC-WinBox restricted to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN