I've setup 3 vlans (10, 20, 30), that are working propperly. What i need to do is to make VLAN 10 be able to access all other vlans, but not the other way around.
I need for any PC in vlan 10 can access via RDP to any pc in vlan 20 and vlan30.
And all the pc's in vlan 20, and vlan 30 only see and communicate with the pc's in their own vlan.
So this is my actual config:
Right now i cannot ping or RDP between vlans, i've tryed to deactivating windows firewall in both machines but still cannot link them.
(The 2 pc's that i'm doing the testing are connected to the same ARUBA manageable switch)
Code: Select all
# oct/13/2022 12:02:47 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment="PVE3 (Servidor Consultar)" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN comment="Switch Pecera (unmanageable)" \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN comment="Switch Aruba (manageable)" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
in-interface-list=ADMIN
add action=accept chain=input comment="Allow VLAN DNS queries-UDP" dst-port=\
53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="allow vlan10 access to vlan20" \
connection-state="" dst-address=10.0.20.254 log=yes log-prefix=VALN \
src-address=10.0.10.7
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
"Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=cosag dst-port=xxxx \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=xxxx
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=xx \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=xxx
add action=dst-nat chain=dstnat comment=des07 dst-port=xxxx \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=xxx
add action=dst-nat chain=dstnat comment=w2019 dst-port=xxx \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=xx
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=x
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
;\r\
\n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
teway ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
gw;\r\
\n}\r\
\n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
way ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
;\r\
\n}\r\
\n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
ateway];\r\
\n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
] gateway ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
\$newgw;\r\
\n}\r\
\n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
\n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxx@gmail.com port=xx start-tls=\
yes user=xx
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes