sticky911
just joined
Topic Author
Posts: 3
Joined: Sun Mar 10, 2024 8:27 am

Help with config

Sun Mar 10, 2024 9:04 am

Hello guys,

I need help with my configuration; I have a strange problem with it. Please tell me what is wrong :(

Below is my setup. Strangely, the network is very slow: when loading web pages the first attempt times out, many sites fail to connect, and so on. When I remove all of my config, everything is fine again.

[Image attachment not reproduced in this copy]

here is my config
# 2024-02-29 23:02:16 by RouterOS 7.13.5
# software id = U3ZI-3UB1
#
# model = RB750Gr3
# serial number = CC220EBE14C3
#
# NOTE(review): the software id and serial number above identify this exact
# device; redact them before posting an export publicly.
#
# Review summary of the security-relevant points in this export (details in
# the individual sections below): neither the input nor the forward chain
# ends in a drop rule, so RouterOS's default accept applies to everything the
# rules do not match; ether2 has no frame-type/ingress restriction; Mgmt_VLAN
# is in two interface lists; and a SOCKS proxy with a user account is enabled
# although nothing in the stated design calls for one.
/interface bridge
# ingress-filtering=no on the bridge disables the check that an incoming
# frame's VLAN ID is one the ingress port is a member of. anav's suggested
# bridge-port settings in this thread turn it on per port.
add igmp-snooping=yes ingress-filtering=no name=bridge1 port-cost-mode=short \
    vlan-filtering=yes
/interface vlan
# One routed VLAN interface per VLAN on the bridge; 99 is management.
add interface=bridge1 name=Guest_VLAN vlan-id=30
add interface=bridge1 name=Mgmt_VLAN vlan-id=99
add interface=bridge1 name=Office_VLAN vlan-id=10
add interface=bridge1 name=Training_VLAN vlan-id=20
/interface list
add name=WAN
add name=Internal
add name=Guest
add name=Mgmt
add name=Training
/ip hotspot profile
# No hotspot server is defined anywhere in this export; this only changes the
# html directory of the default profile.
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=Office_POOL ranges=192.168.2.121-192.168.2.250
add name=Training_POOL ranges=192.168.1.151-192.168.1.254
add name=Guest_POOL ranges=10.0.30.30-10.0.30.250
add name=Mgmt_POOL ranges=192.168.99.5-192.168.99.254
/ip dhcp-server
# 10-minute leases on every VLAN (management included) are unusually short;
# not a security issue, but expect constant renewals.
add address-pool=Office_POOL interface=Office_VLAN lease-time=10m name=\
    Office_DHCP
add address-pool=Training_POOL interface=Training_VLAN lease-time=10m name=\
    Training_DHCP
add address-pool=Guest_POOL interface=Guest_VLAN lease-time=10m name=\
    Guest_DHCP
add address-pool=Mgmt_POOL interface=Mgmt_VLAN lease-time=10m name=Mgmt_DHCP
/port
set 0 name=serial0
/interface bridge port
# ether2: pvid 10 like ether3, but with ingress-filtering=no and no
# frame-types restriction (so presumably the admit-all default). A host on
# this port can then send VLAN-tagged frames into the bridge -- the classic
# VLAN-hopping setup. Give it the same
# frame-types=admit-only-untagged-and-priority-tagged plus
# ingress-filtering=yes as the other access ports (anav's item 1).
add bridge=bridge1 ingress-filtering=no interface=ether2 internal-path-cost=\
    10 path-cost=10 pvid=10
# ether3 (VLAN 10) and ether4 (VLAN 99) are untagged access ports.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 internal-path-cost=10 path-cost=10 pvid=99
# ether5 is the trunk: tagged frames only.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10
/interface bridge vlan
# ether2 (pvid 10) is not listed as an untagged member of VLAN 10 here;
# confirm it appears as a dynamic entry in `/interface bridge vlan print`,
# or add it explicitly next to ether3.
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether4 vlan-ids=99
/interface detect-internet
# Both replies in this thread recommend setting this to none.
set wan-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=Office_VLAN list=Internal
add interface=Guest_VLAN list=Guest
add interface=Mgmt_VLAN list=Mgmt
add interface=Training_VLAN list=Training
# Mgmt_VLAN is now in both Internal and Mgmt, so every firewall rule that
# matches Internal (e.g. "Training_VLAN to Office_VLAN" below) also admits
# that traffic into the management VLAN. Keep Mgmt out of Internal, or match
# on src/dst subnets as anav's item 7 does.
add interface=Mgmt_VLAN list=Internal
/ip address
add address=192.168.99.1/24 interface=Mgmt_VLAN network=192.168.99.0
add address=192.168.2.1/24 interface=Office_VLAN network=192.168.2.0
add address=192.168.1.1/24 interface=Training_VLAN network=192.168.1.0
add address=10.0.30.1/24 interface=Guest_VLAN network=10.0.30.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
# No VLAN, pool or /ip address uses 192.168.3.0/24 -- stray entry, remove.
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for every source the
# input chain lets through. The input chain below has no final drop, so that
# includes the WAN side: an open resolver. Add a terminal drop to input and
# accept udp/tcp 53 only from the LAN-side interface lists.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
# INPUT chain. There is no drop rule at the end of this chain; RouterOS's
# default action for unmatched packets is accept, so every router service
# not limited by its own address setting (DNS, NTP and the SOCKS proxy
# below) is reachable from ether1/WAN.
add action=accept chain=input comment=\
    "ATikconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="ATikconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="ATikconf: accept ICMP" protocol=icmp
# The next three rules give Office, Training and Guest hosts access to every
# router service, not just DNS. Guest in particular should get only
# dst-port 53 (and 123 if needed); see anav's input rules in this thread.
add action=accept chain=input comment="Allow Internal" in-interface-list=\
    Internal
add action=accept chain=input comment="Allow Training" in-interface-list=\
    Training
add action=accept chain=input comment="Allow Guest" in-interface-list=Guest
add action=accept chain=input comment="Allow Mgmt_Vlan Full Access" \
    in-interface-list=Mgmt
# FORWARD chain.
add action=fasttrack-connection chain=forward comment="ATikconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "ATikconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# These two rules allow new connections in both directions between the
# Training and Internal lists -- and Internal includes Mgmt_VLAN.
add action=accept chain=forward comment="Training_VLAN to Office_VLAN" \
    connection-state=new in-interface-list=Training out-interface-list=\
    Internal
add action=accept chain=forward comment="Office_VLAN to Training_VLAN" \
    connection-state=new in-interface-list=Internal out-interface-list=\
    Training
add action=accept chain=forward comment="Internal Internet Access only" \
    connection-state=new in-interface-list=Internal out-interface-list=WAN
# "Internet Access only" is not enforced: nothing after this rule drops
# Guest -> Office/Training/Mgmt, and the chain has no final drop, so that
# traffic is accepted by default. The same default accept also gives
# Training internet access, contrary to the stated requirement.
add action=accept chain=forward comment="Guest Internet Access only" \
    connection-state=new in-interface-list=Guest out-interface-list=WAN
# Matches only traffic that both enters and leaves via Mgmt_VLAN; traffic
# routed from Mgmt to the other VLANs leaves via a different interface, so
# this rule likely does nothing useful. Presumably meant as Mgmt -> all
# VLANs (in-interface-list=Mgmt, out-interface-list=<all LAN VLANs>).
add action=accept chain=forward comment="mgmt to mgmt" in-interface-list=Mgmt \
    out-interface-list=Mgmt
add action=drop chain=forward comment="ATikconf: drop invalid" \
    connection-state=invalid
# Last rule: only WAN-originated, non-DSTNATed traffic is dropped. Add
# `add action=drop chain=forward` after it so inter-VLAN traffic is
# deny-by-default.
add action=drop chain=forward comment=\
    "ATikconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip service
# Good: telnet/ftp/www/api/api-ssl off, ssh and winbox limited to the
# management subnet. Services not listed here keep their defaults -- confirm
# with `/ip service print`.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24
set api disabled=yes
set winbox address=192.168.99.0/24
set api-ssl disabled=yes
/ip socks
# SOCKS5 proxy enabled on a non-default port with a user account. Nothing in
# the stated design needs a SOCKS proxy, and an unexpectedly enabled SOCKS
# proxy with an unfamiliar user is a commonly reported indicator of a
# compromised MikroTik device. With the input chain above it is also
# reachable from WAN. Unless you configured this yourself: run
# `/ip socks set enabled=no`, delete the user, review `/user`,
# `/system script` and `/system scheduler` for entries you did not create,
# change all passwords, and make sure RouterOS is up to date.
set auth-method=password enabled=yes port=20907 version=5
/ip socks users
add name=es9999
/ip ssh
# Good: restricts SSH to the stronger cipher/MAC set.
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Singapore
/system identity
set name=Router
/system logging
set 1 action=disk
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
# NTP server enabled. broadcast-addresses is the router's own address rather
# than a subnet broadcast address, which is probably not what was intended.
# As with DNS, the open input chain exposes udp/123 to WAN; restrict it to
# the LAN-side lists.
set broadcast=yes broadcast-addresses=192.168.99.1 enabled=yes
/system ntp client servers
add address=sg.pool.ntp.org
/tool bandwidth-server
# Good: bandwidth-test server off.
set enabled=no
/tool mac-server
# Good: MAC-level access (mac-telnet, mac-winbox, mac-ping) is off on every
# interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help with config

Sun Mar 10, 2024 11:48 am

Nothing strikes me as clearly wrong in your config. The only thing I would definitely change is to disable internet detection:
/interface detect-internet
set wan-interface-list=none

It is an open secret that this feature can cause subtle but nasty problems, and you do not seem to need it anyway.
 
sticky911
just joined
Topic Author
Posts: 3
Joined: Sun Mar 10, 2024 8:27 am

Re: Help with config

Sun Mar 10, 2024 11:50 am

oops i forgot to mention,

VLAN 10 is supposed to have internet, and access into VLAN 20
VLAN 20 is supposed to access a server in VLAN 10, but have no internet
VLAN 30 is just internet no access to VLAN 10 & 20
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: Help with config

Sun Mar 10, 2024 12:42 pm

If I am not mistaken, on the hEX, which uses the MT7621 chip, enabling bridge IGMP snooping will disable hardware offloading on the bridge:

https://help.mikrotik.com/docs/display/ ... Offloading

Maybe you can try to disable IGMP snooping?
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with config  [SOLVED]

Sun Mar 10, 2024 6:24 pm

Your firewall rules are where the most work is needed; it is clear you got mixed up, or at least did not think the logic through.
For example, you have the Office VLAN accessing the Training VLAN, and then you have the Training VLAN accessing the Office VLAN.

But you do not use VLAN subnets; you actually use interface lists, which include other VLANs:
a. not targeted: by using Internal, for example, you give Training access to Office AND Mgmt.
b. nonsensical: if you want A to originate traffic to B, and then also want B to originate traffic to A,
THEN THERE IS LITTLE POINT IN HAVING TWO SEPARATE VLANs.

what might make sense, is that you want to give the office access to training, and thats it.


Suggested changes:

1./interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5


2. /interface detect-internet
set wan-interface-list=none


3. FOUR VLANS and pools etc, but FIVE /ip dhcp-server network entries ???????????
Remove the stray entry for 192.168.3.0/24 (no VLAN or /ip address uses that subnet).

4. /interface list member
add interface=ether1 list=WAN
add interface=Office_VLAN list=LAN
add interface=Training_VLAN list=LAN
add interface=Mgmt_VLAN list=LAN
add interface=Guest_VLAN list=LAN
add interface=Office_VLAN list=Internet
add interface=Guest_VLAN list=Internet
add interface=Mgmt_VLAN list=Internet
add interface=Mgmt_VLAN list=Mgmt


5. /tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Mgmt

6. /interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20,30
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether4 vlan-ids=99


7. /ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Mgmt_Vlan Full Access" \
in-interface-list=Mgmt
add action=accept chain=input comment="access to router DNS,NTP" \
in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="access to router DNS tcp " \
in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { PUT THIS RULE IN LAST }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=Internet out-interface-list=WAN
add action=accept chain=forward comment="Office to Training" \
src-address=192.168.2.0/24 dst-address=192.168.1.0/24
add action=accept chain=forward comment="Training to Office Server(s)" \
src-address=192.168.1.0/24 dst-address=Officeserver-IP { if more than one server make a firewall address list to use }
add action=accept chain=forward comment="admin to all vlans" in-interface-list=Mgmt out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="Drop all else"
 
sticky911
just joined
Topic Author
Posts: 3
Joined: Sun Mar 10, 2024 8:27 am

Re: Help with config

Mon Mar 11, 2024 10:19 pm

Your firewall rules are where the most work is needed, its clear you got mixed up or at least didnt think through the logic.
For example you have the office vlan accessing the training vlan and then you have the training vlan accessing the office vlan.

But you dont use vlan subnets you actually use interface lists which included other vlans
a. not targeted, by using internal for example you give training access to office AND Mgmt........... .
b. nonsensical, if you wish a to originate traffic to access b, and then you wish b to originate traffic to access a,
THEN THERE IS LITTLE POINT IN HAVING TWO SEPARATE VLANs.

what might make sense, is that you want to give the office access to training, and thats it.


Suggested changes:

1./interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5


2. /interface detect-internet
set wan-interface-list=NONE


3. FOUR VLANS and pools etc, but FIVE /ip dhcp-server network entries ???????????
Remove the entry for the fictitious 192.168.1.3.0 entry.

4. /interface list member
add interface=ether1 list=WAN
add interface=Office_VLAN list=LAN
add interface=Training_VLAN list=LAN
add interface=Mgmt_VLAN list=LAN
add interface=Guest_VLAN list=LAN
add interface=Office_VLAN list=Internet
add interface=Guest_VLAN list=Internet
add interface=Mgmt_VLAN list=Internet
add interface=Mgmt_VLAN list=Mgmt


5. /tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Mgmt

6. /interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20,30
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether4 vlan-ids=99


7. /ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Mgmt_Vlan Full Access" \
in-interface-list=Mgmt
add action=accept chain=input comment="access to router DNS,NTP" \
in-interface-list=LAN dst-port=53,123 protocol=udp
add action=acccept chain=input comment="access to router DNS tcp " \
in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { PUT THIS RULE IN LAST }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=Internet out-interface-list=WAN
add action=accept chain=forward comment="Office to Training" \
src-address=192.168.2.0/24 dst-address=192.168.1.0/24
add action=accept chain=forward comment="Training to Office Server(s)" \
src-address=192.168.1.0/24 dst-address=Officeserver-IP { if more than one server make a firewall address list to use }
add action=accept chain=forward comment="admin to all vlans" in-interface-list=Mgmt out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="Drop all else"
Thank you! I guess I am still too much of a noob at this; I was previously trying to follow one of the VLAN threads to set this up: viewtopic.php?t=143620
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help with config

Mon Mar 11, 2024 10:38 pm

Yup, that's a good video, and it is what most people use, including myself.
