While I know basics of networking due to my work, I am in no way an expert. But I do know how to google and read docs. I read the almanac thread viewtopic.php?f=23&t=143620 at least five times before things started making sense. I tried thrice and it broke everything. Turns out that the configuration was complicated due to TPLink and Ubiquiti present in the mix.
The UniFi access point (AP) tags packets when they go out from WLAN to wire. When tagged traffic comes in from the wire, it will untag it and forward it to WLAN.
So the packets arrive at the switch as tagged. This was my first clue :) ports 1 (to router), 2 & 3 (to APs) needed to be trunks.
On the switch, if you're connecting a device that recognizes VLANS (VoIP device etc.), that port should be marked tagged, if not, untagged.
Ubiquiti
Define Networks in Unifi Controller, mapping each VLAN to a network Define SSID in Unifi Controller and tie it to the VLANs created above (Ignore the subnets in this pic, they are of no significant, VLAN is most imp. Unifi has a single page config 🤷♂️) Set each APs Management VLAN to BASE TP Link
Enable 802.1Q VLAN (this is disabled by default). Enable, refresh and move to next step
Map ports based on the network diagram Set IP of the switch to an available one in the BASE VLAN (after this you will lose connectivity to switch until you complete steps below)
Mikrotik
Reset configuration
Connect PC to eth5 (I leveraged the default config to avoid being kicked out by misconfiguration)
Do all config (export below)
As you progress making the mikrotik changes, you should be able to see addresses showing up in ARP. I hope this helps someone and I'd be glad to answer how I can
If someone could take a look at the firewall piece, I'd be grateful :D
Code: Select all
# jun/06/2021 23:01:11 by RouterOS 6.48.3
# model = RB750Gr3
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge add admin-mac=74:4D:28:A5:82:29 auto-mac=no name=br0
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=40
/interface vlan add interface=BR1 name=BLUE_HOME_VLAN vlan-id=10
/interface vlan add interface=BR1 name=GREEN_WORK_VLAN vlan-id=20
/interface vlan add interface=BR1 name=RED_IOT_VLAN vlan-id=30
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list add name=INSIDE_NETWORK
/interface list add name=IOT
/interface list add name=HOME
/interface list add name=WORK
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=BLUE_HOME_POOL ranges=192.168.10.2-192.168.10.254
/ip pool add name=GREEN_WORK_POOL ranges=192.168.20.2-192.168.20.254
/ip pool add name=RED_IOT_POOL ranges=192.168.30.2-192.168.30.254
/ip pool add name=BASE_POOL ranges=10.40.40.10-10.40.40.254
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=br0 name=defconf
/ip dhcp-server add address-pool=BLUE_HOME_POOL disabled=no interface=BLUE_HOME_VLAN name=BLUE_DHCP
/ip dhcp-server add address-pool=GREEN_WORK_POOL disabled=no interface=GREEN_WORK_VLAN name=GREEN_DHCP
/ip dhcp-server add address-pool=RED_IOT_POOL disabled=no interface=RED_IOT_VLAN name=RED_DHCP
/ip dhcp-server add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
/interface bridge port add bridge=br0 comment=defconf interface=ether5
/ip neighbor discovery-settings set discover-interface-list=BASE
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=10
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=30
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=40
/interface list member add interface=br0 list=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=ether2 list=WAN
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=BLUE_HOME_VLAN list=VLAN
/interface list member add interface=GREEN_WORK_VLAN list=VLAN
/interface list member add interface=RED_IOT_VLAN list=VLAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=GREEN_WORK_VLAN list=WORK
/interface list member add interface=BLUE_HOME_VLAN list=HOME
/interface list member add interface=RED_IOT_VLAN list=IOT
/interface list member add interface=BASE_VLAN list=INSIDE_NETWORK
/interface list member add interface=BLUE_HOME_VLAN list=INSIDE_NETWORK
/interface list member add interface=GREEN_WORK_VLAN list=INSIDE_NETWORK
/interface list member add interface=RED_IOT_VLAN list=INSIDE_NETWORK
/interface list member add interface=br0 list=INSIDE_NETWORK
/ip address add address=192.168.88.1/24 comment=defconf interface=br0 network=192.168.88.0
/ip address add address=10.40.40.1/24 interface=BASE_VLAN network=10.40.40.0
/ip address add address=192.168.10.1/24 interface=BLUE_HOME_VLAN network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=GREEN_WORK_VLAN network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=RED_IOT_VLAN network=192.168.30.0
/ip dhcp-client add comment=defconf disabled=no interface=ether1
/ip dhcp-client add disabled=no interface=ether2
/ip dhcp-server network add address=10.40.40.0/24 gateway=10.40.40.1
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
# The idea here was to allow everyone access to WAN, Restrict IOT to WAN, WORK to WAN, stop everyone except BASE from connecting to WORK.
# In near future, I'd like to setup a PiHole and allow traffic from all INSIDE_NETWORK to that IP on UDP:53
/ip firewall filter add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp
/ip firewall filter add action=fasttrack-connection chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
/ip firewall filter add action=drop chain=input comment="Drop everything else"
/ip firewall filter add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="Allow ICMP" protocol=icmp
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="allow connections from everything inside to WAN" in-interface-list=INSIDE_NETWORK out-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="drop connections from IOT to anywhere else" in-interface-list=IOT
/ip firewall filter add action=drop chain=forward comment="drop connections from WORK to anywhere else" in-interface-list=WORK
/ip firewall filter add action=drop chain=forward comment="drop connections from HOME to work" in-interface-list=HOME out-interface-list=WORK
/ip firewall filter add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="drop everything else"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
#Dual WAN failover, eth0 is primary ISP.
/ip route add check-gateway=ping distance=1 gateway=10.20.30.1
/ip route add check-gateway=ping distance=1 gateway=8.8.8.8
/ip route add distance=2 gateway=10.20.31.1
/ip route add check-gateway=ping distance=2 gateway=8.8.4.4
/ip route add distance=1 dst-address=8.8.4.4/32 gateway=10.20.31.1 scope=10
/ip route add distance=1 dst-address=8.8.8.8/32 gateway=10.20.30.1 scope=10
/system clock set time-zone-name=Asia/Kolkata
/tool mac-server set allowed-interface-list=INSIDE_NETWORK
/tool mac-server mac-winbox set allowed-interface-list=INSIDE_NETWORK