mpreissner
Member
Topic Author
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Need some help...hex setup

Sun Feb 24, 2019 2:35 am

Hey everyone...it's been a while since I've been active up here...but now I'm in a bit of a bind and need some help with setting up my new hex.

Situation: I have an older RB750GL that's been running great for a while (ROS 6.40.5) using the older Master/slave port setup. I recently had to change an address on one of my VLAN interfaces, and accidentally changed the wrong interface, locking myself out of the router. Even worse, my backups are all on my storage server, which recently suffered a hardware failure, so I can't get at my backups. Since most of my network was still running, I opted to buy a hex (RB750Gr3 on ROS 6.43.11). I know that the Master/slave switch setup has been replaced with Bridge, but I can't for the life of me figure out how to get it configured correctly such that I can just swap out the RB750GL and hex and get my network fully operational again.

Here's what I remember of the 750GL setup: ether1 was my Internet connection (default config on the hex, so no problem there); ether2 (Master) and ether3 are trunk ports, ether4 and ether5 are access ports. All addresses were on VLAN interfaces assigned to ether2.

What I need: a working config script that puts VLANs 100, 200, 300, 501, 801, and 901 on the router; Management IP address (preferably 172.16.0.30/27) on VLAN 100 (needs functional DHCP server on this interface as well); ether 2 and 3 configured as trunk ports carrying all VLANs, ether 4 and 5 configured as access ports for VLAN 100. The other VLAN interfaces need to have IP addresses, but no DHCP server (actual addresses used for this initial config don't matter as long as routing works; I can change the addresses to suit my network).

Normally, I'd take the time to really learn what I'm doing wrong (I have a feeling it's something obvious, but I'm beyond frustrated at this point), but I just started my own business and I need to get my lab fully functional ASAP. Please help! And big thanks in advance to anyone and everyone who helps me get out of this nightmare.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
BRMateus2
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: Need some help...hex setup

Sun Feb 24, 2019 4:58 am

You might want to start with this link then: viewtopic.php?t=143620
I don't know about VLANs tho, I only bridge for now (home).
 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Need some help...hex setup

Sun Feb 24, 2019 2:45 pm

Hey tough luck...

Not the whole config but pointers, some to-dos left for you:
* bridge
bridge1 with eth2-5, should be default config

* assign vlans, see https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

eth2 & 3: trunk: all vlans should be tagged on these ports
ex: /interface bridge port add bridge=bridge1 interface=ether2

eth4 & 5: only untagged traffic with definition of default vlan
ex: /interface bridge port add bridge=bridge1 interface=ether4 pvid=200

make sure to include bridge itself for all vlans which need to be routed
ex: /interface bridge vlan add bridge=bridge1 tagged=ether2,ether3,bridge untagged=ether4 vlan-ids=100

* addresses
these need to be assigned to vlan interfaces linked to the bridge "/bridge vlan"
ex: /interface vlan add interface=bridge1 vlan-id=100 name=v100
/ip address add interface=v100 address=...
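The pointers above, carried through as one complete script. This is an added example, not sebastia's or the thread author's configuration: it assumes a hEX on ROS 6.43 with no bridge configured yet (ether1 is already the WAN port and is left alone), uses the VLAN names and addresses from the export later in this thread, and leaves VLAN filtering switched off until the VLAN table is complete so that the router is not cut off half-way through.

```routeros
# Added example (not the poster's config): bridge VLAN filtering on a hEX
# starting from a router with no bridge. ether1 stays the WAN/DHCP-client
# port and is not touched here.

# 1. Create the bridge but keep vlan-filtering OFF until the VLAN table
#    below exists; enabling it against an incomplete table is the usual way
#    to lock yourself out.
/interface bridge
add name=bridge vlan-filtering=no

# 2. Port membership. Trunks keep the default pvid=1; on the access ports
#    pvid=100 places incoming untagged frames into the management VLAN.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=100

# 3. VLAN table. "bridge" itself must be a tagged member of every VLAN the
#    router should route or be managed on; without it the CPU never sees
#    that VLAN's frames.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether4,ether5 vlan-ids=100
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=200
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=300
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=501
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=801
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=901

# 4. Layer-3 VLAN interfaces hang off the bridge, not off a physical port
#    as they did in the master/slave days.
/interface vlan
add interface=bridge name=Mgmt vlan-id=100
add interface=bridge name=ServerLAN vlan-id=200
add interface=bridge name=DMZ vlan-id=300
add interface=bridge name=MediaLAN vlan-id=501
add interface=bridge name=InternalWireless vlan-id=801
add interface=bridge name=GuestWireless vlan-id=901

# 5. Addresses (values taken from the export in this thread).
/ip address
add address=172.16.0.30/27 interface=Mgmt
add address=10.1.150.254/24 interface=ServerLAN
add address=172.31.120.30/27 interface=DMZ
add address=172.18.0.30/27 interface=MediaLAN
add address=10.1.168.30/26 interface=InternalWireless

# 6. DHCP on the management VLAN only, including the "network" entry that
#    hands out gateway and DNS (a server without one leases bare addresses).
/ip pool
add name=Mgmt-pool ranges=172.16.0.20-172.16.0.24
/ip dhcp-server
add address-pool=Mgmt-pool disabled=no interface=Mgmt name=Mgmt
/ip dhcp-server network
add address=172.16.0.0/27 gateway=172.16.0.30 dns-server=172.16.0.30

# 7. The default input chain drops everything not arriving via the LAN
#    interface list, and a freshly created VLAN interface is in no list.
#    Add Mgmt to LAN so Winbox/SSH on VLAN 100 are not silently dropped.
/interface list member
add interface=Mgmt list=LAN

# 8. Only now enable filtering. Do this while connected via ether1 or via
#    an access port in VLAN 100, not through a trunk whose behaviour is
#    about to change.
/interface bridge
set bridge vlan-filtering=yes
```

Paste it into the terminal (or `/import` it) from a session that will survive step 8; Winbox Safe Mode is worth turning on first so a mistake rolls back when the session drops. The order matters: ports, then the VLAN table with `bridge` tagged, then addresses, and `vlan-filtering=yes` last.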
 
mpreissner
Member
Topic Author
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Need some help...hex setup

Mon Feb 25, 2019 10:38 pm

Thanks! So far so good...but here's the next piece...I've added a DHCP server to my "Management" VLAN (100) interface, and I can get an address, so that works fine. However, I am unable to connect to the address I put on that interface via Winbox (using IP or MAC) or mactelnet. I can still connect to the default 192.168.88.1 address that is assigned directly to the bridge (I left ether5 on pvid=1 until I get things finalized), but I'd like to ditch that and just use the address I have assigned to my Management VLAN interface. Does this newer version of ROS require an address directly on the bridge? On my older setup, I only had to have addresses on the VLAN interfaces and could access all enabled management services (Winbox, ssh, Webfig), assuming my firewall input chain allowed it (which I had restricted ONLY to the Management VLAN IP address).
Michael Preissner
CISSP, CCSP, CEH, PMP
 
mpreissner
Member
Topic Author
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Need some help...hex setup

Mon Feb 25, 2019 10:42 pm

Here's my export so you can see where I am...
/interface bridge
add admin-mac=B8:69:F4:AE:58:0E auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=DMZ vlan-id=300
add interface=bridge name=GuestWireless vlan-id=901
add interface=bridge name=InternalWireless vlan-id=801
add interface=bridge name=MediaLAN vlan-id=501
add interface=bridge name=Mgmt vlan-id=100
add interface=bridge name=ServerLAN vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Mgmt-pool ranges=172.16.0.20-172.16.0.24
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=Mgmt-pool disabled=no interface=Mgmt name=Mgmt
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=100
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether2,ether3,bridge untagged=ether4 vlan-ids=100
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=200
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=300
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=501
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=801
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=901
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.0.30/27 interface=Mgmt network=172.16.0.0
add address=10.1.150.254/24 interface=ServerLAN network=10.1.150.0
add address=172.31.120.30/27 interface=DMZ network=172.31.120.0
add address=172.18.0.30/27 interface=MediaLAN network=172.18.0.0
add address=10.1.168.30/26 interface=InternalWireless network=10.1.168.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Michael Preissner
CISSP, CCSP, CEH, PMP
 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Need some help...hex setup  [SOLVED]

Mon Feb 25, 2019 11:06 pm

Regarding mac servers
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
but only bridge is added to LAN, and that means untagged traffic / vlan=1.


Don't you want /ip dhcp-server network config for mgmt?

Can you ping Mgmt ip over mgmt vlan? Probably yes, but nothing else right? -> firewalled, as mgmt isn't part of LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
 
mpreissner
Member
Topic Author
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Need some help...hex setup

Tue Feb 26, 2019 2:34 am


but only bridge is added to LAN, and that means untagged traffic / vlan=1.
Ah! The concept of grouping interfaces as LAN is a little odd to me. After assigning the Management VLAN interface to LAN, I'm able to reach my desired management IP address both from an access port on my management VLAN as well as routing from the default 192.168.88.0 network to the management IP. Looks like I just need to add all my trusted VLAN interfaces to LAN and then rely on the firewall to block access via certain addresses.

This is so much more confusing than the old Master/Slave port arrangement, but it's not like I really have a choice at this point. Thanks again!
Michael Preissner
CISSP, CCSP, CEH, PMP
 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Need some help...hex setup

Tue Feb 26, 2019 9:45 am

You can define multiple interface lists and have separate firewall rules for each or just for the mgmt interface itself.
I would recommend isolating your management and permissions from the rest.
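One way to follow that recommendation, written as an added example rather than anything posted in this thread: a separate interface list for the management VLAN, input rules that admit management services only from that list, and the MAC-server and neighbor-discovery settings (bound to LAN in the export above) moved to the same list so they do not become a second way in from every LAN-listed VLAN. It assumes the `Mgmt` VLAN interface (172.16.0.30/27) exists and is already a LAN member, as in the fix that resolved the thread; the list name `MGMT` is a constructed choice.

```routeros
# Added example (not from the thread): separate the management plane with
# its own interface list and explicit input rules. Assumes the Mgmt VLAN
# interface already exists and is already in the LAN list.

# 1. A list containing only the interface(s) management should be reachable on.
/interface list
add name=MGMT
/interface list member
add interface=Mgmt list=MGMT

# 2. Input chain: accept Winbox/SSH/Webfig only from MGMT, then drop the
#    management ports from every other interface. place-before keeps both
#    rules ahead of the defconf "drop all not coming from LAN" rule, so the
#    other LAN-listed VLANs still reach the router for everything else
#    (DNS, ICMP, ...) but not for these ports.
/ip firewall filter
add chain=input action=accept in-interface-list=MGMT protocol=tcp \
    dst-port=22,80,8291 comment="mgmt: ssh/www/winbox from MGMT only" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=drop protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 \
    comment="mgmt: management ports from any other interface" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3. Second, independent limit: bind the services themselves to the
#    management subnet and disable the ones not in use.
/ip service
set winbox address=172.16.0.0/27
set ssh address=172.16.0.0/27
set www address=172.16.0.0/27
set telnet,ftp,api,api-ssl disabled=yes

# 4. MAC-level access (mac-telnet, MAC Winbox) and neighbor discovery
#    bypass IP addressing entirely, so they get the same narrow list.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
```

Apply it from a session on the Mgmt VLAN (or with Safe Mode on), since the first rule it adds is the only one that will admit the next Winbox session. The two limits are deliberately independent: the firewall rules decide which interface a connection may arrive on, the `/ip service` addresses decide which source subnet the daemon will answer, and either one on its own still blocks a trusted-VLAN host that is not on the management network.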
