ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

2 Ethernet ports not working on HAP AC2

Mon Mar 18, 2019 12:52 am

I have two MikroTik router boards: (a) HAP AC and (b) HAP AC2. I have been using HAP AC as my home router without issues for the past two months.

However, when I recreated my configuration on the hAP ac2 (exported from the hAP ac and re-run on the ac2 via the terminal) I found that two Ethernet ports are shown as disabled, along with one of the Wi-Fi interfaces. Namely ether5-VMLAB, ether2-OPEN and wlan-guest.

I think I'm doing something wrong and that this is not a hardware-related issue. Any help is appreciated.

Here is my AC2 config (passwords removed) for reference:
# mar/17/2019 18:49:47 by RouterOS 6.42.10
# software id = N505-56PM
#
# model = RBD52G-5HacD2HnD
# serial number = BLAHBLAH
#
# NOTE(review): this is the original four-bridge layout that is replaced later
# in the thread by a single-bridge VLAN configuration. Security-relevant points
# are annotated inline; the configuration statements themselves are unchanged.
/interface bridge
# Four bridges, none with vlan-filtering; each one is meant to be one L2 segment.
add admin-mac=74:4D:28:0C:BB:6A auto-mac=no comment=defconf name=bridge
add name=bridge-guest-lan
add name=bridge-iot-lan
add name=bridge-main-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether-WAN
set [ find default-name=ether2 ] name=ether2-OPEN
set [ find default-name=ether3 ] name=ether3-WIN-WRKST
set [ find default-name=ether4 ] name=ether4-NAS
set [ find default-name=ether5 ] name=ether5-VMLAB
/interface vlan
# VLAN 40 is created directly on ether3, which is also an untagged port of
# bridge-main-lan, and the VLAN interface is then added to that same bridge
# (see /interface bridge port). Frames arriving on ether3 can therefore enter
# the bridge through two paths (tagged via vlan-main-lan and untagged).
add interface=ether3-WIN-WRKST name=vlan-main-lan vlan-id=40
/interface list
add comment=defconf name=WAN
# Only the defconf "bridge" is ever put into LAN (see /interface list member);
# bridge-main-lan, bridge-iot-lan and bridge-guest-lan are not members, so every
# rule keyed on LAN below ignores them.
add comment=defconf name=LAN
add comment="Home LAN Network" name=HOME-LAN
/interface wireless security-profiles
# Pre-shared keys were replaced with BLAHBLAH by the poster before publishing.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=BLAHBLAH
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=home-user supplicant-identity="" \
    wpa2-pre-shared-key=BLAHBLAH
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=iot-user supplicant-identity="" \
    wpa2-pre-shared-key=BLAHBLAH
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=guest-user supplicant-identity="" \
    wpa2-pre-shared-key=BLAHBLAH
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto hide-ssid=yes mode=ap-bridge \
    name=wlan-2-main-lan security-profile=home-user ssid=KhanNetHome \
    wireless-protocol=802.11
# vlan-id=40 makes the 5 GHz radio tag its frames with VLAN 40 before they
# reach bridge-main-lan, while the 2.4 GHz radio and ether4 are untagged on the
# same bridge. Without vlan-filtering the bridge simply floods both kinds.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes mode=ap-bridge name=wlan-5-main-lan security-profile=home-user ssid=\
    KhanNetHome5 vlan-id=40 wireless-protocol=802.11
# Virtual APs on the 2.4 GHz radio. default-forwarding=no keeps guest/IoT
# clients of the same SSID from talking to each other at L2.
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
    mac-address=CE:2D:E0:3F:F3:CB master-interface=wlan-2-main-lan \
    multicast-buffering=disabled name=wlan-guest security-profile=guest-user \
    ssid=KhanNetGuest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
    mac-address=CE:2D:E0:3F:F3:CA master-interface=wlan-2-main-lan \
    multicast-buffering=disabled name=wlan-iot security-profile=iot-user \
    ssid=KhanNetD wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# NOTE(review): no security-profile is given, so this SSID uses the "default"
# profile. It is bridged onto the defconf "bridge" (192.168.88.0/24), which is
# the only LAN-list member and therefore has full access to router services.
# Treat its key as a management credential.
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    CE:2D:E0:3F:F3:C9 master-interface=wlan-2-main-lan multicast-buffering=\
    disabled name=wlan-router ssid=MK-KhanNet wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-main-lan ranges=192.168.40.10-192.168.40.254
add name=pool-iot-lan ranges=192.168.30.10-192.168.30.254
add name=pool-guest-lan ranges=192.168.80.10-192.168.80.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-main-lan disabled=no interface=bridge-main-lan name=\
    dhcp-main-lan
add address-pool=pool-iot-lan disabled=no interface=bridge-iot-lan \
    lease-time=4d3h10m name=dhcp-iot-lan
add address-pool=pool-guest-lan disabled=no interface=bridge-guest-lan name=\
    dhcp-guest-lan
/interface bridge port
# ether2 and ether5 (the two ports reported as "not working") sit on the defconf
# "bridge" together with wlan-router; the other bridges hold the real segments.
add bridge=bridge comment=defconf interface=ether2-OPEN
add bridge=bridge-main-lan comment=defconf interface=ether3-WIN-WRKST
add bridge=bridge-main-lan comment=defconf interface=ether4-NAS
add bridge=bridge comment=defconf interface=ether5-VMLAB
add bridge=bridge-main-lan comment=defconf interface=wlan-2-main-lan
add bridge=bridge-main-lan comment=defconf interface=wlan-5-main-lan
add bridge=bridge interface=wlan-router
# vlan-main-lan is a sub-interface of ether3, which is already a port above.
add bridge=bridge-main-lan interface=vlan-main-lan
add bridge=bridge-iot-lan interface=wlan-iot
add bridge=bridge-guest-lan interface=wlan-guest
/interface bridge settings
# Required by the same-subnet "isolation" filter rules further down: bridged
# (intra-segment) traffic is otherwise never seen by /ip firewall filter.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether-WAN list=WAN
add interface=bridge-main-lan list=HOME-LAN
/ip address
# Two addresses on the same bridge: 192.168.88.1 (served by the defconf DHCP
# server) and a leftover 192.168.9.1 that no pool or DHCP server references.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.9.1/24 comment=defconf interface=bridge network=\
    192.168.9.0
add address=192.168.40.1/24 interface=bridge-main-lan network=192.168.40.0
add address=192.168.30.1/24 interface=bridge-iot-lan network=192.168.30.0
add address=192.168.80.1/24 interface=bridge-guest-lan network=192.168.80.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether-WAN use-peer-dns=no
/ip dhcp-server lease
add address=192.168.30.253 client-id=1:64:16:66:c:9a:d4 mac-address=\
    64:16:66:0C:9A:D4 server=dhcp-iot-lan
add address=192.168.30.252 client-id=1:18:b4:30:e8:98:9a mac-address=\
    18:B4:30:E8:98:9A server=dhcp-iot-lan
add address=192.168.40.251 client-id=1:f0:18:98:27:94:e mac-address=\
    F0:18:98:27:94:0E server=dhcp-main-lan
add address=192.168.30.250 client-id=1:7c:1c:4e:e9:68:26 mac-address=\
    7C:1C:4E:E9:68:26 server=dhcp-iot-lan
add address=192.168.30.249 mac-address=C8:3A:6B:17:3F:DA server=dhcp-iot-lan
add address=192.168.40.253 client-id=1:90:dd:5d:4a:c7:8a mac-address=\
    90:DD:5D:4A:C7:8A server=dhcp-main-lan
add address=192.168.40.252 client-id=1:4c:56:9d:1d:47:6a mac-address=\
    4C:56:9D:1D:47:6A server=dhcp-main-lan
/ip dhcp-server network
# The 192.168.9.0/24 entry has no matching pool or server; it is a stale remnant.
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.80.0/24 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip dns static
# The same name maps to two addresses; the second one belongs to the stale
# 192.168.9.0/24 network above.
add address=192.168.88.1 name=router.lan
add address=192.168.9.1 name=router.lan
add address=192.168.40.2 name=mynas
/ip firewall address-list
# Each range also contains its own gateway (.1) address.
add address=192.168.30.1-192.168.30.254 list=iot-clients
add address=192.168.80.1-192.168.80.254 list=guest-clients
add address=192.168.40.1-192.168.40.254 list=home-lan-clients
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# LAN holds only "bridge", so besides WAN this also drops new connections to
# the router from bridge-main-lan / bridge-iot-lan / bridge-guest-lan (DNS,
# Winbox, SSH on 192.168.40.1 etc.). DHCP itself should keep working, as the
# RouterOS DHCP server is generally not subject to this filter - confirm.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Same-subnet client isolation (iot->iot, guest->guest); the filter only sees
# this traffic because of use-ip-firewall=yes above. log=yes on a reject rule
# will be noisy on a busy segment.
add action=reject chain=forward comment="IOT Client Isolation" \
    dst-address-list=iot-clients log=yes reject-with=icmp-network-unreachable \
    src-address-list=iot-clients
add action=reject chain=forward comment="Guest LAN Client Isolation" \
    dst-address-list=guest-clients log=yes reject-with=\
    icmp-network-unreachable src-address-list=guest-clients
# SECURITY(review): these two rules are in chain=input, which only handles
# packets addressed to the router itself. IoT/guest traffic to hosts inside
# 192.168.40.0/24 is routed through chain=forward, where no rule above or
# below drops it, so the home LAN is NOT isolated from IoT or guests by this
# configuration. They need chain=forward (and a final forward drop).
add action=drop chain=input comment="Block IOT from Home LAN" dst-address=\
    192.168.40.0/24 log=yes src-address-list=iot-clients
add action=drop chain=input comment="Block Guest LAN from Home LAN" \
    dst-address=192.168.40.0/24 log=yes src-address-list=guest-clients
# Redundant: the "drop all not coming from LAN" rule above already drops every
# new connection arriving on ether-WAN. (Telnet is TCP only; the UDP/23 rule
# matches nothing real.)
add action=drop chain=input comment="Block DNS from WAN" dst-port=53 \
    in-interface=ether-WAN protocol=udp
add action=drop chain=input comment="Block DNS from WAN" dst-port=53 \
    in-interface=ether-WAN protocol=tcp
add action=drop chain=input comment="Block Telnet from WAN" dst-port=23 \
    in-interface=ether-WAN protocol=tcp
add action=drop chain=input comment="Block Telnet from WAN" dst-port=23 \
    in-interface=ether-WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=yes
/tool mac-server
# Both MAC-level services are limited to LAN, i.e. to the defconf "bridge" only.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 Ethernet ports not working on HAP AC2

Mon Mar 18, 2019 2:12 am

Suggest you clean up the config and use only one bridge. Much less confusing.
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: 2 Ethernet ports not working on HAP AC2

Wed Mar 20, 2019 7:49 pm

Suggest you clean up the config and use only one bridge. Much less confusing.
Yeah its really easy to walk away and resort to simplistic solutions, isn't it.
I have this configuration working perfectly on the HAP AC, so I know that this works. Plus this is what I need to have segmentation in my network and have multiple LANs.

Unless you were pointing me to another way of doing the same thing? Your answer isn't specific and does not contribute to anything useful. Care to elaborate?

Thanks
ZeeKay
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 Ethernet ports not working on HAP AC2

Wed Mar 20, 2019 10:03 pm

Suggest you clean up the config and use only one bridge. Much less confusing.
Yeah its really easy to walk away and resort to simplistic solutions, isn't it.
I have this configuration working perfectly on the HAP AC, so I know that this works. Plus this is what I need to have segmentation in my network and have multiple LANs.

Unless you were pointing me to another way of doing the same thing? Your answer isn't specific and does not contribute to anything useful. Care to elaborate?

Thanks
ZeeKay
Without a config I can only speculate and I leave that to the illogical and paranoid! ;-)
But if you insist, I suggest you plug in ethernet cables (with active devices on the other ends) to the disabled ports and they should come up right away. :-)
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: 2 Ethernet ports not working on HAP AC2

Thu Mar 21, 2019 12:19 am

Suggest you clean up the config and use only one bridge. Much less confusing.
Yeah its really easy to walk away and resort to simplistic solutions, isn't it.
I have this configuration working perfectly on the HAP AC, so I know that this works. Plus this is what I need to have segmentation in my network and have multiple LANs.

Unless you were pointing me to another way of doing the same thing? Your answer isn't specific and does not contribute to anything useful. Care to elaborate?

Thanks
ZeeKay
Without a config I can only speculate and I leave that to the illogical and paranoid! ;-)
But if you insist, I suggest you plug in ethernet cables (with active devices on the other ends) to the disabled ports and they should come up right away. :-)
Without a config? I hope you can see the entire config I posted here.
I plugged in the Ethernet with working computers in all ports to check. And they did not start working.
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 Ethernet ports not working on HAP AC2

Thu Mar 21, 2019 4:02 am

Had a brief look at your config.
Potential issues:

1. You have assigned two subnets to the same bridge, this is not good LOL
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.9.1/24 comment=defconf interface=bridge network=\
192.168.9.0

2. You have assigned VLAN40 to eth3, one of the bridge ports on the bridge, however there is no subnet defined for the vlan???
This leads to mass confusion as one asks if the VLAN is for the entire bridge (eth4 and both bridge wlans??) or just for eth3 port.

3. One bridge port setting for the bridge makes no sense to me....... add bridge=bridge interface=wlan-router???

4. The bridge port setting for the wlans on the bridge may require pvid settings if they are on vlan40 and certainly WLAN5 has that indication, so remove it from the wireless rule
and add it to the bridge port setting along with admit only untagged and priority tagged frames and ingress filtering=yes. Strangely wlan2 has no vlan 40 assignment? On purpose?

5. Where did this address line come from, its not tied to anything - no ip pool
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1????

well other than this and not sure this is an allowed designation
6. /ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.9.1 name=router.lan

7. You dont assign a vlan as Bridge port Interface.....
add bridge=bridge-main-lan interface=vlan-main-lan??

8. How do you intend to give WLAN IOT and WLAN GUEST their separate DHCP service? They are both virtual APs running off the 2.4 GHz radio, which is a port of the main-lan bridge.

My overall assessment stands, your config is a confusing mess and now more evidently full of errors.
Suggest a makeover is necessary. :-)
Use one bridge and create vlans for necessary subnets.
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: 2 Ethernet ports not working on HAP AC2

Thu Mar 21, 2019 11:24 pm

Had a brief look at your config.
Potential issues:

1. You have assigned two subnets to the same bridge, this is not good LOL
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.9.1/24 comment=defconf interface=bridge network=\
192.168.9.0

2. You have assigned VLAN40 to eth3, one of the bridge ports on the bridge, however there is no subnet defined for the vlan???
This leads to mass confusion as one asks if the VLAN is for the entire bridge (eth4 and both bridge wlans??) or just for eth3 port.

3. One bridge port setting for the bridge makes no sense to me....... add bridge=bridge interface=wlan-router???

4. The bridge port setting for the wlans on the bridge may require pvid settings if they are on vlan40 and certainly WLAN5 has that indication, so remove it from the wireless rule
and add it to the bridge port setting along with admit only untagged and priority tagged frames and ingress filtering=yes. Strangely wlan2 has no vlan 40 assignment? On purpose?

5. Where did this address line come from, its not tied to anything - no ip pool
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1????

well other than this and not sure this is an allowed designation
6. /ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.9.1 name=router.lan

7. You dont assign a vlan as Bridge port Interface.....
add bridge=bridge-main-lan interface=vlan-main-lan??

8. How do you intend to give WLAN IOT and WLAN GUEST their separate DHCP service? They are both virtual APs running off the 2.4 GHz radio, which is a port of the main-lan bridge.

My overall assessment stands, your config is a confusing mess and now more evidently full of errors.
Suggest a makeover is necessary. :-)
Use one bridge and create vlans for necessary subnets.
Ok so first of all thank for taking the time to go through the config. It wasn't an easy question to ask.
I was trying to create a home networking setup with three different subnets that are selectively allowed to talk to each other. Here is a diagram of the network I was trying to implement https://imgur.com/a/8Gigo1y.

As you can see, I want three different subnets for specific purpose as shown. I'm not a networking guru, everything I learned about RouterOS was by watching YouTube videos. Most of the videos are not in English, so I found only one series that was good and explained MikroTik configurations in easy to understand language: https://www.youtube.com/watch?v=1ZJ-pM89N7o

If I don't create one bridge per subnet as shown in the config, then how can I create the separate subnets I need?

Thanks in advance!
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 Ethernet ports not working on HAP AC2

Fri Mar 22, 2019 1:39 am

No worries, I am you, just sitting in a different chair in a different country LOL.
This article should be considered the bible with good examples.
viewtopic.php?f=13&t=143620

Okay a couple of things from your diagram.
Dont use VLAN1 lets make it vlan10
Why is your VM vlan the same as a guest wifi-vlan?
Assuming you want your homevlan network to include the 2K photo and NAS?
Assuming that the switch you have is a managed switch?
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 Ethernet ports not working on HAP AC2  [SOLVED]

Fri Mar 22, 2019 1:53 am

1 - One bridge, call it home-bridge
2 - Four VLANs, Vlan2-home, Vlan3-Guest, Vlan4-VM, Vlan10-iot with interface being the bridge
3 - Router config Trunk Port ether1 (all vlans tagged)
4 - Switch config Trunk Port ether1 from router (tagged with all VLANs), Trunk port ether2 to WAP(tagged with VLANs 2,3,10), Access port ether3 to 2K (vlan2), Access port ether4 to NAS(vlan2), Access port ether5 to VM(vlan4)

Networks required for
Home subnet - with interface vlan2
Guest subnet - with interface vlan3
VM subnet -with interface vlan4
iot subnet - with interface vlan10

WAP (use default AP-wisp mode)
Create Bridge - call it wifi-bridge
Create vlans 2,3,10 with interface wifi-bridge
Bridge ports- are
wlan1 for home WIFI, pvid=2 allow untagged priority packets ingress filtering=yes
wlan2 for iot-wifi pvid=10 allow untagged priority packets ingress filtering=yes
wlan3 (if you have three chains) if not suggest you create a virtual AP using the home wifi wlan1 as the master interface.
pvid=3 allow untagged priority packets ingress filtering=yes
Bridge interface vlans
one line for vlan2 id untagged is WLAN1, tagged is bridge
one line for vlan3 id untagged is WLAN2, tagged is bridge
one line for vlan10 id untagged is WLAN3, tagged is bridge

That with the article should get you to a happier place.
When done all you can post your config
/export hide-sensitive file=yourconfigmar21
dont forget to use safe mode
and the last step is to go to bridge and enable vlan filtering
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: 2 Ethernet ports not working on HAP AC2

Sun Mar 24, 2019 9:40 pm

1 - One bridge, call it home-bridge
2 - Four VLANs, Vlan2-home, Vlan3-Guest, Vlan4-VM, Vlan10-iot with interface being the bridge
3 - Router config Trunk Port ether1 (all vlans tagged)
4 - Switch config Trunk Port ether1 from router (tagged with all VLANs), Trunk port ether2 to WAP(tagged with VLANs 2,3,10), Access port ether3 to 2K (vlan2), Access port ether4 to NAS(vlan2), Access port ether5 to VM(vlan4)

Networks required for
Home subnet - with interface vlan2
Guest subnet - with interface vlan3
VM subnet -with interface vlan4
iot subnet - with interface vlan10

WAP (use default AP-wisp mode)
Create Bridge - call it wifi-bridge
Create vlans 2,3,10 with interface wifi-bridge
Bridge ports- are
wlan1 for home WIFI, pvid=2 allow untagged priority packets ingress filtering=yes
wlan2 for iot-wifi pvid=10 allow untagged priority packets ingress filtering=yes
wlan3 (if you have three chains) if not suggest you create a virtual AP using the home wifi wlan1 as the master interface.
pvid=3 allow untagged priority packets ingress filtering=yes
Bridge interface vlans
one line for vlan2 id untagged is WLAN1, tagged is bridge
one line for vlan3 id untagged is WLAN2, tagged is bridge
one line for vlan10 id untagged is WLAN3, tagged is bridge

That with the article should get you to a happier place.
When done all you can post your config
/export hide-sensitive file=yourconfigmar21
dont forget to use safe mode
and the last step is to go to bridge and enable vlan filtering


Ok, I did exactly that. Thank you for pointing me to those pages with the configuration examples. Honestly, I didn't understand why I would need one bridge rather than two or three. I still don't fully, but I now have clean separation configured one way. Look at my config at the bottom and let me know what you think. Also, check out the diagram I made that shows the topology of my config: https://imgur.com/a/XyZxwMV

IMG_9924.JPG


So this setup is working fine now. But I do have a few questions that I want to ask and some things I want to tinker with. So I'd appreciate if you can provide some guidance:
  • In the example article viewtopic.php?f=13&t=143620 I took the second example and created my config using the RouterSwitchAP.rsc file. I don't quite understand why this configuration is needed. I'm thinking that this might be a management LAN, but I don't see any IP addresses being assigned in the 192.168.0.x range anywhere.
    #######################################
    # IP Addressing & Routing
    #######################################
    
    # LAN facing router's IP address on a BASE_VLAN
    # (review) In the article this is the management ("base") VLAN: the router
    # owns an address on it so that a port or SSID made untagged with pvid=99
    # reaches the router there, independent of the user VLANs. The 192.168.0.x
    # values are the article's; the poster's export below uses 192.168.99.x for
    # the same role, but no bridge port there carries VLAN 99 yet.
    /interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
    /ip address add address=192.168.0.1/24 interface=BASE_VLAN
    
  • As you can see from my diagram that I now have a switch connected into ether5. Right now this switch is just another device on the router connected to VLAN 50. So any device I plug into the switch will be on VLAN 50 as well. That is fine. But how would I configure this so that each port on the switch can be on specific VLAN? Like port 2 on VLAN 10, port 3 on VLAN 50, port 4 on VLAN 70 etc? I have to follow the first example here, I know, but its now going above my understanding of configuration of routers and switches :D I had to study what is PVID and why its necessary. I'm not coming from a deep network config background. Maybe I'll add another VLAN aware switch on ether2 on router for this for clean config. But I still need to know how to do this.
  • How do I limit Winbox and SSH to specific ether port & WLAN SSID on the router? I don't want people being able to connect to my master config from anywhere.
  • How do I allow SSH and network traffic from VLAN 10 (HOME_VLAN) to be able to go into other VLANs but block from other VLANs to go into any other VLAN? Right now I cannot go into any other VLAN, the cross VLAN traffic is blocked by firewall. I want to selectively allow it.
  • How do I block all traffic originating outside from WAN to come into my networks? Is this already the case? If yes, how is this controlled?
I don't know why my config says the Ethernet ports are locked at 100Mbps. I did no such thing. How do I lift this limitation?
    /interface ethernet
    # (review) speed= only takes effect together with auto-negotiation=no,
    # which is not set on any of these lines, so the ports still negotiate.
    # "/interface ethernet monitor ether2-OPEN once" shows the actual rate.
    set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
    set [ find default-name=ether2 ] name=ether2-OPEN speed=100Mbps
    set [ find default-name=ether3 ] name=ether3-WIN-WRKST speed=100Mbps
    set [ find default-name=ether4 ] name=ether4-NAS speed=100Mbps
    set [ find default-name=ether5 ] name=ether5-SWITCH speed=100Mbps
    

Thanks in advance for the support. Please point me to more articles examples of MikroTik config.

My Full Config

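# mar/24/2019 14:41:15 by RouterOS 6.44.1
# software id = N505-56PM
#
# model = RBD52G-5HacD2HnD
# serial number = A97A0A3850DD
#
# Single-bridge, vlan-filtering rebuild of the earlier four-bridge config.
# Lines changed from the posted export are marked FIX; advice that is not
# applied here is marked NOTE(review).
/interface bridge
# protocol-mode=none switches STP off; acceptable only while no two ports of
# BR1 can ever be looped back through the downstream switch.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
# speed= only takes effect together with auto-negotiation=no, which is not set
# here, so the ports still negotiate. Check the real rate with
# "/interface ethernet monitor ether2-OPEN once" and drop speed=100Mbps.
set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-OPEN speed=100Mbps
set [ find default-name=ether3 ] name=ether3-WIN-WRKST speed=100Mbps
set [ find default-name=ether4 ] name=ether4-NAS speed=100Mbps
set [ find default-name=ether5 ] name=ether5-SWITCH speed=100Mbps
/interface vlan
# L3 VLAN interfaces sit on the bridge itself, which is the tagged member of
# every VLAN in /interface bridge vlan below.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=70
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=IOT_VLAN vlan-id=80
add interface=BR1 name=SW_VLAN vlan-id=50
/interface list
add name=WAN
# NOTE(review): LAN has no members in this export. /tool mac-server,
# /tool mac-server mac-winbox and /ip neighbor discovery-settings are not in
# the export either (defaults apply); the earlier config restricted them to an
# interface list - do the same with a list holding only HOME_VLAN and BASE_VLAN.
add name=LAN
add name=VLAN
/interface wireless security-profiles
# Keys are hidden by "/export hide-sensitive". All profiles are WPA2-PSK; the
# three custom ones allow 802.11w management-frame protection.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=home-user supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=iot-user supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=guest-user supplicant-identity=""
/interface wireless
# FIX: wps-mode=disabled added to both physical radios. The export did not set
# it, leaving the board default in force, while every virtual AP already has it.
set [ find default-name=wlan1 ] disabled=no frequency=auto hide-ssid=yes \
    mode=ap-bridge name=wlan-2-home-lan security-profile=home-user ssid=\
    BlahBlahHome wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no frequency=auto hide-ssid=yes \
    mode=ap-bridge name=wlan-5-home-lan security-profile=home-user ssid=\
    BlahBlahHome5 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    76:4D:28:0C:BB:6E master-interface=wlan-2-home-lan multicast-buffering=\
    disabled name=wlan-guest security-profile=guest-user ssid=BlahBlahGuest \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    76:4D:28:0C:BB:6F master-interface=wlan-2-home-lan multicast-buffering=\
    disabled name=wlan-iot security-profile=iot-user ssid=BlahBlahD \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# NOTE(review): wlan-router has no security-profile (so it uses "default") and
# is not a port of BR1, i.e. it is on no VLAN: clients can associate but reach
# nothing. Either give it a profile with a strong key plus pvid=99 and a
# VLAN-99 untagged entry (making it the management SSID), or set disabled=yes.
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    76:4D:28:0C:BB:70 master-interface=wlan-2-home-lan multicast-buffering=\
    disabled name=wlan-router ssid=MK-BlahBlah wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=HOME_POOL ranges=10.0.10.10-10.0.10.254
add name=GUEST_POOL ranges=10.0.70.10-10.0.70.254
add name=IOT_POOL ranges=10.0.80.10-10.0.80.254
add name=SW_POOL ranges=10.0.50.10-10.0.50.254
add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
# One DHCP server per L3 VLAN interface.
add address-pool=HOME_POOL disabled=no interface=HOME_VLAN name=HOME_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=SW_POOL disabled=no interface=SW_VLAN name=SW_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
# Access ports: only untagged / priority-tagged frames are admitted and they are
# placed in the port's pvid; a tagged frame from a client is dropped.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2-OPEN pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3-WIN-WRKST pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4-NAS pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-2-home-lan pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-5-home-lan pvid=10
# ether5 is a plain access port in VLAN 50; the downstream switch would need a
# tagged (trunk) entry here and frame-types=admit-all to carry several VLANs.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5-SWITCH pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-guest pvid=70
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-iot pvid=80
/interface bridge vlan
# BR1 is the tagged member of each VLAN so the /interface vlan interfaces above
# receive it. VLAN 99 (BASE_VLAN) has no entry and no port, so the management
# address on it is reachable from the router only.
add bridge=BR1 tagged=BR1 untagged=\
    ether2-OPEN,ether3-WIN-WRKST,ether4-NAS,wlan-2-home-lan,wlan-5-home-lan \
    vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether5-SWITCH vlan-ids=50
add bridge=BR1 tagged=BR1 untagged=wlan-guest vlan-ids=70
add bridge=BR1 tagged=BR1 untagged=wlan-iot vlan-ids=80
/interface list member
add interface=ether1-WAN list=WAN
# VLAN holds every segment, GUEST and IOT included; the input-chain accept for
# this list therefore also grants guests access to router services.
add interface=BASE_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=SW_VLAN list=VLAN
/ip address
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
# Static WAN address behind an upstream 192.168.1.1 router (double NAT).
add address=192.168.1.10/24 interface=ether1-WAN network=192.168.1.0
add address=10.0.10.1/24 interface=HOME_VLAN network=10.0.10.0
add address=10.0.70.1/24 interface=GUEST_VLAN network=10.0.70.0
add address=10.0.80.1/24 interface=IOT_VLAN network=10.0.80.0
add address=10.0.50.1/24 interface=SW_VLAN network=10.0.50.0
/ip dhcp-server lease
add address=10.0.10.253 client-id=1:0:11:32:94:b7:83 mac-address=\
    00:11:32:94:B7:83 server=HOME_DHCP
add address=10.0.50.2 client-id=1:b0:be:76:9d:84:e2 mac-address=\
    B0:BE:76:9D:84:E2 server=SW_DHCP
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.50.0/24 gateway=10.0.50.1
add address=10.0.70.0/24 gateway=10.0.70.1
add address=10.0.80.0/24 gateway=10.0.80.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
# allow-remote-requests is not set (default: no), so the router is not a
# resolver for clients; with no dns-server in the DHCP networks above, DHCP
# should hand these upstream servers straight to the clients - verify on one.
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
# Matches everything and accepts nothing: only a counter. No fasttrack rule
# exists in this chain, so the name is historical.
add action=passthrough chain=forward comment=\
    "Dummy rule to show fasttrack counters"
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# NOTE(review): every VLAN, GUEST and IOT included, may open new connections to
# the router itself (SSH, Winbox, www, DNS, ...). To confine management to
# HOME_VLAN and BASE_VLAN: accept only udp/53 and udp/67 from list VLAN here,
# and add an unrestricted accept from an interface list holding just those two.
add action=accept chain=input comment=\
    "Allow VLANs to access router services like DNS, Winbox" \
    in-interface-list=VLAN
# No connection-state matcher: this is the catch-all drop of the input chain,
# which is what keeps ether1-WAN out. Nothing placed after it in this chain can
# ever match.
add action=drop chain=input comment="Drop Invalid"
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# New connections are permitted VLAN -> WAN only; inter-VLAN traffic falls to
# the catch-all drop below. To let HOME_VLAN initiate into the other VLANs,
# insert before that drop: chain=forward in-interface=HOME_VLAN
# out-interface-list=VLAN connection-state=new action=accept.
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Catch-all drop of the forward chain (also what blocks WAN -> LAN).
add action=drop chain=forward comment="Drop Invalid"
# FIX: these four rules were action=accept although their comments say
# "Block". They are unreachable behind the input catch-all above either way,
# but an accept here would silently expose DNS and Telnet on the WAN side the
# moment that rule is moved or removed. (Telnet is TCP only; udp/23 is inert.)
add action=drop chain=input comment="Block DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block Telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block Telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Block DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Default Masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
/ip ssh
# FIX: allow-none-crypto=yes let an SSH client negotiate the "none" cipher,
# i.e. an unencrypted management session. It is turned off and strong-crypto
# is enabled. Limiting Winbox/SSH to particular subnets is done in /ip service
# (address=...) and by disabling telnet/ftp/api there; that is not part of this
# export and is left to the operator.
set allow-none-crypto=no strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=BlahBlahRouterSwitchAP
/system routerboard settings
set silent-boot=yes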
