MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Switching to new ISP-ROS script for bridge+VLAN+static IP please

Wed May 08, 2019 3:25 pm

Hi,

I know that this topic has probably been done to death, but after reading (and trying) a lot of ideas from posts and wikis, I am not getting very far.

We are switching to a new ISP that requires VLAN-ID=100 for internet and a /30 static IP address (for EoIP).
This is my first introduction to VLANs with Mikrotik (small businesses so far) and I will be the first to admit that I am just not understanding how RouterOS is handling this.

So if someone can help me with the appropriate scripting, would be appreciated.

- Hex S v6.41.x
- WAN Static IP: 127.133.60.14/30
- WAN Gateway IP: 127.133.60.13
- eth1 WAN
- LAN IP: 192.168.1.1/24
- eth2 LAN
- eth3-5 other parts of the network
- currently bridge on all ports (except WAN)

Thanks,
Rob
 
mkx
Forum Guru
Posts: 2484
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Wed May 08, 2019 4:00 pm

You can handle the other parts of network as if nothing changed. For the WAN part, these steps should do:
  1. remove ether1 port from bridge if it is part of it now (by default it's not part of it anyway)
  2. remove any configuration touching ether1 (IP address, DHCP client, interface list membership)
  3. add VLAN configuration to ether1:
    /interface vlan
    add interface=ether1 name=WAN_vlan100 vlan-id=100
    
  4. add IP config to the VLAN interface (created in previous step)
    /ip address
    add address=127.133.60.14/30 interface=WAN_vlan100
    /ip route
    add dst-address=0.0.0.0/0 gateway=127.133.60.13
    
    and adjust interface list membership
    /interface list member
    add interface=WAN_vlan100 list=WAN
    

If your router is configured according to current ROS defaults for SOHO devices (enabled firewall, extensive use of interface lists), then you're almost done.

If your router was heavily customized, then you have to review and adjust the firewall filter rules before plugging it into the ISP line. Check the NAT rules as well.
BR,
Metod
 
sindy
Forum Guru
Posts: 3533
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Wed May 08, 2019 4:05 pm

Will you be using VLANs anywhere else in your setup, and will your interface looking towards the ISP equipment be involved in any way to other VLANs than the required one? Like IPTV broadcasting via some other VLAN on the same interface, connection to your other branch offices provided by the ISP via some other VLAN on the same interface, ...?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Wed May 08, 2019 4:10 pm

Thanks both for the replies.

mkx,
I think that you might have nailed it with 'interface list membership', will have to try that tomorrow and let you know how it goes.

Sindy,
At the moment I just need the ISP-facing VLAN, but might want to do other VLANs later - do you have another script suggestion?

Thanks again,
Rob
 
sindy
Forum Guru
Posts: 3533
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Wed May 08, 2019 4:33 pm

At the moment I just need the ISP-facing VLAN, but might want to do other VLANs later - do you have another script suggestion?
For "at the moment", I would have suggested the same as Metod did, but experience has taught me to always think about "later"; that's why I asked first. hEX S makes some directions of thinking useless due to the poor feature set of the switch chip, but you still have to think about CPU load. In particular: making ether1 a member of the same bridge as the other ether interfaces would be a waste of CPU in the "at the moment" case. But if "later" eventually includes a need to have the same VLAN on ether1 and some other ether, using a separate bridge to forward that VLAN between ether1 and the other ether, if these two ethers weren't member ports of the same bridge, would be an even bigger waste of CPU.
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Wed May 08, 2019 4:49 pm

Thanks for the reply sindy,

Let me get it working first, then I can experiment with other options.

Will let you know how it goes.
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 7:58 am

Hi all,

Thanks for the previous replies - it does connect now, but it doesn't appear to use the firewall rules, so I have disconnected it for now.

Applicable config below:
# may/13/2019 14:48:03 by RouterOS 6.44.3
/interface bridge
add admin-mac=XXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1 speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface vlan
add interface=ether1 name=WAN_vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcpClients ranges=192.168.1.101-192.168.1.129
/ip dhcp-server
add address-pool=dhcpClients disabled=no interface=bridge lease-time=12h name=serverDhcpClients
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=WAN_vlan100 pvid=100
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=WAN_vlan100 list=WAN
/ip address
add address=192.168.1.1/24 comment=ROUTER-GWPRIMARY-1-IP interface=bridge network=192.168.1.0
add address=127.133.60.14/30 interface=WAN_vlan100 network=127.133.60.12
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=dummy gateway=192.168.1.1
/ip dns
set allow-remote-requests=no cache-size=5000KiB max-udp-packet-size=512 servers=203.50.2.71,139.130.4.4,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router-gwprimary-1 ttl=18w2d
/ip firewall address-list
add address=192.168.0.0/23 comment="Local network" list=LOCAL_NETWORK
...
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
...
add action=drop chain=forward comment="Forward allow devnuc 80" dst-port=80 in-interface=ether1 protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
...
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQ ether1" out-interface=bridge
/ip route
add comment=ROUTE-GWPRIMARY distance=1 gateway=127.133.60.13
Thanks
 
sindy
Forum Guru
Posts: 3533
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 8:12 am

You have a mix of default and your own rules in the firewall, so some refer to interface-list WAN and some to interface ether1. I'd recommend replacing all occurrences of interface ether1 in the firewall rules with interface-list WAN, and replacing ether1 with WAN_vlan100 as a member of interface-list WAN.
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 10:13 am

You have a mix of default and your own rules in the firewall, so some refer to interface-list WAN and some to interface ether1. I'd recommend replacing all occurrences of interface ether1 in the firewall rules with interface-list WAN, and replacing ether1 with WAN_vlan100 as a member of interface-list WAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=WAN_vlan100 list=WAN
43 ;;; Forward allow conf
chain=forward action=drop protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST in-interface-list=WAN dst-port=2663

16 ;;; conf-2663
chain=dstnat action=dst-nat to-addresses=192.168.1.16 to-ports=2663 protocol=tcp in-interface-list=WAN
dst-port=2663

..no forward connection or /ip firewall filter print stats

..sorry, guess I am missing something here..
 
sindy
Forum Guru
Posts: 3533
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 11:42 am

Post the whole config; the order of lines in the firewall matters, so nothing can be concluded from a single line. See my automatic signature for hints on anonymization.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 11:49 am

entire config:
# may/13/2019 10:03:08 by RouterOS 6.41.3
# software id = B62N-5JPG
#
# model = RB760iGS
# serial number = 976E09E5FAF4
/interface bridge
add admin-mac=B8:69:F4:01:B8:9F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "NBN" mac-address=B8:69:F4:01:B8:9E \
    name=ETHCU1
set [ find default-name=ether2 ] mac-address=B8:69:F4:01:B8:9F
set [ find default-name=ether3 ] mac-address=B8:69:F4:01:B8:A0
set [ find default-name=ether4 ] mac-address=B8:69:F4:01:B8:A1
set [ find default-name=ether5 ] mac-address=B8:69:F4:01:B8:A2
set [ find default-name=sfp1 ] mac-address=B8:69:F4:01:B8:A3
/interface vlan
add interface=ETHCU1 name=WAN_vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcpClients ranges=192.168.1.101-192.168.1.129
/ip dhcp-server
add address-pool=dhcpClients disabled=no interface=bridge lease-time=12h name=\
    serverDhcpClients
/snmp community
set [ find default=yes ] addresses=192.168.1.11/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=WAN_vlan100 pvid=100
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=WAN_vlan100 list=WAN
/ip address
add address=192.168.1.243/24 comment="Local IP" interface=bridge network=192.168.1.0
add address=192.168.1.1/24 comment=ROUTER-GWPRIMARY-1-IP interface=bridge network=192.168.1.0
add address=192.168.88.1 comment=ROUTER-PROGRAMMING-88.1 interface=bridge network=\
    192.168.88.1
add address=27.33.60.14/30 interface=WAN_vlan100 network=27.33.60.12
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ETHCU1
/ip dhcp-server lease
add address=192.168.1.3 comment=airport-3 mac-address=78:CA:39:FB:95:AC
add address=192.168.1.21 comment=desktop-studio-audio mac-address=40:6C:8F:B7:AC:A8
add address=192.168.1.22 comment=desktop-studio-audio-wifi mac-address=28:37:37:0B:2D:8C
add address=192.168.1.23 comment=desktop-studio-admin mac-address=00:17:F2:02:36:FC
add address=192.168.1.41 comment=desktop-jeff-imac mac-address=0C:4D:E9:C8:FC:75
add address=192.168.1.42 comment=desktop-jeff-imac-wifi mac-address=88:63:DF:AF:2D:FB
add address=192.168.1.45 comment=desktop-piera-imac mac-address=AC:87:A3:12:69:EC
add address=192.168.1.46 comment=desktop-piera-imac-wifi mac-address=88:63:DF:CE:DF:9F
add address=192.168.1.91 comment=centosvm68 mac-address=00:1C:42:0B:43:EC
add address=192.168.1.97 comment=hare2-wifi mac-address=C8:BC:C8:E7:58:81
add address=192.168.1.99 comment=hare-i7 mac-address=F4:5C:89:91:E2:89
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=jtp.local gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=\
    203.50.2.71,139.130.4.4,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router-gwprimary-1.jtp.office ttl=18w2d
add address=192.168.1.1 name=router.jtp.office ttl=18w2d
add address=192.168.1.1 name=jtp.phantomproducer.com ttl=18w2d
add address=192.168.1.3 name=airport-3.jtp.office ttl=18w2d
add address=192.168.1.11 name=devnuc.jtp.office ttl=18w2d
add address=192.168.1.11 name=devnuc.phantomproducer.com ttl=18w2d
add address=192.168.1.16 name=opsnuc.phantomproducer.com ttl=18w2d
add address=192.168.1.16 name=opsnuc.jtp.office ttl=18w2d
add address=192.168.1.16 name=ops.phantomproducer.com ttl=18w2d
add address=192.168.1.21 name=desktop-studio-audio.jtp.office ttl=18w2d
add address=192.168.1.22 name=desktop-studio-audio-wifi.jtp.office ttl=18w2d
add address=192.168.1.23 name=desktop-studio-admin.jtp.office ttl=18w2d
add address=192.168.1.41 name=desktop-jeff-imac.jtp.office ttl=18w2d
add address=192.168.1.42 name=desktop-jeff-imac-wifi.jtp.office ttl=18w2d
add address=192.168.1.43 name=laptop-jeff.jtp.office ttl=18w2d
add address=192.168.1.44 name=laptop-jeff-wifi.jtp.office ttl=18w2d
add address=192.168.1.45 name=desktop-piera-imac.jtp.office ttl=18w2d
add address=192.168.1.46 name=desktop-piera-imac-wifi.jtp.office ttl=18w2d
add address=192.168.1.91 name=centosvm68.jtp.office ttl=18w2d
add address=192.168.1.97 name=hare2-wifi.jtp.office ttl=18w2d
add address=192.168.1.99 name=hare-i7.jtp.office ttl=18w2d
add address=192.168.1.99 name=dev.and.phantomproducer.jtp.office ttl=18w2d
add address=192.168.1.99 name=dev-hare-old.phantomproducer.com ttl=18w2d
add address=192.168.1.99 name=dev-hare-cruncher1.phantomproducer.com ttl=18w2d
add address=192.168.1.99 name=dev-hare-api.phantomproducer.com ttl=18w2d
add address=192.168.1.99 name=dev-hare-my.phantomproducer.com ttl=18w2d
add address=192.168.1.99 name=dev-hare-www.phantomproducer.com ttl=18w2d
add address=192.168.1.99 name=dev-hare-ppweb.phantomproducer.com ttl=18w2d
add address=192.168.1.11 name=dev-old.phantomproducer.com ttl=30m
add address=192.168.1.11 name=dev-api.phantomproducer.com ttl=30m
add address=192.168.1.11 name=dev-cruncher.phantomproducer.com ttl=30m
add address=192.168.1.99 name=dev-and.phantomproducer.com ttl=18w2d
add address=192.168.1.11 name=dev2-www.phantomproducer.com ttl=30m
add address=192.168.1.11 name=dev-my.phantomproducer.com ttl=30m
add address=192.168.1.11 name=dev-www.phantomproducer.com ttl=30m
add address=192.168.1.11 name=dev-ppweb.phantomproducer.com ttl=30m
add address=192.168.1.11 name=dev-www.killerhertz.com ttl=30m
add address=192.168.1.99 name=dev-hare-www.killerhertz.com ttl=18w2d
add address=192.168.1.11 name=jenk.phantomproducer.com ttl=30m
add address=192.168.1.11 name=graf.phantomproducer.com ttl=30m
add address=192.168.1.16 name=ops-www.phantomproducer.com ttl=30m
add address=192.168.1.16 name=jira.phantomproducer.com ttl=30m
add address=192.168.1.16 name=conf.phantomproducer.com ttl=30m
add address=192.168.1.16 name=nfsn.phantomproducer.com ttl=30m
add address=192.168.1.16 name=onms.phantomproducer.com ttl=30m
/ip firewall address-list
add address=192.168.0.0/23 comment="Local network-TRUSTED" list=TRUSTED_ACCESS_LIST
add address=192.168.0.0/23 comment="Local network" list=LOCAL_NETWORK
add address=14.202.176.48 comment=TRUSTED_ACCESS_LIST-RRG list=TRUSTED_ACCESS_LIST
add address=14.202.176.48 comment=SYSADMIN_ACCESS_LIST-RRG list=SYSADMIN_ACCESS_LIST
add address=50.18.201.134 comment="SYSADMIN_ACCESS_LIST-Phantom temp" list=\
    SYSADMIN_ACCESS_LIST
add address=52.9.119.145 comment="SYSADMIN_ACCESS_LIST-khz temp" list=SYSADMIN_ACCESS_LIST
add address=52.9.94.67 comment=OpenNMS-phantomproducer.com-cruncher0001 list=\
    SYSADMIN_ACCESS_LIST
add address=192.168.1.11 comment=SYSADMIN_ACCESS_LIST list=SYSADMIN_ACCESS_LIST
add address=50.18.201.134 comment="Rate limited-phantomproducer.com-primary" list=\
    RL_PHAN_WEBSITES
add address=52.9.119.145 comment="Rate limited-killerhertz.com-primary" list=RL_PHAN_WEBSITES
add address=107.21.126.167 list=DROPBOX
add address=54.221.249.127 list=DROPBOX
add address=50.19.125.179 list=DROPBOX
add address=174.129.26.151 list=DROPBOX
add address=14.202.176.48 comment=DEVWEB_ACCESS_LIST-RRG list=DEVWEB_ACCESS_LIST
add address=101.190.55.165 comment="DEVWEB_ACCESS_LIST-JT Home" list=DEVWEB_ACCESS_LIST
add address=58.173.131.206 comment="DEVWEB_ACCESS_LIST-Adz home" list=DEVWEB_ACCESS_LIST
add address=101.190.0.0/16 comment="DEVWEB_ACCESS_LIST-Jeff home temp" list=\
    DEVWEB_ACCESS_LIST
add address=110.145.250.54 comment="DEVWEB_ACCESS_LIST-Jeff travel temp" list=\
    DEVWEB_ACCESS_LIST
add address=14.202.176.48 comment=WHITELIST_SSH-RRG list=WHITELIST_SSH
add address=192.168.0.0/23 comment="WHITELIST_SSH-Local network" list=WHITELIST_SSH
add address=58.108.167.24 comment="WHITELIST_SSH-Adz home" list=WHITELIST_SSH
add address=14.202.176.48 comment=WHITELIST_FTP-RRG list=WHITELIST_FTP
add address=50.18.201.134 comment=WHITELIST_FTP-phantom list=WHITELIST_FTP
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow access to router from known networks and remote servers" \
    src-address-list=TRUSTED_ACCESS_LIST
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add chain=forward connection-state=established
add action=drop chain=forward connection-state=invalid
add chain=output connection-state=established
add chain=output connection-state=related
add action=drop chain=output connection-state=invalid
add action=drop chain=input src-address-list=BLACKLIST_BOGONS
add action=drop chain=input src-address-list=BLACKLIST_MANUAL
add action=drop chain=input src-address-list=BLACKLIST_FAIL2BAN
add action=drop chain=forward src-address-list=BLACKLIST_BOGONS
add action=drop chain=forward src-address-list=BLACKLIST_MANUAL
add action=drop chain=forward src-address-list=BLACKLIST_FAIL2BAN
add action=drop chain=forward comment="Forward allow devnuc 80" dst-port=80 in-interface=\
    ETHCU1 protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
add action=drop chain=forward comment="Forward allow devnuc 443" dst-port=443 in-interface=\
    ETHCU1 protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
add action=drop chain=forward comment="Forward allow SYSADMIN to - onms.phantomproducer.com" \
    dst-port=8980 in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment=\
    "Forward allow minions to - onms.phantomproducer.com:8981" dst-port=8981 in-interface=\
    ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment=\
    "Forward allow minions/ActiveMQ to - onms.phantomproducer.com:61616" dst-port=61616 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment=\
    "Forward allow minions/ActiveMQ to - onms.phantomproducer.com:8443" dst-port=8443 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment="forward-drop dst-port=22,222,223 !WHITELIST_SSH" \
    dst-port=22,222,223 in-bridge-port=WAN_vlan100 protocol=tcp src-address-list=\
    !WHITELIST_SSH
add action=drop chain=forward comment="forward-drop dst-port=20,21 !WHITELIST_FTP" dst-port=\
    20,21 in-interface=ETHCU1 protocol=tcp src-address-list=!WHITELIST_FTP
add action=drop chain=forward comment="Forward allow jenk.phantom" dst-port=5365 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
add action=drop chain=forward comment="Forward allow graf.phantom" dst-port=3000 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment="Forward allow postgres" dst-port=5432 in-interface=\
    ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment="Forward allow elasticsearch-ui" dst-port=5601 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment="Forward allow elasticsearch" dst-port=9200 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment="Forward allow nfsen.phantom" dst-port=6376 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!SYSADMIN_ACCESS_LIST
add action=drop chain=forward comment="Forward allow jira.phantom" dst-port=5472 \
    in-interface=bridge protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
add action=drop chain=forward comment="Forward allow conf.phantom" dst-port=2663 \
    in-interface=ETHCU1 protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="MASQ ETHCU1" out-interface=bridge
add action=dst-nat chain=dstnat comment="SSH to .11-22" dst-port=22 in-interface=ETHCU1 log=\
    yes protocol=tcp to-addresses=192.168.1.11 to-ports=22
add action=dst-nat chain=dstnat comment="SSH to .11-222" dst-port=222 in-interface=bridge \
    log=yes protocol=tcp to-addresses=192.168.1.11 to-ports=222
add action=dst-nat chain=dstnat comment=devnuc-80 dst-port=80 in-interface=ETHCU1 protocol=\
    tcp to-addresses=192.168.1.11 to-ports=80
add action=dst-nat chain=dstnat comment=devnuc-443 dst-port=443 in-interface=ETHCU1 protocol=\
    tcp to-addresses=192.168.1.11 to-ports=443
add action=dst-nat chain=dstnat comment="devnuc-ftp temp-20" dst-port=20 in-interface=ETHCU1 \
    protocol=tcp to-addresses=192.168.1.11 to-ports=20
add action=dst-nat chain=dstnat comment="devnuc-ftp temp-21" dst-port=21 in-interface=ETHCU1 \
    protocol=tcp to-addresses=192.168.1.11 to-ports=21
add action=dst-nat chain=dstnat comment=jenkins-5365 dst-port=5365 in-interface=ETHCU1 \
    protocol=tcp to-addresses=192.168.1.11 to-ports=5365
add action=dst-nat chain=dstnat comment=service-grafana-3000 dst-port=3000 in-interface=\
    ETHCU1 protocol=tcp to-addresses=192.168.1.11 to-ports=3000
add action=dst-nat chain=dstnat comment=PostGres-5432 dst-port=5432 in-interface=ETHCU1 \
    protocol=tcp to-addresses=192.168.1.11 to-ports=5432
add action=dst-nat chain=dstnat comment=opsnuc-jira-5472 dst-port=5472 in-interface=ETHCU1 \
    protocol=tcp to-addresses=192.168.1.16 to-ports=5472
add action=dst-nat chain=dstnat comment=opsnuc-confluence-2663 dst-port=2663 in-interface=\
    ETHCU1 protocol=tcp to-addresses=192.168.1.16 to-ports=2663
add action=dst-nat chain=dstnat comment=opsnuc-nfsen-6376 dst-port=6376 in-interface=ETHCU1 \
    protocol=tcp to-addresses=192.168.1.16 to-ports=6376
add action=dst-nat chain=dstnat comment="opsnuc-OpenNMS UI:443/8980" dst-port=8980 \
    in-interface=ETHCU1 protocol=tcp to-addresses=192.168.1.16 to-ports=8980
add action=dst-nat chain=dstnat comment="devnuc-OpenNMS 8443" dst-port=8443 in-interface=\
    ETHCU1 protocol=tcp to-addresses=192.168.1.16 to-ports=8443
add action=dst-nat chain=dstnat comment=devnuc-OpenNMS-Minions-ActiveMQ dst-port=61616 \
    in-interface=ETHCU1 protocol=tcp to-addresses=192.168.1.16 to-ports=61616
/ip route
add comment=ROUTE-GWPRIMARY distance=1 gateway=27.33.60.13
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 11:52 am

..would have thought that this would have been a really easy thing to do..
 
sindy
Forum Guru
Posts: 3533
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 12:19 pm

..would have thought that this would have been a really easy thing to do..
It is an easy thing to do. The problem is that you have renamed ether1 to ETHCU1 but took my advice to update the firewall literally, i.e. you've changed only the rules referring to ether1 (which were clearly not working already in that state, as they referred to a non-existent interface name) but haven't changed the rules referring to ETHCU1 (which is the physical ether1, but known under your customized name).

The IP firewall cannot see the packets as coming in via ETHCU1 because the IP configuration is attached to WAN_vlan100. So replace all references to (in|out)-interface=ETHCU1 by references to (in|out)-interface-list=WAN and you should be good.
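Added illustration of the point in this reply, and of mkx's step 4 about interface-list membership (this is my own example, not code from the thread or from MikroTik): a small audit script that parses a /export in the format posted above and flags firewall rules whose in-interface/out-interface names a port that carries no IP address, which is exactly the case once the WAN address moves to WAN_vlan100. For each such rule it suggests the interface list that contains an L3 VLAN stacked on that port. The embedded export excerpt is constructed from the names in the thread (ETHCU1, WAN_vlan100, list WAN) and trimmed to the sections the audit needs; the parser assumes the v6 export layout shown in the thread (sections start with '/', wrapped lines end in a backslash, properties are key=value).

```python
"""Audit a RouterOS /export for firewall rules that match on an interface
carrying no IP address.  With the WAN address on a VLAN sub-interface
(WAN_vlan100), rules written as in-interface=<physical port> never match,
so every "drop unless whitelisted" rule silently stops protecting the
port-forwarded services behind it.

Assumptions (added example, not MikroTik tooling): the export is in the v6
style shown in the thread, i.e. sections start with '/', long lines wrap
with a trailing backslash, and properties are key=value pairs.
"""
import re
from typing import Dict, List

# Constructed excerpt in the shape of the /export posted in the thread
# (names taken from it, trimmed to the sections the audit needs).
SAMPLE_EXPORT = """\
# may/13/2019 10:03:08 by RouterOS 6.41.3
/interface vlan
add interface=ETHCU1 name=WAN_vlan100 vlan-id=100
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=WAN_vlan100 list=WAN
/ip address
add address=192.168.1.1/24 comment=ROUTER-GWPRIMARY-1-IP interface=bridge network=192.168.1.0
add address=27.33.60.14/30 interface=WAN_vlan100 network=27.33.60.12
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add action=drop chain=forward comment="Forward allow devnuc 80" dst-port=80 in-interface=\\
    ETHCU1 protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
add action=drop chain=forward comment="forward-drop dst-port=22,222,223 !WHITELIST_SSH" \\
    dst-port=22,222,223 in-bridge-port=WAN_vlan100 protocol=tcp src-address-list=\\
    !WHITELIST_SSH
add action=drop chain=forward comment="Forward allow conf.phantom" dst-port=2663 \\
    in-interface-list=WAN protocol=tcp src-address-list=!DEVWEB_ACCESS_LIST
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQ ETHCU1" out-interface=bridge
add action=dst-nat chain=dstnat comment=devnuc-80 dst-port=80 in-interface=ETHCU1 protocol=\\
    tcp to-addresses=192.168.1.11 to-ports=80
"""

_PROP = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def _logical_lines(text: str) -> List[str]:
    """Re-join export lines that RouterOS wrapped with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]          # keeps the space before the backslash
        else:
            out.append(buf + piece)
            buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each '/section' to its add/set entries as {property: value} dicts."""
    cfg: Dict[str, List[Dict[str, str]]] = {}
    section = ""
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        props = {k: v.strip('"') for k, v in _PROP.findall(line)}
        cfg.setdefault(section, []).append(props)
    return cfg


def audit_interface_refs(export_text: str) -> List[dict]:
    """Flag firewall rules whose in-/out-interface names a port with no IP address."""
    cfg = parse_export(export_text)
    l3_ifaces = {e["interface"] for e in cfg.get("/ip address", []) if "interface" in e}
    vlan_parent = {e["name"]: e["interface"] for e in cfg.get("/interface vlan", [])
                   if "name" in e and "interface" in e}
    lists_of: Dict[str, set] = {}
    for e in cfg.get("/interface list member", []):
        if "interface" in e and "list" in e:
            lists_of.setdefault(e["interface"], set()).add(e["list"])

    findings = []
    for section in ("/ip firewall filter", "/ip firewall nat", "/ip firewall mangle"):
        for pos, rule in enumerate(cfg.get(section, [])):
            for prop in ("in-interface", "out-interface"):
                iface = rule.get(prop)
                if iface is None or iface in l3_ifaces:
                    continue
                # Suggest the interface list that holds an L3 VLAN stacked on this port.
                lists = sorted({lst for vlan, parent in vlan_parent.items()
                                if parent == iface and vlan in l3_ifaces
                                for lst in lists_of.get(vlan, ())})
                findings.append({
                    "section": section,
                    "position": pos,
                    "chain": rule.get("chain", "?"),
                    "comment": rule.get("comment", ""),
                    "match": f"{prop}={iface}",
                    "suggest": (f"{prop}-list={lists[0]}" if lists
                                else "no interface list covers an L3 interface on this port"),
                })
    return findings


if __name__ == "__main__":
    for f in audit_interface_refs(SAMPLE_EXPORT):
        print(f"{f['section']} #{f['position']} chain={f['chain']} "
              f"comment={f['comment']!r}: {f['match']} never matches -> use {f['suggest']}")
```

Run against the excerpt it reports the two rules that still match on ETHCU1 (the forward drop for port 80 and the dst-nat for port 80) and suggests in-interface-list=WAN for both, while the rule already written with in-interface-list=WAN and the masquerade on the bridge (which has an address) are left alone. The script deliberately ignores in-bridge-port, since that match keys on bridge membership rather than on where the IP configuration sits.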
 
MusicCog
just joined
Topic Author
Posts: 20
Joined: Sun Mar 16, 2014 10:27 am

Re: Switching to new ISP-ROS script for bridge+VLAN+static IP please

Mon May 13, 2019 12:53 pm

Thanks sindy, will try that tomorrow
