First: I am new to Mikrotik and routerOS
Second: I just got my RB4011. I already have a Ubiquiti Switch and 3 Ubiquiti NanoHDs.
Third: the RB4011 is great. Reduced the number of network devices, all in one
Scenario: I have set up 3 VLANs (secure, guest, IoT) in the ubiquiti ecosystem. My main network is not a VLAN for the ease of plugging in devices and configuring
The RB4011 is my router to the internet and should also handle the DHCP for the different VLANs. At the RB4011, several other network devices are connected without VLAN setting like switch, server.
The RB4011 does not do any VLAN tagging, that is done via the NanoHDs and the Ubiquiti switch.
I have outgoing IPSEC connections to my private VPS and an incoming IPSEC connection from my mobile (roadwarrior).
Problem: so far each network works separately, but I cannot make e.g the guest VLAN accessible from the secure VLAN etc.
It is also not possible to reach any devices in the 192.168.88.0 network from the IPSEC roadwarrior connection (192.168.200.0/24).
Any configuration problems?
The configuration of the RB4011 is the following (removes some elements that are not relevant)
[admin@MikroTik] > export
# jul/24/2019 11:06:27 by RouterOS 6.45.2
# software id = 5FMV-E258
#
# model = RB4011iGS+
/interface bridge
add admin-mac=74:4D:28:B3:B0:F7 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1UP
set [ find default-name=ether2 ] name=ether2CBL
/interface vlan
add interface=bridge name=vlan100.secure vlan-id=100
add interface=bridge name=vlan200.iot vlan-id=200
add interface=bridge name=vlan300.guest vlan-id=300
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp.home ranges=192.168.88.101-192.168.88.200
add name=dhcp.secure100 ranges=192.168.89.101-192.168.89.200
add name=dhcp.iot200 ranges=192.168.90.101-192.168.90.200
add name=dhcp.guest300 ranges=192.168.91.101-192.168.91.200
add name=vpn-pool ranges=192.168.200.100-192.168.200.200
/ip dhcp-server
add address-pool=dhcp.home disabled=no interface=bridge name=defconf
add address-pool=dhcp.secure100 disabled=no interface=vlan100.secure lease-time=1h name=secure
add address-pool=dhcp.iot200 disabled=no interface=vlan200.iot lease-time=1h name=iot
add address-pool=dhcp.guest300 disabled=no interface=vlan300.guest lease-time=1h name=guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10LITE
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=ether1UP
add bridge=bridge interface=vlan300.guest
add bridge=bridge interface=vlan200.iot
add bridge=bridge interface=vlan100.secure
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/interface bridge vlan
add bridge=bridge vlan-ids=300
add bridge=bridge vlan-ids=200
add bridge=bridge vlan-ids=100
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2CBL list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.90.1/24 interface=vlan200.iot network=192.168.90.0
add address=192.168.91.1/24 interface=vlan300.guest network=192.168.91.0
add address=192.168.89.1/24 interface=vlan100.secure network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1 domain=intranet gateway=192.168.88.1
add address=192.168.89.0/24 comment="Secure network" dns-server=192.168.89.1 domain=intranet gateway=192.168.89.1 netmask=24
add address=192.168.90.0/24 comment="IoT network" dns-server=1.1.1.1,9.9.9.9 domain=intranet gateway=192.168.90.1 netmask=24
add address=192.168.91.0/24 comment="Guest network" dns-server=1.1.1.1,9.9.9.9 domain=intranet gateway=192.168.91.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IPsec IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec ssh,webadmin,winbox from VPN" dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp src-address=192.168.200.0/24
add action=accept chain=input comment="allow IPsec access to home network" dst-address=192.168.88.0/24 src-address=192.168.200.0/24
add action=accept chain=forward comment="Allow Home net to Guest" disabled=yes dst-address=192.168.91.0/24 src-address=192.168.88.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fastforward with IPSEC disabled" connection-mark="" connection-state=established,related disabled=yes routing-mark=routedsl
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="IPsec masq. vpn traffic" src-address=192.168.200.0/24