- Each apartment will have its own VLAN (untagged on the apartments' own ports, tagged on other apartments' ports)
- There will be a management VLAN and any management access will be firewalled to be only possible from this VLAN
- Obviously the CRS328 will be configured as a NAT, as well as serving DHCP for each VLAN
Code: Select all
pvid
These are the pertinent parts of /export hide-sensitive:
On the CRS328 (filtered to show only two apartments for brevity):
Code: Select all
/interface bridge add name=bridge-lan vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=vlan11 vlan-id=11 # VLAN 11 is management
add interface=bridge-lan name=vlan21 vlan-id=21 # VLAN 21 is apt. A
add interface=bridge-lan name=vlan22 vlan-id=22 # VLAN 22 is apt. B
/ip pool
add name=pool-11 ranges=172.28.11.55-172.28.11.254
add name=pool-21 ranges=172.28.21.55-172.28.21.254
add name=pool-22 ranges=172.28.22.55-172.28.22.254
/ip dhcp-server network
add address=172.28.11.0/24 gateway=172.28.11.1
add address=172.28.21.0/24 gateway=172.28.21.1
add address=172.28.22.0/24 gateway=172.28.22.1
/ip address
add address=172.28.11.1/24 interface=vlan11 network=172.28.11.0
add address=172.28.21.1/24 interface=vlan21 network=172.28.21.0
add address=172.28.22.1/24 interface=vlan22 network=172.28.22.0
/ip dhcp-server
add address-pool=pool-11 disabled=no interface=vlan11 name=server-11
add address-pool=pool-21 disabled=no interface=vlan21 name=server-21
add address-pool=pool-22 disabled=no interface=vlan22 name=server-22
/interface bridge port
add bridge=bridge-lan interface=ether1 pvid=21
add bridge=bridge-lan interface=ether2 pvid=21
add bridge=bridge-lan interface=ether3 pvid=22
add bridge=bridge-lan interface=ether4 pvid=22
add bridge=bridge-lan interface=ether23 pvid=11
/interface bridge vlan
add bridge=bridge-lan tagged="ether1,ether2,ether3,ether4,bridge-lan" untagged="ether23" vlan-ids=11
add bridge=bridge-lan tagged="ether3,bridge-lan" untagged="ether1,ether2" vlan-ids=21
add bridge=bridge-lan tagged="ether1,bridge-lan" untagged="ether3,ether4" vlan-ids=22
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input src-address=!172.28.11.0/24 # disables management access unless it's coming from the management subnet
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24 src-address=172.28.11.0/24
add action=masquerade chain=srcnat out-interface=ether24 src-address=172.28.21.0/24
add action=masquerade chain=srcnat out-interface=ether24 src-address=172.28.22.0/24
Code: Select all
/interface bridge
add name=bridge-lan-A
add name=bridge-lan-B
/interface wireless
set wlan1 mode=ap-bridge band=2ghz-b/g/n ssid="Apt A"
set wlan2 mode=ap-bridge band=5ghz-a/n/ac ssid="Apt A"
add name=wlan3 master-interface=wlan1 ssid="Apt B"
add name=wlan4 master-interface=wlan2 ssid="Apt B"
# VLANs the old way, since bridge VLAN filtering on non-CRS3xx devices kills hw offloading
/interface vlan
add interface=ether1 name=vlan11 vlan-id=11
add interface=ether1 name=vlan22 vlan-id=22
/interface bridge port
add bridge=bridge-lan-A interface=ether1
add bridge=bridge-lan-A interface=ether2
add bridge=bridge-lan-A interface=ether3
add bridge=bridge-lan-A interface=ether4
add bridge=bridge-lan-A interface=ether5
add bridge=bridge-lan-A interface=wlan1
add bridge=bridge-lan-A interface=wlan2
add bridge=bridge-lan-B interface=wlan3
add bridge=bridge-lan-B interface=wlan4
add bridge=bridge-lan-B interface=vlan22
/ip address add address=172.28.21.2/24 network=172.28.21.0 interface=bridge-lan-A
/ip dhcp-client add interface=vlan11 disabled=no
With this setup I'm able to /ping 172.28.21.2 from apt. B's hAP (which has a static address 172.28.22.2 and another obtained from the DHCP client on the management subnet, e.g. 172.28.11.253). I should very much like to not be able to ping it :-) any ideas?