barracuda
newbie
Topic Author
Posts: 25
Joined: Thu Jul 09, 2015 12:41 am

I need help to config vlan3999 from siol provider

Mon Jan 13, 2020 6:11 pm

Hello!
My router is a RouterBOARD 941-2nD. I've been trying to configure it so that I can use only one cable from the siol modem trunk port (the siol modem is in bridge mode) and have both internet and IPTV work on my computer, and the siol box on another router port (or the same one if possible). I know siol uses vlan3999 for IPTV. So far I created vlan3999 on ether1, where the router connects to the modem via PPPoE, and then added that vlan to the bridge. Internet and IPTV work on my computer, but the box does not. Does any of you know how to do this? Please fix my export file so that I can enter the commands via the terminal, because I really don't have knowledge about such a config.
Here is my export file

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.46.1 (c) 1999-2019 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
[admin@MikroTik] > export hide-sensitive
# jan/13/2020 16:22:26 by RouterOS 6.46.1
# software id = UH34-V159
#
# model = RouterBOARD 941-2nD
# serial number = 5B3205DA01D3
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-13411A wireless-protocol=802.11
/interface bridge
add admin-mac=E4:8D:8C:13:41:17 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=rbrnot1
/interface vlan
add interface=ether1 name="vlan-siol IN" vlan-id=3999
add interface=ether3 name=vlan-siol-OUT vlan-id=3999
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="vlan-siol IN"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.82 client-id=1:0:9:34:2a:3e:e9 mac-address=\
00:09:34:2A:3E:E9 server=defconf
add address=192.168.88.100 client-id=1:5c:fa:0:0:e:2b mac-address=\
5C:FA:00:00:0E:2B server=defconf use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Ljubljana
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
thank you!
 
mkx
Forum Guru
Posts: 3616
Joined: Thu Mar 03, 2016 10:23 pm

Re: I need help to config vlan3999 from siol provider

Mon Jan 13, 2020 10:39 pm

You have it a bit awkward. My suggestion is to use a single VLAN-aware bridge. ether1 will be used to connect to the innbox (trunk port) and ether3 to connect the Box. The Box will get internet via LAN (so it will be able to play multimedia from your PCs if they are DLNA enabled). You can adapt the config to allow IPTV via another port if you wish.

Below is configuration only for specific configuration sections. I suggest you start from empty (no config; reset without config ... that's not factory default). Connect using winbox via MAC connectivity, which will cause the least disruption during reconfiguration.

/interface bridge
add admin-mac=E4:8D:8C:13:41:17 auto-mac=no igmp-snooping=yes name=bridge
/interface bridge port
# WAN will be VLAN=11 internally 
# set multicast router to enable IGMP proxy operation
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=11 multicast-router=permanent 
# LAN will be VLAN=22 internally
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=22
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=22
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=22
add bridge=bridge ingress-filtering=yes interface=wlan1 pvid=22
/interface bridge vlan
# configure VLANs on ports ... both tagged (IPTV) and untagged
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,wlan1 vlan-ids=22
# below tagged ports for IPTV - ether1 for innbox and ether3 for Box
add bridge=bridge tagged=ether1,ether3 vlan-ids=3999
#
/interface vlan
add interface=bridge name=vlanWAN vlan-id=11
add interface=bridge name=vlanLAN vlan-id=22
#
/interface list member
add interface=vlanWAN list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether1 list=WAN
add interface=vlanLAN list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
# the following is copied from your old config ... doesn't seem secured!!!
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-13411A wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlanWAN name=pppoe-out1 use-peer-dns=yes user=rbrnot1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlanLAN name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip address
add address=192.168.88.1/24 interface=vlanLAN network=192.168.88.0
/ip dhcp-client
add interface=vlanWAN
/ip dhcp-server lease
add address=192.168.88.82 client-id=1:0:9:34:2a:3e:e9 mac-address=00:09:34:2A:3E:E9 server=defconf
add address=192.168.88.100 client-id=1:5c:fa:0:0:e:2b mac-address=5C:FA:00:00:0E:2B server=defconf use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Ljubljana

Now comes the tricky part: if not everything regarding VLANs is right, then you might lose management access when running the next few commands. So do enable safe mode (there's a button for it in winbox, and if you're using the CLI just press Ctrl-X to toggle it; when it's enabled, the command prompt changes). If you lose connectivity while in safe mode, the router reverts the config to the one before enabling safe mode and you should be able to re-connect after around 20 seconds.
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
If the commands above went fine, exit safe mode before closing admin connection.

The whole firewall filter section is still missing. I don't want to copy-paste the default settings (and you're running pretty much the default firewall right now), so execute the command /system default-configuration print, scroll down until you see the beginning of the code block /ip firewall { and copy-paste it entirely (until the closing curly brace). Be sure to have a really wide terminal window to capture whole config lines (they are not wrapped around, they simply end with the character ">").

A similarly configured RB works great for me.
BR,
Metod
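Because mkx warns that a wrong VLAN table can lock you out the moment vlan-filtering=yes is set, here is a small pre-flight checker you can run on an export before flipping that switch. It is an added example written for this thread, not code from the post, from MikroTik or from RouterOS; it assumes the export uses the plain `add key=value` form shown above and treats any VLAN interface that carries a router IP address as a management VLAN. The first sample is mkx's bridge configuration from this post; the second is a constructed copy with `tagged=bridge` dropped from VLAN 22, which is exactly the mistake that kills the winbox session.

```python
"""Pre-flight check for a RouterOS VLAN-aware bridge export.

Hypothetical helper written for this thread (not part of RouterOS). It parses
the /interface bridge port, /interface bridge vlan, /interface vlan and
/ip address sections of an 'export' and flags the mistakes that cost you
management access once vlan-filtering=yes is set on the bridge.
"""
import re
import shlex
from collections import defaultdict


def parse_export(text):
    """Return {section: [entry, ...]} where each entry is the key=value dict of
    one 'add' line. Comments, 'set' lines and line continuations (a trailing
    backslash, as RouterOS writes them) are handled."""
    text = re.sub(r"\\\n\s*", "", text)
    sections, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)  # keeps quoted names like "vlan-siol IN" intact
        if section and words and words[0] == "add":
            entry = {}
            for word in words[1:]:
                key, _, value = word.partition("=")
                entry[key] = value
            sections[section].append(entry)
    return sections


def _members(entry, field):
    return {m for m in entry.get(field, "").split(",") if m}


def check_bridge_vlans(export_text, iptv_vlan=3999):
    """Return a list of human-readable problems; an empty list means the VLAN
    table is consistent enough to enable vlan-filtering."""
    cfg = parse_export(export_text)
    ports = {e["interface"]: e for e in cfg["/interface bridge port"]}
    tagged, untagged = defaultdict(set), defaultdict(set)
    problems = []

    for e in cfg["/interface bridge vlan"]:
        for vid in map(int, e["vlan-ids"].split(",")):
            tagged[vid] |= _members(e, "tagged")
            untagged[vid] |= _members(e, "untagged")
            # a member that is neither the bridge itself nor a bridge port does nothing
            for m in _members(e, "tagged") | _members(e, "untagged"):
                if m != e["bridge"] and m not in ports:
                    problems.append(f"vlan {vid}: {m} is not a port of {e['bridge']}")

    # 1. an access port's pvid must exist as an untagged VLAN, or its frames are dropped
    for name, p in ports.items():
        pvid = int(p.get("pvid", "1"))
        if name not in untagged[pvid]:
            problems.append(f"port {name}: pvid {pvid} has no untagged entry in /interface bridge vlan")

    # 2. the bridge itself must be a tagged member of every VLAN that carries a router IP,
    #    otherwise the CPU (and your winbox session) falls off that VLAN
    vlan_ifaces = {v["name"]: (v["interface"], int(v["vlan-id"])) for v in cfg["/interface vlan"]}
    for a in cfg["/ip address"]:
        if a["interface"] in vlan_ifaces:
            parent, vid = vlan_ifaces[a["interface"]]
            if parent not in tagged[vid]:
                problems.append(f"management vlan {vid} ({a['interface']}) is not tagged on {parent}: "
                                "enabling vlan-filtering would drop your session")

    # 3. the IPTV VLAN has to be trunked on at least two ports (modem side and box side)
    if len(tagged[iptv_vlan]) < 2:
        problems.append(f"iptv vlan {iptv_vlan} is tagged on fewer than two ports")
    return problems


# mkx's bridge configuration from this thread (only the sections the checker reads)
MKX_EXPORT = """\
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=11 multicast-router=permanent
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=22
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=22
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=22
add bridge=bridge ingress-filtering=yes interface=wlan1 pvid=22
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,wlan1 vlan-ids=22
add bridge=bridge tagged=ether1,ether3 vlan-ids=3999
/interface vlan
add interface=bridge name=vlanWAN vlan-id=11
add interface=bridge name=vlanLAN vlan-id=22
/ip address
add address=192.168.88.1/24 interface=vlanLAN network=192.168.88.0
"""

# constructed variant: VLAN 22 without tagged=bridge, the classic lock-out
BROKEN_EXPORT = MKX_EXPORT.replace(
    "add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,wlan1 vlan-ids=22",
    "add bridge=bridge untagged=ether2,ether3,ether4,wlan1 vlan-ids=22")

if __name__ == "__main__":
    for label, text in (("mkx", MKX_EXPORT), ("broken", BROKEN_EXPORT)):
        print(label, check_bridge_vlans(text) or "OK")
```

Paste the output of `/export` into a file and feed it to check_bridge_vlans() before running `set [ find name=bridge ] vlan-filtering=yes`; an empty list is no guarantee, but it catches the three mistakes that most often turn a safe-mode session into a 20-second wait for the rollback.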
 
barracuda
newbie
Topic Author
Posts: 25
Joined: Thu Jul 09, 2015 12:41 am

Re: I need help to config vlan3999 from siol provider

Tue Jan 14, 2020 12:11 am

Thank you very much for your fast answer and clear explanation. I could deal with this for another month, but for sure I would not succeed.
I will try this configuration tomorrow.
 
romihg
newbie
Posts: 33
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: I need help to config vlan3999 from siol provider

Tue Jan 14, 2020 2:36 am

So there are some Slovenians on this forum after all.

Translation of above sentence: Some slovenian guys are here on this forum.
 
romihg
newbie
Posts: 33
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: I need help to config vlan3999 from siol provider

Tue Jan 14, 2020 2:49 am

/interface vlan
add interface=ether1 name="ether1 - VLAN 3999" vlan-id=3999
add interface=ether5 name="ether5 - VLAN 3999" vlan-id=3999
/interface bridge port
add bridge=bridgeTV interface="ether1 - VLAN 3999"
add bridge=bridgeTV interface="ether5 - VLAN 3999"

You also need to have ether port 5 in the same bridge as the internet:

add bridge=bridge comment=defconf interface=ether5

Basically you need to have two bridges: one for internet, one for IPTV.
 
barracuda
newbie
Topic Author
Posts: 25
Joined: Thu Jul 09, 2015 12:41 am

Re: I need help to config vlan3999 from siol provider

Tue Jan 14, 2020 8:37 pm

@mkx
sorry for this post!

Today I tried your configuration, but when I entered all the commands into the winbox terminal the router did not connect to the internet. The PPPoE client was on the vlanWAN interface, but when I added the username and password its status was connecting .... but offline.
However, when I added the following commands:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
winbox immediately reset.
It looks like something's wrong, but I don't know what.

Here is also my latest working export:
[admin@MikroTik] > export hide-sensitive
# jan/14/2020 23:31:53 by RouterOS 6.46.1
# software id = UH34-V159
#
# model = RouterBOARD 941-2nD
# serial number = 5B3205DA01D3
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-13411A wireless-protocol=802.11
/interface bridge
add admin-mac=E4:8D:8C:13:41:17 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=rbrnot1
/interface vlan
add interface=ether1 name=siolIn vlan-id=3999
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=siolIn
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.82 client-id=xxxxx mac-address=\
xxxxxxxx server=defconf
add address=192.168.88.100 client-id=1:5c:fa:0:0:e:2b mac-address=\
5xxxxxxxxxxxx server=defconf use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=17550 protocol=tcp to-addresses=\
192.168.88.100 to-ports=17550
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Ljubljana
/system scheduler
add interval=15m name=dnsexit on-event="/system script run dnsexit" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add comment="DNSEXIT RUN AT STARTUP" name=Up_Dnsexit on-event=\
":delay 60;\r\
\n/system script run dnsexit\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add comment="DNSEXIT SCRIPT" dont-require-permissions=no name=dnsexit owner=\
admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="###\
## Script Settings #####\r\
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[admin@MikroTik] >
 
mkx
Forum Guru
Posts: 3616
Joined: Thu Mar 03, 2016 10:23 pm

Re: I need help to config vlan3999 from siol provider

Wed Jan 15, 2020 11:21 am

Today I tried your configuration, but when I entered all the commands into the winbox terminal the router did not connect to the internet. The PPPoE client was on the vlanWAN interface, but when I added the username and password its status was connecting .... but offline.
However, when I added the following commands:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
winbox immediately reset.
It looks like something's wrong, but I don't know what.

It is expected that my whole setup doesn't work correctly until vlan-filtering=yes is set on the bridge. And when I think of it, it's also expected that the winbox connection drops after that setting is enabled ... because the connection between winbox and ROS now takes a different path (internal VLAN instead of the direct ether-bridge path).

Anyway, if your current setup works as expected, then keep it ...
BR,
Metod
 
barracuda
newbie
Topic Author
Posts: 25
Joined: Thu Jul 09, 2015 12:41 am

Re: I need help to config vlan3999 from siol provider

Wed Jan 15, 2020 8:03 pm

You are right: IPTV works fine on my computer, and so does the internet; only the box alone does not work. I will need to install another cable for the box, but it will be fine.
All I can say is that the MikroTik router is really amazing if you know how to set it up properly, which is a little harder for us laymen, so thanks to all those who are willing to share their knowledge!
In my case especially mkx!
 
romihg
newbie
Posts: 33
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: I need help to config vlan3999 from siol provider

Thu Jan 16, 2020 2:07 pm

My configuration on Siol with IPTV enabled. IPTV works, and so do the local network and the internet on the Siol boxes.

Sorry guys for slovenian language.


# jan/16/2020 13:03:12 by RouterOS 6.46.1
# software id = U9SD-JKHU
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 96890A689AF2
/interface bridge
add admin-mac=74:4D:28:4A:D4:8B auto-mac=no comment=defconf name=bridge
add name=bridgeTV
/interface ethernet
set [ find default-name=ether10 ] poe-out=forced-on
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=\
disabled name=pppoe-out1 use-peer-dns=yes user=gromih1
/interface vlan
add interface=ether2 name=Ether2 vlan-id=3999
add interface=ether1 name="ether1 - VLAN 3999" vlan-id=3999
add interface=ether5 name="ether5 - VLAN 3999" vlan-id=3999
add interface=ether7 name="ether7 - VLAN 3999" vlan-id=3999
add interface=ether8 name="ether8 - VLAN 3999" vlan-id=3999
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors \
frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
security-profile=profile1 ssid=MikroTik-5Ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-g/n channel-width=\
20/40mhz-XX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
security-profile=profile1 ssid="LAN of Milk and Honey" wireless-protocol=\
802.11
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
bridge lease-time=1h name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridgeTV interface="ether1 - VLAN 3999"
add bridge=bridgeTV interface="ether5 - VLAN 3999"
add bridge=bridgeTV interface="ether7 - VLAN 3999"
add bridge=bridgeTV interface="ether8 - VLAN 3999"
add bridge=bridgeTV interface=Ether2
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-source-route=yes
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname interface=\
ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
192.168.88.1,193.189.160.13,193.189.160.23 domain=clarkynet.com gateway=\
192.168.88.1 netmask=24 ntp-server=193.2.1.117,193.2.1.92
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.254 name=i7-3770 ttl=10m
/ip firewall address-list
add address=96890A689AF2.sn.mynetname.net list=WANIP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=HAIRPIN dst-address=\
192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="template port forward" disabled=yes \
dst-address-list=WANIP dst-port=8080 protocol=tcp to-addresses=\
192.168.1.2
add action=dst-nat chain=dstnat comment="template port forward" disabled=yes \
dst-address-list=WANIP dst-port=8080 protocol=tcp to-addresses=\
192.168.1.2
add action=dst-nat chain=dstnat comment="template port forward" disabled=yes \
dst-address-list=WANIP dst-port=8080 protocol=tcp to-addresses=\
192.168.1.2
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ipv6 address
add address=::1 from-pool=SiOL_IPv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=SiOL_IPv6 \
rapid-commit=no request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no hop-limit=64
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="Main Router"
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=193.77.204.19 secondary-ntp=193.2.1.117
/system package update
set channel=development
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
barracuda
newbie
Topic Author
Posts: 25
Joined: Thu Jul 09, 2015 12:41 am

Re: I need help to config vlan3999 from siol provider

Thu Jan 16, 2020 9:46 pm

@romihg

I'm still pretty much in the dark with this kind of configuration like yours.
I see that your hardware is a lot different from my router (10 ports), so I don't know what to exclude from your config. I now have a 4-port router, but I'm thinking of getting a 5-port one with a better processor. I also don't have IPv6.
Can you tell me what configuration I can exclude (delete) from your config for a 4- or 5-port router?

thanks!
