protoontje
just joined
Topic Author
Posts: 6
Joined: Sun Nov 22, 2020 4:13 pm

configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Sun Nov 22, 2020 4:50 pm

Hi all,

I'm pretty new here and only have some experience with Cisco devices,
but I was planning to build a home network with the following router, a CCR1009-7G-1C.

My plan goes as follows:

My router (CCR1009) gets a DHCP IP from my ISP, and I would like to source-NAT these 2 SVIs, each with its own subnet, let's say:

interface vlan1
192.168.1.0/24
interface vlan10
192.168.2.0/24

Then I would like these 2 SVIs configured with DHCP servers so I have 2 completely separated networks.
Then I would like to configure 1 port as a trunk carrying both VLANs 1 and 10 to my access point, so I can make 2 separate SSIDs.
All other ports I would like to configure as switch ports so I can use them all for VLAN 1.

What best practices can I use? I have tried several configs, but I can't get a DHCP request to my test device.

This is my configuration:

/interface bridge
add name=bridge_vlan1
add name=bridge_vlan10
/interface vlan
add interface=bridge_vlan1 name=vlan1 vlan-id=1
add interface=bridge_vlan10 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.11-192.168.1.200
add name=dhcp_pool1 ranges=192.168.2.11-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan1 lease-time=1h name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan10 lease-time=1h name=dhcp2
/interface bridge port
add bridge=bridge_vlan1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
/ip dhcp-client
add interface=combo1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=combo1
/ip route
add distance=1 gateway=combo1

Thank you in advance.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Wed Nov 25, 2020 4:46 pm

I also have the same model and will assist where I can.

I have approximately 12 vlans, one of which is a management/home/trusted vlan.
I use bridge vlan filtering to a mix of managed (MT, DLINK, Netgear etc.), unmanaged switches, and VLAN-aware access points (MT and TPLINK).

First thing is, DON'T USE vlan1; it's the default VLAN that works in the background and is the default of VLAN1..........
So use VLAN101 instead, for example.

Second thing is you only need one bridge!

The best thing you can do is read this reference and give it another shot.........
viewtopic.php?t=143620
 
protoontje
just joined
Topic Author
Posts: 6
Joined: Sun Nov 22, 2020 4:13 pm

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Thu Nov 26, 2020 9:05 pm

Hi Anav,

Thank you for your reply; I think I figured it out.
You were right about the vlan1, so I changed it to 10 and 20.
See my config:


/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] name=WAN
set [ find default-name=ether7 ] name=ether7_Management
/interface vlan
add comment=LAN interface=bridge-LAN name=vlan10 vlan-id=10
add comment=DMZ interface=bridge-LAN name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.11-192.168.1.200
add name=dhcp_pool1 ranges=192.168.2.11-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=10h name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20 lease-time=10h name=dhcp2
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
pvid=10
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=10
/ip address
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0
/ip dhcp-client
add interface=WAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN log=yes \
log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge-LAN log=yes log-prefix=!public_from_LAN out-interface=!bridge-LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=\
yes log-prefix=LAN_!LAN src-address=!192.168.2.0/24
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=allowed_to_router1 src-address-list=allowed_to_router1
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=input comment=allowed_to_router2 src-address-list=allowed_to_router2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip route
add distance=1 gateway=WAN pref-src=192.168.2.1
add distance=1 gateway=WAN pref-src=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=8192 strong-crypto=yes

Everything seems to work DHCP-wise; I still have to test whether my Ubiquiti AP will work with 2 VLANs.
I'm still waiting for my provider to deliver my modem, so until then I have to wait to test the AP.

Do you have any other recommendations for my config?
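One thing worth checking in the input chain posted above: the `allowed_to_router2` accept sits after the unconditional `drop chain=input`, so hosts on 192.168.2.0/24 never match it and their DNS queries to 192.168.2.1 (the dns-server handed out for that subnet) are dropped. The script below is an added example, not part of the thread; it parses a RouterOS filter export (the sample is a constructed subset of the rules above) and reports every rule that sits behind a catch-all terminal rule in its own chain.

```python
import shlex

# Constructed sample: the filter rules posted above, reduced to the ones that matter for ordering.
FILTER_EXPORT = r"""
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN log=yes log-prefix=!NAT
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=allowed_to_router1 src-address-list=allowed_to_router1
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=input comment=allowed_to_router2 src-address-list=allowed_to_router2
"""

# Properties that describe the rule itself rather than match traffic.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}
# Actions that end processing for a matching packet (fasttrack-connection, log and passthrough do not).
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}


def parse_filter_rules(export):
    """Join RouterOS '\\' line continuations and return one {property: value} dict per 'add' line."""
    rules = []
    for line in export.replace("\\\n", "").splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def is_catch_all(rule):
    """True when the rule has no matchers at all, i.e. every packet reaching it in its chain hits it."""
    return not (set(rule) - NON_MATCHERS)


def shadowed_rules(rules):
    """Return (position, rule) for every rule placed after a catch-all terminal rule in the same chain."""
    closed_chains, shadowed = set(), []
    for pos, rule in enumerate(rules):
        chain = rule.get("chain")
        if chain in closed_chains:
            shadowed.append((pos, rule))
        elif rule.get("action") in TERMINAL_ACTIONS and is_catch_all(rule):
            closed_chains.add(chain)
    return shadowed


if __name__ == "__main__":
    for pos, rule in shadowed_rules(parse_filter_rules(FILTER_EXPORT)):
        print(f"rule {pos} ({rule.get('comment', 'no comment')}) in chain {rule['chain']} can never match")
```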
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Thu Nov 26, 2020 9:35 pm

I agree that you really shouldn't use VLAN ID 1 in a serious environment.

Here is my take on your config, if I understand correctly:
### method 1 ###

# separate bridges
/interface bridge
add name=vlan1
add name=vlan10

# vlan interfaces
/interface vlan
add interface=ether1 name=ether1.1 vlan-id=1
add interface=ether1 name=ether1.10 vlan-id=10

# put those in bridges
/interface bridge port
add bridge=vlan1 interface=ether1.1
add bridge=vlan10 interface=ether1.10
add bridge=vlan1 interface=ether2...7

### method 2 ###

# create vlan-aware bridge
/interface bridge
add name=bridge

# add trunk port
/interface bridge port
add interface=ether1
add interface=ether2...7 frame-types=admit-only-untagged-and-priority-tagged pvid=1

# activate vlans in bridge
/interface bridge vlan
add tagged=ether1,bridge untagged=ether2...7 vlan-ids=1
add tagged=ether1,bridge vlan-ids=10

# create "SVI's" on bridge
/interface vlan
add interface=bridge vlan-id=1 name=vlan1
add interface=bridge vlan-id=10 name=vlan10

### then the rest ###

/ip pool
add name=dhcp_pool0 ranges=192.168.1.11-192.168.1.200
add name=dhcp_pool1 ranges=192.168.2.11-192.168.2.200

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan1 lease-time=1h name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan10 lease-time=1h name=dhcp2

/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0

/ip dhcp-client
add interface=combo1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Thu Nov 26, 2020 11:08 pm

Q1: What about the other interfaces? Hard to know what they are intended for without a diagram or definition...........
/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] name=WAN
set [ find default-name=ether7 ] name=ether7_Management



Q2. Typically I don't use ingress filtering on untagged access ports, but I guess there is no harm and probably better security; just not sure. So what I gather is that only ether port 1 is a trunk port headed for a smart device that can read VLAN tags, and the rest are going to 'dumb devices'.
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
pvid=10


Q3. Why none? It's best to use your management VLAN here to ensure the device is discoverable by WinBox, for example.
/ip neighbor discovery-settings
set discover-interface-list=none


Q4. I prefer to state the untagged ports (2,3,4,5,6) for vlan-id=10, just so I can understand the config, but it's not necessary........... what you have is fine.
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether1 untagged=???? vlan-ids=10


The rest is commentary on your firewall rules. I am a minimalist and thus consider what you have slightly bloated.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN log=yes \
log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge-LAN log=yes log-prefix=!public_from_LAN out-interface=!bridge-LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=\
yes log-prefix=LAN_!LAN src-address=!192.168.2.0/24
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=allowed_to_router1 src-address-list=allowed_to_router1
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=input comment=allowed_to_router2 src-address-list=allowed_to_router2


Here is what I would shorten it to!!
/ip firewall address-list
add address=adminlaptop list=adminaccess
add address=admindesktop list=adminaccess
add address=adminipad list=adminaccess

Note: these two rules have good intent, but this is best accomplished by interfaces. I use firewall address lists for sub-selections of interfaces or single IPs across subnets etc........... Not bad what you do here, but I prefer interfaces for entire subnets!! Further, and to the point, the entire set of LAN users, trusted or otherwise, DO NOT and should not need FULL access to the router. Only the specific services required should be permitted.
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2


ALSO it drives me bonkers when people mix the input chain (to the router) and the forward chain (through the router) in the config. You are THE FIRST ever to put the forward chain in order in front of the input chain. SO THANK YOU, at least they are not mixed up, and which comes first really doesn't matter.
The rules with no change are included in small italics.

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN [assumes all lan users need internet access]

**** add any other allow rules required, admin to dmz vlan for example, or perhaps dmz folks need access to a shared printer on the regular vlan****
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20

add action=accept chain=forward comment="allow port forwarding" \ [becomes an optional rule you can disable until you need port forwarding]
connection-nat-state=dstnat connection-state=new in-interface=WAN
add action=drop chain=forward comment="drop all else" (one simple rule to drop all other not allowed/defined traffic above)

[input chain]
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allowed admin to router" \
in-interface=vlan10 src-address-list=adminaccess

add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp

add action=drop chain=input


For completeness.........
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Mngmt

/interface list member
add comment=defconf interface=ether?? list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan10 list=Mngmt

So for example......
/ip neighbor discovery-settings
set discover-interface-list=Mngmt
Last edited by anav on Tue Dec 01, 2020 5:01 am, edited 1 time in total.
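Q4 above prefers listing the untagged access ports explicitly in the bridge VLAN table. As an added example (not from the thread or from anav), the script below derives that explicit `/interface bridge vlan` section from the `/interface bridge port` export: ports admitting only tagged frames become `tagged=` members alongside the bridge itself, and access ports are grouped into `untagged=` by their `pvid`. The sample export is a constructed subset of the config posted in this thread, and `TRUNK_VLANS` is an assumption standing in for the VLANs the trunk must carry even when no access port uses them.

```python
import re

# Constructed sample: three access ports on pvid 10 and one tagged trunk, as posted in this thread.
BRIDGE_PORT_EXPORT = r"""
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
pvid=10
"""
# Assumption: VLANs the trunk must carry regardless of access ports (10 = LAN, 20 = DMZ in this thread).
TRUNK_VLANS = (10, 20)


def parse_bridge_ports(export):
    """Join RouterOS '\\' line continuations and return one {property: value} dict per 'add' line."""
    ports = []
    for line in export.replace("\\\n", "").splitlines():
        if line.startswith("add "):
            ports.append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return ports


def build_vlan_table(ports, trunk_vlans):
    """Emit explicit '/interface bridge vlan' entries: tagged = bridge + trunk ports,
    untagged = access ports grouped by their pvid (RouterOS defaults pvid to 1 when unset)."""
    bridge = ports[0]["bridge"]
    trunks, access = [], {}
    for port in ports:
        if port.get("frame-types") == "admit-only-vlan-tagged":
            trunks.append(port["interface"])
        else:
            access.setdefault(int(port.get("pvid", 1)), []).append(port["interface"])
    lines = []
    for vid in sorted(set(trunk_vlans) | set(access)):
        entry = f"add bridge={bridge} tagged={','.join([bridge] + trunks)}"
        if access.get(vid):
            entry += f" untagged={','.join(access[vid])}"
        lines.append(f"{entry} vlan-ids={vid}")
    return lines


if __name__ == "__main__":
    print("/interface bridge vlan")
    for line in build_vlan_table(parse_bridge_ports(BRIDGE_PORT_EXPORT), TRUNK_VLANS):
        print(line)
```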
 
protoontje
just joined
Topic Author
Posts: 6
Joined: Sun Nov 22, 2020 4:13 pm

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Sat Nov 28, 2020 6:15 pm

So this is what I want to build.
 
protoontje
just joined
Topic Author
Posts: 6
Joined: Sun Nov 22, 2020 4:13 pm

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Mon Nov 30, 2020 12:25 am

First of all, I want to thank you for the very thorough answer.
I finally got the new modem set in bridge mode and connected to my MT.
Plus the VLAN tagging seems to work for my trunk port.

I have to admit I don't fully understand the firewall side, so I used this page and tried to translate it to my network:
https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router
So the 3 main goals are: VLAN 10 can access 20, but 20 can't access 10.
Both VLANs can access the internet.
Secure my environment from the outside; that's why I tried the website above and used the bogons block list.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure CCR1009-7G-1C 2 svi's, 2 dhcp servers and access port's

Tue Dec 01, 2020 4:59 am

The only thing you have to do to the config I laid out above is add
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
I added it in pink.........
Keep it simple; avoid all the bloat from those links............
