I can not figure out why his Vlans doesnt work as we want to .
We need to separate VLAN X from the itnertnet, but not the VLAN Y .. but we need access from VLAN Y to VLAN X subnet...
We managed that we got ipv4 via dhcp from the vlans.. i made some firewall rules, but still no luck ..
Can somebody help me out?
There is a PPPOE-Client connection on ether 1 and we have a def bridgeLocal with subnet 2.0/24.... we want to keep that, the owner using that address for his CCTV...
Code: Select all
# apr/10/2021 22:14:32 by RouterOS 6.48
# software id = 1175-ZUNW
#
# model = 951G-2HnD
# serial number = 642E06719978
/interface bridge
add disabled=yes name=br-vl03
add disabled=yes name=br-vl04
add name=br-vls
add admin-mac=6C:3B:6B:29:58:90 arp=proxy-arp auto-mac=no name=bridgeLocal
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=\
20/40mhz-eC country="new zealand" disabled=no frequency=2442 \
frequency-mode=manual-txpower mode=ap-bridge ssid=DIGI-fxJ8 \
station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
100Mbps
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
100Mbps
set [ find default-name=ether3 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
100Mbps
set [ find default-name=ether4 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
100Mbps
set [ find default-name=ether5 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface vlan
add interface=br-vls name=vlan3-offline vlan-id=3
add interface=br-vls name=vlan4-online vlan-id=4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=6E:3B:6B:29:58:95 master-interface=wlan1 name=\
wlan2 security-profile=profile ssid=Vendeg station-roaming=enabled
/ip pool
add name=dhcp ranges=192.168.2.120-192.168.2.200
add name=openvpn ranges=10.0.0.2-10.0.0.10
add name=pool-vl03 ranges=192.168.3.10-192.168.3.200
add name=pool-vl04 ranges=192.168.4.10-192.168.4.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridgeLocal name=dhcp1
add address-pool=pool-vl03 disabled=no interface=vlan3-offline lease-time=30m \
name=dhcp-vl03
add address-pool=pool-vl04 disabled=no interface=vlan4-online name=dhcp-vl04
/ppp profile
add dns-server=192.168.2.254 local-address=192.168.2.1 name=openvpn \
remote-address=dhcp use-encryption=required
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridgeLocal hw=no interface=ether2
add bridge=bridgeLocal hw=no interface=ether4
add bridge=bridgeLocal hw=no interface=ether5
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=wlan2
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=no ports=ether3 switch=switch1 vlan-id=3
add independent-learning=no ports=ether3 switch=switch1 vlan-id=4
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=bridgeLocal list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Server-Cert cipher=aes256 default-profile=openvpn \
enabled=yes require-client-certificate=yes
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=ether1 interfaces=wlan1
/ip address
add address=192.168.2.254/24 interface=bridgeLocal network=192.168.2.0
add address=192.168.3.254 interface=vlan3-offline network=192.168.3.254
add address=192.168.4.254 interface=vlan4-online network=192.168.4.254
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.2.100 client-id=1:d8:d:17:63:65:78 mac-address=\
D8:0D:17:63:65:78 server=dhcp1
add address=192.168.2.129 client-id=1:98:da:c4:85:f1:44 mac-address=\
98:DA:C4:85:F1:44 server=dhcp1
add address=192.168.2.130 client-id=1:0:d8:61:13:3c:9e mac-address=\
00:D8:61:13:3C:9E server=dhcp1
add address=192.168.2.162 client-id=1:4:d9:f5:ce:d2:25 mac-address=\
04:D9:F5:CE:D2:25 server=dhcp1
add address=192.168.2.169 client-id=1:70:85:c2:8b:ec:70 mac-address=\
70:85:C2:8B:EC:70 server=dhcp1
add address=192.168.2.147 client-id=1:24:4b:fe:79:60:55 mac-address=\
24:4B:FE:79:60:55 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254,1.1.1.1 gateway=\
192.168.2.254 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.254,1.1.1.1 gateway=\
192.168.3.254
add address=192.168.4.0/24 dns-server=192.168.4.254,1.1.1.1 gateway=\
192.168.4.254
/ip dns
set allow-remote-requests=yes servers=192.168.2.254,192.168.4.254,1.1.1.1
/ip dns static
add address=192.168.2.252 name=mail.szeraj.eu ttl=30m
/ip firewall filter
add action=drop chain=forward comment="INTRA - INTER - DROP PKS" \
out-interface=pppoe-out1 src-address=192.168.3.0/24
add action=accept chain=input dst-port=1194 protocol=tcp src-port=""
add action=accept chain=input dst-port=10000 protocol=tcp src-port=""
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1 src-address=192.168.2.0/24
add action=accept chain=input in-interface=!ether1 src-address=192.168.3.0/24
add action=drop chain=forward comment="DROP PKS - NM - " out-interface=\
pppoe-out1 src-mac-address=60:32:B1:6C:9C:29
add action=drop chain=forward comment="DROP PKS - BSZ - " out-interface=\
pppoe-out1 src-mac-address=60:32:B1:6C:79:70
add action=drop chain=forward comment="DROP PKS - DA - " out-interface=\
pppoe-out1 src-mac-address=60:32:B1:6C:79:BE
add action=drop chain=forward comment="DROP PKS - RT" out-interface=\
pppoe-out1 src-mac-address=60:32:B1:6C:8C:BE
add action=accept chain=input comment="Allow Established connections" \
connection-state=established
add action=accept chain=forward comment=\
"allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" \
connection-state=related
add action=accept chain=forward dst-address=192.168.3.0/24 src-address=\
192.168.4.0/24
add action=accept chain=forward dst-address=192.168.4.0/24 src-address=\
192.168.3.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
in-interface=ether1 protocol=tcp src-port=25
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
in-interface=ether1 protocol=tcp src-port=465
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
in-interface=ether1 protocol=tcp src-port=587
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
in-interface=ether1 protocol=tcp src-port=143
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
in-interface=ether1 protocol=tcp src-port=993
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
in-interface=ether1 protocol=tcp src-port=995
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=yes protocol=tcp
add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
add action=jump chain=forward disabled=yes jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=yes jump-target=udp protocol=udp
add action=jump chain=forward disabled=yes jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=yes dst-port=69 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes \
dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes \
dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=yes dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=yes dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=yes dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=yes dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=yes dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=yes dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=yes dst-port=67-68 \
protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=yes dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=yes \
dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=yes \
dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=yes dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=yes dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=yes dst-port=\
3133 protocol=udp
add action=drop chain=icmp comment="deny all other types" disabled=yes
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=\
yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=forward in-interface=vlan4-online out-interface=\
ether1
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes log=yes log-prefix=\
2.147_ new-packet-mark=TrafficLog_ passthrough=yes src-address=\
192.168.2.147
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
0.0.0.0/0
add action=dst-nat chain=dstnat dst-port=1194 log=yes log-prefix=openvpn_log_ \
protocol=tcp to-addresses=192.168.2.254 to-ports=1194
add action=dst-nat chain=dstnat dst-port=25 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=25
add action=dst-nat chain=dstnat dst-port=10000 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.2.111 to-ports=10000
add action=dst-nat chain=dstnat dst-port=143 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=143
add action=dst-nat chain=dstnat dst-port=465 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=587
add action=dst-nat chain=dstnat dst-port=993 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=993
add action=dst-nat chain=dstnat dst-port=995 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.2.252 to-ports=995
add action=dst-nat chain=dstnat dst-port=110 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=110
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 protocol=tcp \
src-port="" to-addresses=192.168.2.249 to-ports=8080
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
tcp src-port="" to-addresses=192.168.2.252 to-ports=80
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.2.249 to-ports=8000
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.4.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=kleinadam profile=openvpn service=ovpn
add name=szenasirajmund profile=openvpn service=ovpn
add name=da profile=openvpn service=ovpn
add name=szr profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system leds
set 0 interface=wlan1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
best regards,
Ben