Community discussions

MikroTik App
 
Deftywork
just joined
Topic Author
Posts: 2
Joined: Tue Jan 19, 2021 4:21 pm

2 DHCP Server, 2 VLAN, 1 eth IF

Sat Apr 10, 2021 11:23 pm

Hey guys, I do have a little problem with one of my clients mikrotik router...
I can not figure out why his Vlans doesnt work as we want to .
We need to separate VLAN X from the itnertnet, but not the VLAN Y .. but we need access from VLAN Y to VLAN X subnet...

We managed that we got ipv4 via dhcp from the vlans.. i made some firewall rules, but still no luck ..
Can somebody help me out?
There is a PPPOE-Client connection on ether 1 and we have a def bridgeLocal with subnet 2.0/24.... we want to keep that, the owner using that address for his CCTV...
# apr/10/2021 22:14:32 by RouterOS 6.48
# software id = 1175-ZUNW
#
# model = 951G-2HnD
# serial number = 642E06719978
/interface bridge
add disabled=yes name=br-vl03
add disabled=yes name=br-vl04
add name=br-vls
add admin-mac=6C:3B:6B:29:58:90 arp=proxy-arp auto-mac=no name=bridgeLocal
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=\
    20/40mhz-eC country="new zealand" disabled=no frequency=2442 \
    frequency-mode=manual-txpower mode=ap-bridge ssid=DIGI-fxJ8 \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
    100Mbps
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
    100Mbps
set [ find default-name=ether3 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
    100Mbps
set [ find default-name=ether4 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
    100Mbps
set [ find default-name=ether5 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" speed=\
    100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface vlan
add interface=br-vls name=vlan3-offline vlan-id=3
add interface=br-vls name=vlan4-online vlan-id=4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=6E:3B:6B:29:58:95 master-interface=wlan1 name=\
    wlan2 security-profile=profile ssid=Vendeg station-roaming=enabled
/ip pool
add name=dhcp ranges=192.168.2.120-192.168.2.200
add name=openvpn ranges=10.0.0.2-10.0.0.10
add name=pool-vl03 ranges=192.168.3.10-192.168.3.200
add name=pool-vl04 ranges=192.168.4.10-192.168.4.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridgeLocal name=dhcp1
add address-pool=pool-vl03 disabled=no interface=vlan3-offline lease-time=30m \
    name=dhcp-vl03
add address-pool=pool-vl04 disabled=no interface=vlan4-online name=dhcp-vl04
/ppp profile
add dns-server=192.168.2.254 local-address=192.168.2.1 name=openvpn \
    remote-address=dhcp use-encryption=required
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridgeLocal hw=no interface=ether2
add bridge=bridgeLocal hw=no interface=ether4
add bridge=bridgeLocal hw=no interface=ether5
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=wlan2
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=no ports=ether3 switch=switch1 vlan-id=3
add independent-learning=no ports=ether3 switch=switch1 vlan-id=4
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=bridgeLocal list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Server-Cert cipher=aes256 default-profile=openvpn \
    enabled=yes require-client-certificate=yes
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=ether1 interfaces=wlan1
/ip address
add address=192.168.2.254/24 interface=bridgeLocal network=192.168.2.0
add address=192.168.3.254 interface=vlan3-offline network=192.168.3.254
add address=192.168.4.254 interface=vlan4-online network=192.168.4.254
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.2.100 client-id=1:d8:d:17:63:65:78 mac-address=\
    D8:0D:17:63:65:78 server=dhcp1
add address=192.168.2.129 client-id=1:98:da:c4:85:f1:44 mac-address=\
    98:DA:C4:85:F1:44 server=dhcp1
add address=192.168.2.130 client-id=1:0:d8:61:13:3c:9e mac-address=\
    00:D8:61:13:3C:9E server=dhcp1
add address=192.168.2.162 client-id=1:4:d9:f5:ce:d2:25 mac-address=\
    04:D9:F5:CE:D2:25 server=dhcp1
add address=192.168.2.169 client-id=1:70:85:c2:8b:ec:70 mac-address=\
    70:85:C2:8B:EC:70 server=dhcp1
add address=192.168.2.147 client-id=1:24:4b:fe:79:60:55 mac-address=\
    24:4B:FE:79:60:55 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254,1.1.1.1 gateway=\
    192.168.2.254 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.254,1.1.1.1 gateway=\
    192.168.3.254
add address=192.168.4.0/24 dns-server=192.168.4.254,1.1.1.1 gateway=\
    192.168.4.254
/ip dns
set allow-remote-requests=yes servers=192.168.2.254,192.168.4.254,1.1.1.1
/ip dns static
add address=192.168.2.252 name=mail.szeraj.eu ttl=30m
/ip firewall filter
add action=drop chain=forward comment="INTRA - INTER  - DROP PKS" \
    out-interface=pppoe-out1 src-address=192.168.3.0/24
add action=accept chain=input dst-port=1194 protocol=tcp src-port=""
add action=accept chain=input dst-port=10000 protocol=tcp src-port=""
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1 src-address=192.168.2.0/24
add action=accept chain=input in-interface=!ether1 src-address=192.168.3.0/24
add action=drop chain=forward comment="DROP PKS - NM - " out-interface=\
    pppoe-out1 src-mac-address=60:32:B1:6C:9C:29
add action=drop chain=forward comment="DROP PKS - BSZ - " out-interface=\
    pppoe-out1 src-mac-address=60:32:B1:6C:79:70
add action=drop chain=forward comment="DROP PKS - DA - " out-interface=\
    pppoe-out1 src-mac-address=60:32:B1:6C:79:BE
add action=drop chain=forward comment="DROP PKS - RT" out-interface=\
    pppoe-out1 src-mac-address=60:32:B1:6C:8C:BE
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" \
    connection-state=related
add action=accept chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.4.0/24
add action=accept chain=forward dst-address=192.168.4.0/24 src-address=\
    192.168.3.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
    in-interface=ether1 protocol=tcp src-port=25
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
    in-interface=ether1 protocol=tcp src-port=465
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
    in-interface=ether1 protocol=tcp src-port=587
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
    in-interface=ether1 protocol=tcp src-port=143
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
    in-interface=ether1 protocol=tcp src-port=993
add action=accept chain=forward disabled=yes dst-address=192.168.2.252 \
    in-interface=ether1 protocol=tcp src-port=995
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=yes protocol=tcp
add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
add action=jump chain=forward disabled=yes jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=yes jump-target=udp protocol=udp
add action=jump chain=forward disabled=yes jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=yes dst-port=69 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes \
    dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes \
    dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=yes dst-port=137-139 \
    protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=yes dst-port=445 \
    protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=yes dst-port=2049 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=yes dst-port=\
    12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=yes dst-port=20034 \
    protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=yes dst-port=\
    3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=yes dst-port=67-68 \
    protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=yes dst-port=69 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=yes \
    dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=yes \
    dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=yes dst-port=137-139 \
    protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=yes dst-port=2049 \
    protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=yes dst-port=\
    3133 protocol=udp
add action=drop chain=icmp comment="deny all other types" disabled=yes
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=\
    yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=forward in-interface=vlan4-online out-interface=\
    ether1
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes log=yes log-prefix=\
    2.147_ new-packet-mark=TrafficLog_ passthrough=yes src-address=\
    192.168.2.147
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    0.0.0.0/0
add action=dst-nat chain=dstnat dst-port=1194 log=yes log-prefix=openvpn_log_ \
    protocol=tcp to-addresses=192.168.2.254 to-ports=1194
add action=dst-nat chain=dstnat dst-port=25 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=25
add action=dst-nat chain=dstnat dst-port=10000 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=10000
add action=dst-nat chain=dstnat dst-port=143 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=143
add action=dst-nat chain=dstnat dst-port=465 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=587
add action=dst-nat chain=dstnat dst-port=993 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=993
add action=dst-nat chain=dstnat dst-port=995 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.252 to-ports=995
add action=dst-nat chain=dstnat dst-port=110 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=110
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 protocol=tcp \
    src-port="" to-addresses=192.168.2.249 to-ports=8080
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
    tcp src-port="" to-addresses=192.168.2.252 to-ports=80
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.249 to-ports=8000
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.4.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=kleinadam profile=openvpn service=ovpn
add name=szenasirajmund profile=openvpn service=ovpn
add name=da profile=openvpn service=ovpn
add name=szr profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system leds
set 0 interface=wlan1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sorry for the long code... the owner of this device have a bunch of inactive firewall rules...

best regards,

Ben
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 DHCP Server, 2 VLAN, 1 eth IF

Sun Apr 11, 2021 12:07 am

THis config is so messy and bloated I dont think there is a quick fix.
I would use only one bridge and put all subnets as vlans with interface bridge and each vlan has their own dhcp service. AND start with default firewall rules.
Then come back here and explain clearly what is to be allowed for traffic flow.
Not worth it for me to try and go through this one line by line.
YES, recommending scrapping the monster you have created.

add bridge=OneBridge
vlan10, vlan3, vlan4 for example.
Then explain users and devices and associated subnets and WLANs they should access normally
Then explain what cross contact they may need (shared printer for example).

Who is online

Users browsing this forum: GoogleOther [Bot], JDF, manigk, netmas, RHWwijk, scoobyn8 and 80 guests