I decided to play with my existing configuration using "legacy" 1 bridge per 1 vlan and changed that to vlan filtering and only one bridge for all.
I did not use pvid (when I tried the router becomes unmanageable ) per bridge port as it looks like rb4011 does not support hardware switching, so I created 2 vlan interfaces for vlan 10 and 20 and then inside bridge I split them without pvid.
I guess it works but not dhcp, dhcp is runs on vlan interfaces assignee to bridge, but no matter what I do clients cannot get a lease :(
can you please advise what did I do wrong?
thanks a lot
Code: Select all
[admin@MikroTik_RB4011] > /export hide-sensitive
# may/07/2021 21:27:56 by RouterOS 6.48.2
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_PRIMARY_10Gb_LINK
/interface vlan
add comment=Secondary_WAN_VLAN_100 interface=bridge name=2Degrees_ISP vlan-id=100
add comment=Primary_WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface bonding
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 slaves=sfp-sfpplus1,ether2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip pool
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.254
add name=pool_vlan20_guest ranges=10.20.0.30-10.20.0.254
add name=pool_ikev2_vpn ranges=10.88.0.1-10.88.0.254
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=vlan10_main lease-time=23h59m59s name=\
dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=vlan20_guest lease-time=23h59m59s name=\
dhcp_vlan20_guest
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=no
/queue simple
add comment="Shapped Internet Traffic Only via ISP 1" dst=Orcon_ISP max-limit=20M/20M name=\
guest_network_queue_over_primary_ISP target=10.20.0.0/24
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9-trunk
add bridge=bridge interface=ether10
add bridge=bridge interface=qnap_bonding
/interface bridge vlan
add bridge=bridge tagged=ether9-trunk untagged=ether3,ether4,ether5,ether6,ether7,ether10,qnap_bonding \
vlan-ids=10
add bridge=bridge tagged=ether9-trunk untagged=ether8 vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=Orcon_ISP list=WAN
add interface=2Degrees_ISP list=WAN
add interface=bridge list=LAN
/ip address
add address=10.10.0.1/24 interface=vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20_guest network=10.20.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=Orcon_ISP use-peer-dns=no
/ip dhcp-server lease
add address=10.10.0.4 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC_wired mac-address=9C:5C:8E:20:B8:C6 \
server=dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb mac-address=D0:73:D5:24:52:2F server=\
dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=50:EC:50:3A:F7:C5 server=\
dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer mac-address=C0:B5:D7:5B:D7:4E server=\
dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV mac-address=AC:D5:64:94:DB:DD server=\
dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=MikroTik_Audience_VLAN_20 mac-address=\
76:4D:28:F4:F7:F3 server=dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=MikroTik_Audience_VLAN_10 mac-address=\
74:4D:28:F4:F7:F2 server=dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir mac-address=38:F9:D3:52:A6:BE \
server=dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTV_Tuner mac-address=00:18:DD:24:1C:FA server=\
dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader mac-address=00:0A:F5:45:BF:EC server=\
dhcp_vlan10_main
add address=10.10.0.6 comment=VOIP_PHONE mac-address=00:0B:82:EA:D2:C4 server=dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=24:5E:BE:1A:4F:37 server=\
dhcp_vlan10_main
add address=10.10.0.21 client-id=1:2c:26:17:82:8e:2b comment=Oculus_Quest mac-address=2C:26:17:82:8E:2B \
server=dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:82 comment=Raspberry_Pi mac-address=DC:A6:32:0E:48:82 \
server=dhcp_vlan10_main
add address=10.10.0.7 client-id=1:88:78:73:d0:27:12 comment=MainPC_wireless mac-address=88:78:73:D0:27:12 \
server=dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:57:4:93 comment=MikroTik_RBM33G mac-address=C4:AD:34:57:04:93 \
server=dhcp_vlan10_main
add address=10.10.0.11 client-id=1:dc:41:a9:f9:65:c8 comment=Dell_XPS mac-address=DC:41:A9:F9:65:C8 server=\
dhcp_vlan10_main
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=94.140.14.14,94.140.15.15
/ip dns static
add address=10.10.0.8 name=printer.lan
add address=10.10.0.6 name=phone.lan
add address=10.10.0.12 name=tv.lan
add address=10.10.0.1 name=router1.lan
add address=10.10.0.2 name=router2.lan
add address=10.10.0.3 name=router3.lan
add address=10.10.0.1 name=media.lan
add address=10.10.0.1 name=qnap.lan
/ip firewall address-list
add address=10.20.0.0/24 list=guest_simple_queue
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec \
protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment=\
"drop all requests from guest network to management ports of this router" dst-address=10.10.0.1 \
dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address=\
10.20.0.0/24 protocol=tcp src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow acess emby from guest network" dst-address=10.10.0.5 \
dst-port=8096 protocol=tcp src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule for guest network" connection-state=\
established,related dst-address-list=guest_simple_queue
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" \
connection-state=established,related src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest " dst-address=10.20.0.0/24 \
src-address=10.10.0.0/24
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address=10.10.0.0/24 \
src-address=10.20.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2Degrees_ISP
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg \
peer=IKEv2-peer policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
/ip proxy
set enabled=yes port=80
/ip proxy access
add action=deny dst-host=media.lan redirect-to=10.10.0.5:8096
add action=deny dst-host=qnap.lan redirect-to=10.10.0.5:19019
add action=deny dst-address=10.10.0.1 dst-port=80 redirect-to=10.10.0.1:88
add action=deny
/ip route
add comment="for netwatch monitoring" distance=1 dst-address=1.1.1.1/32 gateway=121.99.224.1
add comment="for netwatch monitoring" distance=200 dst-address=1.1.1.1/32 type=unreachable
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=88
set api disabled=yes
set api-ssl disabled=yes
/queue simple
add comment="Shapped Internet Traffic Only via ISP 2" dst=*13 max-limit=5M/5M name=\
guest_network_queue_over_secondary_ISP target=10.20.0.0/24
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
/system scheduler
add interval=8w4d name=monthly_reboot on-event="/system reboot" policy=reboot start-date=mar/29/2021 \
start-time=03:00:00
[admin@MikroTik_RB4011] >