I am just curious whether my configuration is correct and safe. I have 2 routers here:
Primary circuit via rb4011 port one; Internet is on ISP VLAN 10 (PHYSICAL PORT 1)
4G backup is on RB33G (PHYSICAL PORT 1 AS WELL)
isp1 -- {port 1} rb4011 {port 10} <--trunk--> {port 1} RB33G --> isp 2 (via 4g)
I am using LTE PASSTHROUGH to VLAN 100, created on both devices, via the VLAN 100 interface.
Trunk ports between rb4011 and RB33G allow my internal VLAN 10, VLAN 20 and VLAN 100.
I have an interface list for the firewall, and VLAN 100 is in the WAN list.
So my question is: is this a relatively safe configuration?
MAIN
[admin@MikroTik_RB4011] > export hide-sensitive
# may/11/2021 22:32:27 by RouterOS 6.48.2
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
#
# Review notes are the `#` lines below; the exported commands are unchanged.
# Layout: Orcon_ISP (VLAN 10 on ether1) is the primary WAN; 2Degrees_ISP
# (VLAN 100 on the bridge, carried over the ether10 trunk from the RBM33G's
# LTE passthrough) is the secondary. Both are members of the WAN interface
# list, so every filter rule keyed on the WAN/LAN lists covers both uplinks.
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_PRIMARY_10Gb_LINK
/interface vlan
# Orcon_ISP uses VLAN ID 10 on ether1 while vlan10_main uses VLAN ID 10 on
# the bridge. They never meet because ether1 is not a bridge port, but the
# shared ID is easy to confuse when editing /interface bridge vlan entries.
add comment=Secondary_WAN_VLAN_100 interface=bridge name=2Degrees_ISP vlan-id=\
100
add comment=Primary_WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface bonding
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 slaves=\
sfp-sfpplus1,ether2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# modp1024 (here) and sha1 (in the proposal below) are still offered, and the
# proposal has pfs-group=none. If every VPN client supports modp2048/modp3072
# and sha256, removing the legacy options and enabling a PFS group leaves no
# weak choice for a peer to negotiate down to. Confirm client support first.
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=\
sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 \
pfs-group=none
/ip pool
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.254
add name=pool_vlan20_guest ranges=10.20.0.30-10.20.0.254
add name=pool_ikev2_vpn ranges=10.88.0.1-10.88.0.254
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=vlan10_main lease-time=\
23h59m59s name=dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=\
vlan20_guest lease-time=23h59m59s name=dhcp_vlan20_guest
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=\
no
/queue simple
add comment="Shapped Internet Traffic Only via ISP 1" dst=Orcon_ISP max-limit=\
20M/20M name=guest_network_queue_over_primary_ISP target=10.20.0.0/24
/interface bridge port
# Trunk ports ether9-trunk and ether10 keep the default frame-types and no
# ingress-filtering, and ether10 has pvid=10, so any untagged frame arriving
# from the RBM33G side is placed into VLAN 10. frame-types=admit-only-vlan-tagged
# plus ingress-filtering=yes on the trunk ports would reject untagged frames and
# frames for VLANs not listed under /interface bridge vlan — confirm nothing
# depends on untagged traffic over the trunk before enabling.
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=ether9-trunk
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=qnap_bonding pvid=10
/interface bridge vlan
# ether10 is tagged for 10, 20 and 100: the trunk to the RBM33G carries both
# LAN VLANs and the LTE passthrough VLAN, matching the RBM33G's bridge vlan table.
add bridge=bridge tagged=ether9-trunk,bridge,ether10 untagged=\
ether3,ether4,ether5,ether6,ether7,qnap_bonding vlan-ids=10
add bridge=bridge tagged=ether9-trunk,ether10,bridge untagged=ether8 vlan-ids=\
20
add bridge=bridge tagged=bridge,ether10 vlan-ids=100
/interface list member
add interface=Orcon_ISP list=WAN
add interface=2Degrees_ISP list=WAN
add interface=vlan10_main list=LAN
add interface=vlan20_guest list=LAN
/ip address
add address=10.10.0.1/24 interface=vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20_guest network=10.20.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# Failover is purely by route distance: the LTE default route (distance 2) is
# used only while the Orcon_ISP DHCP route is absent. No netwatch or recursive
# route check exists on this device, so an upstream outage that leaves the
# Orcon link and lease up would not trigger failover — presumably accepted.
add disabled=no interface=Orcon_ISP use-peer-dns=no
add default-route-distance=2 disabled=no interface=2Degrees_ISP use-peer-dns=no
/ip dhcp-server lease
add address=10.10.0.4 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC_wired \
mac-address=9C:5C:8E:20:B8:C6 server=dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=\
dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb \
mac-address=D0:73:D5:24:52:2F server=dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=\
50:EC:50:3A:F7:C5 server=dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=\
D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer \
mac-address=C0:B5:D7:5B:D7:4E server=dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 \
server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=\
dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV \
mac-address=AC:D5:64:94:DB:DD server=dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=\
MikroTik_Audience_VLAN_20 mac-address=76:4D:28:F4:F7:F3 server=\
dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=\
MikroTik_Audience_VLAN_10 mac-address=74:4D:28:F4:F7:F2 server=\
dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir \
mac-address=38:F9:D3:52:A6:BE server=dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTV_Tuner \
mac-address=00:18:DD:24:1C:FA server=dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader \
mac-address=00:0A:F5:45:BF:EC server=dhcp_vlan10_main
add address=10.10.0.6 comment=VOIP_PHONE mac-address=00:0B:82:EA:D2:C4 server=\
dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=\
24:5E:BE:1A:4F:37 server=dhcp_vlan10_main
add address=10.10.0.21 client-id=1:2c:26:17:82:8e:2b comment=Oculus_Quest \
mac-address=2C:26:17:82:8E:2B server=dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:82 comment=Raspberry_Pi \
mac-address=DC:A6:32:0E:48:82 server=dhcp_vlan10_main
add address=10.10.0.7 client-id=1:88:78:73:d0:27:12 comment=MainPC_wireless \
mac-address=88:78:73:D0:27:12 server=dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:57:4:93 comment=MikroTik_RBM33G \
mac-address=C4:AD:34:57:04:93 server=dhcp_vlan10_main
add address=10.10.0.11 client-id=1:dc:41:a9:f9:65:c8 comment=Dell_XPS \
mac-address=DC:41:A9:F9:65:C8 server=dhcp_vlan10_main
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that can
# reach UDP/TCP 53 on it. Nothing accepts 53 from the WAN list in the input
# chain and the final input rule drops !LAN, so it is not an open resolver as
# long as that rule stays last. Guest (VLAN 20) is meant to use it per the
# dhcp-server network entry above.
set allow-remote-requests=yes cache-size=4096KiB servers=\
94.140.14.14,94.140.15.15
/ip dns static
# media.lan and qnap.lan deliberately resolve to the router (10.10.0.1); the
# /ip proxy access rules below then redirect those hostnames to 10.10.0.5.
add address=10.10.0.8 name=printer.lan
add address=10.10.0.6 name=phone.lan
add address=10.10.0.12 name=tv.lan
add address=10.10.0.1 name=router1.lan
add address=10.10.0.2 name=router2.lan
add address=10.10.0.3 name=router3.lan
add address=10.10.0.1 name=media.lan
add address=10.10.0.1 name=qnap.lan
/ip firewall address-list
add address=10.20.0.0/24 list=guest_simple_queue
/ip firewall filter
# Input chain: accept established/related/untracked, IKEv2 from WAN, ICMP,
# management and DNS inside IPsec, then drop guest -> management, then drop
# everything not from the LAN list. RouterOS chains accept by default, so any
# LAN-sourced packet that survives these rules is accepted.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="accept connection to IKEv2 ports" \
dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=\
22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=\
in,ipsec protocol=udp
# NOTE(review): this drop matches only dst-address=10.10.0.1. The router also
# answers on 10.20.0.1 (guest gateway) and on its WAN addresses, and
# vlan20_guest is in the LAN list, so guest traffic to those addresses on
# 22/88/8291 misses this rule, misses the !LAN drop below, and is accepted by
# the chain default. Matching on in-interface=vlan20_guest with
# dst-address-type=local (instead of one dst-address) closes that gap.
# UDP 53 and TCP 80 (web proxy) appear to be intentionally left open to guests.
add action=drop chain=input comment=\
"drop all requests from guest network to management ports of this router" \
dst-address=10.10.0.1 dst-port=22,88,8291 protocol=tcp src-address=\
10.20.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: the two emby rules are the only new connections allowed between
# VLAN 10 and VLAN 20; IPsec-policy traffic is accepted before the isolation
# drops, so VPN clients (10.88.0.0/24) can reach both VLANs — presumably intended.
add action=accept chain=forward comment=\
"allow emby to respond back to guest network" dst-address=10.20.0.0/24 \
protocol=tcp src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow acess emby from guest network" \
dst-address=10.10.0.5 dst-port=8096 protocol=tcp src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Return traffic to the guest subnet is accepted here, before fasttrack, so it
# still passes through the simple queues; fasttrack below excludes
# src-address=10.20.0.0/24 for the same reason.
add action=accept chain=forward comment="simple queues rule for guest network" \
connection-state=established,related dst-address-list=guest_simple_queue
add action=fasttrack-connection chain=forward comment=\
"fasttrack with guest network exclusion" connection-state=\
established,related src-address=!10.20.0.0/24
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"drop all else coming from main to guest " dst-address=10.20.0.0/24 \
src-address=10.10.0.0/24
add action=drop chain=forward comment="drop all else coming from guest to main" \
dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=\
2Degrees_ISP
/ip ipsec identity
# Certificate-based (digital-signature) IKEv2 responder; policies are generated
# per client from the ikev2-policies template with port-strict matching.
add auth-method=digital-signature certificate=VPN_Server generate-policy=\
port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=\
0.0.0.0/0 template=yes
/ip proxy
# The web proxy on port 80 acts only as a redirector: every access rule is
# action=deny and the final bare deny refuses anything else, so it cannot be
# used as an open forward proxy. It is reachable from LAN-list interfaces
# (including guest) and over the VPN via the "management over VPN" input rule.
set enabled=yes port=80
/ip proxy access
add action=deny dst-host=media.lan redirect-to=10.10.0.5:8096
add action=deny dst-host=qnap.lan redirect-to=10.10.0.5:19019
add action=deny dst-address=10.10.0.1 dst-port=80 redirect-to=10.10.0.1:88
add action=deny
/ip route
# The 1.1.1.1 host route pins the probe address to a fixed gateway (the value
# looks truncated or redacted in this export) with an unreachable fallback at
# distance 200, so a netwatch on 1.1.1.1 from the LAN (the RBM33G's) only
# succeeds while the primary link is up. Because the gateway is static rather
# than taken from the Orcon_ISP DHCP lease, it has to be updated by hand if the
# ISP changes its gateway — TODO confirm this is intended.
add comment="for netwatch monitoring" distance=1 dst-address=1.1.1.1/32 \
gateway=121.99
add comment="for netwatch monitoring" distance=200 dst-address=1.1.1.1/32 type=\
unreachable
/ip service
# telnet/ftp/api/api-ssl disabled; www moved to 88 because 80 is the proxy.
# ssh and winbox stay on their defaults and no service has an address=
# restriction, so reachability depends entirely on the input chain (see the
# guest note there).
set telnet disabled=yes
set ftp disabled=yes
set www port=88
set api disabled=yes
set api-ssl disabled=yes
/queue simple
# NOTE(review): dst=*13 is an unresolved internal reference, not an interface
# name (compare dst=Orcon_ISP in the first queue), so this queue probably no
# longer points at the secondary WAN; re-point it at 2Degrees_ISP if that is
# what it should shape.
add comment="Shapped Internet Traffic Only via ISP 2" dst=*13 max-limit=5M/5M \
name=guest_network_queue_over_secondary_ISP target=10.20.0.0/24
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
/system scheduler
# interval=8w4d is 60 days, not monthly as the name suggests.
add interval=8w4d name=monthly_reboot on-event="/system reboot" policy=reboot \
start-date=mar/29/2021 start-time=03:00:00
[admin@MikroTik_RB4011] >
//////////////////////
secondary
[admin@MikroTik_RBM33G] > export hide-sensitive
# may/11/2021 22:33:05 by RouterOS 6.48.2
# software id = NVWD-MPDZ
#
# model = RBM33G
# serial number = A2FD0B35515A
#
# Review notes are the `#` lines below; the exported commands are unchanged.
# NOTE(review): this export contains no /ip firewall filter section, so the
# RBM33G has no input filtering of its own. It takes a DHCP address on
# vlan20_guest (lease 10.20.0.2 on the RB4011) while ssh, www and winbox stay
# enabled, so guest hosts can reach this router's management services directly;
# the RB4011's guest drop rule only protects the RB4011. No access port on this
# device carries VLAN 20 (it is tagged on the trunk only), so the vlan20_guest
# address serves no visible purpose — removing that dhcp-client, or adding an
# input chain that accepts management only from vlan10_main, closes this.
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=MikroTik_RB4011_Uplink name=\
ether1-trunk
set [ find default-name=ether2 ] comment=IPTV_Tuner
set [ find default-name=ether3 ] comment=SonyTV
/interface lte
set [ find ] allow-roaming=no band=1,3,8 name=lte1
/interface vlan
add comment=lte_passthrough_via_vlan_100 interface=bridge name=\
2degress_vlan_100 vlan-id=100
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface lte apn
# The LTE address is handed through to whatever host appears on VLAN 100
# (passthrough-mac=auto) — presumably the RB4011's 2Degrees_ISP interface,
# which then runs its own DHCP client on it. Confirm the selected MAC stays
# stable after reboots of either device.
set [ find default=yes ] apn=direct passthrough-interface=2degress_vlan_100 \
passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1-trunk keeps the default pvid, frame-types and no ingress-filtering;
# the RB4011 end of the same trunk has pvid=10, so the two ends treat untagged
# frames differently. frame-types=admit-only-vlan-tagged on both trunk ports
# would make that irrelevant.
add bridge=bridge interface=ether1-trunk
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
/interface bridge vlan
add bridge=bridge tagged=ether1-trunk,bridge untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether1-trunk vlan-ids=100
add bridge=bridge tagged=ether1-trunk,bridge vlan-ids=20
/ip dhcp-client
# Both clients keep the default add-default-route=yes, so two default routes are
# installed (both via the RB4011, one per VLAN). Which one the netwatch probe
# below actually uses is not determined by this export — TODO confirm;
# add-default-route=no on the vlan20_guest client (or removing it, see top)
# would make it unambiguous.
add disabled=no interface=vlan20_guest
add disabled=no interface=vlan10_main
/ip service
# telnet/ftp/api/api-ssl disabled; ssh (22), www (80) and winbox (8291) remain
# enabled with no address= restriction and, on this device, no firewall.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RBM33G
/system scheduler
# NOTE(review): this entry has no on-event, so the scheduler fires every
# 8w4d (60 days) and runs nothing. The RB4011 counterpart has
# on-event="/system reboot"; add the same here if a reboot is intended.
add interval=8w4d name=monthly_reboot policy=reboot start-date=mar/29/2021 \
start-time=03:30:00
/tool netwatch
# Pings 1.1.1.1 every 30s through the RB4011 (which routes 1.1.1.1 only via the
# primary ISP) and sends an SMS over lte1 on each up/down transition. The SMS
# destination number is hard-coded in both scripts and is not hidden by
# `export hide-sensitive`; redact it by hand before sharing exports.
add down-script=":local CurDate ([:pick [/system clock get date] 4 6] . \"/\" . \
[:pick [/system clock get date] 0 3] . \"/\" . [:pick [/system clock get dat\
e] 7 11])\r\
\n:local CurTime [/system clock get time]\r\
\n:local HostName \"Primary ISP link\"\r\
\n\r\
\n/tool sms send lte1 \"+64211139090\" message=\"\$HostName is DOWN at \$Cur\
Date \$CurTime\"" host=1.1.1.1 interval=30s up-script=":local CurDate ([:pic\
k [/system clock get date] 4 6] . \"/\" . [:pick [/system clock get date] 0 \
3] . \"/\" . [:pick [/system clock get date] 7 11])\r\
\n:local CurTime [/system clock get time]\r\
\n:local HostName \"Primary ISP link\"\r\
\n\r\
\n/tool sms send lte1 \"+642\" message=\"\$HostName is UP at \$CurDa\
te \$CurTime\""
[admin@MikroTik_RBM33G] >
thanks a lot