I am not a total beginner, but also not an expert in networking.
My current home network works well and it looks like this:
Mikrotik RB750gr3
- Port #1 => WAN (Internet)
- Port #2 => Switch #1 (dumb/plug and play) => My workstations (LAN cable)
- Port #3 => Switch #2 (dumb/plug and play) => My other workstations (LAN cable) and Asus XT8 (AP mode)
Due to the increase in IoT devices and wireless devices that I do not trust, I plan to do this:
Mikrotik RB750gr3
- Port #1 => WAN (Internet)
- Port #2 => Switch #1 (dumb/plug and play) => My workstations (LAN cable)
- Port #3 => Switch #2 (dumb/plug and play) => My other workstations (LAN cable)
- Port #4 => Asus XT8 (AP mode) => Trusted WIFI devices
- Port #5 => A new AP (IoT and non-trusted WIFI devices)
Port #2, #3 and #4 will be on VLAN 10 (IP range 192.168.0.0/24)
Port#5 on VLAN40 (IP range 10.1.0.0/24)
How should I configure the router to achieve that?
NOTE: I tried to create VLAN40 and was able to get DHCP to run on Port #5, but no Internet.
Current setup =>
Code: Select all
# jun/02/2021 15:02:15 by RouterOS 6.48.1
# software id = EICN-1U0B
#
# model = RB750Gr3
# serial number = 8B010ADE8295
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 keepalive-timeout=\
disabled max-mru=1492 max-mtu=1492 name=unifi user=inetuser@unifi
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.135-192.168.0.175
add name=vpn ranges=192.168.89.120-192.168.89.135
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1w name=dhcp1
/ppp profile
set *FFFFFFFE local-address=dhcp remote-address=vpn
/system logging action
set 0 memory-lines=3500
add email-start-tls=yes email-to=inetuser@email.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=unifi list=WAN
add interface=bridge1 list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=10.1.0.0 network=10.1.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server config
set store-leases-disk=30m
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,208.67.222.222 gateway=\
192.168.0.1 netmask=24
/ip dns
set servers=8.8.8.8,208.67.222.222
/ip dns static
add address=8.8.8.8 name=google-dns
add address=208.67.222.222 name=opendns
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=192.168.89.120-192.168.89.135 list=allowed_to_router
add address=216.218.206.0/24 list=manual-blocked-ip
add address=213.108.134.0/24 list=manual-blocked-ip
add address=192.241.200.0/21 list=manual-blocked-ip
add address=192.241.224.0/19 list=manual-blocked-ip
add disabled=yes list=enemy-within
/ip firewall filter
add action=drop chain=input comment="drop manually blocked ip" \
src-address-list=manual-blocked-ip
add action=add-src-to-address-list address-list=syn-flood-protect \
address-list-timeout=2w chain=input comment=\
"addr-list: syn-flood-protect" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="drop syn flooders" src-address-list=\
syn-flood-protect
add action=add-src-to-address-list address-list=port-scan-protect \
address-list-timeout=2w chain=input comment=\
"addr-list: port-scan-protect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="drop port scanners" src-address-list=\
port-scan-protect
add action=drop chain=input comment="l2tp bruteforce block" connection-state=\
new dst-port=500,1701,4500 protocol=udp src-address-list=l2tp-bruteforce
add action=add-src-to-address-list address-list=l2tp-bruteforce \
address-list-timeout=2w chain=input connection-state=new dst-port=1701 \
protocol=udp src-address-list=l2tp-probe3
add action=add-src-to-address-list address-list=l2tp-probe3 \
address-list-timeout=15m chain=input connection-state=new dst-port=1701 \
protocol=udp src-address-list=l2tp-probe2
add action=add-src-to-address-list address-list=l2tp-probe2 \
address-list-timeout=8m chain=input connection-state=new dst-port=1701 \
protocol=udp src-address-list=l2tp-probe1
add action=add-src-to-address-list address-list=l2tp-probe1 \
address-list-timeout=5m chain=input connection-state=new dst-port=\
500,1701,4500 protocol=udp
add action=drop chain=input comment="drop DNS request from WAN" dst-port=53 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="accept established, related (input)" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="drop ping" protocol=icmp
add action=drop chain=input comment="drop invalid (input)"
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment=\
"accept established, related (forward)" connection-state=\
established,related
add action=drop chain=forward comment="drop invalid (forward)" \
connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.89.0/24
set ssh address=192.168.0.0/24,192.168.89.0/24
set winbox address=192.168.0.0/24,192.168.89.0/24
/ppp secret
add name=myvpn profile=default-encryption
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system logging
set 0 topics=info,!firewall,!dhcp
set 3 action=email
add topics=account,system
add action=email topics=l2tp,info,!ppp
add action=email topics=pptp,info
add action=email topics=ipsec,error
add action=email topics=system,health
add action=email topics=l2tp,ppp,info,account
add action=email topics=pptp,ppp,error
/tool e-mail
set address=152.92.72.214 from=inetuser@email.com port=587 start-tls=yes \
user=inetuser@hotmail.com