Currently i only have this device, later i want to add a managed switch to the trunk ports. So i was trying multiple times to apply Router-Switch-AP (all in one) but removed the wifi settings and added a ethernet port for the management. Problem is that when i apply the setup in the terminal (after Removing the default configuration) I am not able to connect to the router anymore, not even via mac address. I imagine there might be something missing with the eth2 vlan port that prevents me the access the configuration to see what is happening.
Connections:
eth1 WAN
eth2 RED - MGMT PC connected here
eth3 BLUE
eth4 GREEN
eth5 TRUNK
eth6 TRUNK
eth7 TRUNK
eth8 TRUNK
I reset the router with the reset button. It starts up with defualt config. I log in with WInbox and remove Configuration and set admin password. Then i paste the below script in:
Code: Select all
#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="RouterSwitchAP"
#######################################
# VLAN Overview
#######################################
# 1 = BASE (MGMT) VLAN RED
# 10 = BLUE
# 20 = GREEN
#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################
# Blue SSID
#/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=auto mode=ap-bridge disabled=no
# Green SSID
#/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 security-profile=guest disabled=no
# Optional: BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
#/interface wireless security-profiles add name=Base authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#/interface wireless add name=wlan3 ssid=BASE master-interface=wlan1 security-profile=Base disabled=no
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
/interface bridge port
# BASE_VLAN
add bridge=BR1 interface=ether2 pvid=1
# Blue VLAN
add bridge=BR1 interface=ether3 pvid=10
# Green VLAN
add bridge=BR1 interface=ether4 pvid=20
# egress behavior, handled automatically
# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=1]
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/ip address add address=192.168.88.1/24 interface=BASE_VLAN
# set ether1 to be dhcp-client for WAN connection
/ip dhcp-client add comment=defconf interface=ether1
## I am skipping the below and USE DHCP Client
# DNS server, set to cache for LAN
#/ip dns set allow-remote-requests=yes servers="9.9.9.9"
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Yellow WAN facing port with IP Address provided by ISP
#/ip address add interface=ether1 address=192.168.1.196/24 network=192.168.1.0
# router's gateway provided by ISP
#/ip route add distance=1 gateway=192.168.1.1
#######################################
# IP Services
#######################################
# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip address add interface=GREEN_VLAN address=10.0.20.1/24
/ip pool add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]
#######################################
# MAC Server settings
#######################################
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set cpu-frequency=auto
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
On the MGMT PC i do a cmd with ipconfig /release. I do not receive a new IP and am not able to connect to the RB5009 anymore. Only way to reconnect is to use the rest button to reload the default config.
Really appreciate the help.
UPDATE: I just changed how I upload the config by typing in the console (Is this the correct way?):
/system reset-configuration no-defaults=yes
/import verbose=yes file-name=MyCustomConfig.rsc
With this i was able to still be connected with Winbox after the upload and was able to export the applied config:
Code: Select all
# jan/06/2022 12:06:14 by RouterOS 7.1.1
# software id = C5MD-RX8K
#
# model = RB5009UG+S+
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=1
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether4 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.88.1/24 interface=BASE_VLAN network=192.168.88.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterSwitchAP
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN
Toby