I'm setting up my RB5009UG+S+ on ROS 7.5, and I cannot, for the life of me, get traffic flowing when I enable VLAN-filtering on the bridge interface. I'm making ethernet ports 6 and 7 trunk ports for the 4 VLANs, and the system works just fine when I don't enable VLAN-filtering, but fails once I enable it.
What am I doing wrong here? Please see attached and scold me as needed.
Code: Select all
# aug/31/2022 17:17:38 by RouterOS 7.5
# software id = NZ0U-HY3B
#
# model = RB5009UG+S+
# serial number = XYZ
/interface bridge
add admin-mac=XX:YY:ZZ:11:22:33 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Internet uplink"
set [ find default-name=ether2 ] comment="regular port, no VLAN"
set [ find default-name=ether3 ] comment=\
"NOT Ready - IoT Interface, VLAN 200 untagged"
set [ find default-name=ether4 ] comment="regular port, no VLAN"
set [ find default-name=ether5 ] comment=\
"NOT Ready, HOME Interface, VLAN 300 untagged"
set [ find default-name=ether6 ] comment=\
"NOT Ready, Wireless Access Point Port Interface, VLAN trunk, #1"
set [ find default-name=ether7 ] comment=\
"NOT Ready, Wireless Access Point Port Interface, VLAN trunk, #2"
set [ find default-name=ether8 ] comment="regular port, no VLAN"
set [ find default-name=sfp-sfpplus1 ] comment=unused disabled=yes
/interface wireguard
add listen-port=4444 mtu=1420 name=wireguard1
/interface vlan
add comment="Guest VLAN 100" interface=bridge name=VL100Guest vlan-id=100
add comment="IoT VLAN 200" interface=bridge name=VL200IoT vlan-id=200
add comment="Home VLAN 300" interface=bridge name=VL300Home vlan-id=300
add comment="MGMT VLAN 500" interface=bridge name=VL500MGMT vlan-id=500
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.20.202.40-172.20.202.254
add name=POOL100Guest ranges=172.20.210.10-172.20.210.240
add name=POOL200IoT ranges=172.20.220.10-172.20.220.99
add name=POOL300Home ranges=172.20.230.10-172.20.230.200
add name=POOL500MGMT ranges=172.20.250.10-172.20.250.99
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=POOL100Guest interface=VL100Guest name=DHCP100Guest
add address-pool=POOL200IoT interface=VL200IoT name=DHCP200IoT
add address-pool=POOL300Home interface=VL300Home name=DHCP300Home
add address-pool=POOL500MGMT interface=VL500MGMT name=DHCP500MGMT
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether6
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge tagged=ether6,ether7 vlan-ids=100
add bridge=bridge tagged=ether6,ether7 vlan-ids=200
add bridge=bridge tagged=ether6,ether7 vlan-ids=300
add bridge=bridge tagged=ether6,ether7 vlan-ids=500
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=listBridge
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.20.203.2/32 interface=wireguard1 \
public-key="KEY1"
add allowed-address=172.20.203.3/32 interface=\
wireguard1 public-key="KEY2"
/ip address
add address=172.20.202.1/24 comment=defconf interface=bridge network=\
172.20.202.0
add address=172.20.203.1/24 interface=wireguard1 network=172.20.203.0
add address=172.20.210.1/24 interface=VL100Guest network=172.20.210.0
add address=172.20.220.1/24 interface=VL200IoT network=172.20.220.0
add address=172.20.230.1/24 interface=VL300Home network=172.20.230.0
add address=172.20.250.1/24 interface=VL500MGMT network=172.20.250.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.20.202.0/24 comment=defconf dns-server=172.20.202.1 gateway=\
172.20.202.1 netmask=24
add address=172.20.210.0/24 comment="Guest DHCP Server Network" dns-server=\
1.1.1.1 gateway=172.20.210.1
add address=172.20.220.0/24 comment="IoT DHCP Server Network" dns-server=\
172.20.220.1 gateway=172.20.220.1
add address=172.20.230.0/24 comment="Home DHCP Server Network" dns-server=\
172.20.230.1 gateway=172.20.230.1
add address=172.20.250.0/24 comment="MGMT DHCP Server Network" dns-server=\
1.1.1.1 gateway=172.20.250.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=172.20.202.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.20.202.2-172.20.202.254 list=allowed_to_router_1
add address=0.0.0.0/8 comment=RFC6890 list=not_on_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_on_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_on_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_on_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_on_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_on_internet
add address=224.0.0.0/4 comment=Multicast list=not_on_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_on_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_on_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_on_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_on_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_on_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_on_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_on_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_on_internet
add address=172.20.210.2-172.20.210.254 list=allowed_to_router_100
add address=172.20.220.2-172.20.220.254 list=allowed_to_router_200
add address=172.20.230.2-172.20.230.254 list=allowed_to_router_300
add address=172.20.250.2-172.20.250.254 list=allowed_to_router_500
/ip firewall filter
add action=accept chain=input comment="Allow WireGuard" dst-port=4444 \
log-prefix="Allow WireGuard" protocol=udp
add action=accept chain=input comment="Allow WireGuard Traffic" log-prefix=\
"Allow Wireguard Traffic" src-address=172.20.203.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix=#4
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix=#7
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=#12invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=#13!NAT
add action=accept chain=input src-address-list=allowed_to_router_1
add action=accept chain=input log=yes log-prefix=#15Guest src-address-list=\
allowed_to_router_100
add action=accept chain=input src-address-list=allowed_to_router_200
add action=accept chain=input src-address-list=allowed_to_router_300
add action=accept chain=input src-address-list=allowed_to_router_500
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_on_internet in-interface=bridge log=yes log-prefix=\
#19!public_from_LAN out-interface=!bridge
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=#21!public src-address-list=not_on_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
yes log-prefix=#22LAN_!LAN src-address=!172.20.202.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types" log=yes log-prefix=\
#30
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.20.202.0/24,172.20.203.0/24 port=2200
set api disabled=yes
set winbox address=172.20.202.0/24,172.20.203.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=ROS
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
/system scheduler
add interval=15m name=DuckDNS-Update-Scheduler on-event=DuckDNS-Updater \
policy=read,test start-date=aug/13/2022 start-time=00:00:00
/system script
add dont-require-permissions=no name=DuckDNS-Updater owner=admin policy=\
read,test source="
\n:log warning message=\"START: DuckDNS.org DDNS Update\"\r\
\n\r\
\n:log warning message=\"END: DuckDNS.org DDNS Update finished\"\r\
\n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN