tunguskalabs
just joined
Topic Author
Posts: 14
Joined: Tue May 23, 2023 3:36 pm

How to configure a VLAN that acts both on wireless and on wired?

Tue May 23, 2023 5:54 pm

Hi all,

I'm trying to do the classic "home/work" network separation, and it seems that VLAN is the best way to go. I have a RB4011 with wireless, and currently my network looks like this:
[attached image: network.jpg]
I already created VLAN10 (192.168.10.0/24) for guest_2g and VLAN20 (192.168.20.0/24) for work_5g and work_2g, with corresponding bridges (bridge_vlan10 and bridge_vlan20), and with the firewall rules and DHCP servers, it's working fine. The LAN (192.168.1.0/24) traffic is untagged, so not part of a VLAN, and connected to a bridge. The internet connection is on eth1, using PPPoE from my ISP.

What I'm trying to do is to make eth6 a (what I think it should be) hybrid port, so the untagged traffic to my personal laptop is on LAN, and the work laptop is on vlan20. The printer is wireless, so it connects to work_2g, and sometimes I need to move the work laptop, so I use work_5g. I cannot connect the work gear on another port because it's on another floor of the house and passing another cable would be a nightmare.

The VLAN guide seems to not cover this case, so I'm lost on how to set up eth6, the port that connects the RB4011 to a dumb switch, which in turn connects to the personal and work gear. Is there an easy way to do it? I would prefer not to create a VLAN for LAN, if possible. Thanks!

# may/23/2023 11:47:55 by RouterOS 7.9.1
# software id = <XXXXX>
#
# model = RB4011iGS+5HacQ2HnD
# serial number = <XXXXX>
/interface bridge
add admin-mac=DC:2C:6E:13:F3:B3 auto-mac=no comment=defconf name=bridge
add name=bridge-vlan10
add name=bridge-vlan20
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyac country=brazil disabled=no \
    distance=indoors frequency=5200 frequency-mode=superchannel mode=\
    ap-bridge ssid=loveandrockets wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country=brazil disabled=no distance=indoors frequency=2447 \
    frequency-mode=superchannel mode=ap-bridge ssid=loveandrockets \
    wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1500 name=\
    pppoe-out1 use-peer-dns=yes user=cliente@cliente
/interface wireless nstreme
set wlan1 disable-csma=yes
/interface wireguard
add disabled=yes listen-port=55555 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=work supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=DE:2C:6E:13:F3:BD master-interface=wlan1 name=\
    wlan3 security-profile=profile ssid=maggie vlan-id=10 vlan-mode=use-tag \
    wds-default-bridge=bridge-vlan10 wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:13:F3:BE master-interface=wlan1 name=\
    wlan4 security-profile=work ssid=workshop vlan-id=20 vlan-mode=use-tag \
    wds-default-bridge=bridge wps-mode=disabled
add disabled=no mac-address=2E:C8:1B:BF:E8:D6 master-interface=wlan2 name=\
    wlan5 security-profile=work ssid=workshop wds-default-bridge=bridge \
    wps-mode=disabled
/interface vlan
add interface=wlan3 name=vlan10 vlan-id=10
add interface=wlan4 name=vlan20 vlan-id=20
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp-guest-pool ranges=192.168.10.100-192.168.10.200
add name=dhcp-pool-work ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h5m \
    name=defconf server-address=192.168.1.1
add address-pool=dhcp-guest-pool interface=bridge-vlan10 lease-time=10m name=\
    dhcp-guest
add address-pool=dhcp-pool-work interface=bridge-vlan20 lease-time=10m name=\
    dhcp-work
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 3 remote=192.168.1.2
add bsd-syslog=yes name=browsinglog remote=192.168.1.2 syslog-severity=info \
    target=remote
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*16
# no interface
add action=drop chain=forward out-interface=*16
# no interface
add action=drop chain=forward in-interface=*17
# no interface
add action=drop chain=forward out-interface=*17
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge disabled=yes interface=*10
add bridge=bridge interface=*11
add bridge=bridge disabled=yes interface=zt1
add bridge=bridge disabled=yes interface=*16
add bridge=bridge disabled=yes interface=*17
add bridge=bridge-vlan10 interface=wlan3
add bridge=bridge-vlan10 interface=vlan10
add bridge=bridge-vlan20 interface=wlan4
add bridge=bridge-vlan20 interface=vlan20
add bridge=bridge-vlan20 interface=wlan5
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge-vlan10 list=LAN
add interface=bridge-vlan20 list=LAN
/interface wireless access-list
add authentication=no forwarding=no interface=wlan2 mac-address=\
    F8:4D:89:86:44:94
add authentication=no forwarding=no interface=wlan2 mac-address=\
    7C:2A:DB:8D:97:CA
/interface wireless sniffer
set multiple-channels=yes receive-errors=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.0.5.3 interface=wireguard1 network=10.0.5.0
add address=192.168.10.1/24 interface=bridge-vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=bridge-vlan20 network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,1.1.1.1,1.0.0.1,9.9.9.9 \
    domain=tunguska.cc gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.1
add address=192.168.10.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=300 \
    max-concurrent-tcp-sessions=100 query-server-timeout=1s \
    query-total-timeout=2s servers=1.1.1.1,1.0.0.1,9.9.9.9
/ip firewall address-list
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=10.0.5.1-10.0.5.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=log chain=forward comment="forward log to NAS" connection-state=\
    new dst-port=80,443 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment="allow SSH" dst-port=22 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow Wireguard" disabled=yes \
    dst-port=55555 protocol=udp
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
    in-interface=wireguard1
add action=accept chain=input comment="allow WireGuard traffic" disabled=yes \
    src-address=10.0.5.0/24
add action=drop chain=forward comment="Drop google DNS" dst-address-list=\
    GOOGLE_DNS
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=notlan
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="block traffic from guest to lan" \
    in-interface=bridge-vlan10 out-interface=bridge
add action=drop chain=forward comment="block traffic from work to lan" \
    in-interface=bridge-vlan20 out-interface=bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# no interface
add action=masquerade chain=srcnat out-interface=*16 src-address=\
    192.168.10.0/24
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet address=192.168.1.0/24,192.168.88.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh address=192.168.1.0/24,10.0.5.0/24,10.0.1.0/24
set www-ssl address=192.168.0.0/16,10.0.5.0/24,10.0.1.0/24 certificate=\
    tunguska.cc.crt_0 disabled=no tls-version=only-1.2
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24 disabled=yes
set api-ssl certificate=tunguska.cc.crt_0 disabled=yes
/ip smb
set allow-guests=no
/ip ssh
set forwarding-enabled=local host-key-size=4096 strong-crypto=yes
/ip traffic-flow
set active-flow-timeout=1m enabled=yes
/ip traffic-flow target
add dst-address=192.168.1.2 v9-template-timeout=1m
/ip upnp interfaces
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept v6 established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment=\
    "defconf: drop all v6 not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
    hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
    icmpv6
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=routertunguska
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add action=browsinglog topics=firewall
add action=browsinglog prefix=dhcp topics=dhcp
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=200.189.40.8
add address=200.160.7.197
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by tunguskalabs on Thu May 25, 2023 3:46 am, edited 1 time in total.
 
tunguskalabs
just joined
Topic Author
Posts: 14
Joined: Tue May 23, 2023 3:36 pm

Re: Another question about VLAN and hybrid ports with wireless in the mix

Thu May 25, 2023 3:42 am

Either my question is too basic or already answered somewhere. In any case, I don't know how to do this, so can any kind soul point me to the f*cking manual so I can make this work? Thanks.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to configure a VLAN that acts both on wireless and on wired?

Mon May 29, 2023 4:02 am

Okay, you have some misconceptions.
First, it's one bridge, and I prefer the bridge ONLY do bridging.
In other words, take your 192.168.X network and make it a vlan like the others.

Second, replace the dumb switch with a managed switch so that you can successfully configure and control all the ports on the switches, which allows for optimal use of vlans.
I do not recommend attempting vlans over dumb switches.

viewtopic.php?t=143620
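As an added example (not from the original thread and not anav's own configuration), this is the single-bridge, VLAN-filtering layout anav describes applied to the OP's RB4011: the home network becomes its own VLAN, ether6 becomes a hybrid port carrying home untagged and work (VLAN 20) tagged, and the per-VLAN bridges and the vlan10/vlan20 interfaces on wlan3/wlan4 are removed. The VLAN ID 30 and the names vlan30-home, vlan10-guest and vlan20-work are assumptions (the thread picks none); the bridge port and bridge VLAN sections are written as if they were empty, and the existing bridge named "bridge" is reused.

```routeros
# Added example, not the OP's export. One bridge, VLAN filtering on:
# home = VLAN 30 (assumed id), guest = VLAN 10, work = VLAN 20.
# Apply from a console/serial session, not over the network being re-plumbed.

/interface wireless
# Work and guest SSIDs tag their own frames before they enter the bridge.
# wlan5 in the original export had no vlan-mode=use-tag, so it was untagged.
set wlan3 vlan-mode=use-tag vlan-id=10
set wlan4 vlan-mode=use-tag vlan-id=20
set wlan5 vlan-mode=use-tag vlan-id=20

/interface bridge port
# Access ports for the home network: untagged frames only, mapped to VLAN 30.
add bridge=bridge interface=ether2 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Hybrid port to the downstream switch: untagged = VLAN 30, tagged VLAN 20 admitted.
# ingress-filtering drops any tag not in the VLAN table for this port, so a host
# on the switch cannot reach VLAN 10 by tagging its own frames.
# The work laptop's frames must already carry tag 20 when they arrive here,
# which is why a managed switch (tagging the work port) is the safe choice.
add bridge=bridge interface=ether6 pvid=30 ingress-filtering=yes frame-types=admit-all
# Home SSIDs stay untagged members of VLAN 30.
add bridge=bridge interface=wlan1 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan2 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Virtual APs with vlan-mode=use-tag enter the bridge tagged, so they are tagged members.
add bridge=bridge interface=wlan3 ingress-filtering=yes
add bridge=bridge interface=wlan4 ingress-filtering=yes
add bridge=bridge interface=wlan5 ingress-filtering=yes

/interface bridge vlan
# The bridge itself is a tagged member of every VLAN that gets an IP interface below.
add bridge=bridge vlan-ids=30 tagged=bridge untagged=ether2,ether3,ether4,ether5,ether6,wlan1,wlan2
add bridge=bridge vlan-ids=10 tagged=bridge,wlan3
add bridge=bridge vlan-ids=20 tagged=bridge,ether6,wlan4,wlan5

# Layer-3 interfaces live on the bridge; they replace bridge-vlan10 / bridge-vlan20.
/interface vlan
add interface=bridge name=vlan30-home vlan-id=30
add interface=bridge name=vlan10-guest vlan-id=10
add interface=bridge name=vlan20-work vlan-id=20
/ip address
add address=192.168.1.1/24 interface=vlan30-home
add address=192.168.10.1/24 interface=vlan10-guest
add address=192.168.20.1/24 interface=vlan20-work
/interface list member
add interface=vlan30-home list=LAN
add interface=vlan10-guest list=LAN
add interface=vlan20-work list=LAN
# DHCP servers move from the old bridges to the VLAN interfaces.
/ip dhcp-server
set defconf interface=vlan30-home
set dhcp-guest interface=vlan10-guest
set dhcp-work interface=vlan20-work
# The inter-VLAN drop rules now match on the VLAN interfaces instead of the bridges.
/ip firewall filter
add action=drop chain=forward comment="block guest to home" in-interface=vlan10-guest out-interface=vlan30-home
add action=drop chain=forward comment="block work to home" in-interface=vlan20-work out-interface=vlan30-home

# Last step, after checking the table with: /interface bridge vlan print
/interface bridge
set bridge vlan-filtering=yes
```

Until vlan-filtering is switched on the VLAN table is not enforced, so verify membership first and, once enabled, confirm with `/interface bridge host print` that each client MAC is learned on the expected VLAN.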
 
tunguskalabs
just joined
Topic Author
Posts: 14
Joined: Tue May 23, 2023 3:36 pm

Re: How to configure a VLAN that acts both on wireless and on wired?  [SOLVED]

Sat Feb 03, 2024 2:26 pm

I finally came around and finished this, with a working configuration. It's here: viewtopic.php?t=203918. Thanks.
