Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Please review my Gateway+AP+Multiple VLANS configs

Post Reply
 
thebox
just joined
Topic Author
Posts: 2
Joined: Thu Jan 04, 2024 6:22 pm

Please review my Gateway+AP+Multiple VLANS configs

Mon Feb 05, 2024 10:39 pm

Hi all,

I'm new to networking/routing, and even if I am an IT guy, is not my competence!
I'm seeking tuning/better configuration tips/settings, as for sure there will be some beginner mistakes.
Thanks in advance for any corrections/better configurations!

My network diagram is kind of/like this (apologies for the incorrect diagram icons!) https://drive.google.com/file/d/15KrwVi ... drive_link

this is the configuration of GW00-TBUK
Code: Select all
# 2024-02-05 20:18:46 by RouterOS 7.13.3
# software id = JFZQ-1JBT
#
# model = RB960PGS
# serial number = HFA098RB8ZH
/interface bridge
add admin-mac=78:9A:18:A4:7D:F4 auto-mac=no name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=IT_wireguard
/interface vlan
add interface=ether2 name=gst_vlan200 vlan-id=200
add interface=ether2 name=iot_vlan30 vlan-id=30
add interface=ether2 name=mmx_vlan20 vlan-id=20
add interface=ether2 name=net_vlan10 vlan-id=10
add interface=ether2 name=vit_vlan40 vlan-id=40
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=XXXXXXXXX
/interface list
add name=WAN
add name=LAN
add name=IT_LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=mgm_pool ranges=192.168.88.10-192.168.88.254
add name=vit_pool ranges=192.168.40.20-192.168.40.254
add name=gst_pool ranges=192.168.200.20-192.168.200.254
add name=net_pool ranges=192.168.10.20-192.168.10.254
add name=mmx_pool ranges=192.168.20.20-192.168.20.254
add name=iot_pool ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=mgm_pool interface=bridge lease-time=1w1d name=main_dhcp
add address-pool=gst_pool interface=gst_vlan200 lease-time=5m name=gst_dhcp
add address-pool=net_pool interface=net_vlan10 lease-time=1d name=net_dhcp
add address-pool=mmx_pool interface=mmx_vlan20 lease-time=1d name=mmx_dhcp
add address-pool=iot_pool interface=iot_vlan30 lease-time=2d name=iot_dhcp
add address-pool=vit_pool interface=vit_vlan40 name=vit_dhcp
/ip vrf
add interfaces=IT_LAN name=it_vrf
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=net_vlan10 list=LAN
add interface=mmx_vlan20 list=LAN
add interface=gst_vlan200 list=LAN
add interface=iot_vlan30 list=LAN
add interface=vit_vlan40 list=IT_LAN
add interface=IT_wireguard list=IT_LAN
add interface=UK_wireguard list=UK_LAN
add interface=vuk_vlan41 list=UK_LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.102.237.129 endpoint-port=51820 interface=\
    IT_wireguard persistent-keepalive=25m private-key="XXXXXX" public-key="XXXXXX"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.200.1/24 interface=gst_vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=net_vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=mmx_vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=iot_vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vit_vlan40 network=192.168.40.0
add address=10.2.0.2 interface=IT_wireguard network=10.2.0.0
add address=10.2.0.3 disabled=yes interface=UK_wireguard network=10.2.0.0
add address=192.168.41.1/24 disabled=yes interface=vuk_vlan41 network=192.168.41.0
/ip dhcp-server lease
add address=192.168.20.20 client-id=1:4:b9:e3:f5:f8:ca comment="MMX Tv" mac-address=XXXXXXX server=mmx_dhcp
add address=192.168.30.128  mac-address=XXXXXXX server=iot_dhcp
add address=192.168.10.88  mac-address=XXXXXXX server=net_dhcp
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=10.2.0.1,192.168.40.1 gateway=192.168.40.1
add address=192.168.41.0/24 dns-server=10.2.0.1,192.168.41.1 gateway=192.168.41.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=gateway.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=IT_wireguard src-address=192.168.40.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=IT_wireguard@it_vrf routing-table=it_vrf \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=XXXXXX/32 gateway=pppoe-out1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
    udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=\
    546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=GW00-TBUK
/system note
set show-at-login=no
/tool graphing interface
add interface=mmx_vlan20
add interface=net_vlan10
add interface=iot_vlan30
add interface=gst_vlan200
add interface=vit_vlan40
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether2 streaming-enabled=yes streaming-server=192.168.10.80

this is the configuration of AP00-TBUK
Code: Select all
# 2024-02-05 20:26:06 by RouterOS 7.13.3
# software id = UYDE-VHID
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HF8090WQCPE
/interface bridge
add admin-mac=78:9A:18:94:B4:2A auto-mac=no disabled=yes name=lan_bridge \
    port-cost-mode=short
add frame-types=admit-only-untagged-and-priority-tagged name=wan_bridge \
    protocol-mode=mstp vlan-filtering=yes
/interface vlan
add disabled=yes interface=ether1 name=vlan40 vlan-id=40
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=net_2ax skip-dfs-channels=10min-cac width=\
    20/40mhz
add band=5ghz-ax disabled=no name=net_5ax skip-dfs-channels=10min-cac width=\
    20/40/80mhz
add band=2ghz-ax disabled=no name=iot_2ax skip-dfs-channels=10min-cac width=\
    20/40mhz
add band=5ghz-ax disabled=no name=iot_5ax skip-dfs-channels=10min-cac width=\
    20/40/80mhz
add band=2ghz-ax disabled=no name=vit_2ax
add band=5ghz-ax disabled=no name=vit_5ax
add band=2ghz-ax disabled=no name=mmx_2ax skip-dfs-channels=10min-cac width=\
    20/40mhz
add band=5ghz-ax disabled=no name=mmx_5ax skip-dfs-channels=10min-cac width=\
    20/40/80mhz
add band=5ghz-ax disabled=no name=gst_5ax skip-dfs-channels=10min-cac width=\
    20/40/80mhz
add band=2ghz-ax disabled=no name=gst_2ax skip-dfs-channels=10min-cac width=\
    20/40mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=\
    net_sec
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=\
    mmx_sec
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=\
    gst_sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=vit_sec
add authentication-types=wpa-psk,wpa2-psk connect-priority=0 disabled=no name=\
    iot_sec
/interface wifi configuration
add channel=net_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
    name=net_5g_conf security=net_sec security.connect-priority=0 ssid=XS4TBNET
add channel=gst_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
    name=gst_2g_conf security=gst_sec security.connect-priority=0 ssid=XS4TBGST
add channel=mmx_5ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
    name=mmx_5g_conf security=mmx_sec security.connect-priority=0 ssid=XS4TBMMX
add channel=net_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
    name=net_2g_conf security=net_sec security.connect-priority=0 ssid=XS4TBNET
add channel=mmx_2ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
    name=mmx_2g_conf security=mmx_sec security.connect-priority=0 ssid=XS4TBMMX
add channel=gst_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
    name=gst_5g_conf security=gst_sec security.connect-priority=0 ssid=XS4TBGST
add channel=iot_5ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
    name=iot_5g_conf security=iot_sec security.connect-priority=0 ssid=XS4TBIOT
add channel=iot_2ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
    name=iot_2g_conf security=iot_sec security.connect-priority=0 ssid=XS4TBIOT
add channel=vit_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
    name=vit_5g_conf security=vit_sec security.connect-priority=0 ssid=XS4TBVIT
add channel=vit_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
    name=vit_2g_conf security=vit_sec security.connect-priority=0 ssid=XS4TBVIT
/interface wifi
set [ find default-name=wifi2 ] configuration=net_2g_conf configuration.mode=ap \
    disabled=no name=net_wifi_2G
set [ find default-name=wifi1 ] configuration=net_5g_conf \
    configuration.hide-ssid=yes .mode=ap disabled=no name=net_wifi_5G \
    security.connect-priority=0
add channel=vit_2ax configuration=vit_2g_conf configuration.mode=ap disabled=no \
    mac-address=7A:9A:18:94:B4:2E master-interface=net_wifi_2G name=vit_wifi_2g \
    security.connect-priority=0
add channel=gst_5ax configuration=gst_5g_conf configuration.mode=ap disabled=no \
    mac-address=7A:9A:18:94:B4:31 master-interface=net_wifi_5G name=gst_wifi_5G \
    security.connect-priority=0
add channel=iot_2ax configuration=iot_2g_conf configuration.mode=ap disabled=no \
    mac-address=7A:9A:18:94:B4:2F master-interface=net_wifi_2G name=iot_wifi_2g \
    security.connect-priority=0
add channel=iot_5ax configuration=iot_5g_conf configuration.mode=ap \
    mac-address=7A:9A:18:94:B4:2F master-interface=net_wifi_5G name=iot_wifi_5g \
    security.connect-priority=0
add channel=mmx_5ax configuration=mmx_5g_conf configuration.mode=ap disabled=no \
    mac-address=7A:9A:18:94:B4:32 master-interface=net_wifi_5G name=mmx_wifi_5g
/ip pool
add name=pool ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=pool disabled=yes interface=lan_bridge name=dhcp
/interface bridge port
add bridge=wan_bridge interface=net_wifi_5G internal-path-cost=10 path-cost=10 \
    pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether1 internal-path-cost=20 path-cost=20
add bridge=wan_bridge interface=ether3 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether2 pvid=20 tag-stacking=yes
add bridge=wan_bridge interface=ether4 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether5 pvid=40 tag-stacking=yes
add bridge=wan_bridge interface=gst_wifi_5G pvid=200 tag-stacking=yes
add bridge=wan_bridge interface=mmx_wifi_5g pvid=20 tag-stacking=yes
add bridge=wan_bridge interface=iot_wifi_5g pvid=30 tag-stacking=yes
add bridge=wan_bridge interface=vit_wifi_2g pvid=40 tag-stacking=yes
add bridge=wan_bridge interface=net_wifi_2G internal-path-cost=10 path-cost=10 \
    pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=iot_wifi_2g pvid=30 tag-stacking=yes
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=wan_bridge tagged=ether1 untagged=\
    net_wifi_2G,net_wifi_5G,wan_bridge,ether4,ether3 vlan-ids=10
add bridge=wan_bridge tagged=ether1 untagged=mmx_wifi_5g,ether2 vlan-ids=20
add bridge=wan_bridge tagged=ether1 untagged=gst_wifi_5G vlan-ids=200
add bridge=wan_bridge tagged=ether1 untagged=iot_wifi_2g,iot_wifi_5g vlan-ids=\
    30
add bridge=wan_bridge tagged=ether1 untagged=vit_wifi_2g,ether5 vlan-ids=40
/interface detect-internet
set detect-interface-list=all
/interface list member
add disabled=yes interface=lan_bridge list=LAN
add interface=wan_bridge list=WAN
/ip address
add address=192.168.1.1/24 disabled=yes interface=lan_bridge network=\
    192.168.1.0
/ip dhcp-client
add interface=wan_bridge
add disabled=yes interface=vlan40
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=drop chain=forward disabled=yes in-interface=lan_bridge \
    out-interface=*19
add action=drop chain=forward disabled=yes in-interface=*19 out-interface=\
    lan_bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=AP00-TBUK
/system note
set show-at-login=no
/tool graphing interface
add interface=*17
add interface=gst_wifi_5G
add interface=*19
add interface=*34
/tool sniffer
set filter-interface=ether3
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Please review my Gateway+AP+Multiple VLANS configs

Tue Feb 06, 2024 2:59 pm

The first config, you have all the vlans assigned to vlan2, and thus your bridge ports should NOT include ether2 ???

Typically following this excellent article: viewtopic.php?t=143620
The idea is one bridge, and all vlans associated to the bridge, and thus either remove bridge port 2 ( easiest fix ) or
add all the vlans to the bridge, and make the .88 subnet a vlan...........

Set detect internet to none, its not useful in this scenario and could cause issues.
Set neighbours discovery to LAN, not all.

Since the wireguard connection is client for handshake..........
What is the purpose for this router and wireguard....... to connect to another MT router over wireguard??
or to a third party VPN provider, if the latter, then suggest the wireguard interface should be part of the WAN interface list.

It would appear from the diagram you simply need the other MT to act solely as an AP switch.
Suggest you also use one bridge
The only interface list item needed is lets say MGMT.
The only vlan requiring identification is the vlan where the AP gets its IP from ( trusted subnet ).
This is the only vlan requiring tagging on the bridge itself, the rest just flow in from ether1 to whatever lan port or wlan port they need to go out of.
If you do have a spare port on the AP, setup an ip address just for that port, OFF the bridge so the AP is accessible independently during configuration.
Top
 
thebox
just joined
Topic Author
Posts: 2
Joined: Thu Jan 04, 2024 6:22 pm

Re: Please review my Gateway+AP+Multiple VLANS configs

Tue Feb 06, 2024 11:01 pm

The first config, you have all the vlans assigned to vlan2, and thus your bridge ports should NOT include ether2 ???

Typically following this excellent article: viewtopic.php?t=143620
The idea is one bridge, and all vlans associated to the bridge, and thus either remove bridge port 2 ( easiest fix ) or
add all the vlans to the bridge, and make the .88 subnet a vlan...........

Set detect internet to none, its not useful in this scenario and could cause issues.
Set neighbours discovery to LAN, not all.
Thanks! I realised my mistakes meanwhile I was reading your message!. below is the updated configuration (also for Internet Discovery and neightbours). the subnet .88 I am not sure to keep, maybe only for "mgmn" purposes (over all devices).
I have only one question, as you see looks like the DHCP can't work on a "slave" interface, this means that i can't allocate my IP over the respective VLAN ID... how to fix this?
Code: Select all
# 2024-02-06 20:30:55 by RouterOS 7.13.3
# software id = JFZQ-1JBT
#
# model = RB960PGS
# serial number = HFA098RB8ZH
/interface bridge
add admin-mac=78:9A:18:A4:7D:F4 auto-mac=no name=bridge

/interface vlan
add interface=ether2 name=gst_vlan200 vlan-id=200
add interface=ether2 name=iot_vlan30 vlan-id=30
add interface=ether2 name=mmx_vlan20 vlan-id=20
add interface=ether2 name=net_vlan10 vlan-id=10
add interface=ether2 name=vit_vlan40 vlan-id=40

/interface list
add name=WAN
add name=LAN
add name=IT_LAN
/ip pool
add name=mgm_pool ranges=192.168.88.10-192.168.88.254
add name=vit_pool ranges=192.168.40.20-192.168.40.254
add name=gst_pool ranges=192.168.200.20-192.168.200.254
add name=net_pool ranges=192.168.10.20-192.168.10.254
add name=mmx_pool ranges=192.168.20.20-192.168.20.254
add name=iot_pool ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=mgm_pool interface=bridge lease-time=1w1d name=main_dhcp
# DHCP server can not run on slave interface!
add address-pool=gst_pool interface=gst_vlan200 lease-time=5m name=gst_dhcp
# DHCP server can not run on slave interface!
add address-pool=net_pool interface=net_vlan10 lease-time=1d name=net_dhcp
# DHCP server can not run on slave interface!
add address-pool=mmx_pool interface=mmx_vlan20 lease-time=1d name=mmx_dhcp
# DHCP server can not run on slave interface!
add address-pool=iot_pool interface=iot_vlan30 lease-time=2d name=iot_dhcp
add address-pool=vit_pool interface=vit_vlan40 name=vit_dhcp
/ip vrf
add interfaces=IT_LAN name=it_vrf
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=iot_vlan30 pvid=\
    30
add bridge=bridge frame-types=admit-only-vlan-tagged interface=mmx_vlan20 pvid=\
    20
add bridge=bridge frame-types=admit-only-vlan-tagged interface=net_vlan10 pvid=\
    10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=gst_vlan200 \
    pvid=200
/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge tagged=iot_vlan30 vlan-ids=30
add bridge=bridge tagged=mmx_vlan20 vlan-ids=20
add bridge=bridge tagged=net_vlan10 vlan-ids=10
add bridge=bridge tagged=gst_vlan200 vlan-ids=200
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=vit_vlan40 list=IT_LAN
add interface=IT_wireguard list=IT_LAN

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.200.1/24 interface=gst_vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=net_vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=mmx_vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=iot_vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vit_vlan40 network=192.168.40.0
add address=10.2.0.2 interface=IT_wireguard network=10.2.0.0

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=10.2.0.1,192.168.40.1 gateway=\
    192.168.40.1
add address=192.168.41.0/24 dns-server=10.2.0.1,192.168.41.1 gateway=\
    192.168.41.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1




/system identity
set name=GW00-TBUK
Since the wireguard connection is client for handshake..........
What is the purpose for this router and wireguard....... to connect to another MT router over wireguard??
or to a third party VPN provider, if the latter, then suggest the wireguard interface should be part of the WAN interface list.
The purpose is that only the VLAN 40 will connect/tunnel over Wireguard which is configured with a VPN provider for Italy geolocation.
All the other WireGuard and all the VLAN will go directly via PPPoE (PPPoE will connect to the ISP router via ether1).
It would appear from the diagram you simply need the other MT to act solely as an AP switch.
Suggest you also use one bridge
The only interface list item needed is lets say MGMT.
yeah, I'm using like as AP, probably not at full potential. In future, I might have more AP, which means that the GW will serve multiple AP with all the VLANs
I'm using only one bridge, the other one is disabled... and I will delete it. I will add as well the MGMT, i got the meaning.
The only vlan requiring identification is the vlan where the AP gets its IP from ( trusted subnet ).
This is the only vlan requiring tagging on the bridge itself, the rest just flow in from ether1 to whatever lan port or wlan port they need to go out of.
I don't get this... can you explain with some examples?
If you do have a spare port on the AP, setup an ip address just for that port, OFF the bridge so the AP is accessible independently during configuration.
Will do, got the meaning.
Top
Post Reply

Who is online

Users browsing this forum: Airiasas and 12 guests
  4. RouterOS
  5. Beginner Basics