Sun Apr 28, 2024 8:33 pm
I have following questions:
--WIREGUARD SETUP---
I would like to connect to setup wireguard tunnel. I need to be able to connect from this tunnel to devices on all vlans. VLAN 10 is my mngmnt network. Ideally I would like wireguard tunnel to have ip from this network.
-- FW SETUP--
Best way to restrict access to VLAN 12(servers) and VLAN 30(smarthome) for users on VLAN 100.
Current VLAN setup should stay the same.
Any help would be appreciated. Thank you.
Here is my current configuration:
# 2024-04-28 20:13:56 by RouterOS 7.14.1
# model = RB5009UG+S+
/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
"ether1-LAN-Trunk(switch)"
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Trunk
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Trunk
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
"dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment="for KNX on the switch" interface=\
"ether1-LAN-Trunk(switch)" internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink interface=ether2-LAN-Trunk pvid=20
add bridge=br-Uplink interface=ether3-LAN-Trunk pvid=30
add bridge=br-Uplink interface=ether4-LAN pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=br-Uplink comment="Smart Home LAN" tagged=\
ether2-LAN-Trunk,br-Uplink untagged=\
"ether1-LAN-Trunk(switch),ether3-LAN-Trunk" vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
"ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk" vlan-ids=100
add bridge=br-Uplink tagged=\
"ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk" vlan-ids=10
add bridge=br-Uplink tagged="ether1-LAN-Trunk(switch),br-Uplink" untagged=\
ether2-LAN-Trunk vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
"Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
"TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
"TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
"iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
"Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
"Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
"dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
"Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
"dhcp-smart home"
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.10.248/29 list=Admins
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=192.168.12.248/29 list=Admins
add address=192.168.30.248/29 list=Admins
add address=192.168.100.248/29 list=Admins
add address=88.203.229.253 list=Svetulcho
/ip firewall filter
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment="Allow HTTPS from WAN to nginx proxy" \
dst-address=192.168.12.254 dst-port=443 in-interface=ether8-WAN-Static \
protocol=tcp
add action=accept chain=forward comment="Allow access from WAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 in-interface=ether8-WAN-Static \
protocol=tcp
add action=accept chain=input comment="Svetulcho remote access" dst-port=8291 \
protocol=tcp src-address-list=Svetulcho
add action=drop chain=input comment="Drop All Incoming Traffic from WAN" \
in-interface=ether8-WAN-Static
add action=accept chain=forward comment="allow access from LAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
LAN
add action=drop chain=forward comment=\
"block users from access to servers LAN list" dst-address-list=Servers \
src-address=192.168.100.0/24
add action=drop chain=forward comment=\
"block Users access to Smart Home Network" dst-address-list=SmartHome \
src-address=192.168.100.0/24
add action=accept chain=input comment="Allow Access to Mikrotik for Admins" \
dst-port=22,23,8291,8728 protocol=tcp src-address=192.168.30.248/29
add action=accept chain=input comment="Allow Access to Mikrotik for Admins" \
dst-port=22,23,8291,8728 protocol=tcp src-address=192.168.10.248/29
add action=drop chain=input comment="Restrict Access to Mikrotik for LAN" \
dst-port=22,23,8291,8728 protocol=tcp src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
to-ports=32400
add action=masquerade chain=srcnat comment="hairpin rule for LAN interfaces" \
dst-address=192.168.12.0/24 src-address-list=LAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main \
suppress-hw-offload=no
/system clock
set time-zone-name=Europe/XXX
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether2-LAN-Trunk