I do realize the server PC should be attached to the managed switch but until I am comfortable with VLAN'ing my D-Link switches, this will suffice. I am planning the next stage of the net where I have 3 VLANs trunked to the switches and WiFi APs.
For the most part my code is working, but there is one particular rule that I am stuck on which is supposed to block VLAN10 from accessing BaseLAN. Also I am not sure about the Masquerade rule being used the way I did it, but it does work the way I want.
Code: Select all
add action=drop chain=forward comment=\
"*************** Drop anything from VLAN10 to LAN" dst-address=\
192.168.88.0/24 src-address=192.168.10.0/24
Complete config:
Code: Select all
# 2024-08-28 19:01:04 by RouterOS 7.15.3
# software id =
#
# model = RB960PGS
# serial number =
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=CamNet vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=88.xxx-dhcp ranges=192.168.88.10-192.168.88.254
add name=CamNET_pool1 ranges=192.168.10.10-192.168.10.100
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=88.xxx-dhcp comment="Base LAN Pool (VLAN1) " interface=\
bridge name=88.xxx_dhcp
add address-pool=dhcp_pool4 comment="Pool for testing CamNET (VLAN10)" \
interface=CamNet name=10.xxx_dhcp
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment="This interface to be used for VLAN10" interface=\
ether5 pvid=10
add bridge=bridge comment="Set ether1 set as Bridge SFP1 to WAN" interface=\
ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.10.1/24 interface=CamNet network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=sfp1
/ip dhcp-server network
add address=192.168.10.0/24 comment="CamNET DHCP" dns-server=192.168.88.1 \
gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"*************** Allow VLAN1 to access VLAN10" dst-address=\
192.168.10.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment=\
"*************** Drop anything from VLAN10 to WAN" \
out-interface-list=WAN src-address=192.168.10.0/24
add action=drop chain=input comment=\
"*************** Drop anything from WAN to VLAN10" dst-address=\
192.168.10.0/24 in-interface-list=WAN
add action=drop chain=forward comment=\
"*************** Drop anything from VLAN10 to LAN" dst-address=\
192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Allows VLAN1 onto VLAN10" \
dst-address=192.168.10.0/24 dst-address-list="" ipsec-policy=out,none \
src-address=192.168.88.0/24 src-address-list=""
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/Vancouver
/system note
set show-at-login=no
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN