I've been utilizing my hAP ax³ now for about a year and have enjoyed the nice control RouterOS provides over my old TP-Link running stock firmware. I have a small amount of experience making minor changes to rules (firewall rules, queues, interface changes), but I've been struggling a bit with my latest project: Implementing VLANs as a security and QoS solution. The hAP ax³ is the only networking device on the network. Everything else is either a computer, phone, or IoT-type device.
I have a few different IoT devices like printers that should be accessible from other devices, but should not be able to initiate the connection first. I also wanted to implement restrictions on inter-device communication. Further, these devices should be able to access the internet.
I felt like the easiest way to do this was to create a VLAN and subnet for each device and use firewall rules to allow or deny access between VLANs. I know this seems a bit excessive, but I only have about 10 devices in total and felt like it was the safest way to ensure I have full control over the inter-device communication design.
I've implemented it using interfaces, addresses, and pools (see config below).
The issue is when I attempt to connect to the network through ether3 using the computer with the MAC address provided in the "ip dhcp-server lease add" line and allow the computer to be assigned an address, it receives a 192.168.1.x address instead of the 192.168.10.x address. If I go to the ether3 bridge port and change the PVID to 10, I am assigned a 192.168.10.x address as expected.
I'm hoping to keep VLANs completely separate from the port that a device is connected to, so I'm looking for some advice on how I can assign devices to a VLAN simply through pre-assigned static dhcp-server leases. Even if I set a static IP address on the computer to a 192.168.10.x address, it will not join the lease and just fails to be issued an address, and I have to connect WinBox via MAC address.
Thanks in advance for your time.
Initial setup config:
Code:
/interface bridge add name=bridge1
/interface bridge set bridge1 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] poe-out=off
# Actual information changed for privacy
/interface wifi set [ find default-name=wifi1 ] configuration.mode=ap .ssid="SSID 5GHz" disabled=no security.authentication-types=wpa2-psk .passphrase=secret
/interface wifi set [ find default-name=wifi2 ] configuration.mode=ap .ssid="SSID 2.4GHz" disabled=no security.authentication-types=wpa2-psk .passphrase=secret
/ip dhcp-client add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dns set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/interface list add name=LAN
/interface list add name=WAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge1 list=LAN
/interface bridge port add bridge=bridge1 hw=no interface=ether2
/interface bridge port add bridge=bridge1 hw=no interface=ether3
/interface bridge port add bridge=bridge1 hw=no interface=ether4
/interface bridge port add bridge=bridge1 hw=no interface=ether5
/interface bridge port add bridge=bridge1 interface=wifi1
/interface bridge port add bridge=bridge1 interface=wifi2
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
This is a sample of how I am setting up the VLANs:
Code:
/interface vlan add name=vlan10 vlan-id=10 interface=bridge1
/ip address add address=192.168.10.1/24 interface=vlan10
# This below line I'm just using for debugging to ensure I don't lose connectivity in testing
/ip address add address=192.168.1.1/24 interface=bridge1
/ip pool add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip pool add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/ip dhcp-server add address-pool=dhcp_pool10 interface=vlan10 name=dhcp10
/ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1.1 gateway=192.168.10.1
# Actual address changed for privacy
/ip dhcp-server lease add address=192.168.10.10 client-id=1:12:34:56:78:90:0a comment=sample mac-address=12:34:56:78:90:0a server=dhcp10
Firewall setup:
Code:
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established or related traffic"
/ip firewall filter add chain=input src-address=192.168.0.0/16 dst-address=192.168.1.1 action=accept comment="Allow 192.168.0.0/16 to access router management"
# I added the below line thinking that maybe devices were not able to communicate to the DHCP server, but this did not seem to fix it.
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.10.0/24 action=accept comment="Allow talking within vlan"
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.10.0/24 action=drop comment="Block 192.168.1.0/24 from VLAN 10"
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.0.0/16 action=drop comment="Block inter-VLAN for VLAN 10"
/ip firewall filter add chain=forward src-address=192.168.0.0/16 out-interface-list=WAN action=accept comment="Allow all VLANs internet access"
# Generic rules
/ip firewall filter add action=accept chain=input comment="accept established,related,(previously also untracked)" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="accept all from lan" in-interface-list=LAN
/ip firewall filter add action=drop chain=input comment="drop everything else"
/ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack for established,related" connection-state=established,related hw-offload=no
/ip firewall filter add action=accept chain=forward comment="accept established,related,(previously also untracked)" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="drop new to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="allow all lan to wan" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="allow port forwarded" connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment="drop everything else"
/ip firewall mangle add action=change-ttl chain=prerouting connection-nat-state="" disabled=yes new-ttl=set:64 passthrough=no
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
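Editor's note on the post above: the configuration enables vlan-filtering on bridge1 but never builds a /interface bridge vlan table or sets a PVID on any port, so every bridge port keeps the default PVID 1, untagged frames from ether3 land in VLAN 1, and the DHCP server bound to bridge1 (192.168.1.0/24) answers them; setting the port's PVID to 10 is exactly what moves the host into VLAN 10, which matches what the poster observed. A DHCP static lease only pins an address to a MAC that has already reached that server through its VLAN; VLAN membership is a layer-2 property of the ingress port (or, on wifi, of the SSID or a per-client access-list entry), not something a lease can assign. The following is an added example of the port-based layout that fits the design described in the post; it is not the poster's configuration and not a MikroTik reference config. ether3/ether4, VLAN IDs 10 and 20, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the IOT and TRUSTED interface lists and the printer MAC are placeholders, LAN and WAN are the interface lists the post already defines, and the wifi datapath.vlan-id and access-list vlan-id properties of the wifi-qcom package are stated as assumptions to verify on the device.

```routeros
# Added example (not the poster's config): one access VLAN per port on a
# single-bridge RouterOS box. Interface names, VLAN IDs, subnets and the
# IOT/TRUSTED lists are placeholders; LAN and WAN exist from the post.

/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last"

/interface bridge port
# ether2 stays on PVID 1 as the management port (bridge1's 192.168.1.1).
add bridge=bridge1 interface=ether2 pvid=1
# Access ports: untagged frames enter the port's PVID; tagged frames from the
# client are discarded, so a host cannot hop VLANs by tagging its own traffic.
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2

/interface bridge vlan
# bridge1 must be a tagged member of each VLAN, otherwise the router's own
# vlan10/vlan20 interfaces (and the DHCP servers on them) never see the frames.
# wifi1 is listed as tagged because datapath.vlan-id / access-list vlan-id
# below make it deliver client frames tagged (assumption: confirm with
# /interface bridge vlan print after enabling filtering).
add bridge=bridge1 vlan-ids=10 tagged=bridge1,wifi1 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,wifi1 untagged=ether4

/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

/ip pool
add name=pool10 ranges=192.168.10.2-192.168.10.254
add name=pool20 ranges=192.168.20.2-192.168.20.254

/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10
add name=dhcp20 interface=vlan20 address-pool=pool20
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
# A static lease pins an address for a MAC that already reached dhcp10 through
# VLAN 10; it does not move the host into VLAN 10.
/ip dhcp-server lease
add server=dhcp10 mac-address=12:34:56:78:90:0A address=192.168.10.10 comment=printer

/interface wifi
# Assumed wifi-qcom properties: datapath.vlan-id puts every client of the SSID
# in VLAN 20; an access-list vlan-id overrides it per client MAC, which is the
# closest thing to "VLAN by MAC" RouterOS offers without dot1x/RADIUS.
set wifi1 datapath.vlan-id=20
/interface wifi access-list
add mac-address=12:34:56:78:90:0A vlan-id=10 action=accept comment="printer on wifi lands in VLAN 10"

/interface list
add name=IOT
add name=TRUSTED
/interface list member
add list=IOT interface=vlan10
add list=TRUSTED interface=vlan20
add list=LAN interface=vlan10
add list=LAN interface=vlan20

/ip firewall filter
# Match on interface lists rather than src-address: a client that configures
# its own static IP still cannot leave the VLAN its port put it in.
add chain=input in-interface-list=IOT protocol=udp dst-port=53,67 action=accept comment="IoT may only use DNS and DHCP on the router"
add chain=input in-interface-list=IOT action=drop comment="place before any accept-all-from-LAN input rule"
add chain=forward connection-state=established,related action=accept comment="replies to connections the rules below allowed"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=TRUSTED out-interface-list=IOT connection-state=new action=accept comment="trusted hosts may open connections to IoT (print jobs)"
add chain=forward in-interface-list=IOT out-interface-list=WAN connection-state=new action=accept comment="IoT gets internet"
add chain=forward in-interface-list=IOT action=drop comment="IoT may not initiate anything else"

# Enable filtering only once the table above is complete; on a one-box network
# this is the step that locks you out if the port you manage from is missing.
/interface bridge set bridge1 vlan-filtering=yes
```

Two practical checks before relying on this: after enabling filtering, `/interface bridge vlan print` should show ether3 untagged and bridge1 tagged in VLAN 10 (dynamic entries for PVID 1 cover the management port), and `/interface bridge host print` should list the printer's MAC with vlan-id 10. Rules keyed on interface lists hold even when a device changes its own address, which address-based rules do not; the one place RouterOS can put a wired client into a VLAN by identity rather than by port is `/interface dot1x server` with mac-auth against a RADIUS server that returns the VLAN, which is more machinery than a ten-device network usually wants.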