# Bridge VLAN table as first posted: each VLAN lists a single port, as tagged.
# NOTE(review): the bridge itself is not a tagged member, so once vlan-filtering is
# enabled VLAN interfaces created on the bridge would not take part in VLAN 100/200.
# A tagged-only port also expects the attached device to send 802.1Q-tagged frames.
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=100
add bridge=bridge tagged=ether3 vlan-ids=200
# Bridge VLAN table with the router CPU (bridge), the SFP+ port and ether4 as tagged
# trunk members, and ether2 / ether3 as untagged access ports for VLAN 100 / 200.
# The access ports also need a matching pvid under /interface bridge port; without it,
# untagged frames arriving on them are classified into the default VLAN instead.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4 untagged=ether2 vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4 untagged=ether3 vlan-ids=200
Have a look at the Gigaset GO Box 100 for a more minimalistic solution, both in terms of hardware and software. It's available for under 14€. There are also several other products around; search for "VoIP DECT base station". Another challenge for me is the integration of the VoIP phone (AVM FritzFon). Agreed: I will not miss the rest from the mother-in-law. The idea is to use a Fritzbox only as a DECT<->Ethernet "converter", although this is actually too wasteful for me in terms of energy. Unfortunately I have no other idea.
# Router export: one VLAN-filtering bridge, internal network on VLAN 100
# (192.168.1.0/24), guest network on VLAN 200 (192.168.2.0/24), and a PPPoE uplink
# that runs over VLAN 10 on ether1.
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
# VLAN 10 and 20 sit on the WAN port; VLAN 100 and 200 are the routed interfaces on
# the bridge and carry the gateway addresses further down.
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
# The internet session is PPPoE_Out, not ether1_WAN. Firewall and NAT rules that are
# meant to cover "the internet side" have to match PPPoE_Out (directly or via a list).
# No password= appears in this listing, so it has to be supplied separately.
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
PPPoE_Out use-peer-dns=yes user=myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists used by the firewall, neighbor discovery and the MAC server below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
# NOTE(review): relay= set to a specific address makes a RouterOS DHCP server answer
# only requests forwarded by that relay; directly attached clients get no lease.
# Leave relay unset for a server that serves its own segment.
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
3d name=dhcp_intern relay=192.168.1.1
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=\
3d name=dhcp_guests relay=192.168.2.1
# pvid assigns untagged ingress on ether2 to VLAN 100 and on ether3 to VLAN 200.
# Ports without pvid stay in the default VLAN.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether2_intern \
vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether3_guests \
vlan-ids=200
# NOTE(review): LAN holds only "bridge" and WAN only ether1_WAN. The routed interfaces
# are vlan100_intern / vlan200_guests and PPPoE_Out, and those are what the firewall
# sees as in/out interface. The last entry names no interface and looks incomplete.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=vlan100_intern network=\
192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
# NOTE(review): DHCP client on the raw WAN port alongside the PPPoE session; presumably
# a leftover from the default configuration - confirm it is still wanted.
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
# The router answers DNS queries from clients. The resolver listens on every interface,
# so the input chain must keep queries from the uplink away from it.
/ip dns
set allow-remote-requests=yes
# NOTE(review): the same name is defined twice with different addresses.
/ip dns static
add address=192.168.1.1 comment=defconf name=lisa.lan
add address=192.168.2.1 name=lisa.lan
/ip firewall filter
# Input chain (traffic addressed to the router). The last input rule drops everything
# that did not arrive on a LAN-list interface, which also covers the PPPoE uplink.
# NOTE(review): because LAN lists only "bridge", new connections from clients on
# vlan100_intern / vlan200_guests to the router (DNS, Winbox) hit that drop as well;
# only ICMP is accepted before it.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain (traffic routed through the router). There is no rule separating the
# guest subnet from the internal subnet, so the two VLANs can reach each other.
# NOTE(review): the "from WAN" drop keys on the WAN list, which does not contain
# PPPoE_Out, so it does not match traffic arriving over the PPPoE session.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): same list problem as above - traffic leaving via PPPoE_Out is not in
# the WAN list, so these masquerade rules do not apply to it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.2.0/24
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=lisa
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
# Layer-2 management (MAC telnet / MAC Winbox) is limited to LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Rebuild procedure: wipe the router without loading the factory default
# configuration, set the admin password, then import the saved script.
# With no-defaults=yes there is no default firewall in place until the import has run,
# so keep the uplink unplugged until the password is set and b4.rsc has been applied.
/system reset-configuration no-defaults=yes
<Setting Admin PW>
/import b4.rsc
Infos:
RouterOS 6.49 (stable)
software id = MVBS-WA5G
model = RB4011iGS+
# Second export: same VLAN layout (100 = internal, 200 = guests, PPPoE over VLAN 10),
# with a hand-written firewall and restricted management services.
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
# The internet session is PPPoE_Out; rules that should cover the internet side must
# match this interface rather than ether1_WAN.
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
PPPoE_Out use-peer-dns=yes user=nc-myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
# One DHCP server per routed VLAN interface, serving directly attached clients.
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern name=\
dhcp_intern
add address-pool=dhcp_guests disabled=no interface=vlan200_guests name=\
dhcp_guests
# pvid puts untagged ingress on ether2 into VLAN 100 and on ether3 into VLAN 200.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether2_intern \
vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether3_guests \
vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
# NOTE(review): no prefix length is given. RouterOS then installs the address as /32,
# so the router has no connected route to 192.168.1.0/24 or 192.168.2.0/24 and
# cannot reply to clients on those subnets. Write the addresses as x.x.x.1/24.
/ip address
add address=192.168.1.1 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1 interface=vlan200_guests network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=lan gateway=\
192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=guests gateway=\
192.168.2.1 ntp-server=192.168.2.1
/ip firewall filter
# Input chain: anything not matched by a drop rule is accepted by default.
# NOTE(review): the WAN-side rules match in-interface=ether1_WAN, but internet traffic
# arrives on PPPoE_Out. New connections from the PPPoE side to the router are
# therefore not dropped, which leaves SSH on port 2200 reachable from the uplink.
# Match PPPoE_Out, or a WAN interface list that contains it, in the drop rule.
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1_WAN \
protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=\
ether1_WAN
# Forward chain: no rule separates guests (192.168.2.0/24) from the internal subnet.
# The WAN drop at the end has the same ether1_WAN / PPPoE_Out mismatch as above.
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1_WAN
# NOTE(review): traffic to the internet leaves via PPPoE_Out, so a masquerade rule
# bound to out-interface=ether1_WAN does not translate it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
# Unused management services are switched off and Winbox is limited to the internal
# subnet. NOTE(review): ssh carries no address= restriction, so it accepts any source
# the firewall lets through; api-ssl is not listed here - confirm whether it is
# still enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
# Layer-2 management (MAC telnet / MAC Winbox) is limited to LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Lets the router answer DNS queries from clients. The resolver then listens on every
# interface, so the input chain has to drop DNS (udp/tcp 53) arriving from the uplink.
/ip dns
set allow-remote-requests=yes
# Third export: the VLAN interfaces are now members of the LAN list and the router
# resolver is enabled; the firewall and the addresses are unchanged from before.
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
# The internet session is PPPoE_Out; rules that should cover the internet side must
# match this interface rather than ether1_WAN.
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
PPPoE_Out use-peer-dns=yes user=nc-myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
3d name=dhcp_intern
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=\
3d name=dhcp_guests
# pvid puts untagged ingress on ether2 into VLAN 100 and on ether3 into VLAN 200.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
# Neighbor discovery runs on every LAN-list interface, which now includes the guest VLAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether2_intern \
vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether3_guests \
vlan-ids=200
# NOTE(review): vlan200_guests is placed in LAN together with the internal VLAN, so
# everything keyed on the LAN list (neighbor discovery, MAC Winbox) is offered to
# guests too. WAN still lists ether1_WAN rather than PPPoE_Out.
/interface list member
add comment=defconf interface=ether1_WAN list=WAN
add interface=vlan100_intern list=LAN
add interface=vlan200_guests list=LAN
add interface=bridge list=LAN
# NOTE(review): no prefix length is given. RouterOS then installs the address as /32,
# so the router has no connected route to 192.168.1.0/24 or 192.168.2.0/24 and
# cannot reply to clients on those subnets. Write the addresses as x.x.x.1/24.
/ip address
add address=192.168.1.1 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1 interface=vlan200_guests network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=lan gateway=\
192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=guests gateway=\
192.168.2.1 ntp-server=192.168.2.1
# The resolver listens on every interface; the input chain below has to keep queries
# from the uplink away from it.
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# Input chain: anything not matched by a drop rule is accepted by default.
# NOTE(review): the WAN-side rules match in-interface=ether1_WAN, but internet traffic
# arrives on PPPoE_Out. New connections from the PPPoE side to the router are
# therefore not dropped: SSH on port 2200 and the DNS resolver are reachable from
# the uplink. Match PPPoE_Out, or a WAN interface list that contains it.
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1_WAN \
protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=\
ether1_WAN
# Forward chain: no rule separates guests (192.168.2.0/24) from the internal subnet.
# The WAN drop at the end has the same ether1_WAN / PPPoE_Out mismatch as above.
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1_WAN
# NOTE(review): traffic to the internet leaves via PPPoE_Out, so a masquerade rule
# bound to out-interface=ether1_WAN does not translate it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
# Unused management services are switched off and Winbox is limited to the internal
# subnet. NOTE(review): ssh carries no address= restriction, so it accepts any source
# the firewall lets through; api-ssl is not listed here - confirm whether it is
# still enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
client:~$ ifconfig enp0s31f6
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.148 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::cc8b:d84b:12e8:fe0f prefixlen 64 scopeid 0x20<link>
ether e8:6a:64:e7:ad:77 txqueuelen 1000 (Ethernet)
RX packets 288070 bytes 279155714 (279.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 227385 bytes 19457310 (19.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xec200000-ec220000
client:~$ route
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 20100 0 0 enp0s31f6
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s31f6
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s31f6
client:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) Bytes Daten.
^Z
[3]+ Angehalten ping 192.168.1.1
# Gateway addresses written with an explicit /24 prefix. Without the prefix RouterOS
# installs the address as /32, leaving the router with no connected route to the subnet.
/ip address
add address=192.168.1.1/24 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
# Puts the PPPoE session itself into the WAN list, so firewall and NAT rules that match
# on in-interface-list / out-interface-list=WAN apply to the actual internet traffic.
/interface list member
add comment=defconf interface=PPPoE_Out list=WAN
# Fourth export: PPPoE_Out is the WAN-list member, firewall and NAT match on the WAN
# list, guests are blocked from the internal subnet, and ether10 is taken out of the
# bridge as a separate emergency management port.
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
set [ find default-name=ether5 ] name=ether5_VOIP
set [ find default-name=ether10 ] name=ether10_emerg
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
PPPoE_Out use-peer-dns=yes user=nc-myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
3d name=dhcp_intern
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=\
3d name=dhcp_guests
# ether10 is no longer a bridge port; it carries its own address further down.
# NOTE(review): ether5_VOIP uses pvid=20, but VLAN 20 has no entry in
# /interface bridge vlan and the provider VLAN 20 interface sits on ether1_WAN, which
# is not a bridge port - confirm how this port is meant to reach the VoIP VLAN.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5_VOIP pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp-sfpplus1
# Neighbor discovery runs on every LAN-list interface, which includes the guest VLAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only the tagged members are listed; the untagged access ports rely on the pvid set
# under /interface bridge port.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP vlan-ids=200
# WAN now holds the PPPoE session, so WAN-list rules match real internet traffic.
# NOTE(review): vlan200_guests shares the LAN list with the internal VLAN, so
# everything keyed on LAN (neighbor discovery, MAC Winbox) is offered to guests as
# well. A separate list for guests would keep management on trusted interfaces only.
/interface list member
add comment=defconf interface=PPPoE_Out list=WAN
add interface=vlan100_intern list=LAN
add interface=vlan200_guests list=LAN
add interface=bridge list=LAN
add interface=ether10_emerg list=LAN
# 192.168.10.1/24 on ether10_emerg is the out-of-band management address. No DHCP
# server is defined for it, so a client needs a static address in that subnet.
/ip address
add address=192.168.1.1/24 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
add address=192.168.10.1/24 interface=ether10_emerg network=192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=home.lan gateway=\
192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=home.guests gateway=\
192.168.2.1
# The resolver listens on every interface; the WAN drop in the input chain is what
# keeps it from answering queries from the internet.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=lisa.home.lan
/ip firewall filter
# Input chain: only WAN is dropped; everything else is accepted by default.
# NOTE(review): the "drop guests to intern" input rule only covers the router's
# 192.168.1.1 address. Guests can still open new connections to 192.168.2.1, which
# includes SSH on port 2200. An explicit guest rule that accepts only DNS and DHCP
# and drops the rest would close that.
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=drop chain=input comment="block everything else" \
in-interface-list=WAN
add action=drop chain=input comment="drop guests to intern" dst-address=\
192.168.1.0/24 src-address=192.168.2.0/24
# Forward chain: established traffic is fast-tracked and accepted first, so the two
# drops below act on new connections only - unsolicited traffic from WAN and guest
# connections into the internal subnet. Internal-to-guest connections stay allowed.
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop guests to intern" dst-address=\
192.168.1.0/24 src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# NOTE(review): Winbox is limited to 192.168.1.0/24, which excludes the emergency
# subnet 192.168.10.0/24; from ether10_emerg only MAC Winbox or SSH will work unless
# that subnet is added. ssh has no address= restriction; api-ssl is not listed here -
# confirm whether it is still enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
/tool bandwidth-server
set enabled=no
# MAC telnet is switched off; MAC Winbox stays available on every LAN-list interface.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
This is true, but my perspective is not unsuspecting innocent family members; it's foreign actors that gain access to home computers due to mistakes by family members, etc.) 8: Oh, I didn't know that. Yes, exactly: I just want to "provide" a trustworthy NTP time source to the clients. It should now be implemented; testing is pending.
# DHCP client that takes only an address from the network on bridge_vlan123: the
# default route, DNS servers and NTP servers offered by that DHCP server are ignored,
# so it cannot redirect the router's routing, name resolution or time source.
/ip dhcp-client
add add-default-route=no disabled=no interface=bridge_vlan123 use-peer-dns=no use-peer-ntp=no
seen reply assured confirmed fasttrack srcnat
Src. Address 192.168.1.134:5060
Dst. Address 172.17.66.118:5060
Reply Src. Address 172.17.66.118:5060
Reply Dst. Address 89.0.41.149:5060
Protocol 17 (udp)