howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Moving to VLANs - Isolation and Access to my Router

Mon Mar 28, 2022 9:29 pm

I am very much an amateur enthusiast wrt networking. I've used a single subnet for years on my MikroTik and want to move to using VLANs for Guest (VLAN 66) and IoT (VLAN 68). I want to isolate the VLANs from each other so machines on one cannot see the machines on the other VLANs, yet still have internet access.

I've managed to set up the VLANs but have left off doing anything to my main subnet (64) just in case I mess something up.
I have put the VLANs under a single Bridge (hopefully that is best practice).

I would be very grateful if someone has the time to help me answer a few questions:
  1. I can ping from 66 to 68 - I assumed VLANs would stop me doing that. How do I stop being able to ping between these VLANs? Is this anything to do with turning on "VLAN-Filtering"?
  2. Will I lock myself out of my router if I move my main subnet (64) to a VLAN? How do I avoid that?
  3. How do I move my main subnet (64) to a VLAN? What do I have to be careful of?

I have put my config here - I think it is getting quite complex - I hope to move my French VPN to Wireguard soon (after upgrading to v7). My Android phone doesn't like L2TP/IPSec anymore.
If you spot any howlers in my config, please let me know!!

Thank you in advance,

Charlie
# mar/28/2022 18:40:02 by RouterOS 6.48.6
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E30B14AB4C
/interface bridge add admin-mac=C4:AD:34:60:79:47 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(24dBm)+5210/80/P(17dBm), SSID: athome, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=auto ssid=MikroTik-607951 station-roaming=enabled wireless-protocol=802.11
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-eC/gn(17dBm), SSID: athome, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-C64D6C station-roaming=enabled wireless-protocol=802.11
/interface ethernet set [ find default-name=ether1 ] comment="To Internet 1" name="ether1 Internet" rx-flow-control=auto speed=100Mbps tx-flow-control=auto
/interface ethernet set [ find default-name=ether2 ] comment="To Internet 2"
/interface ethernet set [ find default-name=ether3 ] name="ether3 RPi4"
/interface ethernet set [ find default-name=ether4 ] name="ether4 Cat"
/interface ethernet set [ find default-name=ether6 ] comment="To LondonPi" name="ether6 - LondonPi"
/interface ethernet set [ find default-name=ether7 ] auto-negotiation=no comment="To Synology" name="ether7 - Synology"
/interface ethernet set [ find default-name=ether8 ] comment="To Kitchen"
/interface ethernet set [ find default-name=ether9 ] auto-negotiation=no comment="To UpUp Router" name="ether9 - UpUp"
/interface ethernet set [ find default-name=ether10 ] comment="To Up Router" name="ether10 - Up"
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan add interface=bridge name=vlan_guest_66 vlan-id=66
/interface vlan add disabled=yes interface=bridge name=vlan_main_64 vlan-id=64
/interface vlan add interface=bridge name=vlan_seperate_68 vlan-id=68
/caps-man rates add basic=12Mbps name=rate1 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security add authentication-types=wpa2-psk name=default_security
/caps-man security add authentication-types=wpa2-psk name=guest_security
/caps-man security add authentication-types=wpa2-psk name=seperate_security
/interface ethernet switch port set 0 default-vlan-id=0
/interface ethernet switch port set 1 default-vlan-id=0
/interface ethernet switch port set 2 default-vlan-id=0
/interface ethernet switch port set 3 default-vlan-id=0
/interface ethernet switch port set 4 default-vlan-id=0
/interface ethernet switch port set 5 default-vlan-id=0
/interface ethernet switch port set 6 default-vlan-id=0
/interface ethernet switch port set 7 default-vlan-id=0
/interface ethernet switch port set 8 default-vlan-id=0
/interface ethernet switch port set 9 default-vlan-id=0
/interface ethernet switch port set 10 default-vlan-id=0
/interface ethernet switch port set 11 default-vlan-id=0
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=2GHz
/interface list add name=5GHz
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes interface-list=LAN local-forwarding=no name=default_datapath
/caps-man datapath add bridge=bridge client-to-client-forwarding=no interface-list=LAN local-forwarding=no name=guest_datapath vlan-id=66 vlan-mode=use-tag
/caps-man datapath add bridge=bridge client-to-client-forwarding=no interface-list=LAN local-forwarding=no name=seperate_datapath vlan-id=68 vlan-mode=use-tag
/caps-man configuration add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2412 country="united kingdom" datapath=default_datapath datapath.interface-list=2GHz installation=indoor mode=ap name="Up2 - Channel 1 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2437 country="united kingdom" datapath=default_datapath datapath.interface-list=2GHz installation=indoor mode=ap name="Down2 - Channel 6 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2462 country="united kingdom" datapath=default_datapath datapath.interface-list=2GHz installation=indoor mode=ap name="UpUp2 - Channel 11 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor name="Down5 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor name="Up5 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor name="UpUp5 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor mode=ap name=General_5Gz rates=rate1 security=default_security ssid=athome5
/caps-man configuration add datapath=default_datapath datapath.interface-list=5GHz hide-ssid=yes name=athome5 rates=rate1 security=default_security ssid=athome5
/caps-man configuration add datapath=default_datapath datapath.interface-list=2GHz name=athome2 rates=rate1 security=default_security ssid=athome2
/caps-man configuration add datapath=guest_datapath name=guest_network security=guest_security ssid=athome_guest
/caps-man configuration add datapath=seperate_datapath name=seperate_network security=seperate_security ssid=athome_seperate
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha512 name="profile_France VPN"
/ip ipsec peer add address=xxxxx comment=FranceLondon exchange-mode=ike2 name=peerFrance profile="profile_France VPN"
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool add name=dhcp_pool_home_64 ranges=192.168.64.70-192.168.64.150
/ip pool add name=vpn-pool ranges=192.168.64.201-192.168.64.250
/ip pool add name=dhcp_pool_guest_66 ranges=192.168.66.151-192.168.66.250
/ip pool add name=dhcp_pool_seperate_68 ranges=192.168.68.2-192.168.68.254
/ip dhcp-server add address-pool=dhcp_pool_home_64 disabled=no interface=bridge 
/ip dhcp-server add address-pool=dhcp_pool_guest_66 disabled=no interface=vlan_guest_66 lease-time=1h name=guest_dhcp_66
/ip dhcp-server add address-pool=dhcp_pool_home_64 interface=vlan_main_64 lease-time=1h name=home_vlan_dhcp_64
/ip dhcp-server add address-pool=dhcp_pool_seperate_68 disabled=no interface=vlan_seperate_68 name=seperate_dhcp_68
/ppp profile set *0 local-address=192.168.64.1 remote-address=vpn-pool
/ppp profile set *FFFFFFFE local-address=192.168.64.1 remote-address=vpn-pool
/queue simple add disabled=yes dst="ether1 Internet" max-limit=16M/200M name="All Bandwidth" target=""
/queue simple add disabled=yes max-limit=10M/10M name="Charlie L13" parent="All Bandwidth" target=192.168.64.5/32
/queue simple add disabled=yes max-limit=1M/1M name=Pixel4 parent="All Bandwidth" target=192.168.64.68/32
/system logging action set 1 disk-lines-per-file=10000
/system logging action set 3 bsd-syslog=yes remote=192.168.64.6
/system logging action add disk-file-count=20 disk-file-name=InterfaceInfo disk-lines-per-file=60000 disk-stop-on-full=yes name=InfoDebug target=disk
/system logging action add disk-file-count=10 disk-file-name=Testlog disk-lines-per-file=10000 name=Test target=disk
/system logging action add disk-file-count=1 disk-file-name=Interface name=Interface target=disk
/user group add name=simple policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=simple
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning add action=create-dynamic-enabled comment=Down2G master-configuration="Down2 - Channel 6 - athome" name-format=prefix-identity name-prefix=Down2G radio-mac=74:4D:28:C6:4D:6C slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=Up2G master-configuration="Up2 - Channel 1 - athome" name-format=prefix-identity name-prefix=Up2G radio-mac=64:D1:54:04:7E:1B slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=UpUp2G master-configuration="UpUp2 - Channel 11 - athome" name-format=prefix-identity name-prefix=UpUp2GRed radio-mac=4C:5E:0C:B8:9D:9B slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=Down5G master-configuration="Down5 - athome" name-format=prefix-identity name-prefix=Down5G radio-mac=C4:AD:34:60:79:51 slave-configurations=athome5,guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=UpUp5G disabled=yes master-configuration="UpUp5 - athome" name-format=prefix-identity name-prefix=UpUp5G radio-mac=CC:2D:E0:EB:1D:7F slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=Up5G master-configuration="Up5 - athome" name-format=prefix-identity name-prefix=Up5G radio-mac=64:D1:54:04:7E:1A slave-configurations=guest_network,seperate_network
/caps-man provisioning add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac master-configuration=General_5Gz name-format=prefix-identity name-prefix=Caps_5G
/caps-man provisioning add disabled=yes hw-supported-modes=b,g,gn master-configuration="Down2 - Channel 6 - athome" name-format=prefix-identity
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface="ether3 RPi4"
/interface bridge port add bridge=bridge comment=defconf interface="ether4 Cat"
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface="ether6 - LondonPi"
/interface bridge port add bridge=bridge comment=defconf interface="ether7 - Synology"
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface="ether9 - UpUp"
/interface bridge port add bridge=bridge comment=defconf interface="ether10 - Up"
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
/interface bridge port add bridge=bridge interface=vlan_guest_66 pvid=66
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface detect-internet set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=LAN
/interface l2tp-server server set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface="ether1 Internet" list=WAN
/interface list member add interface=l2tp-in-CharlieW10 list=LAN
/interface list member add interface=l2tp-in-Nexus list=LAN
/interface list member add disabled=yes interface=ether2 list=WAN
/interface list member add disabled=yes list=LAN
/interface list member add disabled=yes list=LAN
/interface list member add interface=bridge_guest list=LAN
/interface list member add interface=vlan_guest_66 list=LAN
/interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=default-encryption require-client-certificate=yes
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip address add address=192.168.64.1/24 comment=defconf interface=bridge network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=vlan_guest_66 network=192.168.66.0
/ip address add address=192.168.68.1/24 interface=vlan_seperate_68 network=192.168.68.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add disabled=no interface="ether1 Internet" 
/ip dns set servers=8.8.8.8,8.8.4.4
/ip firewall filter add action=accept chain=forward disabled=yes dst-address=192.168.64.6 dst-port=23 log=yes log-prefix="Allow Telnet  to Synology" protocol=tcp
/ip firewall filter add action=drop chain=forward comment="Drop Facebook" disabled=yes dst-port=443 log=yes log-prefix="Drop Facebook" protocol=tcp tls-host=*facebook.com
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="CH_Track invalid"
/ip firewall filter add action=log chain=forward comment="Drop from Blacklist sites" disabled=yes log-prefix="CH_Track fwd from Blacklist" src-address=192.168.64.5
/ip firewall filter add action=drop chain=forward disabled=yes log=yes log-prefix=BADorNOT: src-address=192.168.64.144
/ip firewall filter add action=drop chain=input disabled=yes log=yes log-prefix=BADorNOT: src-address=192.168.64.144
/ip firewall filter add action=drop chain=forward comment="Drop to Blacklist sites" disabled=yes dst-address-list=myblacklist log=yes log-prefix="CH_Track fwd to Blacklist"
/ip firewall filter add action=accept chain=forward comment="Wireguard Port" dst-port=47111 protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="CH_Track invalid"
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dst-address=!192.168.65.192/28 src-address=!192.168.65.192/28
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="Camera Out" log=yes log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=add-dst-to-address-list address-list=OtherIPAddresses address-list-timeout=none-static chain=forward comment=70-150 disabled=yes log-prefix="CH_Track: Other IP Addresses" src-address=192.168.64.70-192.168.64.150
/ip firewall filter add action=add-dst-to-address-list address-list=Catdoor_going_to address-list-timeout=none-static chain=forward comment="Cat Door" log-prefix=Cat src-address-list=CatDoor
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN ipsec-policy=in,none
/ip firewall filter add action=add-src-to-address-list address-list=TryingToGetToSynology address-list-timeout=none-static chain=forward comment="Stop access to Synology except from 64 65 AllowAccesstoBlackSyno" disabled=yes dst-address=192.168.64.6 log=yes log-prefix="CH_Track Blocked access to Black Synology" src-address-list=!AllowedAccessToBlackSynology
/ip firewall filter add action=drop chain=forward comment="Stop access to Synology except from 64 65 AllowAccesstoBlackSyno" disabled=yes dst-address=192.168.64.6 log=yes log-prefix="CH_Track Blocked access to Black Synology" src-address-list=!AllowedAccessToBlackSynology
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN ipsec-policy=in,none log=yes log-prefix="CH_Track !public" src-address-list=not_in_internet
/ip firewall filter add action=drop chain=input comment="Drop input from blacklist" disabled=yes log-prefix="CH_Track input from myblacklist" src-address-list=myblacklist
/ip firewall filter add action=accept chain=input comment="accept input established,related,untracked" connection-state=established,related,untracked log-prefix="accept input established,related,untracked"
/ip firewall filter add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
/ip firewall filter add action=drop chain=forward protocol=tcp src-port=0
/ip firewall filter add action=drop chain=forward comment="Block from Guest Network to Main Network" disabled=yes dst-address=192.168.64.0/24 log=yes src-address=192.168.66.0/24
/ip firewall filter add action=drop chain=forward comment="Block from Guest Network to Main Network" disabled=yes log=yes log-prefix="CH_Track FWD ip not known" src-address-list=!MainNetwork
/ip firewall filter add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=none-static chain=input comment="Add SRC to maybeblacklist" log=yes log-prefix="CH_Track add SRC to maybeBlacklist" port=1701,500,4500 protocol=udp src-address-list=!whitelist
/ip firewall filter add action=accept chain=input comment=VPN1 log-prefix="CH_Track VPN1" port=1701,500,4500 protocol=udp
/ip firewall filter add action=accept chain=input comment=VPN2 log=yes log-prefix="CH_Track VPN2" protocol=ipsec-esp
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1w3d chain=input in-interface-list=WAN log-prefix="[BadIP Ladder] to maybeBlacklist" src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=drop chain=input comment="Drop everything else that has got through" in-interface-list=WAN ipsec-policy=in,none log-prefix="CH_Track Last rule: Input"
/ip firewall filter add action=log chain=input comment="Drop everything else that has got through" disabled=yes ipsec-policy=in,none log-prefix="CH_Track Last rule: Input" src-address-list=!MainNetwork
/ip firewall filter add action=drop chain=input comment="Drop everything else that has got through" ipsec-policy=in,none log=yes log-prefix="CH_Track Last rule: Input" 
/ip firewall filter add action=drop chain=forward comment="Drop everything else that has got through" in-interface-list=WAN ipsec-policy=in,none log-prefix="CH_Track Last Rule: Forward: Drop"
/ip firewall filter add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="Drop FW Output"
/ip firewall nat add action=dst-nat chain=dstnat comment="Send RDP packets to 64.11" disabled=yes dst-port=15092 log=yes log-prefix="CH_Track NAT RDP" protocol=tcp to-addresses=192.168.64.11 to-ports=3389
/ip firewall nat add action=dst-nat chain=dstnat comment="Send telnet packets to Synology on 64.6" disabled=yes dst-port=23 log=yes log-prefix=Telnet protocol=tcp to-addresses=192.168.64.6 to-ports=23
/ip firewall nat add action=dst-nat chain=dstnat comment="Send packets to wireguard server 64.7" dst-port=47111 protocol=udp src-port="" to-addresses=192.168.64.7 to-ports=47111
/ip firewall nat add action=accept chain=srcnat comment="Wireguard VPN" dst-address=10.100.0.0/24 src-address=192.168.64.0/24
/ip firewall nat add action=accept chain=srcnat comment=FranceLondon dst-address=192.168.65.0/24 src-address=192.168.64.0/24
/ip firewall nat add action=accept chain=dstnat comment=FranceLondon dst-address=192.168.64.0/24 src-address=192.168.65.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=0.0.0.0/0
/ip firewall nat add action=accept chain=srcnat disabled=yes src-address=192.168.64.21
/ip firewall raw add action=drop chain=prerouting log-prefix="Drop Raw" src-address-list=myblacklist
/ip firewall raw add action=drop chain=prerouting dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop PreOut Raw"
/ip firewall raw add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop Output Raw"
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=192.168.65.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=192.168.64.0/24
/ip ipsec identity add peer=peerFrance
/ip ipsec policy add disabled=yes dst-address=192.168.70.0/24 src-address=0.0.0.0/0 template=yes
/ip ipsec policy add comment=FranceLondon-Laptop dst-address=192.168.65.192/28 peer=peerFrance src-address=0.0.0.0/0 tunnel=yes
/ip ipsec policy add comment=FranceLondon dst-address=192.168.65.0/24 peer=peerFrance src-address=192.168.64.0/24 tunnel=yes
/ip route add distance=2 dst-address=10.100.0.0/24 gateway=192.168.64.7 pref-src=192.168.64.1
/ip route add comment=FranceLondon distance=1 dst-address=192.168.65.0/24 gateway="ether1 Internet" pref-src=192.168.64.1
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www-ssl certificate=LocalCA disabled=no
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip traffic-flow set active-flow-timeout=1m enabled=yes
/ip traffic-flow target add dst-address=192.168.64.18 port=1234
/system clock set time-zone-name=Europe/London
/system identity set name=RB4011
/system leds add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
/system leds add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
/system leds add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging set 0 topics=info,!caps,!dhcp,!system
/system logging set 3 action=memory
/system logging add disabled=yes topics=ipsec,account,info
/system logging add disabled=yes topics=ppp,!debug
/system logging add topics=account
/system logging add disabled=yes topics=wireless,debug
/system logging add disabled=yes topics=caps,debug
/system logging add disabled=yes topics=caps,info
/system logging add disabled=yes topics=l2tp,info
/system logging add disabled=yes topics=ipsec,!packet,!debug
/system logging add topics=health
/system logging add disabled=yes topics=system
/system logging add disabled=yes topics=info,!caps,!interface,!system,!dhcp,!ipsec
/system logging add disabled=yes
/system logging add topics=ovpn
/system logging add disabled=yes topics=info
/system logging add disabled=yes topics=ssh,!packet
/system logging add disabled=yes topics=ipsec
/system logging add disabled=yes topics=caps
/system ntp client set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=178.79.160.57
/system ntp server set enabled=yes
/system package update set channel=long-term
/system scheduler add disabled=yes interval=1h name="Update Time" on-event="/ip cloud set update-time=yes" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/22/2017 start-time=23:38:00
/system scheduler add disabled=yes interval=1d name="Update Blacklists" on-event=RunAddDeleteBlacklists policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/09/2017 start-time=03:30:00
/system scheduler add disabled=yes interval=1d name=UsageReport on-event=Usage2 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/10/2017 start-time=03:00:00
/system scheduler add comment="sep/29/2018 10:52:34" disabled=yes interval=30m name=VPN_Connections on-event=VPN_Connections policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/17/2017 start-time=16:36:00
/system scheduler add disabled=yes interval=1m name=ipsec-peer-update-FranceLondon on-event="/system script run ipsec-peer-update-FranceLondon" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/06/2018 start-time=22:06:53
/system scheduler add disabled=yes interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" policy=read,write start-date=aug/06/2018 start-time=22:06:59
/system scheduler add comment=20220328182326 interval=30m name=LogMonitor on-event=LogMonitor policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/17/2018 start-time=22:23:25
/system scheduler add disabled=yes interval=15m name=MittensPing on-event=MittensPing policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/17/2018 start-time=15:44:14
/system scheduler add interval=1d name="Update Software" on-event=UpdateSoftwareScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/09/2019 start-time=01:00:00
/system scheduler add interval=1d name="Update Firmware" on-event=UpdateFirmwareScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/09/2019 start-time=01:15:00
/system scheduler add comment="Runs every 30 seconds" disabled=yes interval=30s name=Channels on-event=Channels policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/07/2020 start-time=09:35:22
/system scheduler add disabled=yes interval=1d name="Update Hosts" on-event=updateHosts policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/23/2021 start-time=04:00:00
/system scheduler add disabled=yes name=ip_Blacklist_StartUp on-event=ip_Blacklist_StartUp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system scheduler add disabled=yes interval=1h name=CheckIPAddr on-event=CheckIPAddr policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/03/2021 start-time=16:01:02
/system scheduler add interval=1m name=AbuseIPDB on-event="######################################################################\
    \n# Only run if another version is not running\
    \n######################################################################\
    \n:if ([ /system script job find where script=\"AbuseIPDB\" ]=\"\") do={\
    \n#    /log info \"[AbuseIPDB] going to running\"\
    \n    /system script run AbuseIPDB\
    \n} else={\
    \n    /log info \"[AbuseIPDB] another currently running\"\
    \n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2021 start-time=19:00:00
/system scheduler add interval=1d name=DailyJob on-event=DailyJob policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/02/2021 start-time=01:00:00
/system scheduler add interval=1d name=PrintLogFileAroundMidnight on-event="/log print terse file=LogFileAroundMidnight" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/09/2021 start-time=00:30:00
/system scheduler add interval=1d name=PrintLogFileAfterOne on-event="/log print terse file=LogFileAfterOne" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/09/2021 start-time=01:30:00
/tool bandwidth-server set enabled=no
/tool graphing interface add interface="ether1 Internet"
/tool graphing interface add interface=bridge
/tool graphing resource add
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool netwatch add comment=ipsec-peer-update-FranceLondon disabled=yes down-script="/system scheduler enable ipsec-peer-update-FranceLondon\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.65.100 up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-FranceLondon"
/tool netwatch add comment="France Router" down-script=Netwatch host=192.168.65.1 interval=10s up-script=Netwatch

 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 2:20 pm

edit: nm not bridge vlan filtering method........
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 2:26 pm

Anav,

I don't understand your response. Please could you expand?

Charlie
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 2:36 pm

vlan filtering not turned on and no /interface bridge vlan settings so assuming you are using the switch chip method of configuring.
https://help.mikrotik.com/docs/display/ ... p+Features

https://www.youtube.com/watch?v=Rj9aPoyZOPo&t=3s

vice this method.....
viewtopic.php?t=143620

https://help.mikrotik.com/docs/display/ ... VLAN+Table
 
mkx
Forum Guru
Posts: 11437
Joined: Thu Mar 03, 2016 10:23 pm

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 5:58 pm

Old manual page, still current for all v6 versions (including 6.48.6 used by @OP), lists switch chip RTL8367 (built in RB4011) as not having support for VLANs. We all know it actually does, but ROS doesn't configure it, hence it doesn't.

Which means that whatever VLAN stuff one configures under /interface ethernet switch is ignored and device keeps acting as dumb switch.

Which in turn means that even if @OP configured it all wrong (I'm not saying he did, I won't even bother to examine the config), things would still seem to be working.

For RB4011, regardless of ROS version (either v6 or v7), the only way of doing VLAN switching/bridging right is the bridge vlan filtering way. The only difference between v6 and v7 is performance (the latter can offload L2 functions to switch chips).

Unrelated question for OP: is there any good reason for having local-forwarding=no configured in CAPsMAN? While this setting can be useful in certain use cases, most of the time it only causes wireless performance degradation and a reduced set of "knobs to turn" when fine-tuning wireless performance.

Edit: the new wiki page (linked by @anav) has the following warning about switch chip VLAN config:
Devices with MT7621, RTL8367, 88E6393X, 88E6191X switch chips support HW offloaded vlan-filtering in RouterOS v7. VLAN-related configuration on the "/interface ethernet switch" menu is not available.
Last edited by mkx on Tue Mar 29, 2022 6:11 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 6:11 pm

Thanks mkx, that makes it clearer: stick with vlan bridge filtering (new way) for RB4011, and v7 makes it more efficient.
As for capsman, if the only MT wifi is the RB4011 I would not use it unless there was some special case.
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 10:25 pm

Thanks both.
  1. Really basic question!! When you talk about "vlan bridge filtering", how do I know I am doing that rather than anything else? I have one bridge and 2 VLANs.
  2. When you talk about "vlan bridge filtering", I presume you mean the "VLAN Filtering" on the Bridge menu?
  3. I turned "VLAN Filtering" on but was still able to ping between my guest WiFi network and my main network - I presume that is because it is Wi-Fi traffic rather than going through the RB4011 switch - I think you both were discussing traffic going over ethernet connections.
  4. Do I use my firewall to restrict access between my VLANs?
I used CapsMan for my other two MK Caps. I didn't know about "Local Forwarding". I tried to interpret the documentation a few months ago and obviously got it wrong! I've turned it on now.

Charlie
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Moving to VLANs - Isolation and Access to my Router

Tue Mar 29, 2022 10:41 pm

The links provided should be read prior to asking any questions.
Firewall rules are very much the place to ensure traffic that is accepted is allowed; traffic that is not, or that you DON'T KNOW about, should be dropped.
Hence, I like the clean drop all traffic at the end of both input chain and forward chain.

viewtopic.php?t=180838
 
amorales944
just joined
Posts: 1
Joined: Fri Dec 20, 2019 10:58 pm

Re: Moving to VLANs - Isolation and Access to my Router

Thu Jan 12, 2023 8:04 am

For client isolation go to IP/Firewall/Filter Rules, create a rule
General/Chain select forward.
Advanced/Src. Address List - here select your VLAN you want to isolate
Dst. Address List - here select your VLAN you want to isolate
Action: Reject
Reject With: icmp network unreachable

Click apply then you can add a note to distinguish your rule. Click Ok to finish.
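One way to put the thread's advice together (bridge VLAN filtering for the RB4011 as mkx describes, firewall-based isolation as anav and amorales944 describe, and the OP's questions about lockout and moving subnet 64), as an added reference config that is not from any post here and not from MikroTik. Default port names, the trunk layout to the CAPs, CAPsMAN local-forwarding=yes and 192.168.64.1/24 staying on the bridge interface are assumptions stated in the comments.

```routeros
# Added reference config (written for this thread, not the OP's export and
# not MikroTik's): bridge VLAN filtering on an RB4011 / RouterOS v6 with the
# thread's VLANs 64 (main + management), 66 (guest) and 68 (IoT).
# Assumptions: default port names (ether3..ether8 wired devices, ether9 and
# ether10 trunks to the two CAPs, wlan1/wlan2 local radios serving the main
# SSID), CAPsMAN local-forwarding=yes so the CAPs tag 66/68 on the trunk,
# and 192.168.64.1/24 + its DHCP server staying on "bridge" as in the export.

# 0. Safe Mode first (Ctrl+X in the terminal, "Safe Mode" button in WinBox):
#    if the session drops while these changes are applied, RouterOS rolls
#    them back, which answers "will I lock myself out of the router".

# 1. A VLAN interface is a child of the bridge, never a bridge port. The
#    export's "/interface bridge port add interface=vlan_guest_66 pvid=66"
#    bridges VLAN 66 back into the bridge it came from, so it has to go.
/interface bridge port remove [find interface=vlan_guest_66]
# vlan_guest_66 and vlan_seperate_68 already exist in the export; on a fresh
# box they would be created with:
# /interface vlan add interface=bridge name=vlan_guest_66 vlan-id=66
# /interface vlan add interface=bridge name=vlan_seperate_68 vlan-id=68

# 2. Keep the main LAN untagged on the bridge itself: pvid=64 on the bridge
#    makes the CPU port an untagged member of VLAN 64, so the existing
#    192.168.64.1/24 on "bridge" keeps working both before and after
#    vlan-filtering is switched on. Nothing else needs to "move" for 64.
/interface bridge set bridge pvid=64

# 3. Access ports: untagged frames are classified into VLAN 64; a client that
#    sends its own 802.1Q tags to hop into another VLAN is rejected at ingress.
/interface bridge port
set [find interface=ether3] pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4] pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether5] pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether6] pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether7] pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether8] pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=wlan1]  pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=wlan2]  pvid=64 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# 4. Trunks to the CAPs: CAP management untagged in 64, guest/IoT SSIDs tagged.
set [find interface=ether9]  pvid=64 ingress-filtering=yes frame-types=admit-all
set [find interface=ether10] pvid=64 ingress-filtering=yes frame-types=admit-all

# 5. Bridge VLAN table. "bridge" must be a tagged member of 66 and 68, or the
#    router's own vlan_guest_66 / vlan_seperate_68 interfaces never see them.
/interface bridge vlan
add bridge=bridge vlan-ids=64 untagged=bridge,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,wlan1,wlan2
add bridge=bridge vlan-ids=66 tagged=bridge,ether9,ether10
add bridge=bridge vlan-ids=68 tagged=bridge,ether9,ether10

# 6. Isolation is a firewall job, not a VLAN-table job (question 4): VLANs
#    only separate L2, and the router still routes between its own subnets
#    unless the forward chain says otherwise. Minimal input/forward chains
#    with anav's "drop everything else" at the end of each; the export's
#    WAN/VPN rules would be merged in above those final drops.
/interface list add name=ISOLATED
/interface list member add interface=vlan_guest_66 list=ISOLATED
/interface list member add interface=vlan_seperate_68 list=ISOLATED
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="in: established"
add chain=input action=drop connection-state=invalid comment="in: invalid"
add chain=input action=accept in-interface=bridge comment="in: management only from VLAN 64"
add chain=input action=accept in-interface-list=ISOLATED protocol=udp dst-port=53,67 comment="in: DNS+DHCP for guest/IoT"
add chain=input action=accept in-interface-list=ISOLATED protocol=tcp dst-port=53 comment="in: DNS (tcp) for guest/IoT"
add chain=input action=drop comment="in: drop everything else"
add chain=forward action=accept connection-state=established,related,untracked comment="fwd: established"
add chain=forward action=drop connection-state=invalid comment="fwd: invalid"
add chain=forward action=accept in-interface=bridge comment="fwd: main may initiate to internet, guest and IoT"
add chain=forward action=accept in-interface-list=ISOLATED out-interface-list=WAN comment="fwd: guest/IoT to internet only"
add chain=forward action=drop comment="fwd: drop everything else (guest<->IoT, guest/IoT->main)"

# 7. Last, and only once steps 1-6 are in place and you are in Safe Mode:
/interface bridge set bridge vlan-filtering=yes
# Check from a guest client that a 192.168.68.x host and 192.168.64.1 no
# longer answer while the internet still works, then press Ctrl+X again to
# leave Safe Mode and keep the changes.
```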
