I am new to RouterOS and Mikrotik. I bought a RB2011UiAS-2HnD-IN (with Atheros8327 and Atheros8227) and used a guide from here (viewtopic.php?t=143620) as my starting point for connecting my RB2011UiAS to the Internet (PPPoE Client) and to a Cisco Catalyst 3750G switch through a trunk port. After many experiments I managed to have 4 working VLANs and interVLAN routing, but I cannot setup correctly the DNS. I can ping for example 8.8.8.8 but cannot ping www.google.com (so no Internet). My configuration for the RB2011UiAS is as follows:
Code: Select all
###############################################################################
# Topic: MyRouter VLAN networks and Routing
# Example: Mikrotik Router with Cisco Switch
# Web: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
# Router: RB2011UiAS-2HnD-IN with Atheros8327 and Atheros8227
# RouterOS: 7.2.3
# Date: 30-06-2022
# Notes: Start with a reset (/system reset-configuration)
###############################################################################
#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="My_Router"
#######################################
# VLAN Overview
#######################################
# 52 = BLUE (LAN)
# 54 = YELLOW (CAMERAS)
# 56 = RED (WIFI)
# 99 = PINK (MGMT)
#######################################
# Bridge
#######################################
# create one bridge
/interface bridge
add name=bridge1
#######################################
#
# -- Trunk Ports --
#
#######################################
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=sfp1 hw=yes
/interface ethernet switch vlan
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=52
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=54
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=56
add ports=sfp1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
# LAN facing Router's IP address on the MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=99
set sfp1 vlan-mode=secure vlan-header=leave-as-is
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is
#######################################
# IP Addressing & Routing
#######################################
# !!! DNS server, set to cache for LAN (maybe this is not needed)
#/ip dns set allow-remote-requests=yes servers="9.9.9.9"
#PPPoE Scanner allows scanning all active PPPoE servers in the layer2 broadcast domain. Command to run scanner is as follows:
#/interface pppoe-client scan
/interface pppoe-client
add name=pppoe-otenet user=myuser password=mypassword interface=ether1 \
disabled=no add-default-route=yes use-peer-dns=yes
#if you know service name then previous command becomes
#service-name=internet disabled=no add-default-route=yes use-peer-dns=yes
# Ether1 port with IP Address provided by ISP
#/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
# router's gateway provided by ISP
#/ip route add distance=1 gateway=b.b.b.b
#######################################
# IP Services
#######################################
# Blue VLAN interface creation, IP assignment, no DHCP service
/interface vlan add interface=bridge1 name=VLAN52 vlan-id=52
/ip address add interface=VLAN52 address=192.168.52.254/24
# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=VLAN54 vlan-id=54
/ip address add interface=VLAN54 address=192.168.54.1/24
/ip pool add name=VLAN54_POOL ranges=192.168.54.50-192.168.54.254
/ip dhcp-server add address-pool=VLAN54_POOL interface=VLAN54 name=VLAN54_DHCP disabled=no
/ip dhcp-server network add address=192.168.54.0/24 dns-server=192.168.99.1 gateway=192.168.54.1
#or dns-server=9.9.9.9 or ISP provided
# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=VLAN56 vlan-id=56
/ip address add interface=VLAN56 address=192.168.56.1/24
/ip pool add name=VLAN56_POOL ranges=192.168.56.50-192.168.56.254
/ip dhcp-server add address-pool=VLAN56_POOL interface=VLAN56 name=VLAN56_DHCP disabled=no
/ip dhcp-server network add address=192.168.56.0/24 dns-server=192.168.99.1 gateway=192.168.56.1
#or dns-server=9.9.9.9 or ISP provided
# Optional: Create a DHCP instance for MGMT VLAN. Convenience feature for an admin.
# /ip pool add name=MGMT_POOL ranges=192.168.99.10-192.168.99.254
# /ip dhcp-server add address-pool=MGMT_POOL interface=MGMT name=MGMT_DHCP disabled=no
# /ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
#or dns-server=9.9.9.9 or ISP provided
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMTlist
/interface list member
#add interface=ether1 list=WAN
add interface=pppoe-otenet list=WAN
add interface=MGMT list=VLAN
add interface=VLAN52 list=VLAN
add interface=VLAN54 list=VLAN
add interface=VLAN56 list=VLAN
add interface=MGMT list=MGMTlist
##################
# INPUT CHAIN
##################
# VLAN aware firewall. Order is important.
/ip firewall filter
#Allow Estab & Related
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
#Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
#Allow MGMT_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface-list=MGMTlist comment="Allow MGMT_Vlan Full Access"
#Allow list of IPs to access Router
add action=accept chain=input src-address-list=allowed_to_router
#Allow ICMP
add action=accept chain=input protocol=icmp comment="Allow ICMP"
#Drop all else and log them
add chain=input action=drop comment="Drop" log=yes
#Allowed IPs to Router (this is not done previously by allowing MGMTlist, it also needs this)
/ip firewall address-list
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
#add address=192.168.52.1-192.168.52.254 list=allowed_to_router
##################
# FORWARD CHAIN
##################
#Create list of inhibited IPs
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
# VLAN aware firewall. Order is important.
/ip firewall filter
#Allow Estab & Related
add chain=forward action=fasttrack-connection connection-state=established,related comment=FastTrack
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
#!!!!Allow all VLANs to access the Internet only, NOT each other (maybe this is needed)
#add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-otenet log=yes log-prefix=!NAT
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=pppoe-otenet log=yes log-prefix=!public src-address-list=not_in_internet
#add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" \
#in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.52.0/24
#Drop everything else
add chain=forward action=drop comment="Drop"
#Allow only needed icmp codes in "icmp" chain:
/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
##################
# IPv6 Firewall
##################
/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface=!bridge1 comment="drop everything else not coming from bridge"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface=!bridge1 comment="drop everything else not coming from bridge"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
#######################################
# VLAN Security
#######################################
# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp1]
#######################################
# MAC Server settings
#######################################
# Ensure visibility and availability only from bridge
#/interface list add name=listBridge
#/interface list member add list=listBridge interface=bridge1
#/ip neighbor discovery-settings set discover-interface-list=listBridge
#/tool mac-server mac-winbox set allowed-interface-list=listBridge
#/tool mac-server set allowed-interface-list=listBridge
#######################################
# Turn on VLAN mode
#######################################
#/interface bridge set bridge1 vlan-filtering=yes
# not for RB2011UiAS-2HnD-IN with Atheros8327 and Atheros8227
#######################################
# Routing
#######################################
#/ip route