Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

VLAN

Thu Aug 04, 2022 2:24 pm

Hello:
I have a VLAN created on the 1st router (eth3) and it works fine.

I connect a second router, eth3 to eth1 (trunk port), and in WinBox I don't see it.

But if I connect through another port on the first router, eth5 to eth1, I see it in WinBox.
Is my configuration correct on the second router?

# jul/25/2022 18:32:03 by RouterOS 6.49
# software id = 7DE5-ZHUJ
#
# model = 951G-2HnD
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=wlan1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,vlan10 vlan-ids=10
/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: VLAN

Thu Aug 04, 2022 2:44 pm

Just change this, if you want to use ether1 as a tagged interface:

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1


/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10


(don't copy/paste, just edit)
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Thu Aug 04, 2022 3:34 pm

I don't see it in WinBox.


# jul/25/2022 19:38:06 by RouterOS 6.49
# software id = 7DE5-ZHUJ
#
# model = 951G-2HnD
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: VLAN

Fri Aug 05, 2022 12:03 am

Do you have a second router?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 12:45 am

Post the config for both routers and please add a network diagram that shows internet connectivity, the ports on connected devices, and the subnets flowing through them.
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 10:01 am

# aug/05/2022 08:29:14 by RouterOS 6.48.6
# software id = EJGX-NLPK
#
# model = RB4011iGS+5HacQ2HnD
# serial number =
/caps-man datapath
add name=Invitados
/interface bridge
add name=Puente vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
set [ find default-name=ether10 ] comment=LAN
/interface eoip
add disabled=yes local-address=81.36.138.168 mac-address=02:98:C2:91:1D:6E \
name=eoip-Muntaner remote-address=80.26.190.115 tunnel-id=1
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlan10ETH3 vlan-id=10
/caps-man configuration
add country=spain datapath.bridge=Puente name="Configuracion CAP" \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2G
add country=spain datapath.bridge=Puente name=CAPSALON \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2Ga
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=60 \
name=pppoe-out1 user=adslppp@telefonicanetpa
/caps-man interface
add configuration=CAPSALON disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:9F:6D:6F master-interface=none name=Salon radio-mac=\
E4:8D:8C:9F:6D:6F radio-name=E48D8C9F6D6F
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=security1Invitados
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Misclaves \
supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 5640/20-eeCe/ac/DP(27dBm)+5210/80/P(23dBm), SSID: SnapSalon2G, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
frequency-mode=manual-txpower mac-address=74:4D:28:8C:76:98 mode=\
ap-bridge radio-name=744D288C7698 security-profile=Misclaves ssid=SNAPs5 \
station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2447/20-Ce/gn(20dBm), SSID: SnapSalon2G, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
frequency-mode=manual-txpower mode=ap-bridge security-profile=Misclaves \
ssid=SnapSalon2G station-roaming=enabled wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=Puente name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s \
name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Puente
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="Configuracion CAP"
/interface bridge port
add bridge=Puente interface=ether2
add bridge=Puente interface=ether1
add bridge=Puente interface=ether4
add bridge=Puente interface=ether5
add bridge=Puente interface=ether6
add bridge=Puente interface=ether7
add bridge=Puente interface=ether8
add bridge=Puente interface=ether9
add bridge=Puente interface=ether10
add bridge=Puente interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=Puente list=LAN
/interface wireless cap
#
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.200.1/24 interface=vlan10ETH3 network=192.168.200.0
/ip arp
add address=192.168.1.201 comment=Camara interface=Puente mac-address=\
00:62:6E:61:B5:85
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.176 comment="BOOX ONXY" mac-address=B0:F1:EC:21:A5:38 \
server=dhcp1
add address=192.168.1.3 client-id=1:7c:e9:d3:8f:f5:d8 comment=IMPRESORA \
mac-address=7C:E9:D3:8F:F5:D8 server=dhcp1
add address=192.168.1.18 client-id=1:0:11:32:ee:97:5 comment=SYNOLOGY \
mac-address=00:11:32:EE:97:05 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.200.0/24 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list="Red LAN"
add address=192.168.200.0/24 list=REDVLAN
/ip firewall filter
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas:" \
connection-state=established,related
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red VLAN" \
src-address-list=REDVLAN
add action=drop chain=input comment="Regla para denegar todo el trafico restan\
te, solo dejara entrar lo que este en el DST-NAT" connection-nat-state=\
!dstnat
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas" \
connection-state=established,related
add action=drop chain=forward comment=\
"Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=forward comment=\
"Regla para aceptar el trafico que saldr\E1 que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=forward comment="Regla para aceptar el trafico que sal\
dr\E1 que viene de nuestra Red VLAN" src-address-list=REDVLAN
add action=drop chain=forward comment="Regla para denegar el resto del trafico\
\_a trav\E9s del router, a excepci\F3n del trafico que este autorizado con\
\_una regla DST-NAT" connection-nat-state=!dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=5000 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6281 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6150 protocol=\
tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 port=6170,443 protocol=tcp to-addresses=192.168.1.8
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
79.155.7.84 src-port=7200 to-addresses=192.168.1.215 to-ports=7200
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=CASA
/system leds
set 0 interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-\
led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system package update
set channel=long-term

# jul/25/2022 19:38:06 by RouterOS 6.49
# software id = 7DE5-ZHUJ
#
# model = 951G-2HnD
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 2:33 pm

Hmm, well I am allergic to
a. capsman, I find it easier with 3 or less devices just to configure wifi on each device, much less complex and less prone to error.
b. mixing lans and vlans on a router, I prefer to use all vlans.


Questions.
(1) Why is ether1 (your WAN connection) associated with a VLAN (vlan6)? Is that how it comes from the provider?
I will assume yes based on your pppoe settings. So seems okay.

(2) The ether1 your WAN connection should NOT be on the bridge!

(3) It is not clear what the role of VLAN10 on ether3 is. You state it's a trunk port on the RB but you configure it like an access port, thus a confused setup.

The better question/answer is do you expect to have the LAN network on the RB951G device or ONLY vlan10 traffic?

(4) Why do you attempt to apply DHCP twice for vlan10, and different ones at that......
once on the RB4011 with subnet 192.168.200.0/24 and then on the second MT device again with subnet 192.168.10.0/24

============================
On your network diagram you need to add all the ports being used on the RB4011 and which traffic flows through the ports, including the connection between the two devices.
It will then become clear what you have setup incorrectly. One only needs DHCP settings for a subnet in one location.

Personally I would create as many vlans as needed and have NO subnet attached to the bridge, only vlans.
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 3:07 pm

Questions.
(1) Why is ether1 (your WAN connection) associated with a VLAN (vlan6)? Is that how it comes from the provider?
I will assume yes based on your pppoe settings. So seems okay.

Yes, it is TV or TEF.


(2) The ether1 your WAN connection should NOT be on the bridge!
OK

(3) It is not clear what the role of VLAN10 on ether3 is. You state it's a trunk port on the RB but you configure it like an access port, thus a confused setup.
I am learning VLANs and I do tests watching YouTube videos; it is normal that it is wrong.

The better question/answer is do you expect to have the LAN network on the RB951G device or ONLY vlan10 traffic?
I want to use the RB951G as a CAP with a VLAN; that is my purpose.

(4) Why do you attempt to apply DHCP twice for vlan10, and different ones at that......
once on the RB4011 with subnet 192.168.200.0/24 and then on the second MT device again with subnet 192.168.10.0/24
I understand that I should only have one DHCP.

============================
On your network diagram you need to add all the ports being used on the RB4011 and which traffic flows through the ports, including the connection between the two devices.
It will then become clear what you have setup incorrectly. One only needs DHCP settings for a subnet in one location.

Personally I would create as many vlans as needed and have NO subnet attached to the bridge, only vlans.
Thanks for the suggestion.
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 3:10 pm

Now the RB951 is set to default CAP mode. I want to create a VLAN on that CAP.
# aug/05/2022 13:06:00 by RouterOS 6.49
# software id = 7DE5-ZHUJ
#
# model = 951G-2HnD
# serial number =
/interface bridge
add admin-mac=E4:8D:8C:9F:6D:6A auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(17dBm), SSID: SnapSalon2Ga, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wireless cap
#
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
interfaces=wlan1
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/system clock
set time-zone-name=Atlantic/Canary
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 3:17 pm

CAP RB951 already has a connection with CAPsMAN, where I created the VLAN for CAP RB951.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 9:03 pm

WARNING - Why is SSH setup without crypto, what is the purpose???
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote


{ Another error just noted, is incorrect = /ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 it should be the bridge for your config setup }
{ However I am suggesting an alternative approach }

{ Another error noted, REMOVE the IP DHCP client (warning message indicates an issue) it is NOT required as the dhcp client is handled already in pppoe-client settings!! }
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1


{ Missing is pppoe-1 as a WAN interface list member }

{ Format for destination nat is dst-port = }

{ Also why is this lease time set to 10 seconds, recommend at least 1 day ?????
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s \ }

{ Firewall rules, many small errors, the big one is Port Forwarding DST nat rules don't belong in the input chain! }

In general, there should be a trusted subnet.
It can be the LAN subnet on the RB4011, it could be vlan10 for example or you can add one.

It should be one that your PC is normally connected to as you configure the devices from this pc.
All attached smart devices (such as APs and switches that can read VLAN tags, such as the RB951) should have an IP address from this subnet.

The solution I would find easiest to implement is to add vlan11
This will be the home vlan currently your 192.168.1.0 subnet.

Router: BEFORE you start, recommend both firmwares should be the same if possible.
***** I include only changed portions for the most part****
# model = RB4011iGS+5HacQ2HnD
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
set [ find default-name=ether10 ] name=ether10-OffBridge
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlanHOME-11 vlan-id=11
add interface=Puente name=vlanCAP-10 vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlanHOME-11 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 name=dhcp2
/interface bridge port
add bridge=Puente interface=ether2 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether4 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether5 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether6 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether7 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether8 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether9 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente  tagged=Puente,ether3  vlan-ids=10
add bridge=Puente  tagged=Puente,ether3  untagged=ether2,ether4,ether5,ether6,ether7,ether8,ether9  vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1  list=WAN
add interface=vlanCAP-10  list=LAN
add interface=vlanHOME-11  list=LAN
add interface=vlanHOME-11  list=BASE
add interface=ether10-OffBridge list=BASE
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
wlan1,wlan2
{ maybe vlan10 here is what is needed ?? }
/ip address
add address=192.168.1.1/24 interface=vlanHOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
add address=192.168.5.1/24  interface=ether10-OffBridge
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
{Input Chain}
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas establecidas y untracked:" \
connection-state=established,related,untracked
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=BASE comment=\
"Regla para aceptar el trafico que viene de nuestra BASE"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment=\
"Regla para aceptar el trafico LAN para DNS TCP"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment=\
"Regla para aceptar el trafico LAN para DNS UDP"
add action=drop chain=input comment="Drop all else"
{Forward Chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas  establecidas y untracked" \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid comment=\
"Regla para denegar conexiones invalidas"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment=\
"Regla para aceptar el trafico que saldr\E1 l'internet que viene de LAN"
add action=accept chain=forward connection-nat-state=dstnat comment=\
"entrar lo que este en DST-NAT"
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=5000 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6281 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6150 protocol=\
tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 dst-port=6170,443 protocol=tcp to-addresses=192.168.1.8
/ip ssh
set ????????????
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
.................

The only thing I am not sure about is this line.
/interface wireless cap
#
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
wlan1,wlan2


I am guessing this may be what is needed??
set bridge=Puente discovery-interfaces=vlan10 enabled=yes interfaces=wlan1,wlan2 ????
Last edited by anav on Fri Aug 05, 2022 9:36 pm, edited 7 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 9:04 pm

For ether10, configure it off the bridge before doing other changes from the bridge; it is easy to lock yourself out!!!
viewtopic.php?t=181718

The only config item I am not sure of is one of the capsman settings where you referred to the Bridge.
I don't know if that should remain bridge or identify vlanCAP-10.

The next post will detail the CAP config to match.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 9:26 pm

For this one the complete config is required........ Again, take ether5 and configure it off the bridge as per the article, and then do all your changes hooked up to ether5.
ACCESS POINT SWITCH CONFIG
# model = 951G-2HnD
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
set [ find default-name=ether5 ]  name=ether5-OffBridge
/interface vlan
add interface=bridge1 name=vlan11-home  vlan-id=11  { required as this is the base vlan }
add interface=bridge1 name=vlan10 vlan-id=10  { not required as only passing data through but is good for the reader to understand  }
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=MANAGE
/interface list member
add interface=vlan11-home  list=MANAGE
add interface=ether5-OffBridge list=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=wlan1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1  tagged=bridge1,ether1  vlan-ids=11
add bridge=bridge1 tagged=bridge1,ether1 untagged=wlan1 vlan-ids=10  { ether1 must carry vlan 10 tagged from the trunk or the wifi clients are isolated }
/ip address
add address=192.168.5.1/24  interface=ether5-OffBridge network=192.168.5.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1  { dns through trusted subnet gateway }
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
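As an added illustration (not code from this thread, from MikroTik, or from any of the posters), the Python below parses the `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS export and checks the two things the thread turns on: whether one router's bridge VLAN table is self-consistent, and whether the two ends of the RB4011 ether3 to RB951G ether1 cable carry each VLAN the same way (tagged on both sides, or untagged on both). The embedded configs are constructed excerpts of the exports posted above (the first 951G config, nichky's edit, and anav's RB4011 and 951G versions); the function names are my own.

```python
import re

# Constructed excerpts of the bridge sections of the configs posted in this thread,
# embedded so the checks run offline (interface names and VLAN ids as posted).
OP_951_FIRST = """\
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=wlan1 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,vlan10 vlan-ids=10
"""
RB951_NICHKY = """\
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
"""
RB4011_FIRST = """\
/interface bridge port
add bridge=Puente interface=ether3 pvid=10
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
"""
RB4011_ANAV = """\
/interface bridge port
add bridge=Puente interface=ether2 pvid=11 ingress-filtering=yes \\
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=Puente tagged=Puente,ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=ether2 vlan-ids=11
"""
RB951_ANAV = """\
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=wlan1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11
add bridge=bridge1 tagged=bridge1,ether1 untagged=wlan1 vlan-ids=10
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')   # key=value or key="quoted value"

def parse_export(text):
    """{section: [{key: value}, ...]} for each 'add' line of a RouterOS export."""
    joined = re.sub(r'\\\n\s*', '', text)      # join backslash-continued lines
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('/'):
            current = line
        elif line.startswith('add ') and current is not None:
            row = {k: v.strip('"') for k, v in KV.findall(line[4:])}
            sections.setdefault(current, []).append(row)
    return sections

def bridge_model(text):
    """ports: bridge port -> pvid; bridges: bridge names; table: interface ->
    {vlan: set of 'tagged'/'untagged'} as listed in /interface bridge vlan."""
    sections = parse_export(text)
    ports = {p['interface']: int(p.get('pvid', 1)) for p in sections.get('/interface bridge port', [])}
    bridges = {p['bridge'] for p in sections.get('/interface bridge port', [])}
    table = {}
    for row in sections.get('/interface bridge vlan', []):
        for mode in ('tagged', 'untagged'):
            for iface in filter(None, row.get(mode, '').split(',')):
                for vid in map(int, row['vlan-ids'].split(',')):   # comma lists only, no ranges
                    table.setdefault(iface, {}).setdefault(vid, set()).add(mode)
    return ports, bridges, table

def check_bridge(text):
    """Self-consistency findings for one router's bridge VLAN table."""
    ports, bridges, table = bridge_model(text)
    findings = []
    for iface, vlans in table.items():
        if iface not in ports and iface not in bridges:
            findings.append(f"{iface} is in the bridge vlan table but is not a bridge port")
        for vid, modes in vlans.items():
            if modes == {'tagged', 'untagged'}:
                findings.append(f"{iface} is both tagged and untagged in VLAN {vid}")
    return findings

def port_view(text, port):
    """VLAN -> 'tagged'/'untagged' as one port carries it. The pvid VLAN is folded
    in as untagged because RouterOS adds that membership dynamically."""
    ports, _, table = bridge_model(text)
    view = {vid: next(iter(modes)) for vid, modes in table.get(port, {}).items()}
    view.setdefault(ports.get(port, 1), 'untagged')
    return view

def check_link(cfg_a, port_a, cfg_b, port_b):
    """How the two ends of one cable disagree about each VLAN (empty = consistent)."""
    a, b = port_view(cfg_a, port_a), port_view(cfg_b, port_b)
    return [f"VLAN {vid}: {port_a} {a.get(vid, 'absent')} vs {port_b} {b.get(vid, 'absent')}"
            for vid in sorted(set(a) | set(b)) if a.get(vid) != b.get(vid)]

if __name__ == '__main__':
    print(check_bridge(OP_951_FIRST))                                  # vlan10 is not a bridge port
    print(check_link(RB4011_FIRST, 'ether3', RB951_NICHKY, 'ether1'))  # access port facing a trunk
    print(check_link(RB4011_ANAV, 'ether3', RB951_ANAV, 'ether1'))     # [] once both ends are trunks
```

Run as a script it prints the three checks: the first reports that `vlan10` in the OP's untagged list is a VLAN interface rather than a bridge port, and the second shows why an access port on the RB4011 cannot carry VLAN 10 to a tagged-only ether1 on the 951G.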
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 9:53 pm

WARNING - Why is SSH setup without crypto, what is the purpose???
I don't understand this I don't use SSH.
What should I do?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 10:08 pm

Hi there......
Well, not sure, as the stupid item was a default config a long time ago.
Did you copy and paste older configs when putting on 6.48.6 ??

The best thing to do for now is to turn that off.
Go to in winbox SYSTEM, then Services, then ensure SSH is off NOT green. (hit the red X).


After some research on capsman, it's getting in the way of success; it gets complicated with vlans and hurts my head (I avoid it like the plague).
Suggest getting a working config with regular wifi settings first, then when it's stable introduce capsman after some reading etc...

Unless of course you are a capsman whiz and this is no problem for you.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: VLAN

Fri Aug 05, 2022 10:13 pm

WARNING - Why is SSH setup without crypto, what is the purpose???
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
These are not the settings the user wanted; they are the defaults for v6.xx, and when migrating to another version, where the new defaults are no / no, the export shows that.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 05, 2022 10:15 pm

WARNING - Why is SSH setup without crypto, what is the purpose???
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
These are not the settings the user wanted; they are the defaults for v6.xx, and when migrating to another version, where the new defaults are no / no, the export shows that.
Also in CLI accessed via New Terminal you can type...............
/ip ssh set allow-none-crypto=no
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: VLAN

Fri Aug 05, 2022 10:17 pm

Paste this on the device to solve it / align with the new default:
/ip ssh
set allow-none-crypto=no forwarding-enabled=no
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: VLAN

Fri Aug 05, 2022 10:19 pm

On that capsman line I see thousands of problems....

security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip

wpa-psk and tkip must disappear


management-protection=allowed

management-protection does not work with clients, only between MikroTik devices.....


lease-time=10s

10 seconds???????????

On RB4011iGS+5HacQ2HnD paste this on terminal
{
/caps-man configuration
set [find] security.authentication-types=wpa2-psk security.encryption=aes-ccm
/caps-man security
set [find] authentication-types=wpa2-psk
/interface pppoe-client
set [find] keepalive-timeout=10
/interface wireless security-profiles
set Misclaves authentication-types=wpa2-psk eap-methods=passthrough management-protection=disabled supplicant-identity=MikroTik
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=static
/ip ssh
set allow-none-crypto=no forwarding-enabled=no
}


Paste this on 951G-2HnD
/ip neighbor discovery-settings
set discover-interface-list=static
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 10:35 pm



These are not the settings the user wanted; they are the defaults for v6.xx, and when migrating to another version, where the new defaults are no / no, the export shows that.
Also in CLI accessed via New Terminal you can type...............
/ip ssh set allow-none-crypto=no
Ready!!
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: VLAN

Fri Aug 05, 2022 10:36 pm

AAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: VLAN

Fri Aug 05, 2022 10:37 pm

Really do not hide anything for default service ports... 8728,8729,21,22,23,8291,80 and 443.......

Paste this in the terminal, better on both devices....:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
User avatar
Rey68
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 05, 2022 10:39 pm

lease-time=10s

10 seconds???????????

I was testing the renewal of the IP and I did not remember to change to more time
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: VLAN

Fri Aug 05, 2022 10:41 pm

If you do not have an IP depletion problem, you can set it to 1 day (1d 00:00:00)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN

Fri Aug 05, 2022 11:16 pm

As rextended noted, change all the other services to OFF if you don't need them, normally most just have winbox green.

Also decide if you will keep capsman or drop it, as if you keep it I cannot help further.......... as there will be conflicts........
 
User avatar
Rey68
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Sat Aug 06, 2022 6:52 pm

WARNING - Why is SSH set up without crypto, what is the purpose???
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote


{ Another error just noted, this is incorrect = /ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 ; it should be the bridge for your config setup.
However I am suggesting an alternative approach }

{ Another error noted, REMOVE the IP DHCP client (warning message indicates an issue) it is NOT required as the dhcp client is handled already in pppoe-client settings!! }
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1


{ Missing is pppoe-1 as a WAN interface list member }

{ Format for destination nat is dst-port = }

{ Also why is this lease time set to 10 seconds, recommend at least 1 day ?????
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s }

{ Firewall rules, many small errors, the big one is Port Forwarding DST nat rules don't belong in the input chain! }

In general, there should be a trusted subnet.
It can be the LAN subnet on the RB4011, it could be vlan10 for example or you can add one.

It should be one that your PC is normally connected to as you configure the devices from this pc.
All attached smart devices (such as APs and Switches that can read vlan tags such as the RB95 ) should have an IP address from this subnet.

The solution I would find easiest to implement is to add vlan11
This will be the home vlan currently your 192.168.1.0 subnet.

Router: BEFORE you start, recommend both firmwares should be the same if possible.
***** I include only changed portions for the most part****
# model = RB4011iGS+5HacQ2HnD
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
set [ find default-name=ether10 ] comment=eth10-OffBridge
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlanHOME-11  vlan-id=11
add interface=Puente name=vlanCAP-10  vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlanHOME-11 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 name=dhcp2
/interface bridge port
add bridge=Puente interface=ether2  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether4  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether5  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether6  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether7  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether8  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether9 pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente  tagged=Puente,ether3  vlan-ids=10
add bridge=Puente  tagged=Puente,ether3  untagged=ether2,ether4,ether5,ether6,ether7,ether8,ether9  vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1  list=WAN
add interface=vlanCAP-10  list=LAN
add interface=vlanHOME-11  list=LAN
add interface=vlanHOME-11  list=BASE
add interface=eth10-OffBridge  list=BASE
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\   { maybe vlan10 here is what is needed ?? }
wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=vlanHOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
add address=192.168.5.1/24  interface=ether10-OffBridge
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
{Input Chain}
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas establecidas y untracked:" \
connection-state=established,related,untracked
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=BASE comment=\
"Regla para aceptar el trafico que viene de nuestra BASE"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment=\
"Regla para aceptar el trafico LAN para DNS TCP"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment=\
"Regla para aceptar el trafico LAN  para DNS UDP"
add action=drop chain=input  comment="Drop all else"
{Forward Chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas  establecidas y untracked" \
connection-state=established,related,untracked
add action=drop chain=forward  connection-state=invalid comment=\
   "Regla para denegar conexiones invalidas"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment=\
   "Regla para aceptar el trafico que saldr\E1 l'internet que viene de LAN"
add action=accept chain=forward connection-nat-state=dstnat  comment=\
      "entrar lo que este en DST-NAT"
add action=drop chain=forward  comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=5000 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6281 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6150 protocol=\
tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 dst-port=6170,443 protocol=tcp to-addresses=192.168.1.8
/ip ssh
set ????????????
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
.................

The only thing I am not sure about is this line.
/interface wireless cap
#
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
wlan1,wlan2


I am guessing this may be what is needed ??
set bridge=Puente discovery-interfaces=vlan10 enabled=yes interfaces=wlan1,wlan2 ????
Thanks for the help.
I prefer to use the interface than the script so I understand better what I'm doing.
I do not understand this.
/vlan-interface
add interface=ether1 name=vlan6 vlan-id=6
add interface=Bridge name=vlanHOME-11 vlan-id-11
add interface=Bridge name=vlanCAP-10 vlan-id=10
addname=WAN
addname=LAN
add name=BASE

add name=BASE
What does it do to change the name of name=vlanCAP-10?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN

Sat Aug 06, 2022 10:39 pm

Yes I was just using it to name the wifi device, use whatever name you wish......
 
User avatar
Rey68
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Sun Aug 07, 2022 11:51 am

I don't understand, wifi or vlan? In any case, it gives an error, it does not change the name. But then further down the old name is referenced.

add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 name=dhcp2.
Is it a mistake?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN

Sun Aug 07, 2022 2:56 pm

Naming should be consistent for the vlan associated with the wifi device, so whatever name you give it ....... needs to be populated in all the required spots.
 
User avatar
Rey68
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Sun Aug 07, 2022 8:50 pm

I have the two scripts on both MikroTiks, but the RB95G does not have internet access or an IP. I no longer use CAP. My main goal is for the "guest" wifi of the RB95G to work with a VLAN, VLAN 10 in this case.
# jan/02/1970 00:04:21 by RouterOS 6.49.6
# software id = 7DE5-ZHUJ
#
# model = 951G-2HnD
# serial number = 5D610534BAE3
/interface bridge
add admin-mac=E4:8D:8C:9F:6D:6B auto-mac=no comment=defconf name=bridge1 \
vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=spain disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=INVITADOS wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
set [ find default-name=ether5 ] name=ether5-OffBridge
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11-home vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
wlan1 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=10
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan11-home list=MANAGE
add interface=ether5-OffBridge list=MANAGE
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=\
192.168.88.0
add address=192.168.5.1/24 interface=ether5-OffBridge network=192.168.5.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=MANAGE
/ip route
add comment="ensures route avail through trusted subnet gateway" distance=1 \
gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

# aug/07/2022 19:28:04 by RouterOS 6.49.6
# software id = EJGX-NLPK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E00A39B557
/caps-man datapath
add name=Invitados
/interface bridge
add name=Puente vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
set [ find default-name=ether10 ] comment=BASE
/interface eoip
add disabled=yes local-address=81.36.138.168 mac-address=02:98:C2:91:1D:6E \
name=eoip-Muntaner remote-address=80.26.190.115 tunnel-id=1
/interface vlan
add comment=LAN interface=Puente name=vlan1HOME-11 vlan-id=11
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlanCAP-10 vlan-id=10
/caps-man configuration
add country=spain datapath.bridge=Puente name="Configuracion CAP" \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2G
add country=spain datapath.bridge=Puente name=CAPSALON \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2Ga
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=60 \
name=pppoe-out1 user=adslppp@telefonicanetpa
/caps-man interface
add configuration=CAPSALON disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:9F:6D:6F master-interface=none name=Salon radio-mac=\
E4:8D:8C:9F:6D:6F radio-name=E48D8C9F6D6F
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=security1Invitados
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Misclaves \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower mac-address=74:4D:28:8C:76:98 \
mode=ap-bridge radio-name=744D288C7698 security-profile=Misclaves ssid=\
SNAPs5 station-roaming=enabled vlan-id=11 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower mode=ap-bridge \
security-profile=Misclaves ssid=SnapSalon2G station-roaming=enabled \
vlan-id=11 wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan1HOME-11 lease-time=1d name=\
dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 lease-time=1d \
name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Puente
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="Configuracion CAP"
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=ether9 pvid=11
add bridge=Puente interface=ether10
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3 pvid=10
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=\
ether2,ether4,ether5,ether6,ether7,ether8 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlanCAP-10 list=LAN
add interface=vlan1HOME-11 list=LAN
add interface=vlan1HOME-11 list=BASE
add interface=ether10 list=BASE
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente interfaces=wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=vlan1HOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
add address=192.168.5.1/24 interface=ether10 network=192.168.5.0
/ip arp
add address=192.168.1.201 comment=Camara interface=Puente mac-address=\
00:62:6E:61:B5:85
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.176 comment="BOOX ONXY" mac-address=B0:F1:EC:21:A5:38 \
server=dhcp1
add address=192.168.1.3 client-id=1:7c:e9:d3:8f:f5:d8 comment=IMPRESORA \
mac-address=7C:E9:D3:8F:F5:D8 server=dhcp1
add address=192.168.1.18 client-id=1:0:11:32:ee:97:5 comment=SYNOLOGY \
mac-address=00:11:32:EE:97:05 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list="Red LAN"
add address=192.168.200.0/24 list=REDVLAN
/ip firewall filter
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas:" \
connection-state=established,related
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red VLAN" \
src-address-list=REDVLAN
add action=drop chain=input comment="Regla para denegar todo el trafico restan\
te, solo dejara entrar lo que este en el DST-NAT" connection-nat-state=\
!dstnat
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas" \
connection-state=established,related
add action=drop chain=forward comment=\
"Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=forward comment=\
"Regla para aceptar el trafico que saldr\E1 que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=forward comment="Regla para aceptar el trafico que sal\
dr\E1 que viene de nuestra Red VLAN" src-address-list=REDVLAN
add action=drop chain=forward comment="Regla para denegar el resto del trafico\
\_a trav\E9s del router, a excepci\F3n del trafico que este autorizado con\
\_una regla DST-NAT" connection-nat-state=!dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=5000 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6281 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6150 protocol=\
tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 port=6170,443 protocol=tcp to-addresses=192.168.1.8
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
79.155.7.84 src-port=7200 to-addresses=192.168.1.215 to-ports=7200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=CASA
/system leds
set 0 interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-\
led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN

Sun Aug 07, 2022 11:17 pm

WIFI DEVICE acting as AP/Switch
(1) In the wifi device there is no need for any pool so remove this line.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254


(2) for /interface bridge vlan settings you are missing one line, please add to make complete
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11

(3) the address of the wifi device should be an IP from the subnet controlled by the RB4011 and specifically an IP address on VLAN11.
Since vlan11 has an IP address of 192.168.1.1/24, you can manually assign an IP of 192.168.1.2/24 for example to the Wifi device and set it static.
So the IP address on the wifi device would look like
/ip address
add address=192.168.1.2/24 comment=defconf interface=bridge1 network=192.168.1.0

(4) Remove from wifi device......
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1

(5) Remove from wifi device (there is no wan, no ip dhcp client).
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1

(6) Remove
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(7) REMOVE Firewall rules, not required........
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
(8) Remove masquerade NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=MANAGE
Last edited by anav on Sun Aug 07, 2022 11:30 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN

Sun Aug 07, 2022 11:29 pm

RB4011
(1) Have an old pool default entry and missing the pool for the vlans. OKAY I see them later so simply get rid of the pool that refers to 192.168.88.x
Each vlan identified with the parent interface of the bridge requires:
ip pool
dhcp server
dhcp server network
IP address


(2) Okay for BRIDGE ports ether3 is a trunk port carrying both vlans tagged, so this is incorrect.
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=\
ether2,ether4,ether5,ether6,ether7,ether8 vlan-ids=11


that line should be
add bridge=Puente tagged=Puente,ether3 vlan-ids=10

(3) In keeping with this theme let's look at the corresponding /interface bridge port setting
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=ether9 pvid=11
add bridge=Puente interface=ether10
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3 pvid=10
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=11


You can see the discrepancy clearly here where you are saying ether3 is for only tagged traffic and yet with the pvid you are stating to tag incoming traffic with vlan10 as if it was connected to a dumb device.........
Correct line is:
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3
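The mismatch in (2) and (3), a trunk port that carries a pvid and is listed as untagged, plus the access ports that the VLAN 11 entry leaves out and the 951G trunk that no bridge vlan entry lists, can be caught mechanically before the config is applied. The following checker is an added example written for this page, not code from the thread or from MikroTik; the sample exports are abbreviated from the ones posted above, and the corrected RB4011 table lists ether9 and wlan1 as untagged on VLAN 11, which is my assumption about the intended end state.

```python
"""Lint the bridge VLAN table of a RouterOS v6 export for the mismatches raised in this
thread: a trunk port that also carries a pvid, a trunk listed as untagged, an access port
missing from its VLAN's untagged list, and a trunk that is a member of no VLAN at all."""
import re

KV = re.compile(r'([\w.-]+)=("[^"]*"|\S*)')   # key=value, value may be quoted
TRUNK = "admit-only-vlan-tagged"               # frame-types value of a trunk port


def join_continuations(text):
    """Re-join lines that a RouterOS export wraps with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines + ([buf] if buf else [])


def parse_export(text):
    """Map each '/section' header to its 'add ...' entries as {key: value} dicts."""
    sections, current = {}, None
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith("add "):
            current.append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections


def members(vlan_entries, column):
    """port -> set of VLAN ids on which the port appears in `column` (tagged/untagged)."""
    out = {}
    for entry in vlan_entries:
        for vid in entry.get("vlan-ids", "").split(","):
            for port in filter(None, entry.get(column, "").split(",")):
                out.setdefault(port, set()).add(vid)
    return out


def lint_bridge_vlans(export_text):
    """Return sorted, human-readable findings; an empty list means the table is consistent."""
    cfg = parse_export(export_text)
    vlans = cfg.get("/interface bridge vlan", [])
    tagged, untagged = members(vlans, "tagged"), members(vlans, "untagged")
    findings = []
    for port in cfg.get("/interface bridge port", []):
        name, pvid = port.get("interface"), port.get("pvid")
        if port.get("frame-types") == TRUNK:          # trunk: must only carry tags
            if pvid:
                findings.append(f"{name}: trunk (admit-only-vlan-tagged) but pvid={pvid} is set")
            if name in untagged:
                findings.append(f"{name}: trunk listed as untagged on vlan {','.join(sorted(untagged[name]))}")
            if name not in tagged:
                findings.append(f"{name}: trunk is not a tagged member of any vlan")
        elif pvid and pvid not in untagged.get(name, set()):  # access port
            findings.append(f"{name}: pvid={pvid} but not untagged in the bridge vlan entry for {pvid}")
    return sorted(findings)


# Abbreviated from the RB4011 export posted in this thread (only the ports that matter).
RB4011_BEFORE = """\
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=11
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=11
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=\\
    ether2,ether4,ether5,ether6,ether7,ether8 vlan-ids=11
"""

# The same ports after the corrections discussed above; listing ether9 and wlan1 as
# untagged on VLAN 11 is my assumption about the intended end state.
RB4011_AFTER = """\
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=11
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=11
/interface bridge vlan
add bridge=Puente tagged=Puente,ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=ether2,ether9,wlan1 vlan-ids=11
"""

# Abbreviated from the 951G-2HnD export posted in this thread: ether1 is a trunk that no entry lists.
RB951_BEFORE = """\
/interface bridge port
add bridge=bridge1 comment=defconf frame-types=\\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\\
    wlan1 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \\
    interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=10
"""
```

Run `lint_bridge_vlans(RB4011_BEFORE)` to see the four findings, and the same call on `RB4011_AFTER` returns an empty list.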
 
User avatar
Rey68
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Mon Aug 08, 2022 12:21 pm

RB4011
(1) Have an old pool default entry and missing the pool for the vlans. OKAY I see them later so simply get rid of the pool that refers to 192.168.88.x
Each vlan identified with the parent interface of the bridge requires:
ip pool
dhcp server
dhcp server network
IP address


I don't see 192.168.88.x and I see dhcp server and pool
not working yet

(2) Okay for BRIDGE ports ether3 is a trunk port carrying both vlans tagged, so this is incorrect.
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=\
ether2,ether4,ether5,ether6,ether7,ether8 vlan-ids=11


that line should be
add bridge=Puente tagged=Puente,ether3 vlan-ids=10

(3) In keeping with this theme let's look at the corresponding /interface bridge port setting
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=ether9 pvid=11
add bridge=Puente interface=ether10
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3 pvid=10
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=11


You can see the discrepancy clearly here where you are saying ether3 is for only tagged traffic and yet with the pvid you are stating to tag incoming traffic with vlan10 as if it was connected to a dumb device.........
Correct line is:
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3
 
User avatar
Rey68
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Mon Aug 08, 2022 12:31 pm

# aug/08/2022 11:30:09 by RouterOS 6.49.6
# software id = EJGX-NLPK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E00A39B557
/caps-man datapath
add name=Invitados
/interface bridge
add name=Puente vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
set [ find default-name=ether10 ] comment=BASE
/interface eoip
add disabled=yes local-address=81.36.138.168 mac-address=02:98:C2:91:1D:6E \
name=eoip-Muntaner remote-address=80.26.190.115 tunnel-id=1
/interface vlan
add comment=LAN interface=Puente name=vlan1HOME-11 vlan-id=11
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlanCAP-10 vlan-id=10
/caps-man configuration
add country=spain datapath.bridge=Puente name="Configuracion CAP" \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2G
add country=spain datapath.bridge=Puente name=CAPSALON \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2Ga
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=60 \
name=pppoe-out1 user=adslppp@telefonicanetpa
/caps-man interface
add configuration=CAPSALON disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:9F:6D:6F master-interface=none name=Salon radio-mac=\
E4:8D:8C:9F:6D:6F radio-name=E48D8C9F6D6F
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=security1Invitados
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Misclaves \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower mac-address=74:4D:28:8C:76:98 \
mode=ap-bridge radio-name=744D288C7698 security-profile=Misclaves ssid=\
SNAPs5 station-roaming=enabled vlan-id=11 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower mode=ap-bridge \
security-profile=Misclaves ssid=SnapSalon2G station-roaming=enabled \
vlan-id=11 wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan1HOME-11 lease-time=1d name=\
dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 lease-time=1d \
name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Puente
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="Configuracion CAP"
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether9 pvid=11
add bridge=Puente interface=ether10
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=11
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente tagged=Puente,ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=\
ether2,ether4,ether5,ether6,ether7,ether8 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlanCAP-10 list=LAN
add interface=vlan1HOME-11 list=LAN
add interface=vlan1HOME-11 list=BASE
add interface=ether10 list=BASE
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente interfaces=wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=vlan1HOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
add address=192.168.5.1/24 interface=ether10 network=192.168.5.0
/ip arp
add address=192.168.1.201 comment=Camara interface=Puente mac-address=\
00:62:6E:61:B5:85
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.176 comment="BOOX ONXY" mac-address=B0:F1:EC:21:A5:38 \
server=dhcp1
add address=192.168.1.3 client-id=1:7c:e9:d3:8f:f5:d8 comment=IMPRESORA \
mac-address=7C:E9:D3:8F:F5:D8 server=dhcp1
add address=192.168.1.18 client-id=1:0:11:32:ee:97:5 comment=SYNOLOGY \
mac-address=00:11:32:EE:97:05 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list="Red LAN"
add address=192.168.200.0/24 list=REDVLAN
/ip firewall filter
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas:" \
connection-state=established,related
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red VLAN" \
src-address-list=REDVLAN
add action=drop chain=input comment="Regla para denegar todo el trafico restan\
te, solo dejara entrar lo que este en el DST-NAT" connection-nat-state=\
!dstnat
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas" \
connection-state=established,related
add action=drop chain=forward comment=\
"Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=forward comment=\
"Regla para aceptar el trafico que saldr\E1 que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=forward comment="Regla para aceptar el trafico que sal\
dr\E1 que viene de nuestra Red VLAN" src-address-list=REDVLAN
add action=drop chain=forward comment="Regla para denegar el resto del trafico\
\_a trav\E9s del router, a excepci\F3n del trafico que este autorizado con\
\_una regla DST-NAT" connection-nat-state=!dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=5000 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6281 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6150 protocol=\
tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 port=6170,443 protocol=tcp to-addresses=192.168.1.8
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
79.155.7.84 src-port=7200 to-addresses=192.168.1.215 to-ports=7200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=CASA
/system leds
set 0 interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-\
led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE


# jan/02/1970 03:17:53 by RouterOS 6.49.6
# software id = 7DE5-ZHUJ
#
# model = 951G-2HnD
# serial number = 5D610534BAE3
/interface bridge
add admin-mac=E4:8D:8C:9F:6D:6B auto-mac=no comment=defconf name=bridge1 \
vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=spain disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=INVITADOS wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
set [ find default-name=ether5 ] name=ether5-OffBridge
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11-home vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
wlan1 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan11-home list=MANAGE
add interface=ether5-OffBridge list=MANAGE
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=\
192.168.88.0
add address=192.168.5.1/24 interface=ether5-OffBridge network=192.168.5.0
add address=192.168.1.11/24 interface=bridge1 network=192.168.1.0
/ip dns
set allow-remote-requests=yes
/ip route
add comment="ensures route avail through trusted subnet gateway" distance=1 \
gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Mon Aug 08, 2022 12:53 pm

RB4011.
- still using capsman so not sure how vlans and capsman mix ??
- firewall rules are not the ones I gave you and thus still wrong and I stopped looking when I saw the first item below..........

for example destination nat rules have no business being in the INPUT CHAIN!
add action=drop chain=input comment="Regla para denegar todo el trafico restan\
te, solo dejara entrar lo que este en el DST-NAT" connection-nat-state=\
!dstnat

So cannot really do much more for you on this device as everything else seems to check out.

WIFI DEVICE
I missed this error last time my apologies............
From this
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11

TO:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11
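Both corrections in this thread (the trunk ether3 carrying a pvid while set to admit only tagged frames, and vlan 10 on the 951 being tagged only on bridge1 so it could never reach ether1) are contradictions between the /interface bridge port and /interface bridge vlan tables. The following linter, added here as an example and not code from the thread or from MikroTik, parses those two sections of a RouterOS v6 export and reports such mismatches; the export it runs on is a constructed sample that reproduces the thread's mistakes, not one of the posted configs.

```python
"""Lint the bridge-VLAN sections of a RouterOS '/export'.

Added example, not code from the thread or from MikroTik. Assumes RouterOS v6
export syntax (trailing backslash = line continuation) and reads only the
'/interface bridge port' and '/interface bridge vlan' sections.
"""
import shlex
from collections import defaultdict

ACCESS = "admit-only-untagged-and-priority-tagged"
TRUNK = "admit-only-vlan-tagged"


def join_continuations(text):
    """Fold continuation lines and drop comments: one command per line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if s.endswith("\\"):
            buf += s[:-1]  # the space before the backslash is kept
            continue
        lines.append(buf + s)
        buf = ""
    return lines


def parse_export(text):
    """Return (ports, vlans) from the two bridge sections of an export."""
    section, ports, vlans = None, {}, []
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if section == "/interface bridge port":
            ports[kv["interface"]] = {
                "bridge": kv.get("bridge"),
                "pvid": int(kv.get("pvid", 1)),  # RouterOS default pvid is 1
                "pvid_set": "pvid" in kv,
                "frame_types": kv.get("frame-types", "admit-all"),
            }
        elif section == "/interface bridge vlan":
            vlans.append({
                "ids": {int(v) for v in kv["vlan-ids"].split(",")},
                "tagged": set(filter(None, kv.get("tagged", "").split(","))),
                "untagged": set(filter(None, kv.get("untagged", "").split(","))),
            })
    return ports, vlans


def check_bridge_vlans(ports, vlans):
    """Return human-readable findings; an empty list means the tables agree."""
    findings = []
    tagged_of, untagged_of = defaultdict(set), defaultdict(set)
    for v in vlans:
        for vid in v["ids"]:
            tagged_of[vid] |= v["tagged"]
            untagged_of[vid] |= v["untagged"]
    bridges = {p["bridge"] for p in ports.values()}
    for name, p in sorted(ports.items()):
        # A trunk admits only tagged frames, so a pvid on it is a contradiction:
        # it would stamp untagged ingress with that VLAN as if a dumb device sat there.
        if p["frame_types"] == TRUNK and p["pvid_set"]:
            findings.append(f"{name}: tagged-only trunk must not set pvid={p['pvid']}")
        # An access port must be an untagged member of its pvid VLAN, or the
        # bridge drops its traffic once vlan-filtering is on.
        if p["frame_types"] == ACCESS and name not in untagged_of[p["pvid"]]:
            findings.append(f"{name}: pvid={p['pvid']} but not untagged in vlan {p['pvid']}")
    for vid in sorted(untagged_of):
        # Access ports exist but no physical port carries the VLAN tagged:
        # the VLAN is stranded on this router and never reaches the trunk.
        if untagged_of[vid] and not (tagged_of[vid] - bridges):
            findings.append(f"vlan {vid}: access ports but no tagged trunk port")
    return findings


def lint_export(text):
    return check_bridge_vlans(*parse_export(text))


# Constructed sample (not a real export) reproducing the thread's mistakes:
# the trunk carries a pvid, and vlan 10 is tagged only on the bridge itself.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \\
    interface=ether1 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether3 pvid=11
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11
"""

if __name__ == "__main__":
    print("\n".join(lint_export(SAMPLE_EXPORT)))
```

Paste a real `/export` into `lint_export` to get the same three classes of finding; an access port whose pvid is missing from the VLAN's untagged list (ether9 and the wlan ports in the RB4011 export above) is caught by the second check.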
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 12, 2022 2:19 pm

Hello:
Well it works now.
The detail of the IP 0.0.0.0, how can it be solved?
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 12, 2022 2:19 pm

Capture
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 12, 2022 3:00 pm

Hello:
Well it works now.
The detail of the IP 0.0.0.0, how can it be solved?
Buenos, so the config is basically working now?
What do you mean about the detail being solved?
Can you provide more information/detail please..........
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Aug 12, 2022 3:29 pm

In WINBOX in IP Address I see 0.0.0.0
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN

Fri Aug 12, 2022 9:05 pm

(1) On the 951 unit..........
From:
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan11-home list=MANAGE
add interface=ether5-OffBridge list=MANAGE

TO:
/interface list member
add interface=vlan11-home list=MANAGE
add interface=ether5-OffBridge list=MANAGE


(2) On the 951 unit.........
REMOVE!!!!
/ip dhcp-server
add disabled=no interface=bridge1 name=defconf


(3) on the 951 unit...........
From:
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=\
192.168.88.0

add address=192.168.5.1/24 interface=ether5-OffBridge network=192.168.5.0
add address=192.168.1.11/24 interface=bridge1 network=192.168.1.0


TO:
/ip address
add address=192.168.5.1/24 interface=ether5-OffBridge network=192.168.5.0
add address=192.168.1.11/24 interface=bridge1 network=192.168.1.0
 
Rey68
Frequent Visitor
Topic Author
Posts: 62
Joined: Mon Mar 31, 2014 12:52 pm
Location: Barcelona. España

Re: VLAN

Fri Sep 30, 2022 12:43 pm

Hello:
I have the second router connected by vlan but I do not have access to the internet.

# aug/18/2022 10:39:13 by RouterOS 6.49.6
# software id = IZCV-KXT5
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7708429EB8
/interface bridge
add admin-mac=E4:8D:8C:9F:6D:6B auto-mac=no comment=defconf name=bridge1 \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS" mac-address=\
E4:8D:8C:9F:6D:6A
set [ find default-name=ether2 ] mac-address=E4:8D:8C:9F:6D:6B
set [ find default-name=ether3 ] mac-address=E4:8D:8C:9F:6D:6C
set [ find default-name=ether4 ] mac-address=E4:8D:8C:9F:6D:6D
set [ find default-name=ether5 ] mac-address=E4:8D:8C:9F:6D:6E name=\
ether5-OffBridge
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11-home vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=ClaveBAR supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
name=wlan2 security-profile=ClaveBAR ssid=ELREYDELBOCATA
set [ find default-name=wlan2 ] country=spain disabled=no mode=ap-bridge \
name=wlan3 security-profile=ClaveBAR ssid=ELREYDELBOCATA5G
/system logging action
set 1 disk-file-name=log
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
*6 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan3 pvid=10
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether5-OffBridge
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=wlan2,wlan3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan11-home list=MANAGE
add interface=ether5-OffBridge list=MANAGE
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5-OffBridge list=LAN
add interface=sfp1 list=LAN
add interface=wlan3 list=LAN
add interface=wlan2 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge1 \
network=192.168.88.0
add address=192.168.5.1/24 interface=ether5-OffBridge network=192.168.5.0
add address=192.168.1.11/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add interface=bridge1
/ip dns
set allow-remote-requests=yes
/ip route
add comment="ensures route avail through trusted subnet gateway" distance=1 \
gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=WIFIBAR
/system leds
set 0 leds=""
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

# sep/30/2022 11:42:07 by RouterOS 6.49.6
# software id = ZRD2-N1KA
#
# model = RB4011iGS+5HacQ2HnD
# serial number = F03C0EC6DC25
/caps-man datapath
add name=Invitados
/interface bridge
add name=Puente vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=74:4D:28:8C:76:8E
set [ find default-name=ether2 ] comment=LAN mac-address=74:4D:28:8C:76:8F
set [ find default-name=ether3 ] comment=LAN mac-address=74:4D:28:8C:76:90
set [ find default-name=ether4 ] comment="EXTENSION WIFI" mac-address=\
74:4D:28:8C:76:91
set [ find default-name=ether5 ] comment=LAN mac-address=74:4D:28:8C:76:92
set [ find default-name=ether6 ] comment=LAN mac-address=74:4D:28:8C:76:93
set [ find default-name=ether7 ] comment=LAN mac-address=74:4D:28:8C:76:94
set [ find default-name=ether8 ] comment=LAN mac-address=74:4D:28:8C:76:95
set [ find default-name=ether9 ] comment=LAN mac-address=74:4D:28:8C:76:96
set [ find default-name=ether10 ] comment=BASE mac-address=74:4D:28:8C:76:97
set [ find default-name=sfp-sfpplus1 ] mac-address=74:4D:28:8C:76:98
/interface eoip
add disabled=yes local-address=81.36.138.168 mac-address=02:98:C2:91:1D:6E \
name=eoip-Muntaner remote-address=80.26.190.115 tunnel-id=1
/interface vlan
add comment=LAN interface=Puente name=vlan1HOME-11 vlan-id=11
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlanCAP-10 vlan-id=10
/caps-man configuration
add country=spain datapath.bridge=Puente name="Configuracion CAP" \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2G
add country=spain datapath.bridge=Puente name=CAPSALON \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm,tkip ssid=SnapSalon2Ga
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=60 \
name=pppoe-out1 user=adslppp@telefonicanetpa
/caps-man interface
add configuration=CAPSALON disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:9F:6D:6F master-interface=none name=Salon radio-mac=\
E4:8D:8C:9F:6D:6F radio-name=E48D8C9F6D6F
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=security1Invitados
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Misclaves \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] comment="WIFI 5G ELREDELBOCATA+" disabled=no \
mode=ap-bridge name=wlan3 security-profile=Misclaves ssid=ELREYDELBOCATA+
set [ find default-name=wlan2 ] comment="WIFI 2G ELREYDELBOCATA+" disabled=no \
mode=ap-bridge name=wlan4 security-profile=Misclaves ssid=ELREYDELBOCATA+
/interface wireless manual-tx-power-table
set wlan3 comment="WIFI 5G ELREDELBOCATA+"
set wlan4 comment="WIFI 2G ELREYDELBOCATA+"
/interface wireless nstreme
set wlan3 comment="WIFI 5G ELREDELBOCATA+"
set wlan4 comment="WIFI 2G ELREYDELBOCATA+"
/ip firewall layer7-protocol
add name=Youtube regexp="^.+(youtube|googlevideo).+\$"
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan1HOME-11 lease-time=1d name=\
dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 lease-time=1d \
name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Puente
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="Configuracion CAP"
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=11
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether4
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether9 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether10 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=*C pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=*D pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan3 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan4 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente tagged=Puente,ether4 vlan-ids=10
add bridge=Puente tagged=Puente,ether4 untagged=\
ether2,ether3,ether5,ether6,ether7,ether8,ether10 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlanCAP-10 list=LAN
add interface=vlan1HOME-11 list=LAN
add interface=vlan1HOME-11 list=BASE
add interface=ether10 list=BASE
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente interfaces=*C,*D
/ip address
add address=192.168.1.1/24 interface=vlan1HOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
add address=192.168.5.1/24 interface=ether10 network=192.168.5.0
/ip arp
add address=192.168.1.201 comment=Camara interface=Puente mac-address=\
00:62:6E:61:B5:85
add address=192.168.1.5 comment="CAMARA TERRAZA" interface=Puente \
mac-address=C4:D6:55:35:5D:F7
add address=192.168.1.2 interface=Puente mac-address=50:76:91:BD:2A:94
add address=192.168.1.166 comment="BARRA NUC CASHDRO" interface=Puente \
mac-address=C0:3F:D5:67:A7:0F
add address=192.168.1.167 comment="CAMARA CAFETERA" interface=Puente \
mac-address=00:62:6E:93:11:35
add address=192.168.1.9 comment="CAMARA SOTANO" interface=Puente mac-address=\
C4:D6:55:37:E5:F0
add address=192.168.1.11 comment="CAMARA OPTICA" interface=Puente \
mac-address=00:62:6E:4E:C7:DA
add address=192.168.1.54 comment="CAMARA LAVABO" interface=Puente \
mac-address=00:62:6E:A7:7A:08
add address=192.168.1.214 comment=CASHDRO interface=Puente mac-address=\
00:0E:C4:CD:49:F7
add address=192.168.1.13 comment="PC OFICINA" interface=Puente mac-address=\
84:47:09:0C:5F:9C
add address=192.168.1.173 comment="PC CAMARAS OFICINA" interface=Puente \
mac-address=B8:AE:ED:7A:07:7A
add address=192.168.1.16 comment="TASMOTA LUZ SALA" interface=Puente \
mac-address=DC:4F:22:2D:3E:B6
add address=192.168.200.128 comment="MI TELEFONO" interface=ether4 \
mac-address=48:2C:A0:FD:4C:44
add address=192.168.1.7 comment="GRABADOR CAMARAS" interface=Puente \
mac-address=98:DF:82:A3:B4:4B
add address=192.168.1.14 comment="TASMOTA VENTILADOR PLANCHA" interface=\
Puente mac-address=68:C6:3A:A2:E5:5F
add address=192.168.200.228 comment="CAMARA TERRAZA OPTICA WIF" interface=\
ether4 mac-address=2C:D2:6B:E7:43:E0
add address=192.168.1.19 comment="LUZ SALA 28/05/22" interface=Puente \
mac-address=4C:EB:D6:0F:D6:C3
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.176 comment="BOOX ONXY" mac-address=B0:F1:EC:21:A5:38 \
server=dhcp1
add address=192.168.1.3 client-id=1:7c:e9:d3:8f:f5:d8 comment=IMPRESORA \
mac-address=7C:E9:D3:8F:F5:D8 server=dhcp1
add address=192.168.1.18 client-id=1:0:11:32:ee:97:5 comment=SYNOLOGY \
mac-address=00:11:32:EE:97:05 server=dhcp1
add address=192.168.1.2 client-id=1:50:76:91:bd:2a:94 mac-address=\
50:76:91:BD:2A:94 server=dhcp1
add address=192.168.1.22 mac-address=5C:CF:7F:66:D5:57 server=dhcp1
add address=192.168.1.6 mac-address=5C:CF:7F:66:D4:B4 server=dhcp1
add address=192.168.1.26 mac-address=68:C6:3A:A2:EE:1F server=dhcp1
add address=192.168.1.16 comment="Tasmota Luz Sala" mac-address=\
DC:4F:22:2D:3E:B6 server=dhcp1
add address=192.168.1.45 client-id=1:cc:2d:e0:b5:29:70 comment="ROUTER WIFI2" \
mac-address=CC:2D:E0:B5:29:70 server=dhcp1
add address=192.168.1.14 comment="TASMOTA VENTILADOR PLANCHA" mac-address=\
68:C6:3A:A2:E5:5F server=dhcp1
add address=192.168.1.17 client-id=1:0:62:6e:fe:32:f4 comment=\
"CAMARA OPTICA TERRAZA" mac-address=00:62:6E:FE:32:F4 server=dhcp1
add address=192.168.200.228 client-id=1:2c:d2:6b:e7:43:e0 comment=\
"CAMARA OPTICA TERRAZA WIFI" mac-address=2C:D2:6B:E7:43:E0 server=dhcp2
add address=192.168.1.23 comment="LUZ SALA TASMOTA" mac-address=\
4C:EB:D6:0F:D6:C3 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list="Red LAN"
add address=192.168.200.0/24 list=REDVLAN
/ip firewall filter
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas:" \
connection-state=established,related
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=input comment=\
"Regla para aceptar el trafico que viene de nuestra Red VLAN" \
src-address-list=REDVLAN
add action=drop chain=input comment="Regla para denegar todo el trafico restan\
te, solo dejara entrar lo que este en el DST-NAT" connection-nat-state=\
!dstnat
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas y establecidas" \
connection-state=established,related,untracked
add action=drop chain=forward comment=\
"Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=forward comment=\
"Regla para aceptar el trafico que saldr\E1 que viene de nuestra Red LAN" \
src-address-list="Red LAN"
add action=accept chain=forward comment="Regla para aceptar el trafico que sal\
dr\E1 que viene de nuestra Red VLAN" src-address-list=REDVLAN
add action=drop chain=forward comment="Regla para denegar el resto del trafico\
\_a trav\E9s del router, a excepci\F3n del trafico que este autorizado con\
\_una regla DST-NAT" connection-nat-state=!dstnat
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="CAMARA LAVABO" in-interface=\
pppoe-out1 port=7250 protocol=tcp to-addresses=192.168.1.54
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 port=6200 protocol=tcp to-addresses=192.168.1.5
add action=dst-nat chain=dstnat comment="CAMARA SOTANO" in-interface=\
pppoe-out1 port=6100 protocol=tcp to-addresses=192.168.1.9
add action=dst-nat chain=dstnat comment="CAMARA CAFETERA" in-interface=\
pppoe-out1 port=7200 protocol=tcp to-addresses=192.168.1.167
add action=dst-nat chain=dstnat comment="CAMARA SOTANO" in-interface=\
pppoe-out1 port=6300 protocol=tcp to-addresses=192.168.1.11
add action=dst-nat chain=dstnat comment="CAMARA OPTICA TERRAZA" in-interface=\
pppoe-out1 port=6375 protocol=tcp to-addresses=192.168.1.17
add action=dst-nat chain=dstnat comment="MIKROTIK RED WIFI2" disabled=yes \
in-interface=pppoe-out1 port=8291 protocol=tcp to-addresses=192.168.200.1
add action=dst-nat chain=dstnat comment="GRABADOR DE CAMARAS" in-interface=\
pppoe-out1 port=8000,8001 protocol=tcp to-addresses=192.168.1.7
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
79.155.7.84 src-port=7200 to-addresses=192.168.1.215 to-ports=7200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=BAR
/system leds
set 0 leds="wlan4_signal1-led,wlan4_signal2-led,wlan4_signal3-led,wlan4_signal\
4-led,wlan4_signal5-led" type=wireless-signal-strength
add leds=wlan4_tx-led type=interface-transmit
add leds=wlan4_rx-led type=interface-receive
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE