Community discussions

 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

VLAN Trunking from RouterOS to SwOS

Wed Dec 21, 2022 10:57 pm

Hey folks, I have a HAP AC3 router with 2 access points and everything finally configured and working with CAPsMAN to control the on-board AP as well as the 2 x CAPs.

It is a bit of a complex setup that I originally put together with multiple SSIDs each of which terminates onto a bridge. I have SSIDs for

Management
Guest
Kids
IOT
Trusted wifi

And each of those has a bridge associated with it. I also have another bridge for wired management (but I may end up merging it with the wifi management).

Works great but now I want to introduce my new CSS326 24 port switch. At first I just want a single trunk port going to the router with VLAN trunking, but eventually want to upgrade it to a dual port LAG trunk.

Anyway I can't find any examples for this type of setup.

Things I need to do:
- update each bridge to have a VLAN and VLAN ID
- designate a port on the router for a trunk port
- currently the port to my switch is on my management bridge
- configure VLAN trunk on switch

I've made a few attempts at things which usually lead to losing contact with the switch and sometimes factory resetting it.

Are there any good examples out there for this? Or any other help?
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 21, 2022 11:08 pm

Why so complex?
You only need 1 bridge on hAP AC3.
Read this: viewtopic.php?t=143620

From your explanation it's for me unclear where your problem is.
On hAP or CSS?
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 21, 2022 11:46 pm

I'll let people who deal with bridges in RouterOS help you on that end, but on the SwitchOS part, that is insanely easy. I assume that other than the trunk port (or ports, after you set up the LAG) all the other ports will be untagged ports on an assortment of the VLANs. For those ports, on the VLAN and VLANs tabs, assign the desired VLAN. On the VLAN tab, VLAN Mode = Disabled, VLAN Receive = Only Untagged, and Default VLAN ID is the desired VLAN. For the trunk port or ports, VLAN Mode = Strict, VLAN Receive = Only tagged, and Default VLAN ID is a bogus number. Port 1 in this example is a VLAN trunk. Here is one of mine from a while ago:
Image

On the VLANs tab, add each VLAN and check the box for which port or ports will be on that VLAN. Again, here is one of mine:
Image

The LAG is really easy, but I don't have a screen capture of that already on my website - and I'm not home to be able to add one...

To start with, leave access to the switch (on the System tab) completely unrestricted until you have everything else working, you understand what the restrictions do, AND you have a saved backup from just before you start restricting it (so if you lock yourself out and need to reset, you don't lose any effort).
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunking from RouterOS to SwOS

Thu Dec 22, 2022 4:24 am

Concur with both: only one bridge is required, and use VLANs to separate groups of users; using bridges is an unnecessary complication.
Yes, you would trunk all VLANs to the switch (which is very happy to work with VLANs, not bridges).
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Thu Dec 22, 2022 3:41 pm

OK that's interesting about only 1 bridge. Last night while trying some things to make this work I locked myself out of my RouterOS - and I went through every possibility and I'm locked out to the point where I have to factory reset. I do have a recent backup but I was already thinking that the best path forward will be to build it all back up from scratch but this time build in the VLANs from the beginning instead of adding them on at the end. And it sounds like the best way to do that will be with just a single bridge.

The multiple bridges worked really well as a way to segregate everything really easily using firewall rules, but it seems like that method almost implies not using VLANs.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunking from RouterOS to SwOS

Thu Dec 22, 2022 6:12 pm

I also recommend taking one port OFF the bridge and using it as emergency access to the router in case the bridge or config burps; some prefer to configure the router from that port all the time.

Off bridge - viewtopic.php?t=182373

Vlan advice Para C. - viewtopic.php?t=182373
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 12:25 am

OK so I went back to the drawing board and redesigned it all with 1 bridge on my RouterOS side and all the VLANs connected to the bridge. I got it working but there is something strange which you can see from a screen shot of my firewall rules here:

https://photos.app.goo.gl/GWEuGCK2LcNh3w5G9

I was having an issue that when I would ping, for the first few seconds it would not ping (which was expected as per my FW rules) but then suddenly the ping would start pinging! It was very strange and I did not get this sort of behavior when I had the same network designed with bridges instead of VLANs.

And also some traffic that was supposed to work would not work - and I got a hunch that it was travelling in one direction but was not making its way back. And as part of that hunch I added a rule at the top which duplicated the default rule for existing and related connections, but instead of being on the input interface it was on forward. You see rule 3 at the top.

Then in each section for each of my VLANs I duplicated all existing rules one at a time and each time changed the interface from input to forward. And this looks like it has fixed my issue and it looks like it is wrong. You can see that both the input and forward rules get traffic.

I'm relatively new at Linux-style firewall rules with input, forward, mangle and so on, so I don't fully understand where the traffic is going that makes this work.

Can someone help me understand the traffic flow here and/or tell me a better way to do my rules? I am nervous going into production like this because it just doesn't seem like it should be right even though my testing does seem correct.

I also have my VLAN trunk going to the switch, and have a laptop wired into the switch. When I change the switch port VLAN and reload my network stack I get the IP according to the correct VLAN, and the behavior according to that. So really looks like it is working but still it does not seem right.
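The two chains split on the packet's destination, not on its direction: `input` sees only packets addressed to the router itself (DNS, DHCP, NTP, WinBox on the VLAN gateway address), while `forward` sees packets routed through the router from one interface to another. A ping from a kids-VLAN laptop to an IoT device never touches `input`, so `input` rules cannot block it; only `forward` can. The other thing to notice in the export above is that neither chain ends in a drop rule, and RouterOS accepts whatever no rule matched, so any inter-VLAN flow not explicitly dropped is allowed. The rule set below is an added example, not the poster's configuration or MikroTik's default: it reuses the `vl-*` interface names and the `WAN` list from the export, adds `VLAN` and `MGMT` interface lists (assumed names), and makes both chains default-deny so that policy lives in a few allow rules.

```routeros
# Added example (not the original export). Assumes the vl-* interfaces and
# the defconf WAN interface list from the export above; the VLAN and MGMT
# lists are created here. Apply from a management VLAN in Safe Mode.
/interface list
add name=VLAN comment="every routed VLAN interface"
add name=MGMT comment="interfaces that may manage the router"
/interface list member
add interface=vl-mgmt list=VLAN
add interface=vl-iot list=VLAN
add interface=vl-guest list=VLAN
add interface=vl-kids list=VLAN
add interface=vl-tr-wifi list=VLAN
add interface=vl-tr-wired list=VLAN
add interface=vl-mgmt list=MGMT
add interface=vl-tr-wired list=MGMT

/ip firewall filter
# ---- input chain: packets whose destination IS the router ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: replies to sessions the router already knows"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept protocol=icmp in-interface-list=!WAN \
    comment="input: ping the router from inside only"
add chain=input action=accept in-interface-list=VLAN protocol=udp \
    dst-port=53,67,123 comment="input: DNS, DHCP and NTP for every VLAN"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 \
    comment="input: DNS over TCP for every VLAN"
add chain=input action=accept in-interface-list=MGMT \
    comment="input: WinBox/WebFig/SSH only from management interfaces"
add chain=input action=drop comment="input: drop everything else, WAN included"

# ---- forward chain: packets routed THROUGH the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="forward: fasttrack established"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: reply traffic for allowed sessions"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN comment="forward: every VLAN may reach the Internet"
add chain=forward action=accept connection-state=new in-interface=vl-tr-wifi \
    out-interface-list=VLAN comment="forward: trusted wifi reaches every VLAN"
add chain=forward action=accept connection-state=new in-interface=vl-tr-wired \
    out-interface-list=VLAN comment="forward: trusted wired reaches every VLAN"
add chain=forward action=accept connection-state=new in-interface=vl-kids \
    out-interface=vl-iot comment="forward: kids -> IoT"
add chain=forward action=accept connection-state=new in-interface=vl-kids \
    out-interface=vl-guest comment="forward: kids -> guest"
add chain=forward action=accept connection-state=new in-interface-list=WAN \
    connection-nat-state=dstnat comment="forward: only port-forwarded traffic from WAN"
add chain=forward action=drop \
    comment="forward: drop all other inter-VLAN and WAN traffic"
```

Because only `connection-state=new` packets are evaluated against the allow rules and the return path is covered by the established/related rule at the top, there is no need to duplicate each rule for the reverse direction. The final drop in each chain is what turns the list into a default-deny policy; before adding it, confirm the interface you are connected from is in `MGMT`, and watch the counters with `/ip firewall filter print stats` to see which rule a test flow actually hits.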
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 12:43 am

For RouterOS please don't post screen captures. Export and post the config file. For SwitchOS, you don't have a choice as the GUI is all you get.

To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 1:58 am

OK thanks I'll do that - I only use the GUI so that's what I posted. But I'll export now and share.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 2:02 am

# dec/27/2022 19:00:25 by RouterOS 7.6
# software id = BXS9-F76C
#
# model = RBD53iG-5HacD2HnD
# serial number = HD10846D5W3
/interface bridge
add admin-mac=18:FD:74:85:DD:FC auto-mac=no comment=defconf name=br-mgmt
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether2 ] name=eth2-CAP-01
set [ find default-name=ether3 ] name=eth3-CAP-02
set [ find default-name=ether4 ] name=eth4-SW
set [ find default-name=ether5 ] name=eth5-mgmt poe-out=off
/interface wireless
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(21dBm), SSID: MT-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5 ssid=MT-5 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: MT-24, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    wlan-24 ssid=MikroTik-85DE00 wireless-protocol=802.11
/interface vlan
add interface=br-mgmt name=vl-guest vlan-id=66
add interface=br-mgmt name=vl-iot vlan-id=55
add interface=br-mgmt name=vl-kids vlan-id=77
add interface=br-mgmt name=vl-mgmt vlan-id=1
add interface=br-mgmt name=vl-tr-wifi vlan-id=99
add interface=br-mgmt name=vl-tr-wired vlan-id=88
/caps-man datapath
add bridge=br-mgmt name=dpath-mgmt vlan-id=1 vlan-mode=use-tag
add bridge=br-mgmt name=dpath-trusted vlan-id=99 vlan-mode=use-tag
add bridge=br-mgmt name=dpath-guest vlan-id=66 vlan-mode=use-tag
add bridge=br-mgmt name=dpath-kids vlan-id=77 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-mgmt
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-trusted
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-kids
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-IOT
/caps-man configuration
add channel.band=2ghz-b/g/n country=canada datapath.bridge=br-mgmt \
    .client-to-client-forwarding=no .local-forwarding=no distance=indoors \
    installation=any mode=ap name=capcfg-mgmt-24 security=capsec-mgmt ssid=\
    MT-24
add channel.band=5ghz-a/n/ac country=canada datapath.bridge=br-mgmt distance=\
    indoors installation=any mode=ap name=capcfg-mgmt-5 security=capsec-mgmt \
    ssid=MT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-24 security=capsec-kids \
    ssid=Dity-24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-5 security=capsec-kids \
    ssid=Dity-5
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-5 security=\
    capsec-guest ssid=IDontTrustYou5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-24 security=\
    capsec-guest ssid=IDontTrustYou24
add channel.band=2ghz-b/g/n country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-24 security=\
    capsec-trusted ssid=Doviryayu24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-5 security=\
    capsec-trusted ssid=Doviryayut5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add bridge=br-mgmt interface-list=all name=dpath-iot vlan-id=55 vlan-mode=\
    use-tag
/caps-man configuration
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-5 security=capsec-IOT \
    ssid=IOT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-24 security=capsec-IOT \
    ssid=IOT-24
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.199.22-10.0.199.222
add name=pool-dhcp-iot ranges=10.0.55.22-10.0.55.222
add name=pool-dhcp-guest ranges=10.0.66.22-10.0.66.222
add name=pool-dhcp-kids ranges=10.0.77.22-10.0.77.222
add name=pool-dhcp-tr-wifi ranges=10.0.99.22-10.0.99.222
add name=pool-dhcp-tr-wired ranges=10.0.88.22-10.0.88.222
/ip dhcp-server
add address-pool=dhcp interface=br-mgmt name=defconf
add address-pool=pool-dhcp-iot interface=vl-iot name=dhcp-iot
add address-pool=pool-dhcp-guest interface=vl-guest name=dhcp-guest
add address-pool=pool-dhcp-kids interface=vl-kids name=dhcp-kids
add address-pool=pool-dhcp-tr-wifi interface=vl-tr-wifi name=dhcp-wifi
add address-pool=pool-dhcp-tr-wired interface=vl-tr-wired name=dhcp-tr-wired
/caps-man manager
set ca-certificate=CAPsMAN-CA-18FD7485DDFB certificate=CAPsMAN-18FD7485DDFB \
    enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:85:DE:00 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:85:DE:01 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:99:87:16 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:99:87:17 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:5F:AE:A6 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:5F:AE:A7 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
/interface bridge port
add bridge=br-mgmt comment=defconf interface=eth2-CAP-01
add bridge=br-mgmt comment=defconf interface=eth3-CAP-02
add bridge=br-mgmt comment=defconf interface=eth4-SW
add bridge=br-mgmt comment=defconf interface=eth5-mgmt
add bridge=br-mgmt comment=defconf interface=wlan-24
add bridge=br-mgmt comment=defconf interface=wlan-5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=br-mgmt vlan-ids=55,1
/interface list member
add comment=defconf interface=br-mgmt list=LAN
add comment=defconf interface=eth1-WAN list=WAN
/interface wireless cap
# 
set bridge=br-mgmt caps-man-addresses=127.0.0.1 certificate=\
    CAPsMAN-18FD7485DDFB discovery-interfaces=br-mgmt enabled=yes interfaces=\
    wlan-24,wlan-5
/ip address
add address=10.0.199.1/24 comment=defconf interface=br-mgmt network=\
    10.0.199.0
add address=10.0.55.1/24 interface=vl-iot network=10.0.55.0
add address=10.0.88.1/24 interface=vl-tr-wired network=10.0.88.0
add address=10.0.99.1/24 interface=vl-tr-wifi network=10.0.99.0
add address=10.0.77.1/24 interface=vl-kids network=10.0.77.0
add address=10.0.66.1/24 interface=vl-guest network=10.0.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=eth1-WAN
/ip dhcp-server network
add address=10.0.55.0/24 dns-server=10.0.55.1 gateway=10.0.55.1
add address=10.0.66.0/24 dns-server=10.0.66.1 gateway=10.0.66.1
add address=10.0.77.0/24 dns-server=10.0.77.1 gateway=10.0.77.1
add address=10.0.88.0/24 dns-server=10.0.88.1 gateway=10.0.88.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=10.0.199.0/24 comment=defconf dns-server=10.0.199.1 gateway=\
    10.0.199.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.199.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.55.0/24 list=SN-WF-IOT
add address=10.0.66.0/24 list=SN-WF-GUEST
add address=10.0.77.0/24 list=SN-WF-KIDS
add address=10.0.88.0/24 list=SN-TR-WIRED
add address=10.0.99.0/24 list=SN-TR-WIFI
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
add address=10.0.199.0/24 list=SN-MGMT
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all coming in from WAN" \
    in-interface-list=WAN
add action=accept chain=input comment=\
    "IOT has no access to other internal subnets" dst-address=10.0.55.1 \
    dst-port=67,53,123 in-interface=vl-iot protocol=udp src-address-list=\
    SN-WF-IOT
add action=accept chain=forward dst-address=10.0.55.1 dst-port=67,53,123 \
    in-interface=vl-iot protocol=udp src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918-10 in-interface=vl-iot \
    src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-iot src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-iot src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-WF-IOT
add action=accept chain=input comment=\
    "allow trusted wifi to all internal subnets" connection-nat-state="" \
    dst-address-list=RFC1918-10 in-interface=vl-tr-wifi src-address-list=\
    SN-TR-WIFI
add action=accept chain=forward connection-nat-state="" dst-address-list=\
    RFC1918-10 src-address-list=SN-TR-WIFI
add action=accept chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-TR-WIFI
add action=accept chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-TR-WIFI
add action=accept chain=input comment="allow kids to IOT and Guest networks" \
    dst-address=10.0.77.1 dst-port=67,53,123 in-interface=vl-kids protocol=\
    udp src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address=10.0.77.1 dst-port=67,53,123 \
    protocol=udp src-address-list=SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-IOT in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-IOT src-address-list=\
    SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-GUEST in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-GUEST \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918-10 in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-WF-KIDS
add action=accept chain=input comment=\
    "allow trusted wired to all internal subnets" dst-address-list=RFC1918-10 \
    in-interface=vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-TR-WIRED
add action=accept chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-TR-WIRED
add action=accept chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-TR-WIRED
add action=accept chain=input comment=\
    "Block GUESTs from all internal subnets" dst-address=10.0.66.1 dst-port=\
    67,53,123 in-interface=vl-guest protocol=udp src-address-list=SN-WF-GUEST
add action=accept chain=forward dst-address=10.0.66.1 dst-port=67,53,123 \
    protocol=udp src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918-10 in-interface=vl-guest \
    src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-guest src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-guest src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-WF-GUEST
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.99.0/24,10.0.199.0/24,10.0.88.0/24
set www-ssl address=10.0.99.0/24,10.0.199.0/24,10.0.88.0/24
set winbox address=10.0.99.0/24,10.0.199.0/24,10.0.88.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MT-Router-01
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 2:12 am

One side question - I don't use LAN for anything and I did not change the default settings for it.

I see this "set allowed-interface-list=LAN" but I google and cannot find any reference to the "allowed-interface-list" setting to know what this does.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 3:21 am

OK reviewing some of the VLAN example configs posted in the important reference threads here I see I did not have VLAN filtering enabled on my bridge - that's got to be an issue of some sort or another.

And I also see some basic stuff that gives me some hints as to the data flows for input and forward chains. Namely this snippet, which I also have a question about, but maybe I'll ask it in that thread rather than here.
##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Dec 28, 2022 3:45 am

Somewhere in the manual wiki there is a (rather complex) diagram that explains input, forward, mangle and so forth, and the order in which they are applied. But I can't seem to find it now. It seems I should go re-read this :-)
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 3:49 am

I don't seem to be getting a lot of interest in helping me out. I've been going through numerous examples in the wiki and the YouTube channels that are recommended from the various sticky links, like The Network Berg and so on. Those are all great, really simple examples of 1 simple thing, but the problem is I don't have 1 simple thing. Here is basically my setup:

5 Port HAP AC3
2 x CAP AC3
1 x SwOS 24 Port Switch

Eth1 - WAN - working
Eth2 - bridge br-main -> CAP-01
Eth3 - bridge br-main -> CAP-02
Eth4 - bridge br-main -> Switch (SwOS)
Eth5 - bridge br-mgmt no VLANs -> SSID MT-24 and MT-5 tied to this bridge along with the port so that I can mess with the other bridge to get the settings right, without losing connection. This part is working great but I'm not getting anywhere with the config of br-main and its ports

Question: should Eth2 and Eth3 be VLAN trunks with vlan-filtering turned on on the bridge?

From all the examples I am reading it tells me I need to turn on VLAN filtering on the bridge because this is the "new way" and is the only correct way to do VLANs that are compatible with the industry standard protocols. But then I end up with a strange message "port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry" which I track down to this thread : viewtopic.php?t=162560 which I think is telling me that my issue is that I have eth2 and eth3 (the CAPs) terminating on the bridge but not tagged trunk ports.

When I turn them on as tagged trunk ports and turn on VLAN filtering on br-main, that whole bridge locks up.

I'll post my config in a moment in another message.
Last edited by fuddleduddle on Sat Dec 31, 2022 3:57 am, edited 1 time in total.
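The warning quoted above appears when a bridge port's pvid (the VLAN its untagged frames are placed in) has no explicit entry in `/interface bridge vlan`, so the bridge invents a dynamic untagged entry for it. The usual cause of a bridge "locking up" when `vlan-filtering` is switched on is the same table being incomplete: once filtering is active, the bridge itself (`br-main`) must be listed as `tagged` on every VLAN that has a `vl-*` interface, otherwise the router's own gateway addresses stop receiving frames and every VLAN goes dark at once. The block below is an added example and not the poster's export or a MikroTik reference configuration. It uses the port and VLAN names from the export above and assumes management VLAN 11 (`vl-mgmt`) with an address of 10.0.11.1/24, that the CAPs reach CAPsMAN untagged on that VLAN, and that `eth5-mgmt` stays off the bridge as the emergency port with the assumed address 192.168.88.1/24. It also puts that port into the `LAN` list, which is what `allowed-interface-list=LAN` under `/tool mac-server` in the export consults: MAC-telnet and MAC-WinBox answer only on interfaces in that list.

```routeros
# Added example (not the original export). Names come from the export above;
# VLAN 11, 10.0.11.1/24 and 192.168.88.1/24 are assumptions for this example.
# Step 1: bridge with filtering still OFF; it is enabled in the last step.
/interface bridge
add name=br-main vlan-filtering=no comment="VLAN filtering turned on last"

# Step 2: ports. eth4-SW is a pure trunk to the CSS326 (tagged frames only);
# eth2/eth3 carry the CAPs' management traffic untagged (pvid) plus the
# SSID VLANs tagged. eth5-mgmt is deliberately NOT a bridge port.
/interface bridge port
add bridge=br-main interface=eth4-SW pvid=11 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged comment="trunk to SwOS switch"
add bridge=br-main interface=eth2-CAP-01 pvid=11 ingress-filtering=yes \
    frame-types=admit-all comment="CAP-01: mgmt untagged, others tagged"
add bridge=br-main interface=eth3-CAP-02 pvid=11 ingress-filtering=yes \
    frame-types=admit-all comment="CAP-02: mgmt untagged, others tagged"

# Step 3: the VLAN table. One entry per VLAN; "br-main" in tagged= is what
# lets the router's own vl-* interfaces send and receive on that VLAN.
# The explicit untagged= entry for VLAN 11 is what removes the
# "port with pvid added to untagged group" warning on eth2/eth3.
/interface bridge vlan
add bridge=br-main vlan-ids=11 tagged=br-main,eth4-SW \
    untagged=eth2-CAP-01,eth3-CAP-02 comment="management"
add bridge=br-main vlan-ids=55 tagged=br-main,eth4-SW,eth2-CAP-01,eth3-CAP-02 \
    comment="IoT"
add bridge=br-main vlan-ids=66 tagged=br-main,eth4-SW,eth2-CAP-01,eth3-CAP-02 \
    comment="guest"
add bridge=br-main vlan-ids=77 tagged=br-main,eth4-SW,eth2-CAP-01,eth3-CAP-02 \
    comment="kids"
add bridge=br-main vlan-ids=88 tagged=br-main,eth4-SW comment="trusted wired"
add bridge=br-main vlan-ids=99 tagged=br-main,eth4-SW,eth2-CAP-01,eth3-CAP-02 \
    comment="trusted wifi"

# Step 4: layer-3 interfaces on top of the bridge, one per VLAN.
/interface vlan
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-guest vlan-id=66
add interface=br-main name=vl-kids vlan-id=77
add interface=br-main name=vl-tr-wired vlan-id=88
add interface=br-main name=vl-tr-wifi vlan-id=99

# Step 5: addresses. The emergency port gets its own subnet off the bridge
# (assumed values), so it keeps working whatever happens to br-main.
/ip address
add address=10.0.11.1/24 interface=vl-mgmt comment="assumed mgmt address"
add address=192.168.88.1/24 interface=eth5-mgmt comment="off-bridge emergency access"
/interface list member
add interface=eth5-mgmt list=LAN comment="MAC-WinBox/MAC-telnet answer here"
add interface=vl-mgmt list=LAN

# Step 6: only now, from the emergency port or in Safe Mode, enable filtering.
/interface bridge
set br-main vlan-filtering=yes
```

Before the last step, `/interface bridge vlan print` shows any dynamic (`D`) entries the bridge had to invent; each one is a VLAN or port the static table is missing. Plug the laptop into `eth5-mgmt` for the cut-over, or enable Safe Mode in WinBox so that a lost session rolls the change back, and only then move the management SSIDs and `eth5` onto the bridge if that is still wanted.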
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 3:51 am

Here is my config
# dec/30/2022 20:50:07 by RouterOS 7.6
# software id = BXS9-F76C
#
# model = RBD53iG-5HacD2HnD
# serial number = HD10846D5W3
/caps-man datapath
add name=dpath-mgmt
/interface bridge
add admin-mac=18:FD:74:85:DD:FC auto-mac=no comment=defconf \
    ingress-filtering=no name=br-main vlan-filtering=yes
add name=br-mgmt
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether2 ] name=eth2-CAP-01
set [ find default-name=ether3 ] name=eth3-CAP-02
set [ find default-name=ether4 ] name=eth4-SW
set [ find default-name=ether5 ] name=eth5-mgmt poe-out=off
/interface wireless
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(21dBm), SSID: MT-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5 ssid=MT-5 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: MT-24, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    wlan-24 ssid=MikroTik-85DE00 wireless-protocol=802.11
/interface vlan
add interface=br-main name=vl-guest vlan-id=66
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-kids vlan-id=77
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-mgmt-old vlan-id=199
add interface=br-main name=vl-tr-wifi vlan-id=99
add interface=br-main name=vl-tr-wired vlan-id=88
/caps-man datapath
add bridge=br-main name=dpath-trusted vlan-id=99 vlan-mode=use-tag
add bridge=br-main name=dpath-guest vlan-id=66 vlan-mode=use-tag
add bridge=br-main name=dpath-kids vlan-id=77 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-mgmt
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-trusted
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-kids
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-IOT
/caps-man configuration
add channel.band=2ghz-b/g/n country=canada datapath.bridge=br-mgmt \
    .client-to-client-forwarding=no .local-forwarding=no distance=indoors \
    installation=any mode=ap name=capcfg-mgmt-24 security=capsec-mgmt ssid=\
    MT-24
add channel.band=5ghz-a/n/ac country=canada datapath.bridge=br-mgmt distance=\
    indoors installation=any mode=ap name=capcfg-mgmt-5 security=capsec-mgmt \
    ssid=MT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-24 security=capsec-kids \
    ssid=Dity-24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-5 security=capsec-kids \
    ssid=Dity-5
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-5 security=\
    capsec-guest ssid=IDontTrustYou5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-24 security=\
    capsec-guest ssid=IDontTrustYou24
add channel.band=2ghz-b/g/n country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-24 security=\
    capsec-trusted ssid=Doviryayu24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-5 security=\
    capsec-trusted ssid=Doviryayut5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add bridge=br-main interface-list=all name=dpath-iot vlan-id=55 vlan-mode=\
    use-tag
/caps-man configuration
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-5 security=capsec-IOT \
    ssid=IOT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-24 security=capsec-IOT \
    ssid=IOT-24
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=pool-dhcp-default ranges=10.0.199.22-10.0.199.222
add name=pool-dhcp-iot ranges=10.0.55.22-10.0.55.222
add name=pool-dhcp-guest ranges=10.0.66.22-10.0.66.222
add name=pool-dhcp-kids ranges=10.0.77.22-10.0.77.222
add name=pool-dhcp-tr-wifi ranges=10.0.99.22-10.0.99.222
add name=pool-dhcp-tr-wired ranges=10.0.88.22-10.0.88.222
add name=pool-dhcp-mgmt ranges=10.0.11.22-10.0.11.222
/ip dhcp-server
add address-pool=pool-dhcp-default interface=br-main name=defconf
add address-pool=pool-dhcp-iot interface=vl-iot name=dhcp-iot
add address-pool=pool-dhcp-guest interface=vl-guest name=dhcp-guest
add address-pool=pool-dhcp-kids interface=vl-kids name=dhcp-kids
add address-pool=pool-dhcp-tr-wifi interface=vl-tr-wifi name=dhcp-wifi
add address-pool=pool-dhcp-tr-wired interface=vl-tr-wired name=dhcp-tr-wired
add address-pool=pool-dhcp-mgmt interface=br-mgmt name=dhcp-mgmt
/caps-man manager
set ca-certificate=CAPsMAN-CA-18FD7485DDFB certificate=CAPsMAN-18FD7485DDFB \
    enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:85:DE:00 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:85:DE:01 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:99:87:16 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:99:87:17 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:5F:AE:A6 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:5F:AE:A7 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
/interface bridge port
add bridge=br-main comment=defconf ingress-filtering=no interface=eth2-CAP-01
add bridge=br-main comment=defconf interface=eth3-CAP-02
add bridge=br-main comment=defconf frame-types=admit-only-vlan-tagged \
    interface=eth4-SW
add bridge=br-mgmt comment=defconf interface=eth5-mgmt
add bridge=br-main comment=defconf interface=wlan-24
add bridge=br-main comment=defconf interface=wlan-5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=br-main tagged=eth4-SW vlan-ids=55,1,11,66,77,88,99,199
add bridge=br-mgmt vlan-ids=11,199
/interface list member
add comment=defconf interface=br-main list=LAN
add comment=defconf interface=eth1-WAN list=WAN
/interface wireless cap
# 
set bridge=br-main caps-man-addresses=127.0.0.1 certificate=\
    CAPsMAN-18FD7485DDFB discovery-interfaces=br-main enabled=yes interfaces=\
    wlan-24,wlan-5
/ip address
add address=10.0.199.1/24 interface=br-main network=10.0.199.0
add address=10.0.55.1/24 interface=vl-iot network=10.0.55.0
add address=10.0.88.1/24 interface=vl-tr-wired network=10.0.88.0
add address=10.0.99.1/24 interface=vl-tr-wifi network=10.0.99.0
add address=10.0.77.1/24 interface=vl-kids network=10.0.77.0
add address=10.0.66.1/24 interface=vl-guest network=10.0.66.0
add address=10.0.11.1/24 interface=br-mgmt network=10.0.11.0
/ip dhcp-client
add comment=defconf interface=eth1-WAN
/ip dhcp-server network
add address=10.0.11.0/24 dns-server=10.0.11.1 gateway=10.0.11.1
add address=10.0.55.0/24 dns-server=10.0.55.1 gateway=10.0.55.1
add address=10.0.66.0/24 dns-server=10.0.66.1 gateway=10.0.66.1
add address=10.0.77.0/24 dns-server=10.0.77.1 gateway=10.0.77.1
add address=10.0.88.0/24 dns-server=10.0.88.1 gateway=10.0.88.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=10.0.199.0/24 comment=defconf dns-server=10.0.199.1 gateway=\
    10.0.199.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.199.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.55.0/24 list=SN-WF-IOT
add address=10.0.66.0/24 list=SN-WF-GUEST
add address=10.0.77.0/24 list=SN-WF-KIDS
add address=10.0.88.0/24 list=SN-TR-WIRED
add address=10.0.99.0/24 list=SN-TR-WIFI
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
add address=10.0.199.0/24 list=SN-OLD-MGMT
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=10.0.11.0/24 list=SN-MGMT
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all coming in from WAN" \
    in-interface-list=WAN
add action=accept chain=input comment=\
    "IOT has no access to other internal subnets" dst-address=10.0.55.1 \
    dst-port=67,53,123 protocol=udp src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-iot \
    src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-IOT
add action=accept chain=input comment=\
    "allow trusted wifi to all internal subnets" dst-address-list=RFC1918 \
    in-interface=vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-TR-WIFI
add action=accept chain=input comment=\
    "allow kids to IOT and Guest networks but nothing else" dst-address=\
    10.0.77.1 dst-port=67,53,123 protocol=udp src-address-list=SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-IOT in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-IOT src-address-list=\
    SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-GUEST in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-GUEST \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-KIDS
add action=accept chain=input comment="allow MGMT to all internal subnets" \
    dst-address-list=RFC1918 in-interface=br-mgmt src-address-list=SN-MGMT
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-MGMT
add action=accept chain=input comment=\
    "allow trusted wired to all internal subnets" dst-address-list=RFC1918 \
    in-interface=vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-TR-WIRED
add action=accept chain=input comment=\
    "Block GUESTs from all internal subnets" dst-address=10.0.66.1 dst-port=\
    67,53,123 protocol=udp src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-guest \
    src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-GUEST
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set ssh address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set www-ssl address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24 \
    disabled=no
set winbox address=10.0.99.0/24,10.0.88.0/24,10.0.199.0/24,10.0.11.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MT-Router-01
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

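One way to lay out the single-bridge version of the setup asked about above (trunk to the CSS326, CAP ports, management VLAN), written as an added example for this thread; it is not part of the posted config and not anything MikroTik ships. Interface names, VLAN IDs and the 10.0.x.0/24 addressing are taken from the export above; the CAPsMAN datapath, DHCP and firewall parts are left as posted. It assumes CAPsMAN forwarding (local-forwarding=no), so the two CAP ports only carry untagged management traffic plus CAPWAP to the manager; with local forwarding they would instead be trunks like eth4-SW and would need to be listed as tagged for 55,66,77,99 too. The MGMT interface list and the Safe Mode step are assumptions added for illustration.

```routeros
# Added example, not the poster's config. Names and VLAN IDs come from the
# export in this thread; the rest is an assumption for illustration.
# Assumption: CAPsMAN forwarding (local-forwarding=no), so CAP ports are plain
# management access ports. VLAN 1 is not used anywhere on purpose.

# 1. One bridge. Leave vlan-filtering OFF until the table below is complete;
#    enabling it with br-main missing from the tagged list is what cuts you off.
/interface bridge
add name=br-main protocol-mode=rstp vlan-filtering=no

# 2. Ports. Trunk to the switch admits tagged frames only, with ingress
#    filtering, so an untagged frame from a mis-set switch port is dropped
#    rather than landing in the bridge's own PVID. CAP ports and the local
#    management port are access ports on VLAN 11.
/interface bridge port
add bridge=br-main interface=eth4-SW pvid=1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=br-main interface=eth2-CAP-01 pvid=11 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-main interface=eth3-CAP-02 pvid=11 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-main interface=eth5-mgmt pvid=11 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 3. VLAN table. br-main itself must be tagged on every VLAN the router routes
#    (the /interface vlan sub-interfaces hang off br-main; without this the CPU
#    never sees that VLAN). A VLAN that has untagged ports gets its own entry.
#    Never put a port's PVID (including the bridge's default 1) into a
#    multi-ID entry: that is the "port with pvid added to untagged group"
#    warning from the export above.
/interface bridge vlan
add bridge=br-main vlan-ids=11 tagged=br-main,eth4-SW \
    untagged=eth2-CAP-01,eth3-CAP-02,eth5-mgmt
add bridge=br-main vlan-ids=55,66,77,99 tagged=br-main,eth4-SW
add bridge=br-main vlan-ids=88 tagged=br-main,eth4-SW

# 4. L3 interface per VLAN; addresses, pools and DHCP servers as posted,
#    moved from br-main/br-mgmt onto these.
/interface vlan
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-guest vlan-id=66
add interface=br-main name=vl-kids vlan-id=77
add interface=br-main name=vl-tr-wired vlan-id=88
add interface=br-main name=vl-tr-wifi vlan-id=99
/ip address
add address=10.0.11.1/24 interface=vl-mgmt

# 5. Management plane reachable only from the management VLAN. The posted
#    config allows MAC-Winbox and neighbor discovery on the whole LAN list
#    (i.e. every VLAN on br-main); an assumed MGMT list narrows that.
/interface list
add name=MGMT
/interface list member
add interface=vl-mgmt list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip service
set winbox address=10.0.11.0/24
set ssh address=10.0.11.0/24
set www-ssl address=10.0.11.0/24 disabled=no
set www disabled=yes

# 6. Last step, from a terminal session in Safe Mode (Ctrl-X) on a port that
#    stays reachable (eth5-mgmt here). If the session drops before you leave
#    Safe Mode, RouterOS rolls the change back.
/interface bridge
set br-main vlan-filtering=yes
```

To check the result before plugging in the switch, `/interface bridge vlan print` should show br-main and eth4-SW as tagged on every ID with no "dynamic" VLAN 1 entry carrying real ports, and `/interface bridge host print` should list the CAPs' MACs on VLAN 11 only. On the CSS326 side the matching port is the k6ccc pattern from earlier in the thread: VLAN Mode Strict, VLAN Receive Only tagged, and a default VLAN ID that is not one of 11,55,66,77,88,99.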
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 4:55 am

Somewhere in the manual wiki there is a (rather complex) diagram that explains input, forward, mangle and so forth, and the order in which they are applied. But I can't seem to find it now. It seems I should go re-read this :-)
This is probably what you are remembering: Firewall Filter

or perhaps you were remembering the even more complicated: Packet Flow in RouterOS
 
erlinden
Forum Guru
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 11:25 am

I still see two bridges, as mentioned earlier please stick to one bridge.
When it comes to VLAN, please use this topic only:
viewtopic.php?t=143620

It has got lots of examples and will guide you to a working environment.
My experience is that there is a lot of crap, especially on YouTube, when it comes to Mikrotik.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 3:42 pm

Thanks Buckeye those are both the ones I was looking for!

Regarding my management bridge - I think it is irrelevant. I am not trying to integrate it in any way with br-main; it is just a static configuration that gives me access while I mess around with br-main to get it working, so I won't lose connection to the device. When I get br-main working it is very likely that br-mgmt will disappear.

The thing I am confused with concerning that VLAN thread is that it was created before the "new method" was created - and everything I read since the introduction of the "new method" says it is the only method that should be used. So doesn't that VLAN thread need revision? Anyway I will do my best to work through that to see what I can come up with.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 6:30 pm

The thing I am confused with concerning that VLAN thread is that it was created before the "new method" was created - and everything I read since the introduction of the "new method" says it is the only method that should be used. So doesn't that VLAN thread need revision? Anyway I will do my best to work through that to see what I can come up with.
OK this turns out not to be the case. By "new method" I mean the introduction of Bridge VLAN table

https://help.mikrotik.com/docs/display/ ... VLAN+Table
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 6:35 pm

Anyway best I can tell I seem to be doing what's in the first example in the VLAN thread except I'm doing it through the GUI so maybe I'm not getting exactly what I'm going for.

Maybe I need to start doing my own config files from scratch I'm just not sure how to go about that - do I upload a file into the "files" section and then restore it?

I'd rather stick with the GUI for now at least.

And still have my basic question from a couple of posts ago about what's the right way to connect my CAPs - I read through the VLAN thread and it says my APs should be on the management VLAN I'm just not exactly sure how to accomplish that. Maybe I should strip it down and start from scratch again with the first step being just getting the hard-wired network set up between my CAPs and my router with everything working on my management VLAN.
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 11:04 pm

Anyway best I can tell I seem to be doing what's in the first example in the VLAN thread except I'm doing it through the GUI so maybe I'm not getting exactly what I'm going for.
What you configure with WebFig or WinBox will modify the same "configuration" as the CLI modifies, so you can export your config before you make a change with the GUI, and then do another export after the change, and use a text difference reporting tool (like the open source WinMerge utility you can install on Windows) to see what the change made with the GUI really did.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 11:57 pm

Sorry, normally more focused but with xmas and NYs, less time to devote to forums......
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 11:58 pm

OK so here is what I decided on - I factory reset everything and am building from the ground up but starting with hard-wired networking first.

I already have a single bridge on the HAP AC3 and each of the 2 CAPs, with VLANs configured and static IPs set on each of the 3 devices on my management VLAN.

Yay!

I have not yet integrated the switch that will come. Right now I am trying to sort out the ins and outs of allowing them to be managed on the management IP.

But I think I may take a break for New Year's Eve. I'm pleased with what I have going here at the moment. Once I get management going on my management IPs it should be relatively easy to add the CAPsMAN stuff because I feel like I know that part pretty well now.

I'll document this all when I'm done and share it.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Sat Dec 31, 2022 11:59 pm

Merry Christmas anav - I noticed earlier that you are a fellow Bluenoser! I'm currently ex-pat though.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunking from RouterOS to SwOS

Mon Jan 02, 2023 4:17 am

Merry xmas to you too...........

Living the dream on the right side of the Harbour LOL.........
In any case, post your current config before you go too far...........want to nip things early, so to speak.
 
fuddleduddle
newbie
Topic Author
Posts: 29
Joined: Wed Dec 07, 2022 4:32 am

Re: VLAN Trunking from RouterOS to SwOS

Wed Jan 04, 2023 5:12 pm

Will do - I haven't touched it in a few days but I think I know where I need to go. Want to get this one wrapped up soon so I can replace all my old Ubiquiti gear.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunking from RouterOS to SwOS

Wed Jan 04, 2023 8:03 pm

Personally with only two capacs, I would skip capsman and just set them up as accessible APs.
Most of your config is cap bloat LOL.
Unless you need some sort of extra control between users that capsman may provide, and use of vlans is sufficient to block users from each other,
along with commensurate firewall rules, caps IMHO is an unnecessary complication :-)

Dont get me wrong, its cool and would translate well to running a business location with multiple like 5 or more CAPACs................but for only 2, its a wonderful exercise, but probably a waste of time for having a clean concise config.

In truth, whenever I start to see capsman in a config, I pass and move to another thread, that is the level of my disdain and lack of comfort LOL
