RodoggA

Getting Started with Mikrotik & Home Network Guidance

Sun Feb 12, 2023 3:11 pm

Hi Everyone,

As a renter, I'm trying to structure my home lab so that if I move in with someone else, I can hook it into the existing network with minimal changes.

Current Use Case
I'm home-sharing with the landlord, and I'm trying to set things up so that their existing network (192.168.1.0/24) is segmented from my side (my own subnets and VLANs). That way I can experiment without breaking the rest of the house network: only devices on my side of the hAP ax2 would be affected.

I'm only just getting started with Mikrotik since a colleague recommended it. This is what my network looks like:
Image

The whole idea is that if I move to another place, I can plug my hAP ax2 into whatever router is already there and remain isolated from the rest of that network, free to break things through trial and error.

I'm using a Cloudflare Tunnel to reach applications hosted internally, so that I can avoid port forwarding on the landlord's router.
This is where I'm stuck: an application hosted on a VM returns a "bad gateway" error when accessed through the Cloudflare Tunnel, yet I can reach it fine internally using its internal IP.

When I discussed this with colleagues, they said that to reach internally hosted applications I would need either port forwarding or a DMZ. I'm hoping the Cloudflare Tunnel lets me avoid both.

This is my current configuration:
bash
[admin@MikroTik] > export compact 
# feb/12/2023 20:49:24 by RouterOS 7.7
#
# hAP ax2 placed behind the landlord's router (192.168.1.0/24 per the post): ether1 is the
# uplink/WAN side, ether2 is a trunk to the lab core switch carrying VLANs 99 and 100, and
# the defconf 192.168.88.0/24 bridge holds the (disabled) ether3-5 ports plus both Wi-Fi radios.
# "export compact" prints only non-default settings, so anything absent below (users,
# /ip service, Wi-Fi security) is either at RouterOS defaults or not configured at all.
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 faces the shared house network; ether2 carries the tagged lab VLANs (see /interface vlan).
set [ find default-name=ether1 ] comment="Uplink to home router"
set [ find default-name=ether2 ] comment="Downstream CoreSwitch"
# Unused copper ports are administratively down but remain bridge members (see /interface bridge port).
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface wifiwave2
# NOTE(review): no security.* settings (authentication-types, passphrase) appear in this export,
# so as exported both SSIDs look like open APs. Both radios are bridge ports, the bridge is in the
# LAN interface list, and LAN is what the input/forward chains trust below -- confirm WPA2/WPA3 is
# actually configured before relying on that trust, otherwise anyone in Wi-Fi range gets the same
# access to the router and lab subnets as your own hosts.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-BBC2B5
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-BBC2B6
/interface vlan
# 802.1Q sub-interfaces created directly on ether2 (no bridge VLAN filtering is used):
# VLAN 99 = data, VLAN 100 = management. The router is the L3 gateway for both.
add comment="Data VLAN" interface=ether2 name=ether2.99 vlan-id=99
add comment="Management VLAN" interface=ether2 name=ether2.100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# default-dhcp is defined but no DHCP server below references it, so hosts on the bridge
# (including Wi-Fi clients) receive no leases from this router -- TODO confirm that is intended.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool3 ranges=192.168.99.20-192.168.99.240
add name=dhcp_pool4 ranges=192.168.100.20-192.168.100.40
/ip dhcp-server
add address-pool=dhcp_pool3 comment="DHCP | DataVLAN.99" interface=ether2.99 lease-time=8h name=dhcp1
# NOTE(review): relay=192.168.100.1 is this router's own address on ether2.100 (see /ip address).
# With a relay address set, the server is meant to process requests arriving via that relay, so
# clients broadcasting directly on VLAN 100 may not be served -- verify, and remove relay= if no
# separate DHCP relay exists on that VLAN.
add address-pool=dhcp_pool4 comment="DHCP | MGMTVLAN.100" interface=ether2.100 lease-time=8h name=dhcp2 relay=192.168.100.1
/port
set 0 name=serial0
/interface bridge port
# Defconf bridge membership: the disabled copper ports and both Wi-Fi radios share 192.168.88.0/24.
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is only answered on LAN-list interfaces, not towards the landlord's network.
set discover-interface-list=LAN
/interface list member
# LAN = defconf bridge + both lab VLANs; WAN = ether1. Every LAN-list interface may manage the
# router (input chain accepts it), and because the forward chain below has no LAN-to-LAN rules,
# VLAN 99, VLAN 100 and the bridge route freely to one another -- the "management" VLAN is not
# isolated from the data VLAN by this firewall.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2.99 list=LAN
add interface=ether2.100 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=ether2.99 network=192.168.99.0
add address=192.168.100.1/24 interface=ether2.100 network=192.168.100.0
/ip dhcp-client
# WAN address is leased from the landlord's router; its advertised DNS servers are ignored
# (use-peer-dns=no) in favour of the DoH setup under /ip dns.
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# Fixed lease on VLAN 99 -- presumably the VM hosting the application behind the Cloudflare tunnel (not stated in the post).
add address=192.168.99.237 client-id=ff:9f:6e:85:24:0:2:0:0:ab:11:cc:fa:15:6:42:c5:f0:fb mac-address=00:0C:29:5A:49:8C server=dhcp1
/ip dhcp-server network
# Only the 88.0/24 network hands out an explicit DNS server; the 99 and 100 networks set a gateway only.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
# The router is a caching resolver for LAN clients (allow-remote-requests=yes); the input chain's
# final drop keeps that service off the WAN side. Upstream is DNS-over-HTTPS to a Cloudflare Gateway
# endpoint with certificate verification enabled; servers=1.1.1.1 is the plain-DNS path that
# resolves the DoH hostname itself. Cache and concurrency limits are raised above defaults.
# NOTE(review): the cloudflare-gateway.com hostname appears to be account-specific (a Zero Trust DoH
# location); treat it like a credential and avoid pasting it into public posts.
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=\
    https://htq09quqqk.cloudflare-gateway.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
# Static entries pin cloudflare-dns.com (the bootstrap target when DoH points at Cloudflare's public
# resolver). The DoH server configured above is on cloudflare-gateway.com, so these entries do not
# bootstrap it; that name is resolved via servers=1.1.1.1.
add address=172.64.36.1 name=cloudflare-dns.com
add address=172.64.36.2 name=cloudflare-dns.com
/ip firewall filter
# input chain (traffic to the router itself): established/related/untracked, ICMP, loopback and
# anything arriving on a LAN-list interface is accepted; everything else -- i.e. the WAN side -- is dropped.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain (traffic through the router): IPsec policy matches first, then established flows are
# fasttracked; new connections entering from WAN are dropped unless they were dst-natted. There is no
# dst-nat rule in this config (see /ip firewall nat), so nothing on the landlord's side can initiate a
# connection to the lab subnets. A Cloudflare tunnel connector therefore has to run inside the lab
# (on VLAN 99 or on the VM itself) and dial out; one running on the house network cannot reach
# 192.168.99.x through this router. Presumed relevant to the "bad gateway" symptom -- confirm where
# cloudflared is running. Anything not matched here is accepted by the chain's default policy.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Lab subnets are hidden behind ether1's DHCP address on the house network; only outbound-initiated flows work.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
# RouterOS defconf IPv6 bogon list, referenced by the IPv6 forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified RouterOS defconf IPv6 rules. No IPv6 addressing or DHCPv6 client appears in this export,
# so these rules are effectively idle until IPv6 is enabled; they are kept so that enabling it later
# does not expose the router or lab hosts unfiltered.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
# Layer-2 management (MAC-telnet and MAC-WinBox) is limited to LAN-list interfaces. Note that the LAN
# list includes the bridge carrying both Wi-Fi radios, so Wi-Fi clients can reach these services.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
When I use Torch, I can see the ARP request come in, but after that nothing. Any ideas?
Happy for responses to be links to resources for my reading.
