Community discussions

MikroTik App
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

VLAN ax3

Tue Feb 07, 2023 11:38 pm

Hi,

struggling with proper VLAN set up. Basic home set-up. Eth2-4 will be for PCs and TV (which I'll later add to separate VLAN) and 2x wifi.
Currently trying to set up wifi on VLAN 20 for guests. I can connect to wifi, proper IP, also torch shows some lines with Vlan Id 20, but unfortunately no internet access.

Any help is appreciated.
Thank you.
# feb/07/2023 22:19:25 by RouterOS 7.5
# software id = 8WTH-A6G4
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac=ZZZZZZZZZ auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment=Other
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=SonyTV name=ether5_SonyTV
/interface vlan
add interface=bridge name=interface_vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=VLAN
/interface wifiwave2 security
add authentication-types=wpa2-psk name=AThome
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country=USA .mode=ap .ssid="Ahsoka Tano 2" \
    disabled=no name="Ahsoka Tano 2" security=AThome \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country=USA .mode=ap .ssid="Ahsoka Tano 5" \
    disabled=no name="Ahsoka Tano 5" security=AThome \
    security.authentication-types=wpa2-psk
add channel.band=5ghz-ax configuration.country=USA .mode=ap .ssid=\
    "Ahsoka Tano 6" disabled=no mac-address=ZZZZZZ \
    master-interface="Ahsoka Tano 5" name="Ahsoka Tano 6" \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_PC
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5_SonyTV
add bridge=bridge comment=defconf interface="Ahsoka Tano 5"
add bridge=bridge comment=defconf interface="Ahsoka Tano 2"
add bridge=bridge interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged="Ahsoka Tano 6,bridge" vlan-ids=20
/interface list member
add interface=bridge list=LAN
add interface=ether1_wan list=WAN
add interface=interface_vlan20 list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=20.10.10.0/24 gateway=20.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=USA
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Thu Feb 09, 2023 10:04 pm

Once I go vlans, I go all the way. In other words dont like mixing apples and oranges, and I ensure the bridge does nothing but bridging. Clearer, and consistent too.
Also why three pools when you have two interfaces, the bridge and vlan 20???

I will assume you want another vlan for ether3,ether4 connected devices............ enjoy, changes only shown

/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment=Other
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=SonyTV name=ether5_SonyTV
/interface vlan
add interface=bridge name=interface_vlan20 vlan-id=20
add interface=bridge name=interface_vlan10 vlan-id=10
add interface=bridge name=interface_vlan30 vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=MGMT
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=interface_vlan10 name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool2 interface=interface_vlan30 name=dhcp_vlan30
/interface bridge port
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface=ether2_PC pvid=10
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface=ether3 pvid=30
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface=ether4 pvid=30
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface=ether5_SonyTV pvid=10
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface="Ahsoka Tano 5" pvid=10
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface="Ahsoka Tano 2" pvid=10
add bridge=bridge ingress-filtering=yes admit-frame-types=priority-and-untagged interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="Ahsoka Tano 6" vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether2,ether5_SonyTV, "Ahsoka Tano 5", "Ahsoka Tano 2" vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3,ether4 vlan-ids=30
/interface list member
add interface=ether1_wan list=WAN
add interface=interface_vlan10 list=LAN
add interface=interface_vlan20 list=LAN
add interface=interface_vlan30 list=LAN
add interface=interface_vlan10 list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=interface_vlan10 network=\
192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
( default rules )
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
( admin rules )
add action=accept chain=input in-interface-list=MGMT { admin access to router for config purpose - see note2 for better implementation }
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp { user access only to needed router services }
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp { user access only to needed router services }
add action=drop chain=input comment="drop all else" { NOTE DO THIS RULE LAST after everything else works !!! }
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { can disable if dont have any servers }
add action=drop chain=forward comment="Drop all else"
/tool mac-server
set allowed-interface-list=NONE { not a secure access method to router, do not use }
/tool mac-server mac-winbox
set allowed-interface-list=MGMT



Note1: If you want to add any access between vlans on the router, like to a shared printer or if you as admin want to access the other vlans,
then do so in the forward chain and add rules ABOVE the drop rule at the end
ex1.
add chain=forward action=accept in-interface-list=LAN dst-address=IP_of_shared_printer
ex2.
add chain=forward action=accept in-interface=interface_vlan10 src-address=IP_of_Admin out-interface-list=LAN

Note2. As indicated in the input chain, the ONLY PERSON needing full access to the router is the admin, right now you have it where everyone can. This is not good.
Thus above you will see I changed it so that only the trusted vlan vlan10 had full access. However this is still not ideal.
The better way is to make a firewall address list and incorporate that into the above rule like so:

add action=accept chain=input in-interface-list=MGMT src-address-list=AdminAccess[/i]

where AdminAccess is a firewall address list consisting of ( and based on fixed static leases or fixed wireguard IPs ):
add ip-address=Admin_Desktop_IP list=AdminAccess
add ip-address=Admin_Laptop_IP-wired list=AdminAccess
add ip-address=Admin_Laptop_IP-WIFI list=AdminAccess
add ip-address=Admin_Iphone/IPad-WIFI list=AdminAccess
add ip-address=Admin_Laptop_IP-Remote list=AdminAccess { wireguard connection }
add ip-address=Admin_Iphone/IPad-Remote list=AdminAccess {wireguard connection }
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Fri Feb 10, 2023 9:09 pm

Thank you for your help!
I'll implement it and in process try to learn as much as possible :)


BR
Lista
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Sat Feb 25, 2023 10:36 pm

Anav, still struggling. It seems everytime I set interface from briged to interface_vlan10 in ip addresses menu I lost connection. Thank god for safe mode :)
Any suggestions?

Thank you


[admin@MikroTik] > export
# feb/25/2023 21:17:10 by RouterOS 7.5
# software id = 8WTH-A6G4
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ZZZZZZZZ
/interface bridge
add admin-mac=ZZZZZZZZZ auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment=Other
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=SonyTV name=ether5_SonyTV
/interface vlan
add interface=bridge name=interface_vlan10 vlan-id=10
add interface=bridge name=interface_vlan20 vlan-id=20
add interface=bridge name=interface_vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wifiwave2 security
add authentication-types=wpa2-psk name=AThome
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac configuration.country=ZZZZZ .mode=ap \
    .ssid="Ahsoka Tano 2" disabled=no name="Ahsoka Tano 2" security=AThome security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac configuration.country=ZZZZZ.mode=ap \
    .ssid="Ahsoka Tano 5" disabled=no name="Ahsoka Tano 5" security=AThome security.authentication-types=wpa2-psk
add channel.band=5ghz-ax configuration.country=ZZZZZ .mode=ap .ssid="Ahsoka Tano 6" disabled=no mac-address=\
    4A:A9:8A:0D:DA:1F master-interface="Ahsoka Tano 5" name="Ahsoka Tano 6" security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool2 interface=interface_vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2_PC pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5_SonyTV pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 5" pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 2" pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="Ahsoka Tano 6" vlan-ids=20
add bridge=bridge tagged=bridge untagged="ether5_SonyTV,ether2_PC,Ahsoka Tano 2,Ahsoka Tano 5" vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1_wan list=WAN
add interface=interface_vlan10 list=LAN
add interface=interface_vlan20 list=LAN
add interface=interface_vlan30 list=LAN
add interface=interface_vlan10 list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=s
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=ZZZZZ
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
[admin@MikroTik] >
Last edited by BartoszP on Sun Feb 26, 2023 2:26 am, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Sun Feb 26, 2023 5:00 am

If you have a spare port on the router, do what I do for safe configuring.
Lets say ether5 is free.
-rename the interface name=ether5-emerg
-remove it from bridge ports
-give it an IP addresss like 192.168.55.1/24
-on a laptop or pc put 192.168.55.5 for example in the ipv4 settings, plug into ether5 and log into the router.
- one other things first, add it to the MGMT list
add interface=ether5-emerg list=MGMT

Then when you can log in from ether5 come back to post the new config with that on it, then we
can discuss next steps.
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Sat Mar 04, 2023 12:13 am

Don't know how, when setting up eth5 and connecting from other laptop, I could access router from main PC as well.
Below next export. I also think I made a mess with firewall rules.

/interface bridge
add admin-mac=ZZZZZZZZZZ auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment=Other
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=SonyTV name=ether5-emerg
/interface vlan
add interface=bridge name=interface_vlan10 vlan-id=10
add interface=bridge name=interface_vlan20 vlan-id=20
add interface=bridge name=interface_vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wifiwave2 security
add authentication-types=wpa2-psk name=AThome
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country=ZZZZZZ .mode=ap .ssid="Ahsoka Tano 2" \
    disabled=no name="Ahsoka Tano 2" security=AThome \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country=ZZZZZZ .mode=ap .ssid="Ahsoka Tano 5" \
    disabled=no name="Ahsoka Tano 5" security=AThome \
    security.authentication-types=wpa2-psk
add channel.band=5ghz-ax configuration.country=ZZZZZZ .mode=ap .ssid=\
    "Ahsoka Tano 6" disabled=no mac-address=4A:A9:8A:0D:DA:1F \
    master-interface="Ahsoka Tano 5" name="Ahsoka Tano 6" \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=interface_vlan10 name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool2 interface=interface_vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2_PC pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 5" pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 2" pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="Ahsoka Tano 6" vlan-ids=20
add bridge=bridge tagged=bridge untagged=\
    "ether2_PC,Ahsoka Tano 2,Ahsoka Tano 5" vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN
add interface=interface_vlan10 list=LAN
add interface=interface_vlan20 list=LAN
add interface=interface_vlan30 list=LAN
add interface=interface_vlan10 list=MGMT
add interface=ether5-emerg list=MGMT
add interface=ether5-emerg list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=interface_vlan10 \
    network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
add address=192.168.55.1/24 interface=ether5-emerg network=192.168.55.0
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
add address=192.168.55.0/24 dns-server=192.168.55.1 gateway=192.168.55.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment=s
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=ZZZZZZ
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Sat Mar 04, 2023 1:52 pm

will have a look later today

(1) Remove the bridge from the interface list members ( you have it covered with proper vlan entries ).

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN

(2) REMOVE ether5 from dhcp server settings, was never stated to do this...?

/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
add address=192.168.55.0/24 dns-server=192.168.55.1 gateway=192.168.55.1


(3) In terms of DNS, you can get rid of the default static settings and add a couple of servers......

/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(4) Now all thats left are the firewall rules!

Input Chain

Firewall rules disorganized, full of duplicates needs a cleanup see next post!



In terms of access to the router you have it at least refined to the MGMT interface list, this is good and better is to refine it by static lease IP addresses of the admin in a firewall address list ( src-address-list )

Good:
add action=accept chain=input comment="allow limited config access" in-interface-list=MGMT
add action=accept chain=input comment="allow user services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="allow user services" dst-port=53 protocol=udp in-interface-list=LAN

add action=drop chain=input comment="drop all else"
{ put this in as last rule otherwise you will lock yourself out }

Better still first rule.
add action=accept chain=input comment="allow limited config access" in-interface-list=MGMT src-address-list=authorized

Where you create a firewall address list like\
/firewall address list
add ip-address=Admin-desktop list=authorized
add ip-address=Admin-laptop list=authorized
add ip-address=Admin-iphone/ipad list=authorized
add ip-address=192.168.55.0/24 list=authorized
Last edited by anav on Sat Mar 04, 2023 8:14 pm, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Sat Mar 04, 2023 8:11 pm

Okay so now I see you have a made a mess with duplication and lack of organization so best to redo.....

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

(admin rules)
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=forward comment="Drop all else"

{Forward Chain}
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \ YOU CAN REMOVE these first two rules if not doing ipsec
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Mon Mar 06, 2023 8:43 pm

(1) Remove the bridge from the interface list members ( you have it covered with proper vlan entries ).
Done.

(2) REMOVE ether5 from dhcp server settings, was never stated to do this...?
I had problems establishing static ip and connecting, so I tried doing via lease and then static.

(3) In terms of DNS, you can get rid of the default static settings and add a couple of servers......
Done.

static lease IP addresses of the admin

Do you mean via /ip dhcp-server lease? So I specify one statiic ip and MAC of my PC?

One question. Is my understanding correct, that when using Torch I should see VLAN ids?

Okay so now I see you have a made a mess with duplication and lack of organization so best to redo.....
Yes, I did. Below export.
/interface bridge
add admin-mac=ZZZZZZ auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment="Sony TV"
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=Emergency name=ether5-emerg
/interface vlan
add interface=bridge name=interface_vlan10 vlan-id=10
add interface=bridge name=interface_vlan20 vlan-id=20
add interface=bridge name=interface_vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wifiwave2 security
add authentication-types=wpa2-psk name=AThome
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2437 \
    .skip-dfs-channels=10min-cac configuration.country=ZZZZZ .mode=ap \
    .ssid="Ahsoka Tano 2" disabled=no name="Ahsoka Tano 2" security=AThome \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country=ZZZZZZ .mode=ap .ssid="Ahsoka Tano 5" \
    disabled=no name="Ahsoka Tano 5" security=AThome \
    security.authentication-types=wpa2-psk
add channel.band=5ghz-ax configuration.country=ZZZZZ .mode=ap .ssid=\
    "Ahsoka Tano 6" disabled=no mac-address=4A:A9:8A:0D:DA:1F \
    master-interface="Ahsoka Tano 5" name="Ahsoka Tano 6" \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=interface_vlan10 name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool2 interface=interface_vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2_PC pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 5" pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 2" pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="Ahsoka Tano 6" vlan-ids=20
add bridge=bridge tagged=bridge untagged=\
    "ether2_PC,Ahsoka Tano 2,Ahsoka Tano 5" vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1_wan list=WAN
add interface=interface_vlan10 list=LAN
add interface=interface_vlan20 list=LAN
add interface=interface_vlan30 list=LAN
add interface=interface_vlan10 list=MGMT
add interface=ether5-emerg list=MGMT
add interface=ether5-emerg list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=interface_vlan10 \
    network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=ZZZZ
set api disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=USA
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Mon Mar 06, 2023 10:11 pm

(1) Looks like you accidentally removed the IP address for ether5-emerg??
/ip address
add address=192.168.88.1/24 comment=defconf interface=interface_vlan10 \
network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0

???????????????????????????????????????????????????????????????


(2) Your firewall rules are not cleanly grouped by input chain and then forward chain, or the reverse, ie chains should be viewed together.......
FIXED: ( forward chain Invalid rule dropped from my recommendations, apparently it doesnt really do much other than possibly block good traffic )

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=drop comment="drop all else" { put this in LAST }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Mon Mar 06, 2023 10:15 pm

Yes, if you want to add a source address list entry on the input chain to narrow down who under MGMT interface list can access the router for config purpose.
You need to create a firewall address list of IP addresses assigned to the firewall list name.
You do this for any LANIPs the admin uses (desktop, laptop, iphone/ipad) by finding its lease and use the SET STATIC option.

For ether5 you could choose an IP
192.168.55.5 list=adminaccess

OR the whole subnet
192.168.55.0/24 list=adminaccess
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Wed Mar 08, 2023 11:05 pm

(1) Looks like you accidentally removed the IP address for ether5-emerg??
/ip address
add address=192.168.88.1/24 comment=defconf interface=interface_vlan10 \
network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
???????????????????????????????????????????????????????????????
My mistake. When deleting dhcp I also deleted address for eth5.

One question. Is my understanding correct, that when using Torch I should see VLAN ids?

Below new export. I hope I set it right. Also added static ip and ip of eth5 for the access to router.
/interface bridge
add admin-mac=ZZZZZZZZZZZZZZZZZ auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment="Sony TV"
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=Emergency name=ether5-emerg
/interface vlan
add interface=bridge name=interface_vlan10 vlan-id=10
add interface=bridge name=interface_vlan20 vlan-id=20
add interface=bridge name=interface_vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wifiwave2 security
add authentication-types=wpa2-psk name=AThome
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2437 \
    .skip-dfs-channels=10min-cac .width=20mhz configuration.country=ZZZZZ \
    .mode=ap .ssid="Ahsoka Tano 2" disabled=no name="Ahsoka Tano 2" security=\
    AThome security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5170-5250 \
    .skip-dfs-channels=10min-cac configuration.country=ZZZZZZZ .mode=ap \
    .ssid="Ahsoka Tano 5" disabled=no name="Ahsoka Tano 5" security=AThome \
    security.authentication-types=wpa2-psk
add channel.band=5ghz-ax configuration.country=ZZZZZZ .mode=ap .ssid=\
    "Ahsoka Tano 6" disabled=no mac-address=4A:A9:8A:0D:DA:1F \
    master-interface="Ahsoka Tano 5" name="Ahsoka Tano 6" \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=interface_vlan10 name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool2 interface=interface_vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2_PC pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 5" pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 2" pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="Ahsoka Tano 6" vlan-ids=20
add bridge=bridge tagged=bridge untagged=\
    "ether2_PC,Ahsoka Tano 2,Ahsoka Tano 5" vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1_wan list=WAN
add interface=interface_vlan10 list=LAN
add interface=interface_vlan20 list=LAN
add interface=interface_vlan30 list=LAN
add interface=interface_vlan10 list=MGMT
add interface=ether5-emerg list=MGMT
add interface=ether5-emerg list=LAN
/ip address
add address=192.168.88.1/24 interface=interface_vlan10 network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
add address=192.168.55.1/24 interface=ether5-emerg network=192.168.55.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server lease
add address=192.168.88.222 client-id=1:30:9c:23:9a:a4:e9 mac-address=\
    30:9C:23:9A:A4:E9 server=defconf
/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.55.0/24 list=authorized
add address=192.168.88.222 list=authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT src-address-list=\
    authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
add action=drop chain=drop comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=ZZZZ
set api disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=ZZZZZZ
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Thu Mar 09, 2023 1:46 am

close, look at the end of the forward chain.......

add action=drop chain=forward comment="Drop all else" GOOD
add action=drop chain=drop comment="drop all else"
UGLY

I think the second rule is the missing rule which should be at the end of the INPUT CHAIN, its missing in the config but looks like so ( there is no CHAIN called drop LOL)
add action=drop chain=input comment="drop all else"

Between these two..
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
PUT THE RULE HERE IN ORDER
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec

Everything else looks good.
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Thu Mar 09, 2023 10:21 pm

( there is no CHAIN called drop LOL)
Really strange that you can create something that its not even an option :)

Sorry, but still no VLAN ids :-?
/interface bridge
add admin-mac=ZZZZZZZ auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1_wan
set [ find default-name=ether2 ] comment=PC name=ether2_PC
set [ find default-name=ether3 ] comment="Sony TV" name=ether3_TV
set [ find default-name=ether4 ] comment=Other
set [ find default-name=ether5 ] comment=Emergency name=ether5_emerg
/interface vlan
add interface=bridge name=interface_vlan10 vlan-id=10
add interface=bridge name=interface_vlan20 vlan-id=20
add interface=bridge name=interface_vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wifiwave2 security
add authentication-types=wpa2-psk name=AThome
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2437 \
    .skip-dfs-channels=10min-cac .width=20mhz configuration.country=ZZZZZ \
    .mode=ap .ssid="Ahsoka Tano 2" disabled=no name="Ahsoka Tano 2" security=\
    AThome security.authentication-types=wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5170-5250 \
    .skip-dfs-channels=10min-cac configuration.country=ZZZZZ .mode=ap \
    .ssid="Ahsoka Tano 5" disabled=no name="Ahsoka Tano 5" security=AThome \
    security.authentication-types=wpa2-psk
add channel.band=5ghz-ax configuration.country=ZZZZZ .mode=ap .ssid=\
    "Ahsoka Tano 6" disabled=no mac-address=4A:A9:8A:0D:DA:1F \
    master-interface="Ahsoka Tano 5" name="Ahsoka Tano 6" \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=20.10.10.2-20.10.10.254
add name=dhcp_pool2 ranges=30.10.10.2-30.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=interface_vlan10 name=defconf
add address-pool=dhcp_pool1 interface=interface_vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool2 interface=interface_vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2_PC pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3_TV pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 5" pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="Ahsoka Tano 2" pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="Ahsoka Tano 6" pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="Ahsoka Tano 6" vlan-ids=20
add bridge=bridge tagged=bridge untagged=\
    "ether2_PC,Ahsoka Tano 2,Ahsoka Tano 5" vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3_TV,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1_wan list=WAN
add interface=interface_vlan10 list=LAN
add interface=interface_vlan20 list=LAN
add interface=interface_vlan30 list=LAN
add interface=interface_vlan10 list=MGMT
add interface=ether5_emerg list=MGMT
add interface=ether5_emerg list=LAN
/ip address
add address=192.168.88.1/24 interface=interface_vlan10 network=192.168.88.0
add address=20.10.10.1/24 interface=interface_vlan20 network=20.10.10.0
add address=30.10.10.1/24 interface=interface_vlan30 network=30.10.10.0
add address=192.168.55.1/24 interface=ether5_emerg network=192.168.55.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server lease
add address=192.168.88.222 client-id=1:30:9c:23:9a:a4:e9 mac-address=\
    30:9C:23:9A:A4:E9 server=defconf
/ip dhcp-server network
add address=20.10.10.0/24 dns-server=20.10.10.1 gateway=20.10.10.1
add address=30.10.10.0/24 dns-server=30.10.10.1 gateway=30.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.55.0/24 list=authorized
add address=192.168.88.222 list=authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT src-address-list=\
    authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=ZZZZ
set api disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=ZZZZZZZ
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN ax3

Fri Mar 10, 2023 7:27 am

( there is no CHAIN called drop LOL)
Really strange that you can create something that its not even an option :)

Creating custom chain (e.g. one named drop) is fine and sometimes very handy. However you have to configure firewall to jump into that chain (in certain conditions).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Fri Mar 10, 2023 7:53 pm

Your config has no errors I can see.
Try rebooting the router...........
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Fri Mar 10, 2023 9:18 pm

Your config has no errors I can see.
Try rebooting the router...........
Didnt help. I also did an upgrade & reboot. No luck.

Really appreciate all the help!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN ax3

Sat Mar 11, 2023 2:47 am

Is it just the wifi where you are not getting any dhcp??
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Sun Mar 12, 2023 3:11 pm

Tried also torch on PC and TV port, but unfortunately, no IDs also there.
 
noexp
just joined
Posts: 1
Joined: Mon Feb 20, 2023 1:34 pm

Re: VLAN ax3

Wed Mar 15, 2023 2:28 pm

VLAN id is visible in torch - bridge.
DHCP work?
 
lista
just joined
Topic Author
Posts: 10
Joined: Sat Feb 04, 2023 5:19 pm

Re: VLAN ax3

Sat Mar 18, 2023 6:01 pm

Sorry guys. I was using torch on wifis and ports, as i was sure VLAN IDs will be visible there. Didnt think about the bridge! IDs are there and DHCP is ok.

Thank you again for all the help.


BR
Lista

Who is online

Users browsing this forum: cmmike, Google [Bot], hatred, Matta and 39 guests