CinciTech
just joined
Topic Author
Posts: 5
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio

Mac-based VLAN on CRS-125, DHCP

Wed Dec 04, 2019 4:39 pm

I have a network including a handful of physical workstations and printers plugged into a MikroTik CRS-125, and a pair of virtualization host servers running VMware ESXi 6.7.0. I am attempting to set up VLANs to separate internal users (the workstations and domain-based PCs) from the web server (accessible from the internet high seas), and then to further separate the VM management network into a VLAN and the backup traffic into a VLAN.

I did some reading up on MAC-based VLAN, and I like this approach because it seems to help protect against a user plugging a foreign device into an ethernet port in their office and being a liability on the network. Last night I was working my way through the setup process. I managed to enable the FDB-based VLAN on an ethernet port (8), I set up the ethernet port which goes to the virtualization servers (23) to be a trunk port, and I further set up the virtual switch on ESXi to use the same VLAN I had configured for ethernet port 8. I gave the VMs and the desktop some static IPs on a subnet of their own and was able to ping from one PC to the other on the same VLAN. So far so good.

I was not able to establish DHCP for the VLAN, and I am also unable to find guides that describe how to enable multiple VLANs to route to the MikroTik's default gateway (I want two VLANs with different subnets to connect to the internet, but not to each other). Particularly in the case of the business VLAN, guest WiFi and the web server, I want all three to connect to the internet, I want the internet to connect to the web server (NAT), and I want guests to be able to open websites on the web server, so some VLAN-to-VLAN traffic is needed. Does anyone have a guide or some tips on how I need to approach this particular step? Thanks in advance!
 
mkx
Forum Guru
Posts: 3350
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mac-based VLAN on CRS-125, DHCP

Wed Dec 04, 2019 7:14 pm

Post sanitized /export hide-sensitive output (obfuscate public IP addresses if any) in [code][/code] environment. It is easier to tell what is missing than to throw in a complete tutorial.
BR,
Metod
 
CinciTech
just joined
Topic Author
Posts: 5
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio

Re: Mac-based VLAN on CRS-125, DHCP

Thu Dec 05, 2019 6:46 pm

I was hoping there existed a guide already written that I just didn't find, but that's a fair approach. I did remove a couple of things to restore the network back to functional, since it is a production system, so this has a couple of things removed/unconfigured (like eth8 is no longer MAC-VLAN enabled). That said, here's the export:
[admin@MikroTik-Anderson] > /export hide-sensitive
# dec/05/2019 11:35:18 by RouterOS 6.45.7
# software id = AY01-AU48
#
# model = CRS125-24G-1S-2HnD
# serial number = 6D0104A50213
/interface bridge
add admin-mac=4C:5E:0C:1D:94:35 arp=proxy-arp auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN Ethernet Port" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] name="ether8 (ws-etech)" speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] speed=100Mbps
set [ find default-name=ether23 ] name="ether23 (vhost trunk)" speed=100Mbps
set [ find default-name=ether24 ] name="ether24 (vhost untagged)" speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add disabled=yes interface=bridge name="VLAN 110 (Business)" vlan-id=110
add disabled=yes interface=bridge mtu=9000 name="VLAN 120 (Datastore)" vlan-id=120
add disabled=yes interface="VLAN 110 (Business)" mtu=9000 name="VLAN 130 (Backups)" vlan-id=130
add disabled=yes interface=bridge name="VLAN 140 (Management)" vlan-id=140
add disabled=yes interface=bridge name="VLAN 150 (DMZ)" vlan-id=150
add disabled=yes interface=bridge name="VLAN 160 (Public)" vlan-id=160
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes management-protection=allowed mode=\
    dynamic-keys name="WiFi Security" supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=\
    "united states" disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile="WiFi Security" ssid=ProBizWireless wireless-protocol=802.11 wps-mode=\
    disabled
/interface wireless nstreme
set wlan1 enable-nstreme=yes
/ip dhcp-server option
add code=119 name=domain-search-option value="'domain.local'"
add code=15 name=domain-name value="'domain.local'"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-1\
    92-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" name=\
    "L2TP VPN Proposal"
/ip pool
add name="Unknown Addresses" ranges=192.168.100.100-192.168.100.150
add name="VPN Addresses" ranges=192.168.77.1-192.168.77.254
add name="192.168.88.002 (vhost1)" ranges=192.168.88.2
add name="192.168.88.003 (vhost2)" ranges=192.168.88.3
add name="192.168.88.005 (nas1)" ranges=192.168.88.5
add name="192.168.88.010 (dc1)" ranges=192.168.88.10
add name="192.168.88.020-35 (Printers)" ranges=192.168.88.20-192.168.88.34
add name="192.168.88.016 (wiki1)" ranges=192.168.88.16
add name="192.168.88.018 (mattermost1)" ranges=192.168.88.18
add name="192.168.88.006 (vhost1-ipmi)" ranges=192.168.88.6
add name="192.168.88.007 (vhost2-ipmi)" ranges=192.168.88.7
add name="192.168.88.011 (dc2)" ranges=192.168.88.11
add name="192.168.88.014 (wordpress)" ranges=192.168.88.14
add name="192.168.88.015 (mail1)" ranges=192.168.88.15
add name="192.168.88.017 (fs2)" ranges=192.168.88.17
add name="192.168.88.019 (av1)" ranges=192.168.88.19
add name="192.168.88.044 (ts4)" ranges=192.168.88.44
add name="192.168.88.043 (ts3)" ranges=192.168.88.43
add name="192.168.88.042 (ts2)" ranges=192.168.88.42
add name="192.168.88.041 (ts1)" ranges=192.168.88.41
add name="192.168.88.050-069 (Workstations)" ranges=192.168.88.50-192.168.88.69
add name="192.168.88.080-089 (Mobile)" ranges=192.168.88.80-192.168.88.89
add name="192.168.88.070 (Redmine1)" ranges=192.168.88.70
add name="192.168.88.071 (Docker1)" ranges=192.168.88.71
add name="192.168.88.072 (Wordpress1)" ranges=192.168.88.72
add name="192.168.88.073 (ATX1)" ranges=192.168.88.73
add name="192.168.88.020 (prn_4250)" ranges=192.168.88.20
add name="192.168.88.021 (prn_m402dw)" ranges=192.168.88.21
add name="192.168.88.026 (prn_m452nw)" ranges=192.168.88.26
add name="192.168.88.027 (prn_p2015dn)" ranges=192.168.88.27
add name="192.168.88.024 (prn_M426fdn)" ranges=192.168.88.24
add name="192.168.88.023 (prn_m402dw_2)" ranges=192.168.88.23
add name="192.168.88.025 (prn_4050)" ranges=192.168.88.25
add name="192.168.88.028 (prn_m426fdw)" ranges=192.168.88.28
add name="192.168.88.013 (security-cam)" ranges=192.168.88.13
add name="192.168.88.009 (thinstation1)" ranges=192.168.88.9
add name="192.168.88.074 (Wordpress2)" ranges=192.168.88.74
add name="192.168.88.075 (vcsa1)" ranges=192.168.88.75
add name="192.168.88.004 (nas2)" ranges=192.168.88.4
add name="192.168.88.012 (plex1)" ranges=192.168.88.12
add name="192.168.88.250 (PiHole)" ranges=192.168.88.250
add name="192.168.88.008 (ca1)" ranges=192.168.88.8
add name="192.168.88.100 (rds-sql1)" ranges=192.168.88.100
add name="192.168.88.101 (rds-broker1)" ranges=192.168.88.101
add name="192.168.88.102 (rds-broker2)" ranges=192.168.88.102
add name="192.168.88.103 (rds-host1)" ranges=192.168.88.103
add name="192.168.88.104 (rds-host2)" ranges=192.168.88.104
add name="192.168.88.076 (kb1)" ranges=192.168.88.76
add name=10.1.10.000 ranges=10.1.10.0/24
add name=dhcp_pool51 ranges=10.1.10.2-10.1.10.254
add name="Corporate LAN DHCP" next-pool="Unknown Addresses" ranges=192.168.88.200-192.168.88.249
add name="192.168.88.022 (PQ2SE601\?)" next-pool="Corporate LAN DHCP" ranges=192.168.88.22
/ip dhcp-server
add address-pool="Corporate LAN DHCP" authoritative=after-2sec-delay disabled=no interface=bridge \
    name="Corporate DHCP Server"
/ppp profile
add change-tcp-mss=yes name="L2TP VPN Profile" use-compression=yes use-encryption=required \
    use-mpls=no use-upnp=no
set *FFFFFFFE local-address=192.168.89.1 remote-address="VPN Addresses"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface="ether8 (ws-etech)"
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface="ether23 (vhost trunk)"
add bridge=bridge interface="ether24 (vhost untagged)"
add bridge=bridge interface=sfp1
add interface="VLAN 110 (Business)"
/ip neighbor discovery-settings
set discover-interface-list=none
/interface ethernet switch mac-based-vlan
add comment=ws-etech.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=0C:54:A5:17:5D:DF
add comment=ws-deb.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=88:51:FB:65:B3:72
add comment="Lee's lappy NIC" disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=D0:67:E5:49:A4:31
add comment=ws-greg.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=2C:4D:54:D2:99:93
add comment=ws-mary.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=70:4D:7B:26:D6:16
add comment=ws-jeff.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=88:51:FB:6D:CB:AF
add comment=ws-new.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=44:8A:5B:2B:C9:45
add comment=ws-freya.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=88:51:FB:65:B3:CA
add comment=ws-amber.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=88:51:FB:6D:CB:ED
add comment=ws-barb.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=88:51:FB:65:B3:BA
add comment=ws-mandy.domain.local disabled=yes new-customer-vid=110 new-service-vid=110 \
    src-mac-address=C8:D3:FF:9E:13:4D
/interface l2tp-server server
set authentication=mschap2 default-profile="L2TP VPN Profile" enabled=yes use-ipsec=required
/interface list member
add interface=wlan1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface="ether8 (ws-etech)"
add interface=ether9
add interface=ether10
add interface=ether11
add interface=ether12
add interface=ether13
add interface=ether14
add interface=ether15
add interface=ether16
add interface=ether17
add interface=ether18
add interface=ether19
add interface=ether20
add interface=ether21
add interface=ether22
add interface="ether23 (vhost trunk)"
add interface="ether24 (vhost untagged)"
add interface=sfp1
add interface=bridge
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes256 require-client-certificate=yes
/interface pptp-server server
set authentication=mschap2 default-profile=default
/interface sstp-server server
set authentication=mschap2 certificate=fullchain1.pem_0 force-aes=yes pfs=yes port=8443
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 - WAN Ethernet Port"
/ip dhcp-server lease
add address="192.168.88.050-069 (Workstations)" always-broadcast=yes client-id=\
    1:88:51:fb:65:b3:ca mac-address=88:51:FB:65:B3:CA server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" always-broadcast=yes client-id=\
    1:88:51:fb:65:b3:72 mac-address=88:51:FB:65:B3:72 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:88:51:fb:65:b3:ba mac-address=\
    88:51:FB:65:B3:BA server="Corporate DHCP Server"
add address="192.168.88.024 (prn_M426fdn)" always-broadcast=yes client-id=1:a0:8c:fd:13:bd:b2 \
    mac-address=A0:8C:FD:13:BD:B2 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:c:54:a5:17:5d:df mac-address=\
    0C:54:A5:17:5D:DF server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:70:4d:7b:26:d6:16 mac-address=\
    70:4D:7B:26:D6:16 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" always-broadcast=yes client-id=\
    1:88:51:fb:6d:cb:ed mac-address=88:51:FB:6D:CB:ED server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" always-broadcast=yes client-id=\
    1:88:51:fb:6d:cb:af mac-address=88:51:FB:6D:CB:AF server="Corporate DHCP Server"
add address="192.168.88.020 (prn_4250)" mac-address=00:11:0A:C8:70:87 server="Corporate DHCP Server"
add address="192.168.88.005 (nas1)" client-id=1:0:11:32:7b:de:70 mac-address=00:11:32:7B:DE:70 \
    server="Corporate DHCP Server"
add address="192.168.88.017 (fs2)" client-id=1:0:c:29:35:91:31 mac-address=00:0C:29:35:91:31 \
    server="Corporate DHCP Server"
add address="192.168.88.080-089 (Mobile)" mac-address=00:E0:4C:0D:59:62 server=\
    "Corporate DHCP Server"
add address="192.168.88.080-089 (Mobile)" client-id=1:48:51:b7:dc:32:91 mac-address=\
    48:51:B7:DC:32:91 server="Corporate DHCP Server"
add address="192.168.88.007 (vhost2-ipmi)" client-id=1:ac:1f:6b:4b:51:b5 mac-address=\
    AC:1F:6B:4B:51:B5 server="Corporate DHCP Server"
add address="192.168.88.080-089 (Mobile)" client-id=1:f4:9:d8:f8:4b:d1 mac-address=\
    F4:09:D8:F8:4B:D1 server="Corporate DHCP Server"
add address="192.168.88.026 (prn_m452nw)" always-broadcast=yes client-id=1:f4:30:b9:f3:25:b2 \
    mac-address=F4:30:B9:F3:25:B2 server="Corporate DHCP Server"
add address="192.168.88.003 (vhost2)" client-id=1:ac:1f:6b:46:c5:fe mac-address=\
    AC:1F:6B:46:C5:FE server="Corporate DHCP Server"
add address="192.168.88.080-089 (Mobile)" mac-address=3C:33:00:FC:52:E2 server=\
    "Corporate DHCP Server"
add address="192.168.88.023 (prn_m402dw_2)" always-broadcast=yes client-id=1:ac:e2:d3:d8:4d:f7 \
    mac-address=AC:E2:D3:D8:4D:F7 server="Corporate DHCP Server"
add address="192.168.88.071 (Docker1)" client-id=1:0:c:29:95:39:92 mac-address=\
    00:0C:29:95:39:92 server="Corporate DHCP Server"
add address="192.168.88.072 (Wordpress1)" client-id=1:0:c:29:15:33:bd mac-address=\
    00:0C:29:15:33:BD server="Corporate DHCP Server"
add address="192.168.88.041 (ts1)" client-id=1:0:c:29:24:1e:b4 mac-address=00:0C:29:24:1E:B4 \
    server="Corporate DHCP Server"
add address="192.168.88.010 (dc1)" client-id=1:0:c:29:fc:28:5c mac-address=00:0C:29:FC:28:5C \
    server="Corporate DHCP Server"
add address="192.168.88.015 (mail1)" client-id=1:0:c:29:94:1b:23 mac-address=00:0C:29:94:1B:23 \
    server="Corporate DHCP Server"
add address="192.168.88.027 (prn_p2015dn)" client-id=0:0:17:8:8a:20:3 mac-address=\
    00:17:08:8A:20:03 server="Corporate DHCP Server"
add address="192.168.88.042 (ts2)" client-id=1:0:c:29:1f:93:5b mac-address=00:0C:29:1F:93:5B \
    server="Corporate DHCP Server"
add address="192.168.88.018 (mattermost1)" client-id=1:0:c:29:a3:66:25 mac-address=\
    00:0C:29:A3:66:25 server="Corporate DHCP Server"
add address="192.168.88.044 (ts4)" client-id=1:0:c:29:73:8c:4c mac-address=00:0C:29:73:8C:4C \
    server="Corporate DHCP Server"
add address="192.168.88.073 (ATX1)" client-id=1:0:c:29:a0:3b:54 mac-address=00:0C:29:A0:3B:54 \
    server="Corporate DHCP Server"
add address="192.168.88.011 (dc2)" client-id=1:0:c:29:66:10:6 mac-address=00:0C:29:66:10:06 \
    server="Corporate DHCP Server"
add address="192.168.88.019 (av1)" mac-address=00:0C:29:FC:BB:58 server="Corporate DHCP Server"
add address="192.168.88.043 (ts3)" client-id=1:0:c:29:a5:e:b5 mac-address=00:0C:29:A5:0E:B5 \
    server="Corporate DHCP Server"
add address="192.168.88.021 (prn_m402dw)" always-broadcast=yes client-id=1:ac:e2:d3:d8:9d:25 \
    mac-address=AC:E2:D3:D8:9D:25 server="Corporate DHCP Server"
add address="192.168.88.025 (prn_4050)" mac-address=00:10:83:42:36:F0 server="Corporate DHCP Server"
add address="192.168.88.028 (prn_m426fdw)" always-broadcast=yes client-id=1:9c:30:5b:8e:37:72 \
    mac-address=9C:30:5B:8E:37:72 server="Corporate DHCP Server"
add address="192.168.88.013 (security-cam)" client-id=1:8:10:79:ce:6e:c7 mac-address=\
    08:10:79:CE:6E:C7 server="Corporate DHCP Server"
add address="192.168.88.022 (PQ2SE601\?)" disabled=yes mac-address=00:01:E6:A6:BB:39 server=\
    "Corporate DHCP Server"
add address="192.168.88.022 (PQ2SE601\?)" mac-address=00:01:E6:A6:BB:39 server=\
    "Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:84:39:be:67:a3:c2 mac-address=\
    84:39:BE:67:A3:C2 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:2c:4d:54:d2:99:93 mac-address=\
    2C:4D:54:D2:99:93 server="Corporate DHCP Server"
add address="192.168.88.006 (vhost1-ipmi)" client-id=1:ac:1f:6b:b6:ef:c mac-address=\
    AC:1F:6B:B6:EF:0C server="Corporate DHCP Server"
add address="192.168.88.002 (vhost1)" client-id=1:ac:1f:6b:b2:22:74 mac-address=\
    AC:1F:6B:B2:22:74 server="Corporate DHCP Server"
add address="192.168.88.080-089 (Mobile)" client-id=1:a0:c9:a0:bb:2:48 mac-address=\
    A0:C9:A0:BB:02:48 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:c8:d3:ff:9e:13:4d mac-address=\
    C8:D3:FF:9E:13:4D server="Corporate DHCP Server"
add address="192.168.88.016 (wiki1)" client-id=1:0:c:29:93:6:a mac-address=00:0C:29:93:06:0A \
    server="Corporate DHCP Server"
add address="192.168.88.012 (plex1)" client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:e:50:f7:ec:75:19:84:e5 mac-address=00:0C:29:F0:92:F5 server=\
    "Corporate DHCP Server"
add address="192.168.88.250 (PiHole)" client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:89:2d:a9:8d:f8:f4:20:d8 mac-address=00:0C:29:7C:DC:2B
add address="192.168.88.075 (vcsa1)" client-id=1:0:c:29:9d:8c:28 mac-address=00:0C:29:9D:8C:28 \
    server="Corporate DHCP Server"
add address="192.168.88.080-089 (Mobile)" client-id=1:24:77:3:60:ee:38 mac-address=\
    24:77:03:60:EE:38 server="Corporate DHCP Server"
add address="192.168.88.004 (nas2)" client-id=1:24:5e:be:2c:e3:c3 mac-address=24:5E:BE:2C:E3:C3 \
    server="Corporate DHCP Server"
add address="192.168.88.101 (rds-broker1)" client-id=1:0:50:56:8b:b8:cb mac-address=\
    00:50:56:8B:B8:CB server="Corporate DHCP Server"
add address="192.168.88.100 (rds-sql1)" client-id=1:0:c:29:e8:19:1e mac-address=\
    00:0C:29:E8:19:1E server="Corporate DHCP Server"
add address="192.168.88.104 (rds-host2)" client-id=1:0:50:56:8b:e9:70 mac-address=\
    00:50:56:8B:E9:70 server="Corporate DHCP Server"
add address="192.168.88.103 (rds-host1)" client-id=1:0:50:56:8b:e6:89 mac-address=\
    00:50:56:8B:E6:89 server="Corporate DHCP Server"
add address="192.168.88.102 (rds-broker2)" client-id=1:0:50:56:8b:9d:2f mac-address=\
    00:50:56:8B:9D:2F server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:44:8a:5b:2b:c9:45 mac-address=\
    44:8A:5B:2B:C9:45 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:24:fd:52:1d:6c:24 mac-address=\
    24:FD:52:1D:6C:24 server="Corporate DHCP Server"
add address="192.168.88.050-069 (Workstations)" client-id=1:24:fd:52:78:c9:7f mac-address=\
    24:FD:52:78:C9:7F server="Corporate DHCP Server"
add address="192.168.88.076 (kb1)" client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:5b:62:eb:9a:81:e8:b6:8d mac-address=00:50:56:8B:EF:8E server=\
    "Corporate DHCP Server"
add address="192.168.88.014 (wordpress)" client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:f4:b9:a3:40:70:0:e0:1b mac-address=00:50:56:8B:1B:FE server=\
    "Corporate DHCP Server"
add address="192.168.88.008 (ca1)" client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:81:c8:34:87:ff:ce:63:48 mac-address=00:50:56:8B:F3:9E server=\
    "Corporate DHCP Server"
add address="192.168.88.070 (Redmine1)" client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:36:af:3f:4e:84:73:aa:25 mac-address=00:0C:29:38:C6:89 server=\
    "Corporate DHCP Server"
add address=10.1.10.250 client-id=1:d0:67:e5:49:a4:31 mac-address=D0:67:E5:49:A4:31
add address=10.1.10.11 client-id=1:0:c:29:fc:28:66 lease-time=1m mac-address=00:0C:29:FC:28:66
add address=10.1.10.42 client-id=1:0:c:29:1f:93:65 mac-address=00:0C:29:1F:93:65
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1
add address=192.168.88.0/24 boot-file-name=pxelinux.0 comment=\
    "Corporate Business Intranet (Anderson)" dhcp-option=domain-name,domain-search-option dns-server=\
    192.168.88.250 domain=domain.local gateway=192.168.88.1 netmask=24 next-server=192.168.88.9 \
    ntp-server=192.168.88.10,192.168.88.11 wins-server=192.168.88.10,192.168.88.11
/ip dns
set allow-remote-requests=yes servers=192.168.88.250
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=input comment="Allow Inbound UDP:500 (L2TP VPN)" dst-port=500 \
    in-interface="ether1 - WAN Ethernet Port" protocol=udp
add action=accept chain=input comment="Allow Inbound UDP:1701 (L2TP VPN)" dst-port=1701 \
    in-interface="ether1 - WAN Ethernet Port" protocol=udp
add action=accept chain=input comment="Allow Inbound UDP:4500 (L2TP VPN)" dst-port=4500 \
    in-interface="ether1 - WAN Ethernet Port" protocol=udp
add action=accept chain=input comment="Allow Inbound Protocol 50 (L2TP-ESP)" in-interface=\
    "ether1 - WAN Ethernet Port" protocol=ipsec-esp
add action=accept chain=forward comment="Allow Inbound TCP:80 (HTTP)" dst-port=80 in-interface=\
    "ether1 - WAN Ethernet Port" protocol=tcp
add action=accept chain=forward comment="Allow Outbound TCP:80 (HTTP)" out-interface=\
    "ether1 - WAN Ethernet Port" port=80 protocol=tcp
add action=accept chain=forward comment=\
    "Allow Outbound TCP:25 (SMTP) (00:0C:29:94:1B:23 = mail1.domain.local)" in-interface=bridge \
    log-prefix="Filter: AllowOutPort25 (mail1)" out-interface="ether1 - WAN Ethernet Port" \
    port=25 protocol=tcp src-mac-address=00:0C:29:94:1B:23
add action=accept chain=forward comment=\
    "Allow Outbound Port 25 (00:0C:29:1F:93:5B = ts2.domain.local)" in-interface=bridge \
    log-prefix="Allow Outbound Port 25 (ts2)" out-interface="ether1 - WAN Ethernet Port" port=\
    25 protocol=tcp src-mac-address=00:0C:29:1F:93:5B
add action=accept chain=forward comment="Allow Outbound Port 25 (AC:1F:6B:46:C5:FE = vhost2)" \
    in-interface=bridge out-interface="ether1 - WAN Ethernet Port" port=25 protocol=tcp \
    src-mac-address=AC:1F:6B:46:C5:FE
add action=reject chain=forward comment="Deny Outbound Port 25 (SMTP)" in-interface=bridge log=\
    yes log-prefix="Filter: DenyOutPort25 (All)" out-interface="ether1 - WAN Ethernet Port" \
    port=25 protocol=tcp reject-with=icmp-net-prohibited
add action=accept chain=forward comment="Allow already-established connections" \
    connection-state=established,related
add action=accept chain=forward comment="Log ALL outbound traffic not previously handled." \
    disabled=yes in-interface=bridge log=yes log-prefix="Outbound Traffic: " out-interface=\
    "ether1 - WAN Ethernet Port"
add action=accept chain=input comment="VPN L2TP UDP 500" disabled=yes dst-port=500 \
    in-interface="ether1 - WAN Ethernet Port" protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" disabled=yes dst-port=1701 \
    in-interface="ether1 - WAN Ethernet Port" protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" disabled=yes dst-port=4500 in-interface=\
    "ether1 - WAN Ethernet Port" protocol=udp
add action=accept chain=input comment="Testing SSTP" disabled=yes dst-port=8443 protocol=tcp
add action=accept chain=input comment="Allow PPTP (TCP)" disabled=yes dst-port=1723 protocol=\
    tcp
add action=accept chain=input comment="Allow PPTP (GRE)" disabled=yes protocol=gre
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=\
    established,related
add action=accept chain=forward
add action=accept chain=forward disabled=yes dst-port=25 protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid \
    log-prefix="Drop (Invalid): "
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN Ethernet Port" \
    log-prefix="Drop (all dstnat)"
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    "ether1 - WAN Ethernet Port" log-prefix="Drop (all WAN):" src-address=!192.168.89.0/24
/ip firewall nat
add action=dst-nat chain=dstnat comment="HTTP Inbound (WAN:80 ==> wp1.domain.local:80)" dst-port=\
    80 in-interface="ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.14
add action=dst-nat chain=dstnat comment="HTTPS Inbound (WAN:443 ==> wp1.domain.local:443)" \
    dst-port=443 in-interface="ether1 - WAN Ethernet Port" log-prefix=HTTPS: protocol=tcp \
    to-addresses=192.168.88.14 to-ports=443
add action=dst-nat chain=dstnat comment="SMTP Inbound (WAN:25 ==> mail1.domain.local:25)" \
    dst-port=25 in-interface="ether1 - WAN Ethernet Port" protocol=tcp src-mac-address=\
    !00:0C:29:94:1B:23 to-addresses=192.168.88.15 to-ports=25
add action=accept chain=srcnat comment="Site-to-Site VPN: Anderson to Milford NAT Bypass" \
    disabled=yes dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=\
    192.168.77.0/24
add action=masquerade chain=srcnat comment="VPN: Masquerade Local Traffic" disabled=yes \
    src-address=192.168.89.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    "ether1 - WAN Ethernet Port"
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="OWA Inbound (WAN:443 ==> mail1:443)" disabled=yes \
    dst-port=443 in-interface="ether1 - WAN Ethernet Port" protocol=tcp to-addresses=\
    192.168.88.15 to-ports=443
add action=dst-nat chain=dstnat comment="TS1 RDP (WAN:XXXX ==> ts1:3389)" dst-port=XXXX \
    in-interface="ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.41 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-port=XXXX in-interface="ether1 - WAN Ethernet Port" \
    protocol=udp to-addresses=192.168.88.41 to-ports=3389
add action=dst-nat chain=dstnat comment="TS2 RDP (WAN:XXXX ==> ts2:3389)" dst-port=XXXX \
    in-interface="ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.42 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-port=XXXX in-interface="ether1 - WAN Ethernet Port" \
    protocol=udp to-addresses=192.168.88.42 to-ports=3389
add action=dst-nat chain=dstnat comment="TS4 RDP (WAN:XXXX ==> ts4:3389)" dst-port=XXXX \
    in-interface="ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.44 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-port=XXXX in-interface="ether1 - WAN Ethernet Port" \
    protocol=udp to-addresses=192.168.88.43 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP ws-etech" dst-port=XXXX log-prefix="GREG RDP" \
    protocol=tcp to-addresses=192.168.88.55 to-ports=3389
add action=dst-nat chain=dstnat dst-port=XXXX protocol=udp to-addresses=192.168.88.55 to-ports=\
    3389
add action=dst-nat chain=dstnat comment="RDP Joyce" disabled=yes dst-port=XXXX log=yes \
    log-prefix="RDP JOYCE" protocol=tcp to-addresses=192.168.88.52 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=XXXX protocol=udp to-addresses=\
    192.168.88.52 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Mary" disabled=yes dst-port=XXXX protocol=tcp \
    to-addresses=192.168.88.57 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=XXXX protocol=udp to-addresses=\
    192.168.88.57 to-ports=3389
add action=dst-nat chain=dstnat comment="Amber Remote for Milford" disabled=yes dst-port=XXXX \
    protocol=tcp to-addresses=192.168.88.56 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=XXXX log-prefix=Corporate_Birdcage protocol=udp \
    to-addresses=192.168.88.56 to-ports=3389
add action=dst-nat chain=dstnat comment=Adminer disabled=yes dst-port=12321 in-interface=\
    "ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.72 to-ports=12321
add action=dst-nat chain=dstnat comment="Turnkey Linux Terminal" disabled=yes dst-port=12320 \
    in-interface="ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.72 to-ports=\
    12320
add action=dst-nat chain=dstnat comment=Adminer disabled=yes dst-port=12322 in-interface=\
    "ether1 - WAN Ethernet Port" protocol=tcp to-addresses=192.168.88.72 to-ports=12322
/ip firewall raw
add action=notrack chain=prerouting comment=\
    "Site-to-Site VPN: Don't Track Outbound Traffic" disabled=yes dst-address=\
    192.168.89.0/24 src-address=192.168.88.0/24
add action=notrack chain=prerouting comment=\
    "Site-to-Site VPN: Don't Track Inbound Traffic" disabled=yes dst-address=\
    192.168.88.0/24 src-address=192.168.89.0/24
/ip ipsec policy
set 0 proposal="L2TP VPN Proposal"
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set show-dummy-rule=no
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add comment="I don't remember the PASSWORD!" local-address=192.168.88.1 name=lcrawfordVPN \
    profile="L2TP VPN Profile" remote-address=192.168.88.250 service=l2tp
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-Anderson
/tool e-mail
set address=mail1.domain.local from=noreply-router-anderson@probizservices.com
/tool sniffer
set filter-interface="ether1 - WAN Ethernet Port" filter-ip-address=18.218.122.149/32 \
    filter-operator-between-entries=and filter-port=https
 
mkx
Forum Guru
Posts: 3350
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mac-based VLAN on CRS-125, DHCP

Thu Dec 05, 2019 8:20 pm

There are quite a few things that seem wrong ... in order as they appear in the config file
  • vlan interface "VLAN 130 (Backups)" as a slave of another VLAN interface ... do you really use Q-in-Q (frames with double VLAN tags)?
  • if you want to assign static leases to certain DHCP clients, then you should do it in /ip dhcp-server lease, not in /ip pool
  • generally it's not correct to have vlan interface both created off bridge (in /interface vlan) and member of same bridge (in /interface bridge port) ... the offending vlan interface is "VLAN 110 (Business)"
  • apart from mac-based VLAN settings you don't have any vlan config in /interface ethernet switch vlan ... you should configure port-based vlans there for trunk ports as well as for access ports. Be sure to add switch1-cpu interface config as well if CRS needs to interact with certain VLAN on IP level.
  • /interface list member config is useless as none of entries mention name of address list (to be used elsewhere, e.g. in firewall filter rules)
  • only assigned IP address is set to interface (ether2), which is member of a bridge ... IP address should be assigned to top-most interface (in your case for untagged that's bridge ... in case you want to assign address to be used in certain VLAN the address should be assigned to corresponding vlan interface)
  • in /ip dhcp-server lease address property should be single IP address, not string. If you need to add some comment, use comment property.
  • in firewall filter rules use as little matching criteria as possible. E.g. if you know src mac address or src IP address, then you probably don't need to filter on in-interface as well ...
  • one of firewall filter rules (not the last one) is add action=accept chain=forward ... none of rules for the same chain below this point matter ... firewall filter rules get evaluated in order from top to bottom. Generally firewall filter rule set seems a bit extensive, you might want to rethink them starting with default rules (if the default rule set is not empty)

You were asking about how to allow two VLANs to connect to internet but not each other. One of good ways is to use firewall rule pair such as this:
add chain=forward action=drop in-interface=<VLAN1> out-interface=<VLAN2>
add chain=forward action=drop in-interface=<VLAN2> out-interface=<VLAN1>

Keep in mind that ROS is two devices in one:
  1. a router which will happily route IP traffic between all of its L3 interfaces (those that have IP address bound)
  2. a firewall which will allow or block traffic flowing through device. Mind that packets are (implicitly) allowed if they reach the end of rule list for given chain.
BR,
Metod
 
CinciTech
just joined
Topic Author
Posts: 5
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio
Contact:

Re: Mac-based VLAN on CRS-125, DHCP

Thu Dec 05, 2019 9:54 pm

Adding to the mix, possibly confusing things and possibly hurting things: we used to have a second office location and I had a site to site VPN link connecting the two (site B had a little 8port Mikrotik, but same RouterOS and it worked beautifully). I left that configuration in place in case the owners decided to reopen the remote site in a different location, but perhaps there's some stuff that should get cleared out. Additionally, there are port-forwarded RDP connections, which I'm not a big fan of BUT there's something wrong with the ISP's handling of inbound VPN connectivity, so I've not been able to set up remote VPN sessions and the ISP has acknowledged they have a problem but don't appear to be able to fix it.

1. The VLAN interfaces are disabled, and could just get deleted. My goal is not to slave VLANs, but that may have been misconfigured in testing things out.
2. This is intentional. The assignment is actually happening in /ip dhcp-server lease, but I'm assigning named pool entries instead of IP. The webui view of the leases page doesn't correctly sort 1 before 10 before 100, so the naming of 001, 010 and 100 make it simpler to view the IPs in numerical order, and I'd rather view the intended name of each PC in-line instead of on the next line (the comment field is displayed on its own row and that's just wasting space). And unless you named IP pool entries in this way, the interface is "smart" enough to change IP ending in .010 to .10. I can post screenshots if that helps explain the use case BUT this method has been very effective for a couple years so I'd just as soon leave it as-is unless someone is looking to make changes to the webui.
3. "VLAN 110 (Business)" is the new VLAN I'm tinkering with. I'm a little hazy on the off-bridge and "in the same bridge" concepts. I believe I really want to create this VLAN separate from the default "bridge" bridge because the default DHCP server is handing out IPs to "bridge". Am I correct in presuming that I need to assign a bridge to each VLAN to allow me to assign the separate DHCP servers, or would one DHCP server assign IPs to the different mac addresses from multiple pools?
4. My goal is to allow a client PC plugged into a port to get one VLAN, while an administrative PC plugged into the same port would go to management VLAN. Wouldn't configuring port-based VLAN for access ports break this intended functionality? I did have the trunk configured when I was on-site, but I deleted it in returning the network to its normal functional state. Ultimately CRS only needs managed on the management VLAN, which doesn't yet exist. I started by adding switch1-cpu and a test port to a VLAN and locked myself out of configuring the CRS on all other ports. I reversed that quickly, as I'm only able to remotely manage the CRS from the business network at the moment.
5. The interface list was there by default; I have only added some description to the items that were there. I'm okay with deleting it if it serves no purpose but was not aware it was unnecessary.
6. Noted. Only issue there is adding a second DHCP server was marked "invalid" and I couldn't figure out why. I think the best step forward for this particular note is to try to configure it again when I'm on-site and do another export if it doesn't work.
7. As mentioned in #2, I definitely prefer to keep it this way (address property is an entry in pool), as this has worked quite well for a couple years. Comment property is more mess than helpful unless the interface is reworked.
8. & 9. Months ago I was working with firewall rules to allow outbound traffic from mail server and RDS server on port 25 but disallow all other port 25 outbound, and my intention was to eventually use this list to allow outbound traffic only on known ports. I did find that unless I was specific on my firewall rules, unexpected forwarding could happen (such as SMTP traffic being routed to our internal mail server instead of someone's GMail). Rules below the "add action=accept chain=forward" are the ones I had moved there to disable them but did not want to delete them yet. At some point I intend to get back to this project, but time is a finite object. That being said, perhaps firewall is not an efficient place to manage the firewall in this manner? It's worked pretty well so far, but maybe there's improvements to be had here.

Your example of using a firewall rule looks like good advice for preventing all communication for a fully isolated VLAN such as the backup VLAN. Am I correct in assuming that if I want one-way inbound traffic with responses back then I'd set one action to allow and the other to filter out existing connections from the drop action?
 
mkx
Forum Guru
Posts: 3350
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mac-based VLAN on CRS-125, DHCP

Fri Dec 06, 2019 12:12 am

3. You can keep using single bridge with vlan interfaces. As you're dealing with VLANs using switch chip, VLAN separation should be maintained by properly configured switch chip and by using vlan interfaces. If wifi is active, configure it with vlan-mode=use-vlan vlan-id=<VID>. Then you assign separate DHCP servers to each vlan interface where needed, and configure it with appropriate address pool(s).
4. I've never dealt with mac-based VLANs, but my understanding is that mac-based vlans are overriding port-based vlans. But I may well be wrong here. I'd first try to have VLANs working in the simpler (port-based) scenario and would add mac-based setup when simpler setup works ...
5. Interface lists do serve purpose ... but don't seem to have purpose in your particular config. See example below ...

Re firewall: default firewall has action=accept connection-state=established,related rule pretty high on the list. This rule takes care of most replies which means that further rules only deal with initial packets. If you had this rule active and wanted to allow connections from VLAN1 to VLAN2 and not in the other direction, then you'd keep only the second rule ...

Example of use of interface lists: let's say ether1 is WAN interface and ether2 and ether3 are LAN ..
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=ether3
/ip firewall filter
# replies to already allowed connections pass regardless of direction
add chain=forward action=accept connection-state=established,related
# new connections coming in from WAN towards LAN are dropped
add chain=forward action=drop in-interface-list=WAN out-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80 to-addresses=<LAN http server address>

Want to plug WAN line to sfp-sfpplus1 interface? No problem, add sfp-sfpplus1 interface to WAN interface list and you're done with firewall and NAT. Want to add wireless to LAN? Sure, add wifi interface to LAN interface list ...

Also MAC-based access to RB is by default limited to LAN interface list ...
BR,
Metod
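An added worked example (not from mkx or CinciTech) that ties the two replies above to the original question: a business VLAN and a guest VLAN that both reach the internet, are isolated from each other, and where guests may only open the web server's HTTP/HTTPS ports; replies flow back through the established,related rule, so only the initial packets need explicit rules. Interface names, VIDs 110/120, the 192.168.110.0/24 and 192.168.120.0/24 subnets, the web server address 192.168.110.72 and ether1 as WAN are assumptions; the switch-chip port/MAC VLAN configuration on the CRS is assumed to be done separately.

```routeros
# Assumed: bridge "bridge" already exists and carries tagged VLANs 110 and 120 from the switch chip
/interface vlan
add interface=bridge name=vlan110-business vlan-id=110
add interface=bridge name=vlan120-guest vlan-id=120
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan110-business
add list=LAN interface=vlan120-guest
# IP addresses go on the vlan interfaces, not on bridge member ports
/ip address
add address=192.168.110.1/24 interface=vlan110-business
add address=192.168.120.1/24 interface=vlan120-guest
# One pool and one DHCP server per VLAN (constructed ranges)
/ip pool
add name=pool-business ranges=192.168.110.100-192.168.110.199
add name=pool-guest ranges=192.168.120.100-192.168.120.199
/ip dhcp-server
add name=dhcp-business interface=vlan110-business address-pool=pool-business disabled=no
add name=dhcp-guest interface=vlan120-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.110.0/24 gateway=192.168.110.1 dns-server=192.168.110.1
add address=192.168.120.0/24 gateway=192.168.120.1 dns-server=192.168.120.1
/ip firewall filter
# 1. replies to connections that were already allowed, in either direction
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# 2. port-forwarded traffic from the internet to the web server (matched after dst-nat)
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN
# 3. everything else arriving from WAN towards the LAN VLANs is dropped
add chain=forward action=drop in-interface-list=WAN out-interface-list=LAN
# 4. one-way exception: guests may open only the web server's HTTP/HTTPS ports
add chain=forward action=accept in-interface=vlan120-guest out-interface=vlan110-business \
    dst-address=192.168.110.72 protocol=tcp dst-port=80,443
# 5. isolate the VLANs: drop any other new connection between them
add chain=forward action=drop in-interface=vlan120-guest out-interface=vlan110-business
add chain=forward action=drop in-interface=vlan110-business out-interface=vlan120-guest
# Anything not matched above (e.g. VLAN -> WAN) is implicitly accepted at end of chain
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80 \
    to-addresses=192.168.110.72 to-ports=80
```

Because rule 4 sits above the drop pair, the guest-to-business drop never sees the web server connections, while business-to-guest stays fully blocked apart from the replies rule 1 lets through.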
