Maybe this won't be like a big thing, but I have some doubts about my home network.
I bought a hAP (RB941-2nD) which I use as my main router. I have two more home routers from TP-Link (a TL-WR841N and an Archer C60), which are in AP mode. One router is for the 2.4 GHz band, and the other just for the 5 GHz band (I thought that having one device for each band was more reliable and optimal than having one device for both).
And that's it, at home we have around 5 phones, some at 2.4, others at 5 GHz, also 2 laptops, one at 5 and the other at 2.4, plus my two work laptops which are at 2.4.
Initially I wanted to do the following (all this before deciding to invest in MikroTik):
ether1 -> Internet
Firewall (good rules to prevent hacking and stuff)
Receive DHCP from ISP
Ad blocking? It is a powerful enough device; it could be nice to have instead of having the clients do the blocking.
Should I add an IP to have connection to the modem's interface? It would be a 192.168.100.x network, that's my guess so far.
Do traffic shaping? =D that would be awesome
ether2 -> to 2.4 AP
192.168.24.x/for around 10 devices network
192.168.24.1/28 (dhcp from 1 to 10)
ether3 -> to NAS
192.168.31.x/for around 01 device network
"aa", I have to choose, it would be for only 1 device anyways
192.168.31.0/31 (0 to 1)
ether4 -> to 5.8 AP
192.168.58.x/for around 10 devices network
192.168.58.1/28 (dhcp 1 to 15)
1 week life time.
ether3 must be reachable by ether2 and ether4.
But now that I have the device, I was like... do I really want to do it like that? I mean, I'm no network guy, I'm just a power user (yes, from the 80's, 90's), and so far, the network is fine, it is fast, I just added some rules for queue management, and that's all. The network is on 192.168.88.1/24, and so far, the ad blocking is done by each device using the hosts file... I even downclocked the device a bit to avoid overheating... (I mean, it stays at less than 5% all day long, so you can figure out that 100 Mbps internet does not stress it at all).
It is quite a good device, maybe I overdid it (I convinced my wife to buy it for me hehe, and also the extra router/AP).
What do you think? Am I just overthinking? Should I leave it as it is?
As for config, I have the following:
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP rate limited 30/s
chain=input action=drop protocol=icmp limit=30,30:packet dst-limit=30,30,dst-address/1m40s log=no
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,rel
6 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""
8 X ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
9 X ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstna
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
Mangle
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
1 D ;;; special dummy rule to show fasttrack counters
2 D ;;; special dummy rule to show fasttrack counters
3 chain=postrouting action=mark-packet new-packet-mark=streaming passthrough=no connection-mark=streaming packet-mark=no-mark
4 chain=postrouting action=mark-packet new-packet-mark=misc-fast passthrough=no tcp-flags=ack protocol=tcp packet-mark=no-mark packet-size=40
5 chain=postrouting action=mark-packet new-packet-mark=misc-fast passthrough=no protocol=udp out-interface=ether1 packet-mark=no-mark dst-port=53
6 chain=postrouting action=mark-packet new-packet-mark=http passthrough=no connection-mark=http packet-mark=no-mark
7 ;;; Streaming
chain=postrouting action=mark-connection new-connection-mark=streaming connection-state=new protocol=tcp connection-mark=no-mark
8 ;;; Streaming
chain=postrouting action=mark-connection new-connection-mark=streaming connection-state=new protocol=udp connection-mark=no-mark
9 ;;; Web Browsing
chain=postrouting action=mark-connection new-connection-mark=http connection-state=new protocol=tcp connection-mark=no-mark out-interface=ether1
I think the firewall could be optimized but I'm not sure; also I have the feeling some rules are duplicated (I read about the order in which they have to be, but I'm all confused), I don't know. What do you think?
Flags: X - disabled, I - invalid
0 name="queue1" parent=ether1 packet-mark="" limit-at=9700k queue=default priority=8 max-limit=9700k burst-limit=0 burst-threshold=0 burst-time=0s
1 name="prio5-streaming" parent=queue1 packet-mark=streaming limit-at=6200k queue=default priority=5 max-limit=6200k burst-limit=0 burst-threshold=0
2 name="prio8-untagged" parent=queue1 packet-mark=no-mark limit-at=100k queue=default priority=8 max-limit=9500k burst-limit=0 burst-threshold=0
3 name="prio2-misc-fast" parent=queue1 packet-mark=misc-fast limit-at=1G queue=default priority=2 max-limit=1G burst-limit=0 burst-threshold=0
4 name="prio6-http" parent=queue1 packet-mark=http limit-at=100k queue=default priority=6 max-limit=9100k burst-limit=0 burst-threshold=0 burst-time=0s
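One way to turn the per-port plan above into a RouterOS config, added here as an example; it is not from the original post and not MikroTik's default configuration. It keeps the port roles from the plan (ether1 to the ISP, ether2 to the 2.4 GHz AP, ether3 to the NAS, ether4 to the 5 GHz AP) as separate routed subnets with no bridge, and it makes the following assumptions: the NAS link is a static /30 rather than the /31 in the plan (router at .1, NAS at .2), the DHCP pools skip the router's own .1 and stay inside each /28 (a /28 has 14 usable hosts, so a range ending at .15 would not fit), the modem answers on 192.168.100.1 (a guess, as in the post), and the hAP's own wlan1 is left out because the external APs carry the wireless. The forward chain is written in the order RouterOS evaluates it, which is the part the post asks about: the first matching rule ends processing, so the cheap stateful accepts come first, then the narrow allows (LAN to internet, clients to NAS), then the drops.

```routeros
# Added example, not from the original post. Interface names, the /30 NAS link,
# the pool ranges and the 192.168.100.1 modem address are assumptions.

/interface list
add name=WAN comment="internet side"
add name=LAN comment="all inside ports"
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN

# One subnet per port: /28 for each AP segment, /30 for the single NAS.
/ip address
add address=192.168.24.1/28 interface=ether2 comment="2.4 GHz AP segment"
add address=192.168.58.1/28 interface=ether4 comment="5 GHz AP segment"
add address=192.168.31.1/30 interface=ether3 comment="NAS link, NAS static at .2"
# Extra address on the WAN port so the router can reach the modem's page;
# clients get there through the masquerade rule below.
add address=192.168.100.2/24 interface=ether1 comment="modem management (assumed 192.168.100.1)"

# WAN address from the ISP by DHCP.
/ip dhcp-client
add interface=ether1 disabled=no comment="ISP DHCP"

# 10 leases for the 2.4 GHz side, 13 for the 5 GHz side, one-week lease time.
/ip pool
add name=pool24 ranges=192.168.24.2-192.168.24.11
add name=pool58 ranges=192.168.58.2-192.168.58.14
/ip dhcp-server
add name=dhcp24 interface=ether2 address-pool=pool24 lease-time=1w disabled=no
add name=dhcp58 interface=ether4 address-pool=pool58 lease-time=1w disabled=no
/ip dhcp-server network
add address=192.168.24.0/28 gateway=192.168.24.1 dns-server=192.168.24.1
add address=192.168.58.0/28 gateway=192.168.58.1 dns-server=192.168.58.1

# Router answers DNS for the LAN; the input chain (defconf) only accepts this from LAN.
/ip dns
set allow-remote-requests=yes

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="LAN out to internet and modem"

# forward chain in evaluation order. Rules are checked top to bottom and the
# first match wins, so stateful accepts go first, then narrow allows, then drops.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack (cheap on a hAP)"
add chain=forward action=accept connection-state=established,related,untracked comment="already-allowed flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=accept connection-state=new in-interface=ether2 out-interface=ether3 comment="2.4 GHz clients to NAS"
add chain=forward action=accept connection-state=new in-interface=ether4 out-interface=ether3 comment="5 GHz clients to NAS"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="unsolicited from WAN"
add chain=forward action=drop comment="anything else between segments (NAS to clients, 2.4 to 5 GHz)"
```

The input chain is left as the defconf rules shown in the post, since they already drop everything that does not arrive from the LAN list. The two "clients to NAS" rules plus the final drop are what give "ether3 must be reachable by ether2 and ether4" without also letting the NAS open connections back to the client segments; replies still flow because the established/related accept sits above the drop. If a rule appears not to fire, check its position with `/ip firewall filter print` and the counters, since a rule placed below a broader accept never matches.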