The whole thing goes so far that the relevant ports get IP addresses from the desired address range from the desired DHCP servers and Internet access also works. Only the VLAN does not work, i.e. cross-VLAN communication is possible.
Furthermore, the access restriction to the router via MAC server does not work and router access is possible from every VLAN.
The network diagram:
-->>
ether1 for WAN (default)
ether2, ether3, ether4, ether5 for VLAN "Entertainment".
- PIV 50, 10.10.50.1/24, Lease room 10.10.50.10 - 10.10.50.250
ether6, ether7, ether8, ether9 and 5 GHz WLAN fpr VLAN "Office".
- PIV 30, 10.10.30.1/24, Lease room 10.10.30.10 - 10.10.30.250
2.4 GHz WLAN for VLAN "Guest"
- PIV 70, 10.10.70.1/24, Lease room 10.10.70.10 - 10.10.70.250
ether10 für VLAN MGMT
- PIV 99, 10.10.99.1/24, Lease room 10.10.99.10 - 10.10.99.250
<<--
The router configuration:
-->>
Code: Select all
# sep/30/2021 19:32:41 by RouterOS 6.48.4
# software id = 8ZEH-Z64L
#
# model = RB4011iGS+5HacQ2HnD
# serial number = no one cares
/interface bridge
add admin-mac=2C:C8:1B:40:F0:85 auto-mac=no comment=defconf disabled=yes name=Bridge
add name=Bridge_VLAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=Bridge_VLAN name=VLAN_30 vlan-id=30
add interface=Bridge_VLAN name=VLAN_50 vlan-id=50
add interface=Bridge_VLAN name=VLAN_70 vlan-id=70
add interface=Bridge_VLAN name=VLAN_99 vlan-id=99
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN 30, 50, 70 and 99" name=List_3579
add comment="VLAN 99 only" name=List_99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Tygat \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Tyche \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=germany disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge name=Tyche security-profile=Tyche ssid=Tyche \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge name=Tygat secondary-channel=auto \
security-profile=Tygat ssid=Tygat wireless-protocol=802.11 wps-mode=\
disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Pool_99 ranges=10.10.99.10-10.10.99.250
add name=Pool_50 ranges=10.10.50.10-10.10.50.250
add name=Pool_70 ranges=10.10.70.10-10.10.70.250
add name=Pool_30 ranges=10.10.30.10-10.10.30.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=Bridge name=defconf
add address-pool=Pool_30 disabled=no interface=VLAN_30 name=DHCP_30
add address-pool=Pool_50 disabled=no interface=VLAN_50 name=DHCP_50
add address-pool=Pool_70 disabled=no interface=VLAN_70 name=DHCP_70
add address-pool=Pool_99 disabled=no interface=VLAN_99 name=DHCP_99
/interface bridge port
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=50
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=30
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=30
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=30
add bridge=Bridge_VLAN comment=MGMT frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=99
add bridge=Bridge comment="Fiber currently unused" disabled=yes interface=sfp-sfpplus1
add bridge=Bridge_VLAN comment="5 GHz WLAN for Office " frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=Tygat pvid=30
add bridge=Bridge_VLAN comment="2.4 GHz WLAN for Guest" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=Tyche pvid=70
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=List_99
/interface bridge vlan
add bridge=Bridge_VLAN comment="VLAN for Office" tagged=Bridge_VLAN vlan-ids=30
add bridge=Bridge_VLAN comment="VLAN for Entertainment" tagged=Bridge_VLAN vlan-ids=50
add bridge=Bridge_VLAN comment="VLAN for Guest" tagged=Bridge_VLAN vlan-ids=70
add bridge=Bridge_VLAN comment="VLAN for MGMT" tagged=Bridge_VLAN vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf disabled=yes interface=Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_99 list=List_99
add interface=VLAN_30 list=List_3579
add interface=VLAN_50 list=List_3579
add interface=VLAN_70 list=List_3579
add interface=VLAN_99 list=List_3579
/ip address
add address=192.168.88.1/24 comment=defconf interface=Bridge network=192.168.88.0
add address=10.10.99.1/24 comment=MGMT interface=VLAN_99 network=10.10.99.0
add address=10.10.30.1/24 comment=Office interface=VLAN_30 network=10.10.30.0
add address=10.10.50.1/24 comment=Entertainment interface=VLAN_50 network=10.10.50.0
add address=10.10.70.1/24 comment=Guest interface=VLAN_70 network=10.10.70.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.30.0/24 dns-server=10.10.99.1 gateway=10.10.30.1
add address=10.10.50.0/24 dns-server=10.10.99.1 gateway=10.10.50.1
add address=10.10.70.0/24 dns-server=10.10.99.1 gateway=10.10.70.1
add address=10.10.99.0/24 dns-server=10.10.99.1 gateway=10.10.99.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=213.73.91.35,194.95.202.198,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=List_3579
add action=accept chain=input comment="VLAN 99 full local access" in-interface=VLAN_99
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="edited: drop ICMP // defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="NAS (LAN 1) no WAN" src-mac-address=24:5E:BE:15:05:27
add action=drop chain=forward comment="NAS (LAN 2) no WAN" src-mac-address= 24:5E:BE:15:05:28
add action=drop chain=forward comment="Printer (LAN) no WAN" src-mac-address=F4:81:39:E2:8A:54
add action=drop chain=forward comment="Printer (WLAN) no WAN" src-mac-address=74:C6:3B:A0:88:F6
add action=accept chain=forward comment="VLAN go WAN not across VLAN" connection-state=new in-interface-list=List_3579 out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system leds
add interface=Tyche leds="Tyche_signal1-led,Tyche_signal2-led,Tyche_signal3-led,Tyche_signal4-led,Tyche_signal5-led" type=wireless-signal-strength
add interface=Tyche leds=Tyche_tx-led type=interface-transmit
add interface=Tyche leds=Tyche_rx-led type=interface-receive
/tool graphing interface
add interface=ether1
/tool mac-server
set allowed-interface-list=List_99
/tool mac-server mac-winbox
set allowed-interface-list=List_99
Quick note:
- The "Bridge" and the "sfp-sfpplus1" interface are device standards and have been deactivated. If everything goes well, I might delete Bridge too.
- The IP filters no. 12 to 15 should prevent NAS and printers with 2 interfaces each from accessing the WAN and must be above filter 16 (prevent cross-VLAN communication), otherwise they will not work. On their part, however, they have no effect on No. 16, since No. 12 to 15 can be deactivated without affecting the VLAN.
Thanks in advance for any hint and advise!
kind reagrds
forenuser
Edit: fixed the brokoen link at the beginning