[admin@MikroTik] > /export hide-sensitive
# oct/21/2021 17:02:04 by RouterOS 6.48.5
# software id = 9H22-PVVS
#
# model = 960PGS
# serial number = XXXXXXXXXXXX
# NOTE(review): a plain (non-verbose) export lists only non-default settings, so
# anything not shown below (e.g. ether1's pvid/frame-types, the www/ssh services)
# is at its RouterOS default.
/interface bridge
# Single VLAN-aware bridge. ingress-filtering=yes drops frames arriving on a port
# for a VLAN that port is not a member of.
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
# PoE-out switched off on every access port.
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface vlan
# Router-side (L3) interfaces on the bridge: vlan11 is the failover WAN uplink
# (access port ether2), vlan61 is the routed 192.168.4.0/24 segment.
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan61 vlan-id=61
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan61_pool ranges=192.168.4.100-192.168.4.230
/ip dhcp-server
# DHCP for vlan61 clients, handing out addresses from the pool above; "lte" is
# only the server's name.
add address-pool=vlan61_pool disabled=no interface=vlan61 lease-time=3w name=lte
/interface bridge port
# ether1: trunk towards the main router/firewall. pvid and frame-types are not set
# here, so the RouterOS defaults (pvid=1, admit-all) apply: untagged frames on
# ether1 land in VLAN 1, which is where the bridge1 management DHCP client (see
# /ip dhcp-client) gets its address.
add bridge=bridge1 ingress-filtering=yes interface=ether1
# ether2: untagged-only access port in VLAN 11 (the failover WAN side).
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=11
# ether3: untagged-only access port in VLAN 64.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=64
# ether4/ether5: untagged-only access ports in VLAN 69.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=69
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=69
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) disabled on all interfaces.
set discover-interface-list=none
/interface bridge vlan
# VLAN membership table. VLANs 69 and 64 are pure layer-2: tagged on the trunk,
# untagged on their access ports, and NOT listed for bridge1, so the router's CPU
# never sees them. VLANs 61 and 11 are tagged towards bridge1 so the vlan61/vlan11
# interfaces above receive them. No explicit entry for VLAN 1 (management).
add bridge=bridge1 tagged=ether1 untagged=ether4,ether5 vlan-ids=69
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=64
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=61
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=11
/ip address
# Router's own address on the routed vlan61 segment.
add address=192.168.4.1/24 interface=vlan61 network=192.168.4.0
/ip dhcp-client
# Management address on bridge1 itself (untagged / VLAN 1 via ether1); no default
# route is taken from this lease.
add add-default-route=no disabled=no interface=bridge1 use-peer-dns=no
# WAN address on vlan11. add-default-route is not set, so presumably the default
# (yes) applies and this lease supplies the default route -- TODO confirm.
add disabled=no interface=vlan11 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24
/ip firewall filter
# The only filter rule: drop everything addressed to the router itself (input
# chain) that arrives on vlan11. No forward-chain rule appears in this export, so
# connections initiated from the vlan11 side towards 192.168.4.0/24 are not
# filtered by it -- NOTE(review): confirm that is intended for a WAN-facing port.
# Whether this drop also affects the vlan11 DHCP client's own replies is not
# visible here; verify the lease still renews.
add action=drop chain=input in-interface=vlan11
/ip firewall nat
# Source NAT for the vlan61 segment when traffic leaves via the failover WAN.
add action=masquerade chain=srcnat out-interface=vlan11 src-address=192.168.4.0/24
/ip route
# Static route to 192.168.20.0/24 via 192.168.60.1 (presumably the main router on
# the management network; that network is not visible in this export).
add distance=1 dst-address=192.168.20.0/24 gateway=192.168.60.1
/ip service
# telnet/ftp/api/winbox/api-ssl disabled. www, www-ssl and ssh are not listed, so
# they keep their defaults; no address= restriction on the remaining services is
# visible in this export.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Restrict SSH to stronger ciphers/KEX.
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system ntp client
# NTP from the same upstream host as the static route's gateway.
set enabled=yes primary-ntp=192.168.60.1
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
# Bandwidth-test server disabled.
set enabled=no
/tool mac-server
# MAC-telnet, MAC-winbox and MAC-ping reachable from no interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
- eth1 (hybrid trunk port connected to main router / firewall)
- eth2 (failover WAN; hence the NAT rule, to get a separate gateway IP)
- eth3 (access port - vlan 64)
- eth4 (access port - vlan 69)
- eth5 (access port - vlan 69)
- Is it possible to simplify this config without losing any of the functionality?
- What are the advantages and disadvantages of removing eth2 from the bridge?
- In this case, is there a better way to allow access to the management interface only via eth1?
- In this case, is this one firewall rule sufficient to prevent any access to the management interface through eth2?
- Should I worry about only getting roughly 850 Mbit/s via iperf3 through VLAN64 between eth1 (trunk port) and eth4 (access port)?