I recently purchased an RB-5009 to replace two Netgear switches I have. As I struggled last time viewtopic.php?t=173677, setting up my RB-4011 I have been careful this time in setting up my configuration changes one at a time, but seem to be missing some fundamental understanding about RouterOS or the order changes should be implemented. This at some point in my configuration changes kicks me out and prevents further access to the router until it is powered off and reset.
This is my test configuration (which I think should do what I want)
Code: Select all
###############################################################################
# Topic: RB-5009 Initial Setup and VLAN configuration Post 1
# Example: Isolated VLANs with upstream Router, no WAN, no Firewall
# Web: https://forum.mikrotik.com/viewtopic.php?t=891803
# RouterOS: 7.0.5 Stable
# Model: RB5009UG+S+
# Date: 2021-11-18
# Notes: Working example of intial setup and configuration changes.
# Thanks: Mikrotik
###############################################################################
# VLAN Overview
#######################################
# 1 = Default_VLAN1 NOT IN USE
# 50 = Server_VLAN50 (Management VLAN) (192.168.5.0/24)
# 100 = Back_VLAN100 (192.168.10.0/24)
# 200 = Cabin_VLAN200 (192.168.20.0/24)
# 300 = House_VLAN300 (192.168.30.0/24)
# 400 = Wifi_VLAN400 (192.168.40.0/24)
# 500 = Guest_VLAN500 (192.168.50.0/24)
# 600 = IoT_VLAN600 (192.168.60.0/24)
# Interfaces
#######################################
/interface ethernet
set [ find default-name=ether1 ] name=Eth1_SG-2100_Port2
set [ find default-name=ether2 ] name=Eth2_Hammerstein
set [ find default-name=ether3 ] name=Eth3_Backberry
set [ find default-name=ether4 ] name=Eth4_Kodi
set [ find default-name=ether5 ] name=Eth5_UNUSED
set [ find default-name=ether6 ] name=Eth6_UNUSED
set [ find default-name=ether7 ] name=Eth7_UNUSED
set [ find default-name=ether8 ] name=Eth8_UNUSED
/interface vlan
add interface=RB-5009_Bridge name=Server_VLAN50 vlan-id=50
/interface list
add comment="All network ports" name=LAN
add comment="VLAN Trunk to SG-2100" name=VLAN_Trunk
add comment="All Server_VLAN50 devices" name=Server_VLAN50
add comment="All Back_VLAN100 devices" name=Back_VLAN100
add comment="All VLAN devices" name=VLAN
/interface list member
add interface=RB-5009_Bridge list=LAN
add interface=Eth1_SG-2100_Port2 list=LAN
add interface=Eth2_Hammerstein list=LAN
add interface=Eth3_Backberry list=LAN
add interface=Eth4_Kodi list=LAN
add interface=RB-5009_Bridge list=VLAN_Trunk
add interface=Eth1_SG-2100_Port2 list=VLAN_Trunk
add interface=Eth1_SG-2100_Port2 list=Server_VLAN50
add interface=Eth3_Backberry list=Server_VLAN50
add interface=Eth2_Hammerstein list=Back_VLAN100
add interface=Eth4_Kodi list=Back_VLAN100
# Bridge
#######################################
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no name=RB-5009_Bridge vlan-filtering=no
/interface bridge port
add bridge=RB-5009_Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=Eth1_SG-2100_Port2
add bridge=RB-5009_Bridge interface=Eth2_Hammerstein pvid=100
add bridge=RB-5009_Bridge interface=Eth3_Backberry pvid=50
add bridge=RB-5009_Bridge interface=Eth4_Kodi pvid=100
/interface bridge vlan
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth1_SG-2100_Port2 vlan-ids=50,100,200,300,400,500,600
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth2_Hammerstein vlan-ids=100
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth3_Backberry vlan-ids=50
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth4_Kodi vlan-ids=100
# IP Services
#######################################
/ip address
add address=192.168.5.250/24 interface=Server_VLAN50 network=192.168.5.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-table=main suppress-hw-offload=no
/ip pool
add name=BACK_VLAN100-dhcp ranges=192.168.10.101-192.168.10.199
/ip dhcp-server
add address-pool=BACK_VLAN100-dhcp interface=RB-5009_Bridge name=TMP_DHCPSVR
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 ntp-server=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=192.168.5.1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip cloud
set update-time=no
# Firewall
#######################################
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# System
#######################################
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland
/system identity
set name=RB-5009
/system ntp client
set enabled=yes primary-ntp=192.168.5.1 server-dns-names=nz.pool.ntp.org
/system ntp client servers
add address=192.168.5.1
/system package update
set channel=testing
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip ssh
set strong-crypto=yes
Any thoughts or feedback on whether the script should work as expected or any glaringly obvious problems / errors?
EDIT: FYI I already have a pfSense firewall providing Internet / IP Services / Routing / VLANs which is connected to an existing RB4011 (with VLANs) the RB-5009 will connect to the 2nd LAN port on the firewall, so basically only need the access ports, trunk and IP address for the management VLAN (Server_VLAN50 / 192.168.5.250/24) so I can replace the existing Netgears with the RB-5009.