simsrw73 (Topic Author)
Misc questions

Fri Dec 24, 2021 6:23 pm

https://github.com/simsrw73/documents/t ... smart-home

Guest VLAN Isolation:

Reading articles and posts, it's recommended to set default-forwarding to no and add a firewall rule. My testing seems to indicate that this is redundant. Is this correct?

/interface wireless
add default-forwarding=no ...

add action=drop chain=forward in-interface=vlan-guest out-interface-list=!WAN

DNS

What is the correct way to set up DNS on client network devices (switches, aps)? Do you leave it empty until you're ready to upgrade? Point it toward the router? Create static entries?

# Router
/ip dns set allow-remote-requests=yes servers=...

# Switch
/ip dns set servers=192.168.99.1

Limit wireless device to certain SSIDs

This is dumb and not a MT issue. My Amazon Alexa devices want to keep jumping networks and deleting the network settings on Amazon's site does not seem to work. So I want to limit Alexa to interfaces: wlan-2g-iot & wlan-5g-iot. But I couldn't figure out a more direct way of saying that other than rejecting Alexa on the networks it was trying to jump to, ending up with three rules for each of 10 devices. Is there a better, more direct way?

/interface wireless access-list
add authentication=no interface=wlan-2g mac-address=74:E2:0C:A2:49:D5
add authentication=no interface=wlan-2g-nest mac-address=74:E2:0C:A2:49:D5
add authentication=no interface=wlan-5g mac-address=74:E2:0C:A2:49:D5

Samba

Why are there duplicates in these (unused) sections in the default config?

/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub

/ip smb users
add name=guest
add name=guest

NTP

I cannot get the NTP client working. I had this set up on my hEX S before upgrading to the rb5009 and implementing a VLAN config. I've tried several time servers and I'm pretty sure I've set it up as I had it before and made a firewall rule to open that port. But my router hangs listening for the remote NTP server and all my client network devices hang listening for the NTP server on the router. What am I getting wrong? Something on the firewall? That's my biggest weakness currently. I'm pretty sure there are some redundancies and improvements that could be made to my config...

https://github.com/simsrw73/documents/t ... smart-home

# dec/24/2021 10:08:20 by RouterOS 7.1.1
# software id = SYTB-ZK4C
#
# model = RB5009UG+S+
# serial number = EC1A0FCC6B92

/system identity
set name=RT1-Office-NR2

/interface ethernet
set [ find default-name=ether7 ] name=ether7-Access

/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=119

/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119

/interface list
add name=WAN
add name=VLAN
add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip dhcp-client
add interface=ether1

/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0

/ip pool
add name=dhcp_pool-base ranges=192.168.99.20-192.168.99.254
add name=dhcp_pool-guest ranges=192.168.101.20-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.20-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.20-192.168.119.254

/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security

/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.101.0/24 gateway=192.168.101.1
add address=192.168.107.0/24 gateway=192.168.107.1
add address=192.168.119.0/24 gateway=192.168.119.1

/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow VLAN_BASE" in-interface=\
    vlan-base log=yes
add action=accept chain=input comment="Allow LAN NTP queries-UDP" dst-port=\
    123 in-interface-list=VLAN log=yes log-prefix=NTP:: protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "Isolation for wifi guest. Only allow internet." in-interface=vlan-guest \
    log=yes out-interface-list=!WAN
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else"

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.99.0/24 src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port Fwd for Home Assistant" \
    dst-address-list=WAN_IP dst-port=8123 protocol=tcp to-addresses=\
    192.168.99.10

/ip neighbor discovery-settings
set discover-interface-list=BASE

/tool mac-server
set allowed-interface-list=BASE

/tool mac-server mac-winbox
set allowed-interface-list=BASE

/ip ssh
set strong-crypto=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011

/system clock
set time-zone-name=America/New_York

/ip cloud
set ddns-enabled=yes

/system ntp client
set enabled=yes

/system ntp client servers
add address=pool.ntp.org

/system ntp server
set broadcast=yes broadcast-addresses=192.168.99.255 enabled=yes

/system routerboard settings
set cpu-frequency=auto

/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub

/ip smb users
add name=guest
add name=guest
 
anav

Re: Misc questions

Fri Dec 24, 2021 6:38 pm

I will take question number 1.

Depends!!

The act of removing the check from the forwarding checkbox on the main Wireless settings TAB means that the WIFI clients are isolated from each other, regardless of being in the same subnet (VLAN). However, for example, this does not mean they are separated from wired clients on the same VLAN.

As to the second part of your question that is a different scenario.
Most people, after a bit of experience, make their firewall rulesets with the tactic of ONLY allowing traffic, such that one has

Basic default ruleset
{Rules to allow traffic}
Drop all else

So in admin made rules one has
allow LAN to WAN
allow port forwarding (if required)
allow access to a common printer (if required)
etc..
Drop all else.

So you can see that I don't have to drop any traffic between VLANs as that is done by default by the last rule.
The only thing I need to concern myself with is which traffic I want to permit.
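As an added illustration of the allow-list pattern anav describes (example config written for this thread, not from either poster): the wireless default-forwarding setting handles client-to-client traffic on one SSID at layer 2, while the forward chain's final drop covers every inter-VLAN path, so no per-VLAN drop rule such as the poster's guest rule is needed. The WAN and VLAN lists and the Home Assistant address 192.168.99.10 follow the poster's config; `wlan-guest` and the rule letting vlan-iot reach Home Assistant are assumptions for illustration.

```routeros
# Added example, not from the thread. Layer 2: client isolation on the AP.
# Stops guest Wi-Fi clients talking to each other on this SSID only; it does
# nothing for guest -> wired hosts or guest -> other VLANs.
# (wlan-guest is an assumed interface name on the AP.)
/interface wireless
set [ find name=wlan-guest ] default-forwarding=no

# Layer 3: allow-list forward chain on the router. Lists WAN and VLAN and the
# address 192.168.99.10 (Home Assistant) are taken from the poster's config.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# From here on, every rule permits exactly one class of NEW flows.
add chain=forward action=accept connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN comment="any VLAN to Internet"
add chain=forward action=accept connection-state=new in-interface-list=WAN \
    connection-nat-state=dstnat comment="inbound only to port-forwarded hosts"
add chain=forward action=accept connection-state=new in-interface=vlan-iot \
    dst-address=192.168.99.10 dst-port=8123 protocol=tcp \
    comment="assumed: IoT devices may reach Home Assistant"
# Nothing above permits guest -> base/iot/security, so no guest-specific
# drop rule is needed: the final rule catches it. Logging it shows what is
# being blocked while the rule set is new.
add chain=forward action=drop log=yes log-prefix="FWD-DROP: " \
    comment="drop all else"
```

After a guest client tries to reach another VLAN, `/ip firewall filter print stats where chain=forward` shows the hit on the last rule, and the FWD-DROP log entries name the blocked flows, confirming the isolation without a dedicated rule.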
 
simsrw73 (Topic Author)

Re: Misc questions

Mon Dec 27, 2021 8:46 pm

anav wrote:
The act of removing the check from the forwarding checkbox on the main Wireless settings TAB means that the WIFI clients are isolated from each other, regardless of being in the same subnet (VLAN). However, for example, this does not mean they are separated from wired clients on the same VLAN.

As to the second part of your question that is a different scenario.
Most people, after a bit of experience, make their firewall rulesets with the tactic of ONLY allowing traffic

Thanks. Makes sense. Firewall is the next big topic I need to learn.
 
k6ccc

Re: Misc questions

Mon Dec 27, 2021 8:55 pm

simsrw73 wrote:
This is dumb and not a MT issue. My Amazon Alexa devices want to keep jumping networks and deleting the network settings on Amazon's site does not seem to work. So I want to limit Alexa to interfaces: wlan-2g-iot & wlan-5g-iot.

I am not understanding this statement. Your Alexa devices will only connect to the SSID that you set them up for. Think about it - how would it know the password for some other SSID unless you told it that information? I also have a 2.4 GHz IoT SSID and a 5 GHz IoT SSID, and the only one that my Alexa devices know how to connect to is the 5 GHz IoT SSID.
 
simsrw73 (Topic Author)

Re: Misc questions

Mon Dec 27, 2021 9:14 pm

k6ccc wrote:
simsrw73 wrote:
This is dumb and not a MT issue. My Amazon Alexa devices want to keep jumping networks and deleting the network settings on Amazon's site does not seem to work. So I want to limit Alexa to interfaces: wlan-2g-iot & wlan-5g-iot.

I am not understanding this statement. Your Alexa devices will only connect to the SSID that you set them up for. Think about it - how would it know the password for some other SSID unless you told it that information? I also have a 2.4 GHz IoT SSID and a 5 GHz IoT SSID, and the only one that my Alexa devices know how to connect to is the 5 GHz IoT SSID.

Before I had SSIDs for IOT & Guest, I had my Echos on the main SSID. Then I tried to switch them to the IOT network. Even though I deleted that login information from Amazon's config site, it keeps coming back. It may be that I need to take them all offline at the same time and delete the info. Hmm, it may also be Alexa running on a PC or iPad that's keeping the information alive in the network. Somehow it's staying alive after I delete it, which is extremely annoying. But I did initially set them up with that info, so no mystery... I just didn't explain completely.
