First of all, I wanna thank you for your awesome work in this forum; especially those threads where the author posts a final working config are really, really helpful.
I purchased an RB5009 a few weeks ago and finally found some time to tinker with it. I plan to replace my Ubiquiti USG with the RB, and sadly I need to do some double-NAT stuff because I have a Fritzbox from my provider, but never mind, that worked so far...
Furthermore, there is an 8-port Ubiquiti switch plus an AP Pro in my living room and a CRS305 in my office (my first MikroTik device, now I'm hooked...)
Right now I want 5 VLANs: 3 of those are for Wi-Fi (IoT, Guest, Home), one management and the normal LAN.
#######################################
# VLAN Overview
#######################################
# 10 = LAN - 10.0.9.1/24
# 20 = WLAN - 10.0.20.1/24
# 30 = Guest WLAN - 10.0.30.1/24
# 50 = IoT - 10.0.50.1/24
# 99 = MGMT VLAN - 192.168.99.1/24
#######################################
# Port Overview
#######################################
# ether1 - Access port VLAN 10
# ether2 - Access port VLAN 10
# ether3 - Access port VLAN 10
# ether4 - Access port VLAN 10
# ether5 - HP ILOM, VLAN 99
# ether6 - Management Interface, VLAN 99
# ether7 - Trunk to Switch in Living Space
# ether8 - WAN Interface, DHCP Client
# sfp-sfpplus1 - Trunk to CRS305
# lte1 - USB Lte fallback
Currently I'm struggling a bit with the firewall rules and would appreciate some feedback. All VLANs except the IoT one need internet access; only a single IoT device should be enabled right now. Furthermore, I want to allow all LAN devices to access the WLAN and IoT devices (and vice versa for WLAN devices). The Guest WLAN should be completely isolated.
The WebUI (192.168.99.1) should only be accessible from the Management VLAN.
Is there any shortcut to prevent the other VLANs from accessing the WebUI? Right now it's accessible on all gateway IPs. Furthermore, I ask myself if I'm missing something with the other rules; it seems to be too easy oO.
/ip firewall filter
##################
# INPUT CHAIN
##################
add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=drop comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN
##################
# FORWARD CHAIN
##################
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
## Some communication between VLANs
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=WLAN_VLAN comment="Corporate => WLAN"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=Corporate_VLAN comment="WLAN => Corporate"
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=IoT_VLAN comment="Corporate => IoT"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=IoT_VLAN comment="WLAN => IoT"
## Allow internet access for specific IoT Devices only
add chain=forward action=accept out-interface-list=WAN src-mac-address=2C:F4:32:16:02:F
## Allow IoT Devices to access MQTT Gateway
add chain=forward action=accept dst-address=10.0.9.17 dst-port=1883 in-interface=IoT_VLAN protocol=tcp
## Drop all other IoT traffic (the S in IoT means security...)
add chain=forward action=drop in-interface=IoT_VLAN out-interface-list=WAN
## Allow internet access for all other VLANs
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="Default masquerade"
######################################################
######################################################
####
#### RB5009 Configuration
####
####
######################################################
######################################################
#######################################
# VLAN Overview
#######################################
# 10 = LAN - 10.0.9.1/24
# 20 = WLAN - 10.0.20.1/24
# 30 = Guest WLAN - 10.0.30.1/24
# 50 = IoT - 10.0.50.1/24
# 99 = MGMT VLAN - 192.168.99.1/24
#######################################
# Port Overview
#######################################
# ether1 - Access port VLAN 10
# ether2 - Access port VLAN 10
# ether3 - Access port VLAN 10
# ether4 - Access port VLAN 10
# ether5 - HP ILOM, VLAN 99
# ether6 - Management Interface, VLAN 99
# ether7 - Trunk to Switch in Living Space
# ether8 - WAN Interface, DHCP Client
# sfp-sfpplus1 - Trunk to CRS305
# lte1 - USB LTE fallback
######################################################
#### ####
#### System Configuration ####
#### ####
######################################################
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=rb5009
/ip ssh
set always-allow-password-login=yes
######################################################
#### ####
#### Create Bridge ####
#### ####
######################################################
/interface bridge
add name=BR1 vlan-filtering=yes
/interface bridge port
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 comment="ILOM" pvid=99
add bridge=BR1 interface=ether6 comment="Management Port" pvid=99
add bridge=BR1 interface=ether7 comment="Trunk Living Room"
add bridge=BR1 interface=sfp-sfpplus1 comment="Trunk CRS305"
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=10 comment="LAN"
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=20 comment="WLAN"
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=30 comment="Guest VLAN"
add bridge=BR1 tagged=BR1,ether6,ether7,sfp-sfpplus1 vlan-ids=50 comment="IoT VLAN"
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether5,ether6 vlan-ids=99 comment="Mgmt VLAN"
######################################################
#### ####
#### Configure WAN Networking ####
#### ####
######################################################
/ip dhcp-client
add comment=WAN interface=ether8
######################################################
#### ####
#### LAN Network ####
#### ####
######################################################
/interface vlan
add interface=BR1 name=Corporate_VLAN vlan-id=10
/ip address
add interface=Corporate_VLAN address=10.0.9.1/24
/ip pool
add name=Corporate_POOL ranges=10.0.9.20-10.0.9.200 comment="Corporate Pool"
/ip dhcp-server
add address-pool=Corporate_POOL interface=Corporate_VLAN name=Corporate_DHCP disabled=no
/ip dhcp-server network
add address=10.0.9.0/24 dns-server=10.0.9.1 gateway=10.0.9.1
######################################################
#### ####
#### WLAN Network ####
#### ####
######################################################
/interface vlan
add interface=BR1 name=WLAN_VLAN vlan-id=20
/ip address
add interface=WLAN_VLAN address=10.0.20.1/24
/ip pool
add name=WLAN_POOL ranges=10.0.20.20-10.0.20.200 comment="WLAN Pool"
/ip dhcp-server
add address-pool=WLAN_POOL interface=WLAN_VLAN name=WLAN_DHCP disabled=no
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
######################################################
#### ####
#### Guest WLAN Network ####
#### ####
######################################################
/interface vlan
add interface=BR1 name=Guest_VLAN vlan-id=30
/ip address
add interface=Guest_VLAN address=10.0.30.1/24
/ip pool
add name=Guest_POOL ranges=10.0.30.20-10.0.30.200 comment="Guest WLAN Pool"
/ip dhcp-server
add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP disabled=no
/ip dhcp-server network
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
######################################################
#### ####
#### IoT WLAN Network ####
#### ####
######################################################
/interface vlan
add interface=BR1 name=IoT_VLAN vlan-id=50
/ip address
add interface=IoT_VLAN address=10.0.50.1/24
/ip pool
add name=IoT_POOL ranges=10.0.50.20-10.0.50.200 comment="IoT WLAN Pool"
/ip dhcp-server
add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1
######################################################
#### ####
#### Management Network ####
#### ####
######################################################
/interface vlan
add interface=BR1 name=Mgmt_VLAN vlan-id=99
/ip address
add interface=Mgmt_VLAN address=192.168.99.1/24
/ip pool
add name=Mgmt_POOL ranges=192.168.99.11-192.168.99.50 comment="Mgmt Pool"
/ip dhcp-server
add address-pool=Mgmt_POOL interface=Mgmt_VLAN name=Mgmt_DHCP disabled=no
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
######################################################
#### ####
#### Configure DNS ####
#### ####
######################################################
/ip dns
# "servers" is a key=value parameter; without "=" RouterOS rejects the line
set servers=9.9.9.9,8.8.8.8,1.1.1.1,1.0.0.1,4.2.2.2
set allow-remote-requests=yes
######################################################
#### ####
#### Interface List ####
#### ####
######################################################
/interface list
add name=VLAN comment="VLAN Interfaces"
add name=MGMT comment="MGMT Interfaces"
add name=WAN comment="WAN Interfaces"
/interface list member
add interface=lte1 list=WAN
add interface=ether8 list=WAN
add interface=Mgmt_VLAN list=VLAN
add interface=Corporate_VLAN list=VLAN
add interface=WLAN_VLAN list=VLAN
# Guest_VLAN has to be in the VLAN list too, otherwise neither the
# "VLAN Internet Access" forward rule nor the input chain ever matches guests
add interface=Guest_VLAN list=VLAN
add interface=IoT_VLAN list=VLAN
add interface=Mgmt_VLAN list=MGMT
######################################################
#### ####
#### Firewall ####
#### ####
######################################################
/ip firewall filter
##################
# INPUT CHAIN
##################
add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=drop comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN
##################
# FORWARD CHAIN
##################
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
## Some communication between VLANs
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=WLAN_VLAN comment="Corporate => WLAN"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=Corporate_VLAN comment="WLAN => Corporate"
add chain=forward action=accept in-interface=Corporate_VLAN out-interface=IoT_VLAN comment="Corporate => IoT"
add chain=forward action=accept in-interface=WLAN_VLAN out-interface=IoT_VLAN comment="WLAN => IoT"
## Allow internet access for specific IoT Devices only
add chain=forward action=accept out-interface-list=WAN src-mac-address=2C:F4:32:16:02:F
## Allow IoT Devices to access MQTT Gateway
add chain=forward action=accept dst-address=10.0.9.17 dst-port=1883 in-interface=IoT_VLAN protocol=tcp
## Drop all other IoT traffic (the S in IoT means security...)
add chain=forward action=drop in-interface=IoT_VLAN out-interface-list=WAN
## Allow internet access for all other VLANs
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="Default masquerade"
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus1]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from Mgmt_VLAN
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
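As an added example (not the original poster's config), here is one way to rewrite the input chain and the /ip service settings so that the WebUI, WinBox and SSH answer only from Mgmt_VLAN while DNS and DHCP keep working for the other VLANs, no matter which gateway IP a client targets. It assumes the VLAN and MGMT interface lists and the 192.168.99.0/24 management subnet from the config above, and it is meant to replace the four posted input-chain rules rather than sit after them.

```routeros
# Added example, not the poster's config. Assumes interface lists VLAN and MGMT
# and the Mgmt_VLAN subnet 192.168.99.0/24 exactly as defined above.

# Layer 1: bind the services themselves to the management subnet (source address
# check) and switch off the ones that are not used at all.
/ip service
set www address=192.168.99.0/24
set www-ssl address=192.168.99.0/24
set winbox address=192.168.99.0/24
set ssh address=192.168.99.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Layer 2: the posted input chain ends with "drop all not coming from VLAN", which
# implicitly accepts everything from every VLAN, including 10.0.9.1:80. Replace it
# with explicit accepts and a catch-all drop, so the ingress interface decides.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# Services every client VLAN legitimately needs from its gateway: DNS and DHCP
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53 comment="DNS (udp) from VLANs"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 comment="DNS (tcp) from VLANs"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=67 comment="DHCP from VLANs"
# Management only via the MGMT interface list (Mgmt_VLAN), on any gateway address
add chain=input action=accept in-interface-list=MGMT protocol=tcp dst-port=22,80,443,8291 comment="SSH/WebUI/WinBox from Mgmt_VLAN"
# Everything else aimed at the router itself is dropped and logged for review
add chain=input action=drop log=yes log-prefix="INPUT-DROP " comment="drop all other input"
```

The /ip service address filter keys on the client's source address and the input rule on the ingress interface, so together they cover both the "which gateway IP" and the "which VLAN" angle. A quick check after applying: from a Corporate_VLAN host, http://10.0.9.1 should now time out and show up in the log with the INPUT-DROP prefix, while http://192.168.99.1 still loads from Mgmt_VLAN.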