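# model = RB4011iGS+5HacQ2HnD
# Corrected copy of the posted RB4011 export. Each "# fix:" comment names the
# syntax or logic error in the original line it replaces; "# note:" comments are
# reviewer remarks that do not change the command. Only the changed portions of
# the router config are shown here (the bridge "Puente" itself is defined
# elsewhere).
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
# fix: the original only set a comment, but later lines reference an interface
# called eth10-OffBridge / ether10-OffBridge that did not exist; rename the port
# (same pattern as ether5-OffBridge on the 951G) so the name resolves.
set [ find default-name=ether10 ] name=ether10-OffBridge comment=eth10-OffBridge
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
# fix: "vlan-id-11" was a typo for "vlan-id=11"
add interface=Puente name=vlanHOME-11 vlan-id=11
add interface=Puente name=vlanCAP-10 vlan-id=10
# fix: WAN/LAN/BASE are interface lists, not VLANs; they were placed under
# /interface vlan where "add name=WAN" fails (no interface / vlan-id)
/interface list
add name=WAN
add name=LAN
add name=BASE
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
# fix: interface names are case-sensitive; "vlanHome-11" did not match vlanHOME-11
add address-pool=dhcp disabled=no interface=vlanHOME-11 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 name=dhcp2
/interface bridge port
# fix: "admit-priority-and-untagged" is not a valid frame-types value; the
# RouterOS spelling is admit-only-untagged-and-priority-tagged (as in the
# /interface bridge port export quoted later in this thread)
add bridge=Puente interface=ether2 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether4 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether5 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether6 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether7 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether8 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether9 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# trunk to the AP: tagged frames only, no pvid
add bridge=Puente interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente tagged=Puente,ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=ether2,ether4,ether5,ether6,ether7,ether8,ether9 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlanCAP-10 list=LAN
add interface=vlanHOME-11 list=LAN
add interface=vlanHOME-11 list=BASE
# fix: name aligned with the renamed ether10 port
add interface=ether10-OffBridge list=BASE
/interface wireless cap
# note: the poster's inline question "{ maybe vlan10 here is what is needed ?? }"
# was embedded inside the command's continuation and broke it; it is moved here
# as a comment. Whether discovery-interfaces should be the bridge or a VLAN
# interface is left open in the thread — confirm against the CAPsMAN setup.
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=vlanHOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
# fix: interface name aligned with the renamed ether10 port
add address=192.168.5.1/24 interface=ether10-OffBridge network=192.168.5.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
# fix: the 192.168.200.0/24 DHCP network hands out the router itself as DNS
# server, which only works when the router answers remote queries. The input
# chain below limits DNS (tcp/udp 53) to in-interface-list=LAN and drops all
# else, so this does not turn the WAN side into an open resolver.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# Input chain (traffic addressed to the router itself)
# fix: "{Input Chain}" / "{Forward Chain}" were not comments and would not parse
add action=accept chain=input comment="Regla para aceptar solo las conexiones relacionadas establecidas y untracked:" connection-state=established,related,untracked
add action=drop chain=input comment="Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# fix: the original comment lines ended in a continuation backslash, which glued
# the following "add" onto the same command
add action=accept chain=input in-interface-list=BASE comment="Regla para aceptar el trafico que viene de nuestra BASE"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="Regla para aceptar el trafico LAN para DNS TCP"
# fix: protocol value lower-cased ("UDP" -> "udp")
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="Regla para aceptar el trafico LAN para DNS UDP"
add action=drop chain=input comment="Drop all else"
# Forward chain (traffic routed through the router)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Regla para aceptar solo las conexiones relacionadas establecidas y untracked" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid comment="Regla para denegar conexiones invalidas"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="Regla para aceptar el trafico que saldr\E1 l'internet que viene de LAN"
# fix: port-forwarded traffic is forwarded, not delivered to the router, so this
# rule belongs in chain=forward, and the matcher is connection-nat-state=dstnat
# ("connection-state" has no dstnat value).
# note: this accepts every dst-nat'd flow from the Internet, including the
# tcp/443 forward to the camera below; when the remote peers are known, a
# src-address-list match on this rule narrows that exposure.
add action=accept chain=forward connection-nat-state=dstnat comment="entrar lo que este en DST-NAT"
# fix: the original drop had no chain= and so never applied to forward.
# With only LAN->WAN and dst-nat'd flows accepted above, this final drop also
# keeps vlanHOME-11 and vlanCAP-10 from reaching each other.
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=5000 protocol=tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6281 protocol=tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6150 protocol=tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=pppoe-out1 dst-port=6170,443 protocol=tcp to-addresses=192.168.1.8
/ip ssh
# fix: the original line was a placeholder ("set ????????????"); these are the
# values the thread settles on later (no "none" cipher, no SSH port forwarding
# through the router) plus strong-crypto, which disables the weak legacy
# ciphers/MACs.
set allow-none-crypto=no forwarding-enabled=no strong-crypto=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE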
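# model = 951G-2HnD
# Corrected copy of the posted 951G listing (acts as a VLAN-aware AP / switch
# behind the RB4011). "# fix:" marks a changed line, "# note:" a reviewer remark.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# note: the security profile applied to wlan1 is not part of this excerpt —
# confirm it uses authentication-types=wpa2-psk (see the security-profiles
# lines further down the thread); the SSID is left at the export value.
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
set [ find default-name=ether5 ] name=ether5-OffBridge
/interface vlan
# required: this is the management ("base") VLAN the device is administered on
add interface=bridge1 name=vlan11-home vlan-id=11
# not strictly required (VLAN 10 only transits the bridge), kept so the reader sees both VLANs
# fix: both inline "{ ... }" remarks were inside the commands and broke them
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=MANAGE
# fix: the menu path is "/interface list member" (singular), as in the RB4011 listing
/interface list member
add interface=vlan11-home list=MANAGE
add interface=ether5-OffBridge list=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge port
# trunk towards the RB4011: tagged frames only
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# fix: frame-types value corrected to the RouterOS spelling
add bridge=bridge1 interface=wlan1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=11
# fix: VLAN 10 (wlan1 clients) was tagged only on bridge1, so it never left the
# AP over the ether1 trunk; it must be tagged on ether1 as well
add bridge=bridge1 tagged=bridge1,ether1 untagged=wlan1 vlan-ids=10
/ip address
add address=192.168.5.1/24 interface=ether5-OffBridge network=192.168.5.0
# note: the DNS server and default route below point at 192.168.1.1, which is
# only reachable if this device also has an address in 192.168.1.0/24 on
# vlan11-home; that address is not in this excerpt (the post says only changed
# portions are included) — confirm it exists.
/ip dns
# dns through trusted subnet gateway
# (moved from an inline comment= argument, which /ip dns set does not accept)
set allow-remote-requests=yes servers=192.168.1.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE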
These are not settings the user chose; they are the defaults for v6.xx, and when migrating to another version where the new defaults are no / no, the export shows that.
WARNING - Why is SSH set up without crypto? What is the purpose???
# Values as exported from the v6.x defaults. allow-none-crypto=yes lets an SSH
# client negotiate the "none" cipher (session without confidentiality) and
# forwarding-enabled=remote allows remote port forwarding through the router;
# neither is needed for administration. The corrected lines appear below.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
Also, in the CLI (accessed via New Terminal) you can type: ...
These are not settings the user chose; they are the defaults for v6.xx, and when migrating to another version where the new defaults are no / no, the export shows that.
WARNING - Why is SSH set up without crypto? What is the purpose???
# Same v6.x default values quoted again ("none" cipher allowed, remote
# forwarding allowed); these are the lines being questioned.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# Hardened values: the "none" cipher is refused and SSH port forwarding
# through the router is off.
/ip ssh
set allow-none-crypto=no forwarding-enabled=no
{
# Consolidated corrections suggested in this thread, grouped by menu.
# CAPsMAN-provisioned wireless: WPA2-PSK with AES-CCM on every entry
/caps-man configuration
set [find] security.authentication-types=wpa2-psk security.encryption=aes-ccm
/caps-man security
set [find] authentication-types=wpa2-psk
# PPPoE client keepalive (seconds) so a dead ISP session is noticed
/interface pppoe-client
set [find] keepalive-timeout=10
# Local (non-CAPsMAN) wireless profile: WPA2-PSK only, no EAP, management-frame protection off
/interface wireless security-profiles
set Misclaves authentication-types=wpa2-psk eap-methods=passthrough management-protection=disabled supplicant-identity=MikroTik
# Policy set of the built-in "full" group. "sensitive" allows viewing stored
# secrets such as passwords and "!dude" keeps Dude access off; keep membership
# of this group to the administrator account(s).
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp
# Neighbor discovery on the built-in "static" list (all non-dynamic
# interfaces). That list would also cover the WAN ports (ether1 and the
# configured pppoe-out1); the BASE/MANAGE lists used elsewhere in this thread
# confine discovery to management interfaces — confirm which is intended.
/ip neighbor discovery-settings
set discover-interface-list=static
# SSH: no "none" cipher, no port forwarding through the router
/ip ssh
set allow-none-crypto=no forwarding-enabled=no
}
# Neighbor discovery (MNDP/CDP/LLDP announcements) on the built-in "static"
# list, i.e. every non-dynamic interface. That would also include the WAN
# ports (ether1 and the configured pppoe-out1); the BASE/MANAGE lists used in
# the listings above restrict discovery to management interfaces.
/ip neighbor discovery-settings
set discover-interface-list=static
Ready!!
Also, in the CLI (accessed via New Terminal) you can type: ...
These are not settings the user chose; they are the defaults for v6.xx, and when migrating to another version where the new defaults are no / no, the export shows that.
# One-line CLI form of the SSH fix: refuse the "none" cipher
/ip ssh set allow-none-crypto=no
# Disable the management services not needed after the migration. Note that
# this also disables SSH, which the /ip ssh lines in this thread harden — keep
# ssh enabled if it is the intended CLI path, and restrict whatever remains
# enabled (winbox, www) with address=<trusted subnet> where possible.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
Thanks for the help.
WARNING - Why is SSH set up without crypto? What is the purpose???
# The questioned lines once more, as exported: "none" cipher allowed and
# remote port forwarding allowed (v6.x defaults, not a deliberate choice).
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
{ Another error just noted, this is incorrect: /ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 — it should be the bridge for your config setup. }
{ However, I am suggesting an alternative approach. }
{ Another error noted: REMOVE the IP DHCP client (the warning message indicates an issue). It is NOT required, as the DHCP client is handled already in the pppoe-client settings!! }
/ip dhcp-client
# DHCP client can not run on slave interface!
# (the export warning above indicates ether1 is a slave/bridge port on the live
# device, so this client never runs; the thread recommends removing the entry
# because the WAN address comes from the PPPoE client)
add disabled=no interface=ether1
{ Missing: pppoe-out1 as a WAN interface list member }
{ Format for destination NAT is dst-port= }
{ Also, why is this lease time set to 10 seconds? Recommend at least 1 day:
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s \ }
{ Firewall rules: many small errors; the big one is that port-forwarding DST-NAT rules don't belong in the input chain! }
In general, there should be a trusted subnet.
It can be the LAN subnet on the RB4011 — it could be vlan10, for example — or you can add one.
It should be one that your PC is normally connected to as you configure the devices from this pc.
All attached smart devices (such as APs and Switches that can read vlan tags such as the RB95 ) should have an IP address from this subnet.
The solution I would find easiest to implement is to add vlan11
This will be the home VLAN, currently your 192.168.1.0 subnet.
Router: BEFORE you start, recommend both firmwares should be the same if possible.
***** I include only changed portions for the most part****
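# model = RB4011iGS+5HacQ2HnD
# Corrected copy of the posted RB4011 export. Each "# fix:" comment names the
# syntax or logic error in the original line it replaces; "# note:" comments are
# reviewer remarks that do not change the command. Only the changed portions of
# the router config are shown here (the bridge "Puente" itself is defined
# elsewhere).
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
# fix: the original only set a comment, but later lines reference an interface
# called eth10-OffBridge / ether10-OffBridge that did not exist; rename the port
# (same pattern as ether5-OffBridge on the 951G) so the name resolves.
set [ find default-name=ether10 ] name=ether10-OffBridge comment=eth10-OffBridge
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
# fix: "vlan-id-11" was a typo for "vlan-id=11"
add interface=Puente name=vlanHOME-11 vlan-id=11
add interface=Puente name=vlanCAP-10 vlan-id=10
# fix: WAN/LAN/BASE are interface lists, not VLANs; they were placed under
# /interface vlan where "add name=WAN" fails (no interface / vlan-id)
/interface list
add name=WAN
add name=LAN
add name=BASE
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
# fix: interface names are case-sensitive; "vlanHome-11" did not match vlanHOME-11
add address-pool=dhcp disabled=no interface=vlanHOME-11 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 name=dhcp2
/interface bridge port
# fix: "admit-priority-and-untagged" is not a valid frame-types value; the
# RouterOS spelling is admit-only-untagged-and-priority-tagged (as in the
# /interface bridge port export quoted later in this thread)
add bridge=Puente interface=ether2 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether4 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether5 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether6 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether7 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether8 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=Puente interface=ether9 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# trunk to the AP: tagged frames only, no pvid
add bridge=Puente interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente tagged=Puente,ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=ether2,ether4,ether5,ether6,ether7,ether8,ether9 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlanCAP-10 list=LAN
add interface=vlanHOME-11 list=LAN
add interface=vlanHOME-11 list=BASE
# fix: name aligned with the renamed ether10 port
add interface=ether10-OffBridge list=BASE
/interface wireless cap
# note: the poster's inline question "{ maybe vlan10 here is what is needed ?? }"
# was embedded inside the command's continuation and broke it; it is moved here
# as a comment. Whether discovery-interfaces should be the bridge or a VLAN
# interface is left open in the thread — confirm against the CAPsMAN setup.
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=vlanHOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
# fix: interface name aligned with the renamed ether10 port
add address=192.168.5.1/24 interface=ether10-OffBridge network=192.168.5.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
# fix: the 192.168.200.0/24 DHCP network hands out the router itself as DNS
# server, which only works when the router answers remote queries. The input
# chain below limits DNS (tcp/udp 53) to in-interface-list=LAN and drops all
# else, so this does not turn the WAN side into an open resolver.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# Input chain (traffic addressed to the router itself)
# fix: "{Input Chain}" / "{Forward Chain}" were not comments and would not parse
add action=accept chain=input comment="Regla para aceptar solo las conexiones relacionadas establecidas y untracked:" connection-state=established,related,untracked
add action=drop chain=input comment="Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# fix: the original comment lines ended in a continuation backslash, which glued
# the following "add" onto the same command
add action=accept chain=input in-interface-list=BASE comment="Regla para aceptar el trafico que viene de nuestra BASE"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="Regla para aceptar el trafico LAN para DNS TCP"
# fix: protocol value lower-cased ("UDP" -> "udp")
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="Regla para aceptar el trafico LAN para DNS UDP"
add action=drop chain=input comment="Drop all else"
# Forward chain (traffic routed through the router)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Regla para aceptar solo las conexiones relacionadas establecidas y untracked" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid comment="Regla para denegar conexiones invalidas"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="Regla para aceptar el trafico que saldr\E1 l'internet que viene de LAN"
# fix: port-forwarded traffic is forwarded, not delivered to the router, so this
# rule belongs in chain=forward, and the matcher is connection-nat-state=dstnat
# ("connection-state" has no dstnat value).
# note: this accepts every dst-nat'd flow from the Internet, including the
# tcp/443 forward to the camera below; when the remote peers are known, a
# src-address-list match on this rule narrows that exposure.
add action=accept chain=forward connection-nat-state=dstnat comment="entrar lo que este en DST-NAT"
# fix: the original drop had no chain= and so never applied to forward.
# With only LAN->WAN and dst-nat'd flows accepted above, this final drop also
# keeps vlanHOME-11 and vlanCAP-10 from reaching each other.
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=5000 protocol=tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6281 protocol=tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6150 protocol=tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=pppoe-out1 dst-port=6170,443 protocol=tcp to-addresses=192.168.1.8
/ip ssh
# fix: the original line was a placeholder ("set ????????????"); these are the
# values the thread settles on later (no "none" cipher, no SSH port forwarding
# through the router) plus strong-crypto, which disables the weak legacy
# ciphers/MACs.
set allow-none-crypto=no forwarding-enabled=no strong-crypto=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE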
The only thing I am not sure about is this line.
/interface wireless cap
# Local CAP: both radios handed to CAPsMAN, with discovery over the bridge.
# Whether discovery-interfaces should instead be a VLAN interface is the open
# question in this thread (the poster's guess follows this snippet).
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
wlan1,wlan2
I am guessing this may be what is needed??
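# Poster's guess (untested): discover CAPsMAN over a VLAN interface instead of
# the bridge. The trailing "????" is removed so the line parses. No interface
# named vlan10 exists in the RB4011 listing above — its VLAN-10 interface is
# vlanCAP-10 — so confirm the name before applying.
set bridge=Puente discovery-interfaces=vlan10 enabled=yes interfaces=wlan1,wlan2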
# RouterOS default firewall ("defconf") quoted for comparison. It relies on the
# LAN and WAN interface lists being populated: anything not arriving on a
# LAN-list interface is dropped in the input chain, so with the RB4011 lists
# above the off-bridge management port (a member of BASE only) would have to be
# added to LAN to reach the router at all.
/ip firewall filter
# input: replies to router-initiated and already tracked traffic
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# input: ICMP from anywhere (the default does not rate-limit it)
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# input: CAPsMAN and a local CAP on the same box talk over loopback
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# input: everything else must arrive on a LAN-list interface
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# forward: IPsec-policy traffic is accepted before fasttrack so it is not
# fasttracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# forward: new connections from WAN are dropped unless a dst-nat rule already
# translated them — this is where port forwards are admitted, in the forward
# chain rather than the input chain
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
RB4011
(1) There is an old default pool entry, and the pool for the VLANs is missing. OKAY, I see them later, so simply get rid of the pool that refers to 192.168.88.x.
Each VLAN whose parent interface is the bridge requires:
ip pool
dhcp server
dhcp server network
IP address
I don't see 192.168.88.x, and I see the DHCP server and pool
not working yet
(2) Okay, for BRIDGE ports: ether3 is a trunk port carrying both VLANs tagged, so this is incorrect.
# As posted (incorrect): ether3 is the trunk to the AP, so VLAN 10 must be
# tagged on it rather than untagged. Also note that ether9 is absent from the
# VLAN 11 untagged list here although the earlier listing includes it.
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
add bridge=Puente tagged=Puente,ether3 untagged=\
ether2,ether4,ether5,ether6,ether7,ether8 vlan-ids=11
that line should be
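# corrected: VLAN 10 tagged on the trunk port ether3 (BBCode residue "[/color]" removed)
add bridge=Puente tagged=Puente,ether3 vlan-ids=10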
(3) In keeping with this theme lets look at the corresponding /interface bridge port setting
# Bridge-port export as posted. Compared with ether2–ether8, the ether9, wlan1
# and wlan2 entries lack ingress-filtering=yes; ether10 is added to the bridge
# with no pvid/frame-types although elsewhere in this thread ether10 is the
# off-bridge management port (worth confirming); and ether3 combines
# admit-only-vlan-tagged with pvid=10, which is inconsistent with its trunk
# role — see the corrected line after this listing.
/interface bridge port
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=11
# no ingress-filtering on ether9, unlike ether2–ether8
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=ether9 pvid=11
# ether10 in the bridge without pvid/frame-types
add bridge=Puente interface=ether10
# trunk port, but with a pvid — see the note above
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3 pvid=10
# local radios in the home VLAN, no ingress-filtering
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1 pvid=11
add bridge=Puente frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=11
You can see the discrepancy clearly here: you are saying ether3 is for tagged traffic only, and yet with the pvid you are telling it to tag incoming traffic with VLAN 10 as if it were connected to a dumb device.
Correct line is.
# corrected ether3 trunk port: tagged frames only, ingress filtering on, no pvid
add bridge=Puente frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3
Buenos, so the config is basically working now?
Hello:
Well it works now.
The detail of the IP 0.0.0.0, how can it be solved?