Should the VLAN be in the bridge?
I have a routerBOARD 3011UiA
We use the following services:
WAN1, WAN2, WAN3 = Internet
SFP1 = uplink to switch
Capsman
I'm not sure whether I should set up the VLANs on the switch chip or on the bridge.
For the QCA8337 chipset the switch-chip method is said to be recommended, right? But SFP1 is not part of the switch chip?
Does VLAN filtering have to be on? or HW offload?
# RouterOS export: three WAN uplinks (WAN1/WAN2 via DHCP, WAN3 via PPPoE),
# one bridge with VLAN filtering, VLAN interfaces for the internal networks,
# DHCP servers per VLAN, and a CAPsMAN controller.
# NOTE(review): this export contains no /ip firewall filter or /ip firewall nat
# sections. If none exist on the device, every service enabled below is
# reachable from the WAN interfaces - confirm against the full export.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=2GHZ
add band=5ghz-n/ac control-channel-width=20mhz name=5GHZ
/caps-man datapath
# Wireless clients are tagged into VLAN 100; client-to-client forwarding is on,
# so stations on this datapath are not isolated from each other.
add client-to-client-forwarding=yes local-forwarding=yes name=FIRMA vlan-id=100 vlan-mode=use-tag
/interface bridge
# VLAN filtering is enabled here, so the /interface bridge vlan table further
# down decides which VLANs each port (and the CPU) may send and receive.
# NOTE(review): whether vlan-filtering keeps hardware offload depends on the
# switch chip - check the bridge hardware offloading table for this board.
add name=BRIDGE vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=sfp1 ] auto-negotiation=no
/interface pppoe-client
add add-default-route=yes interface=ether3 name=WAN3 user=1111111
/interface vlan
# All VLAN interfaces sit on sfp1, but sfp1 is also added as a port of BRIDGE
# below. A VLAN interface on a bridge slave port is a known layer-2
# misconfiguration: with a filtering bridge the VLAN interfaces belong on
# interface=BRIDGE, with BRIDGE itself listed as a tagged member per VLAN.
add interface=sfp1 name=VLAN_99_MGT vlan-id=99
add interface=sfp1 name=VLAN_100_FIRMA vlan-id=100
add interface=sfp1 name=VLAN_200_GAST vlan-id=200
add interface=sfp1 name=VLAN_300_DMZ vlan-id=300
add interface=sfp1 name=VLAN_400_TELEFON vlan-id=400
add interface=sfp1 name=VLAN_500_PRIVAT vlan-id=500
add interface=sfp1 name=VLAN_600_LTE vlan-id=600
add interface=sfp1 name=VLAN_700_BACKUP vlan-id=700
# NOTE(review): the name says 700 but vlan-id is 800 - rename to avoid
# applying rules to the wrong segment.
add interface=sfp1 name=VLAN_700_SONSTIGES vlan-id=800
/caps-man security
# No passphrase appears on these profiles; the export may have hidden it.
# Confirm each profile has its own passphrase - the guest profile (bridge_GAST)
# should not share one with FIRMA or PRIVAT.
add authentication-types=wpa2-psk encryption=aes-ccm name=bridge_FIRMA
add authentication-types=wpa2-psk encryption=aes-ccm name=bridge_GAST
add authentication-types=wpa2-psk encryption=aes-ccm name=bridge_PRIVAT
/interface list
# The WAN list is defined and populated below, but nothing visible in this
# export references it (no firewall or NAT rule uses it).
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_FIRMA ranges=10.10.252.50-10.10.252.150
add name=dhcp_pool_GAST ranges=192.168.181.50-192.168.181.150
add name=dhcp_pool_PRIVAT ranges=192.168.152.50-192.168.152.150
add name=dhcp_pool_DMZ ranges=10.16.252.245-10.16.252.253
add name=dhcp_pool_BACKUP ranges=10.11.252.245-10.11.252.253
add name=dhcp_pool_MGT ranges=10.99.178.2-10.99.178.254
/ip dhcp-server
# One DHCP server per addressed VLAN interface. VLANs 400, 600 and 800 have no
# server, pool or address anywhere in this export.
add address-pool=dhcp_pool_FIRMA interface=VLAN_100_FIRMA name=dhcp_FIRMA
add address-pool=dhcp_pool_GAST interface=VLAN_200_GAST name=dhcp_GAST
add address-pool=dhcp_pool_PRIVAT interface=VLAN_500_PRIVAT name=dhcp_PRIVAT
add address-pool=dhcp_pool_DMZ interface=VLAN_300_DMZ name=dhcp_DMZ
add address-pool=dhcp_pool_BACKUP interface=VLAN_700_BACKUP name=dhcp_BACKUP
add address-pool=dhcp_pool_MGT interface=VLAN_99_MGT name=dhcp_MGT
/caps-man access-list
# Both signal-range rules are disabled, so they currently have no effect.
add action=reject allow-signal-out-of-range=10s disabled=yes interface=all signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=yes interface=all signal-range=-75..115 ssid-regexp=""
/caps-man configuration
# channel=*3 is an internal ID, not a name: it points at a channel entry that
# no longer exists. Re-select 2GHZ or 5GHZ.
add channel=*3 datapath=FIRMA mode=ap name=TEST_CONFIG security=bridge_FIRMA ssid=TEST
/caps-man manager
# Certificates are generated automatically, but require-peer-certificate is not
# set here, so CAPs are not required to present a certificate.
# NOTE(review): no /caps-man manager interface section is shown; confirm the
# manager is not listening on the WAN interfaces.
set ca-certificate=auto certificate=auto enabled=yes package-path=/ upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=TEST_CONFIG name-format=prefix-identity
/interface bridge port
# No pvid, frame-types or ingress-filtering is set on any port, so every port
# stays at the defaults (untagged traffic in VLAN 1).
add bridge=BRIDGE interface=ether4
add bridge=BRIDGE interface=ether5
add bridge=BRIDGE interface=ether6
add bridge=BRIDGE interface=ether7
add bridge=BRIDGE interface=ether8
add bridge=BRIDGE interface=ether9
add bridge=BRIDGE interface=sfp1
/interface bridge vlan
# Only VLAN 100 is listed, and it names no tagged or untagged ports. With
# vlan-filtering=yes the other VLAN IDs used above are not permitted on any
# port. Each VLAN needs an entry with sfp1 (the switch uplink) and BRIDGE
# (for the router's own VLAN interfaces) as tagged members.
add bridge=BRIDGE vlan-ids=100
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN3 list=WAN
/ip address
add address=10.10.252.254/24 interface=VLAN_100_FIRMA network=10.10.252.0
add address=192.168.181.254/24 interface=VLAN_200_GAST network=192.168.181.0
add address=192.168.152.254/24 interface=VLAN_500_PRIVAT network=192.168.152.0
add address=10.16.252.254/24 interface=VLAN_300_DMZ network=10.16.252.0
add address=10.11.252.254/24 interface=VLAN_700_BACKUP network=10.11.252.0
add address=10.99.178.1/24 interface=VLAN_99_MGT network=10.99.178.0
/ip dhcp-client
add interface=WAN1
add interface=WAN2
/ip dhcp-server network
# Every network hands out the router itself as DNS server and gateway.
add address=10.10.252.0/24 dns-server=10.10.252.254 gateway=10.10.252.254
add address=10.11.252.0/24 dns-server=10.11.252.254 gateway=10.11.252.254
add address=10.16.252.0/24 dns-server=10.16.252.254 gateway=10.16.252.254
add address=10.99.178.0/24 dns-server=10.99.178.1 gateway=10.99.178.1
add address=192.168.152.0/24 dns-server=192.168.152.254 gateway=192.168.152.254
add address=192.168.181.0/24 dns-server=192.168.181.254 gateway=192.168.181.254
/ip dns
# The router answers DNS queries from other hosts. Without an input-chain rule
# dropping UDP/TCP 53 from the WAN interfaces this is an open resolver; no such
# rule is visible in this export.
set allow-remote-requests=yes
/ip firewall address-list
# The "local" list is populated but not referenced by any rule in this export.
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
# NOTE(review): this entry has no address - looks like a leftover; confirm.
add list=local
add address=10.10.252.0/24 list=local
add address=192.168.181.0/24 list=local
add address=192.168.152.0/24 list=local
add address=10.16.252.0/24 list=local
add address=10.11.252.0/24 list=local
add address=10.99.178.0/24 list=local
/ip service
# telnet, ftp, www and api are turned off. ssh stays on port 22 with no
# address= restriction. winbox and api-ssl are not listed, so they are
# presumably still at their defaults - verify, and limit the remaining
# services to the management subnet with address=.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
set api disabled=yes
/ip ssh
set host-key-size=4096
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=TEST
/system logging
# Sends the "account" topic to an action named auth.
# NOTE(review): no /system logging action named auth is defined in this export.
add action=auth topics=account
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.254.0/24
add allow-address=10.16.0.0/16
/tool graphing queue
add allow-address=192.168.254.0/24
add allow-address=10.16.0.0/16
/tool graphing resource
add allow-address=192.168.254.0/24
add allow-address=10.16.0.0/16
/tool romon
# RoMON is a layer-2 management channel. No secrets and no /tool romon port
# restrictions are visible here (the export may hide secrets) - confirm a
# secret is set and that RoMON is forbidden on the WAN ports.
set enabled=yes