Hello again.
I would like to have comments about my config.
My idea is:
Eth1 is WAN
Eth2-7 are LAN
Eth8 is MGMT (for management, configuration).
As You can see, there is a VLAN for each interface Eth2-Eth7.
All VLANs have their own dhcp-server, address pool, IP-addresses and so on.
Eth6, there is a Zyxel Access Point connected with 2 SSIDs. (VLAN-capable).
Both SSIDs have their own VLAN (60 and 65).
In firewall, there is a rule to allow Zyxel-configuration. (Zyxel and config-PC have fixed addresses).
I'm a worried about the Bridge section. Is my idea correct, to get VLAN 60 and 65 to the Zyxel?
And is there something missing, or is it possible to do this more simple?
At this point I don't want to get headache about bogons and so on and how to deal with them.
I want to get this part of the config "perfect" first.
In one of my earlier post, I told I will get fiber connection later. Operator sent a message that there is a "delay". Nice.
So I have not been testing this config in real world.
Anyway, firewall rule for Zyxel-configuration seems to be working, I can get connection to the AP from Eth8.
Waiting for Your intelligent comments....
# sep/15/2022 13:16:33 by RouterOS 7.5
# software id = XXXXX
#
# model = RB5009UG+S+
# serial number = XXXXX
/interface bridge
add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=M_LAPTOP_VLAN vlan-id=30
add interface=BR1 name=OMALAPTOP_VLAN vlan-id=40
add interface=BR1 name=OMA_PC_VLAN vlan-id=20
add interface=BR1 name=PI_VLAN vlan-id=50
add interface=BR1 name=TV_VLAN vlan-id=70
add interface=ether6 name=WLAN_BOX_SSID1_VLAN vlan-id=60
add interface=ether6 name=WLAN_BOX_SSID2_VLAN vlan-id=65
/interface list
add name=WAN
add name=LAN
add name=MGMT
/ip pool
add name=OMA_PC_POOL ranges=10.0.20.2-10.0.20.254
add name=M_LAPTOP_POOL ranges=10.0.30.2-10.0.30.254
add name=OMALAPTOP_POOL ranges=10.0.40.2-10.0.40.254
add name=PI_POOL ranges=10.0.50.2-10.0.50.254
add name=WLAN_BOX_SSID1_POOL ranges=10.0.60.2-10.0.60.254
add name=TV_POOL ranges=10.0.70.2-10.0.70.254
add name=WLAN_BOX_SSID2_POOL ranges=10.0.65.2-10.0.65.254
/ip dhcp-server
add address-pool=OMA_PC_POOL interface=OMA_PC_VLAN name=OMA_PC_DHCP
add address-pool=M_LAPTOP_POOL interface=M_LAPTOP_VLAN name=M_LAPTOP_DHCP
add address-pool=OMALAPTOP_POOL interface=OMALAPTOP_VLAN name=OMALAPTOP_DHCP
add address-pool=PI_POOL interface=PI_VLAN name=PI_DHCP
add address-pool=WLAN_BOX_SSID1_POOL interface=WLAN_BOX_SSID1_VLAN name=WLAN_BOX_SSID1_DHCP
add address-pool=TV_POOL interface=TV_VLAN name=TV_DHCP
add address-pool=WLAN_BOX_SSID2_POOL interface=WLAN_BOX_SSID2_VLAN name=WLAN_BOX_SSID2_DHCP
/interface bridge port
add bridge=BR1 comment="Only allow ingress packets without tags on Access Ports" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=70
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=WLAN_BOX_SSID1_VLAN pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=WLAN_BOX_SSID2_VLAN pvid=65
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40
add bridge=BR1 tagged=BR1 vlan-ids=50
add bridge=BR1 tagged=BR1 vlan-ids=60
add bridge=BR1 tagged=BR1 vlan-ids=70
add bridge=BR1 tagged=BR1 vlan-ids=65
/interface list member
add interface=ether1 list=WAN
add interface=OMA_PC_VLAN list=LAN
add interface=M_LAPTOP_VLAN list=LAN
add interface=OMALAPTOP_VLAN list=LAN
add interface=PI_VLAN list=LAN
add interface=ether8 list=MGMT
add interface=WLAN_BOX_SSID1_VLAN list=LAN
add interface=TV_VLAN list=LAN
add interface=WLAN_BOX_SSID2_VLAN list=LAN
/ip address
add address=10.0.20.1/24 interface=OMA_PC_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=M_LAPTOP_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=OMALAPTOP_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=PI_VLAN network=10.0.50.0
add address=10.0.60.1/24 interface=WLAN_BOX_SSID1_VLAN network=10.0.60.0
add address=10.0.70.1/24 interface=TV_VLAN network=10.0.70.0
add address=10.0.80.1/24 interface=ether8 network=10.0.80.0
add address=10.0.65.1/24 interface=WLAN_BOX_SSID2_VLAN network=10.0.65.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1
add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1
add address=10.0.65.0/24 dns-server=10.0.65.1 gateway=10.0.65.1
add address=10.0.70.0/24 dns-server=10.0.70.1 gateway=10.0.70.1
/ip dns
set servers=1.1.1.2,1.0.0.2
/ip firewall filter
add action=accept chain=input comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="\"Accept ICMP\"" protocol=icmp
add action=accept chain=input comment="\"Allow MGMT-list Full Access\"" in-interface-list=MGMT src-address=10.0.80.5
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="\"Drop all else\""
add action=accept chain=forward comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=forward comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=forward comment="\"drop access to clients behind NAT from WAN\"" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="\" Allow all VLANs to access the Internet only, NOT each other\"" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="\"Zyxel Access Point configuration\"" connection-state=established,related,new dst-address=10.0.60.254 in-interface=ether8 out-interface=WLAN_BOX_SSID1_VLAN src-address=10.0.80.5
add action=drop chain=forward comment="\"Drop all else\""
/ip firewall nat
add action=masquerade chain=srcnat comment="\"NAT\"" out-interface-list=WAN