Sweet, have some time to look at the config....... (will add as I read through and will state done when finished looking at it).
Overview............
# 200+ = SENIOR HIGH SCHOOL - 192.168.100.0/24, 192.168.210.0/24 (teacher), 192.168.220.0/22 (student)
should that not be .200 ?
(1) Okay I am not sure what you are doing with the management interface..........?
Typically this is a vlan that only the Admin can access for the purposes of configuring all smart devices etc.
Therefore I do not understand why you are treating it like an untagged flow of traffic to the CRS switch.
a. It should be a VLAN trunked to the switch along with the other data vlans.
(i) for the purpose of assigning the IP address of all smart devices on the management vlan
(ii) potentially you want the admin VLAN to be accessible to you FROM a particular CRS SWITCH port. ( like to your desk )
(if one is the admin, typically they don't necessarily have the hEX on their desk, but they may have one or two ethernet jacks at the wall or, in my case, a small managed switch at my desk so that I can quickly plug into any network from my PC, including the management network).
B. All to say is that I understand ether5-backup being a management-only accessible port, but I would use this as a configuration port and an emergency access port OFF THE BRIDGE.
In other words, with any complex setup that has a bridge, it's not hard for it to get frozen up during config changes.............. hence I now do my configs involving bridge changes from off the bridge.
In other words, to be a viable backup, I recommend taking it off the bridge..
What I mean is illustrated here:
viewtopic.php?t=181718
(2) Thus the bridge port could look like............
/interface bridge port
add bridge=BR-BACKBONE interface=portBond_3-4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
If so, for ether5 access just assign an IP address and add ether5 to the management interface list!
/ip address
add address=192.168.5.1/24 interface=ether5-backup
/interface list member
add interface=ether5-backup list=BASEs
add interface=VLAN_MGMT list=BASEs
(3) What I don't understand is why your vlan5 is included in BASEs ?? It's not a management vlan??
If you want access to it as the admin, that's easy...... just use a forward chain rule.
add chain=forward action=accept in-interface-list=BASEs out-interface=vlan_5
(4) REMOVE MSTP from bridge config entry, keep RSTP as per default. Unless you have a specific reason to use it ???
(5) Lets look at interface bridge vlans, if you take the suggestion of running vlan99 as part of the trunk port, as you should.
Then this also works
/interface bridge vlan
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4 vlan-ids=99,5,10,20,30,100,110,120,200,210,220,345,789,1777,1888,1999
By the way where your config really goes astray is the fact that you assign vlan99 as an access port to ether5 BUT THEN assign as a tagged port. (see below)
/interface bridge port
add bridge=BR-BACKBONE pvid=99 interface=ether5-backup
/interface bridge vlan
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=99
It also appears you wanted to send every vlan to ether5, WHY? You just need the management vlan or the off bridge network?
a. you need to be able to reach your desk on management vlan from a CRS port etc...
b. then you have a firewall rule allowing access to all vlans one way.
add chain=forward action=accept in-interface-list=BASEs out-interface-list=VLANs
Oops, you don't have all the vlans identified as members of your INTERFACE LIST entry ---> VLANs ??
(6) Lets fix your interface lists and firewall address list. USE of firewall address lists is BEST SUITED for when you have a few users in one subnet or across subnets or groups of users from within a subnet or across subnets or if combined with whole subnets. Use of Interface lists is BEST SUITED for usually TWO OR MORE WHOLE Subnets. The only exception is the management interface list which often contains only the single management vlan.
Therefore the firewall address list entries, FOR WAN1, FOR WAN2 and DEVICES, are NOT required, and you can keep the interface list ones.
However looking at the two different entries for the same thing, I discovered that you have a discrepancy!
7 entries-WAN1 (interface list)
VLAN 20 is mistakenly assigned to WAN1 in interface list for WAN1.
6 entries-WAN2 (interface list)
6 entries-WAN1 (firewall address list)
7 entries -WAN2 (firewall address list)
SOLUTION: Fix the error on the interface list, and then populate the interface list entry VLANs with the members..........
(7) SOURCE NAT RULE is not configured properly, first there is no such interface as all-vlan, it's bound to be a list anyway and I think you meant
in-interface-list=VLANs
add action=redirect chain=dstnat dst-port=53 in-interface=all-vlan protocol=udp
Why only udp and not TCP??
(8) Raw rules are really not required, suggest just use drop all rule at end of input chain (and forward chain). aka remove.
add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=udp src-address-type=!local
add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=tcp src-address-type=!local
(9) Your firewall rules leave much to be desired: NOT organized, incomplete and not efficient............. (put chains together....)
Suggest the following.....
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=BASEs
add action=accept chain=input in-interface-list=VLANs dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=VLANs dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
*****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
(disable if you need to mangle)
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add chain=forward action=accept in-interface-list=VLANs_to_WAN1 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add chain=forward action=accept in-interface-list=VLANs_to_WAN2 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
(disable if not doing port forwarding)
add action=drop chain=forward
***** ensure this is the last rule put in place at least after allowing management access, otherwise you will lock yourself out.
With the above rules in place all traffic is effectively blocked; typically no one blocks ports like you did with no specific direction. Don't see the value in these rules.
Have you seen this as an issue?
add action=drop chain=forward comment="Port 139,445" connection-state="" dst-port="" log=yes log-prefix=Wanacry port=137,138,139,445,3389 protocol=tcp ???
Assuming you're not running SMB servers, email servers or RDP servers etc..........
All school computers etc. should be patched up for the latest concerns anyway, and that was in 2017..........
You would be far better off using some sort of service to stop users from accessing bad WANIPs out there vice rules no one else uses.
like these two..........
https://itexpertoncall.com/promotional/moab.html
OR
https://axiomcyber.com/shield/
(10) If these three vlans do not go out the internet, in accordance with your firewall rules (not included in FOR WAN1, or FOR WAN2), why are they on the ROUTING RULES for WAN ACCESS????
# 1777 = Voice - 172.17.77.0/24
# 1888 = IoT - 172.18.88.0/24
# 1999 = CCTV - 172.19.99.0/24
add chain=forward action=accept connection-state=new in-interface-list=VLANs_to_WAN1 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add chain=forward action=accept connection-state=new in-interface-list=VLANs_to_WAN2 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.17.77.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.18.18.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.19.19.0/24 table=rtab-ISP2
(11) ROUTES amended.......... (will assume above routing rules added in error). REMOVE ANY mangle rules............. not required as far as I can see.
/ip route
add comment="WAN1 (directed to WAN1 Table: rtab-ISP1)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 pref-src="" routing-table=rtab-ISP1 scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN2 (directed to WAN2 Table: rtab-ISP2)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 pref-src="" routing-table=rtab-ISP2 scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN2 (main table available WAN2)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN1 (main table available WAN1)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
....................
/routing rule
add action=lookup disabled=no src-address=10.199.155.0/24 table=rtab-ISP1 comment=Streaming-VLAN_5
add action=lookup disabled=no src-address=192.168.10.0/24 table=rtab-ISP1 comment=Office-VLAN_10
add action=lookup disabled=no src-address=192.168.100.0/24 table=rtab-ISP1 comment=JH-VLAN_100
add action=lookup disabled=no src-address=192.168.110.0/24 table=rtab-ISP1 comment=JH-Teacher-VLAN_110
add action=lookup disabled=no src-address=192.168.200.0/24 table=rtab-ISP1 comment=SH-VLAN_200
add action=lookup disabled=no src-address=192.168.210.0/24 table=rtab-ISP1 comment=SH-Teacher-VLAN_210
add action=lookup disabled=no src-address=10.199.99.0/25 table=rtab-ISP2 comment=Management-VLAN_99
add action=lookup disabled=no src-address=192.168.20.0/24 table=rtab-ISP2 comment=Office-VLAN_20
add action=lookup disabled=no src-address=192.168.30.0/23 table=rtab-ISP2 comment=Office-VLAN_30
add action=lookup disabled=no src-address=192.168.120.0/22 table=rtab-ISP2 comment=JH-Student-VLAN_120
add action=lookup disabled=no src-address=192.168.220.0/22 table=rtab-ISP2 comment=SH-Student-VLAN_220
add action=lookup disabled=no src-address=172.23.45.0/23 table=rtab-ISP2 comment=Guest-Office-VLAN_345
add action=lookup disabled=no src-address=172.27.89.0/23 table=rtab-ISP2 comment=Guest-School-VLAN_789
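As an added example, not code from this post or from the original poster's config: a small Python audit script that reads an `/export`-style text and flags the classes of mistake the review above calls out, namely a VLAN interface that sits in both WAN interface lists (point 6), a VLANs interface list that is missing members (point 5), a routing rule that sends a VLAN to the other ISP's table than its interface list implies (points 6 and 10), and a bridge port set as the untagged pvid member of a VLAN while also listed as tagged for that same vlan-id (the ether5-backup / vlan 99 conflict). The embedded export is a constructed sample that deliberately repeats those mistakes. The pairing of VLANs_to_WAN1 with rtab-ISP1 and VLANs_to_WAN2 with rtab-ISP2, the name BASEs for the management list, and matching a routing rule to its VLAN by the `VLAN_nn` token in the rule's comment are assumptions of the script, not facts from the thread.

```python
"""Audit a RouterOS export text for list / VLAN / routing-rule inconsistencies.

Added example, not code from the post or the original config. The export below is a
constructed sample that deliberately repeats the mistakes the review points out.
"""
import re
from collections import defaultdict

# Constructed sample export (not the original poster's config)
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=BR-BACKBONE interface=portBond_3-4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR-BACKBONE pvid=99 interface=ether5-backup
/interface bridge vlan
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=99
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4 vlan-ids=10,20,30,100,120
/interface list member
add interface=VLAN_99 list=BASEs
add interface=VLAN_10 list=VLANs_to_WAN1
add interface=VLAN_20 list=VLANs_to_WAN1
add interface=VLAN_100 list=VLANs_to_WAN1
add interface=VLAN_20 list=VLANs_to_WAN2
add interface=VLAN_30 list=VLANs_to_WAN2
add interface=VLAN_120 list=VLANs_to_WAN2
/routing rule
add action=lookup src-address=192.168.10.0/24 table=rtab-ISP1 comment=Office-VLAN_10
add action=lookup src-address=192.168.20.0/24 table=rtab-ISP2 comment=Office-VLAN_20
add action=lookup src-address=192.168.30.0/23 table=rtab-ISP2 comment=Office-VLAN_30
add action=lookup src-address=192.168.100.0/24 table=rtab-ISP1 comment=JH-VLAN_100
add action=lookup src-address=192.168.120.0/22 table=rtab-ISP2 comment=JH-Student-VLAN_120
"""

# Assumption: each WAN interface list is meant to pair with exactly one ISP routing table
LIST_TO_TABLE = {"VLANs_to_WAN1": "rtab-ISP1", "VLANs_to_WAN2": "rtab-ISP2"}
MGMT_LIST = "BASEs"   # assumption: management list, whose VLAN is not expected in VLANs

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')   # key=value or key="quoted value"
VLAN_NAME_RE = re.compile(r"VLAN_\d+")


def parse_export(text):
    """Group each 'add ...' line under its '/section' header as a dict of key=value."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            sections[current].append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return sections


def audit(text):
    """Return findings as a dict of lists; all lists empty means the export is clean."""
    sec = parse_export(text)
    members = defaultdict(set)
    for m in sec.get("/interface list member", []):
        members[m["list"]].add(m["interface"])

    # (a) a VLAN in both WAN lists matches both 'accept' rules and is usually an assignment slip
    in_both = sorted(members["VLANs_to_WAN1"] & members["VLANs_to_WAN2"])

    # (b) every non-management VLAN interface should also be a member of the VLANs list
    data_vlans = {i for lst, s in members.items() if lst != MGMT_LIST
                  for i in s if i.startswith("VLAN_")}
    missing = sorted(data_vlans - members["VLANs"])

    # (c) the routing rule for a VLAN should point at the table its WAN list implies;
    #     the VLAN is identified by the VLAN_nn token in the rule's comment (assumption)
    rule_table = {}
    for r in sec.get("/routing rule", []):
        hit = VLAN_NAME_RE.search(r.get("comment", ""))
        if hit:
            rule_table[hit.group(0)] = r.get("table")
    mismatch = [(i, lst, rule_table.get(i))
                for lst, table in LIST_TO_TABLE.items()
                for i in sorted(members[lst]) if rule_table.get(i) != table]

    # (d) a bridge port cannot be the untagged (pvid) member of a VLAN and tagged for it too
    pvid = {p["interface"]: p["pvid"] for p in sec.get("/interface bridge port", []) if "pvid" in p}
    conflicts = []
    for v in sec.get("/interface bridge vlan", []):
        tagged = set(v.get("tagged", "").split(","))
        vids = set(v.get("vlan-ids", "").split(","))
        conflicts += [(i, pv) for i, pv in sorted(pvid.items()) if i in tagged and pv in vids]

    return {"in_both_wan_lists": in_both, "missing_from_VLANs": missing,
            "list_vs_routing_mismatch": mismatch, "pvid_and_tagged_conflict": conflicts}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {hits or 'OK'}")
```

Run it against the output of `/export` saved to a file (read the file and pass its text to `audit`); an empty list under every heading is the state to aim for before the final drop rules go in, since a VLAN that ends up in neither WAN list or with a rule pointing at the wrong table simply loses internet access once the "drop all" rule is last.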