reevansxyz
just joined
Topic Author
Posts: 18
Joined: Sat Jul 02, 2022 7:49 pm
Location: Asia/Kuala_Lumpur

RB5009UG+S+IN & CRS326-24G-2S+RM, need assistance with VLAN's

Tue Sep 20, 2022 5:23 am

Greetings!

I'm having a hard time trying to configure the below on my RB5009UG+S+IN (router) & CRS326-24G-2S+RM (switch):
[image: network topology diagram]
Can someone kindly show me how to do it properly; this is my current router's config:
#| Interface(s)
#-------------------------------------------------------------------------------
/interface list add name=LAN comment="local area network"
/interface list add name=WAN comment="wide area network"
/interface ethernet
  set [ find default-name=ether1 ] comment="link to ONT, HG8240H5"
  set [ find default-name=ether5 ] disabled=yes
  set [ find default-name=ether6 ] disabled=yes
  set [ find default-name=ether7 ] disabled=yes
  set [ find default-name=ether8 ] disabled=yes
  set [ find default-name=sfp-sfpplus1 ] comment="link to SWI, CRS326-24G-2S+RM"
/interface vlan
  add name=vlan500 vlan-id=500 interface=ether1
/interface pppoe-client
  add name=pppoe-out1 max-mru=1492 max-mtu=1492 interface=vlan500 \
      user="username@unifi" password="dummypassword" keepalive-timeout=5 add-default-route=yes disabled=no \
      comment="unifi authentication"
/interface bridge
  add name=bridge1 disabled=no auto-mac=yes protocol-mode=rstp
/interface bridge port
  add bridge=bridge1 interface=ether2
  add bridge=bridge1 interface=ether3
  add bridge=bridge1 interface=ether4
  add bridge=bridge1 interface=sfp-sfpplus1
/interface list member add list=LAN interface=bridge1
/interface list member add list=WAN interface=pppoe-out1

#| DHCP
#-------------------------------------------------------------------------------
/ip pool  
  add name="dhcp_pool1" ranges=10.17.77.2-10.17.77.99 comment="static reserve"
  add name="dhcp_pool2" ranges=10.17.77.100-10.17.77.199 comment="dynamic reserve"
/ip dhcp-server
  add name=dhcp_main interface=bridge1 lease-time=1h address-pool="dhcp_pool2" disabled=no
/ip dhcp-server network
  add address=10.17.77.0/24 gateway=10.17.77.1 dns-server=10.17.77.1 domain=\
      mikrotik-rtr.lan wins-server=10.17.77.1
/ip address
  add address=10.17.77.1/24 interface=bridge1
/ip dns{
    set allow-remote-requests=yes cache-max-ttl=1d cache-size=81920KiB \
    max-concurrent-queries=1000 max-concurrent-tcp-sessions=40 servers=\
    9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::9
    static add address=10.17.77.1 name=mikrotik-rtr.lan comment="RB5009UG+S+IN"
    static add address=10.17.77.10 name=archerax73-ap.lan comment="Archer AX73"
    static add address=10.17.77.20 name=Reevans-MacBook-Pro.local comment="Reevan's MacBook Pro"
    static add address=10.17.77.21 name=Shirleys-MacBook-Pro.local comment="Shirley's MacBook Pro"
}

#| IPv6
#-------------------------------------------------------------------------------
/ipv6 nd
  set [ find default=yes ] disabled=yes
  add interface=bridge1 ra-interval=20s-1m mtu=1492 \
  dns=fd10:bad:a55::1 other-configuration=yes
/ipv6 nd prefix default
  set preferred-lifetime=12h valid-lifetime=1d
/ipv6 dhcp-client
  add interface=pppoe-out1 request=prefix pool-name=pppoe_pool6 \
      use-peer-dns=no rapid-commit=yes add-default-route=yes
/ipv6 address
  add address=::1 from-pool=pppoe_pool6 advertise=yes interface=bridge1
  add address=fd10:bad:a55::1 advertise=no interface=bridge1

/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"

#| IPv4 Firewall
#-------------------------------------------------------------------------------
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="drop invalid"
  filter add chain=input action=accept protocol=icmp comment="accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
  filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
  nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="masquerade"
  nat add chain=dstnat action=dst-nat protocol=udp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, udp"
  nat add chain=dstnat action=dst-nat protocol=tcp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, tcp"
}

#| IPv6 Firewall
#-------------------------------------------------------------------------------
/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="6bone"
  filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
  filter add chain=input action=accept protocol=udp port=33434-33534 comment="accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
  nat add chain=dstnat action=dst-nat protocol=udp dst-port=53 to-address=fd10:bad:a55::1/128 to-ports=53 comment="transparent dns proxy, udp"
  nat add chain=dstnat action=dst-nat protocol=tcp dst-port=53 to-address=fd10:bad:a55::1/128 to-ports=53 comment="transparent dns proxy, tcp"
}

#| Automated system configuration backup, every 1d
#-------------------------------------------------------------------------------
/system scheduler
  add interval=1d name=sys_conf_backup on-event=sys_conf_backup policy=\
      read,write,policy,test start-date=jan/01/1970 start-time=00:00:00
/system script{
  add dont-require-permissions=no name=sys_conf_backup owner=admin policy=\
      read,write,policy,test source=":log info \"initiating system configuration\
      \_backup\"\r\
      \n:delay 1s\r\
      \n/system backup\r\
      \n  save name=\"\" password=\"dummypassword\"\r\
      \n:log info \"completed system configuration backup\""
}

#| MISC Config
#-------------------------------------------------------------------------------
/ip dhcp-server lease
  add address=10.17.77.10 client-id=1:c0:6:c3:3b:41:74 mac-address=\
      C0:06:C3:3B:41:74 server=dhcp_main
  add address=10.17.77.20 client-id=1:b0:de:28:ec:e9:5d mac-address=\
      B0:DE:28:EC:E9:5D server=dhcp_main
  add address=10.17.77.21 client-id=1:3c:22:fb:b5:a6:39 mac-address=\
      3C:22:FB:B5:A6:39 server=dhcp_main
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip service
  set api disabled=yes
  set api-ssl disabled=yes
  set ftp disabled=yes
  set telnet disabled=yes
/ip ssh set strong-crypto=yes
/system clock set time-zone-name=Asia/Kuala_Lumpur
/system identity set name=mikrotik-rtr.lan
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool romon set enabled=yes secrets="dummypassword"
/user set admin password="dummypassword"

P.S. Sorry for the messy topology; this is my first time making one.

Regards,
Reev
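For readers arriving from search: the following is an added example, not part of the original thread and not the poster's or MikroTik's own configuration. It shows the bridge VLAN filtering layout that the tutorial linked in the reply below describes, applied to the two devices in the question. The topology image is not reproduced on this page, so the VLAN IDs (10, 20, 99), the subnets (10.17.10/20/99.0/24), the interface names vlan10-home, vlan20-iot, vlan99-mgmt and the choice of access ports are assumptions; sfp-sfpplus1 is taken as the trunk because the posted config already labels it "link to SWI". The VLAN interfaces are added to the poster's existing LAN interface list so that the "drop all not coming from LAN" input rules keep protecting both devices.

```routeros
# Added example (not from the thread). Assumed VLAN plan:
#   VLAN 10 "home" 10.17.10.0/24, VLAN 20 "iot" 10.17.20.0/24,
#   VLAN 99 "mgmt" 10.17.99.0/24 (switch management only).
# Run inside Safe Mode (Ctrl+X in the terminal) so a mistake rolls back.

###############################################################################
# RB5009UG+S+IN (router)
###############################################################################
/interface bridge
  add name=bridge1 protocol-mode=rstp vlan-filtering=no \
      comment="VLAN-aware bridge; filtering is switched on as the last step"

/interface bridge port
  # Access ports: one untagged VLAN each, tagged frames from clients rejected
  add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
      frame-types=admit-only-untagged-and-priority-tagged
  add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes \
      frame-types=admit-only-untagged-and-priority-tagged
  add bridge=bridge1 interface=ether4 pvid=20 ingress-filtering=yes \
      frame-types=admit-only-untagged-and-priority-tagged
  # Trunk to the CRS326: tagged frames only, no native VLAN on the trunk
  add bridge=bridge1 interface=sfp-sfpplus1 ingress-filtering=yes \
      frame-types=admit-only-vlan-tagged

/interface bridge vlan
  # "bridge1" in tagged= lets the router CPU see each VLAN
  add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1 untagged=ether2,ether3
  add bridge=bridge1 vlan-ids=20 tagged=bridge1,sfp-sfpplus1 untagged=ether4
  add bridge=bridge1 vlan-ids=99 tagged=bridge1,sfp-sfpplus1

/interface vlan
  add name=vlan10-home interface=bridge1 vlan-id=10
  add name=vlan20-iot  interface=bridge1 vlan-id=20
  add name=vlan99-mgmt interface=bridge1 vlan-id=99

# Join the existing LAN list so the "drop all not coming from LAN" input
# rules from the posted firewall apply to the new VLAN interfaces unchanged.
/interface list member
  add list=LAN interface=vlan10-home
  add list=LAN interface=vlan20-iot
  add list=LAN interface=vlan99-mgmt

/ip address
  add address=10.17.10.1/24 interface=vlan10-home
  add address=10.17.20.1/24 interface=vlan20-iot
  add address=10.17.99.1/24 interface=vlan99-mgmt

/ip pool
  add name=pool_home ranges=10.17.10.100-10.17.10.199
  add name=pool_iot  ranges=10.17.20.100-10.17.20.199
/ip dhcp-server
  add name=dhcp_home interface=vlan10-home address-pool=pool_home lease-time=1h disabled=no
  add name=dhcp_iot  interface=vlan20-iot  address-pool=pool_iot  lease-time=1h disabled=no
/ip dhcp-server network
  add address=10.17.10.0/24 gateway=10.17.10.1 dns-server=10.17.10.1
  add address=10.17.20.0/24 gateway=10.17.20.1 dns-server=10.17.20.1

# Inter-VLAN policy: IoT devices reach the internet but never the home VLAN.
# Must sit above the fasttrack/established-accept rules to take effect on new flows.
/ip firewall filter
  add chain=forward action=drop connection-state=new \
      in-interface=vlan20-iot out-interface=vlan10-home comment="iot -> home blocked"

# Last step: enable filtering. Until now every port still behaved as before.
/interface bridge set bridge1 vlan-filtering=yes

###############################################################################
# CRS326-24G-2S+RM (switch): layer 2 only, managed solely via VLAN 99
###############################################################################
/interface bridge
  add name=bridge1 protocol-mode=rstp vlan-filtering=no
/interface bridge port
  # trunk back to the RB5009 (assumed on sfp-sfpplus1)
  add bridge=bridge1 interface=sfp-sfpplus1 ingress-filtering=yes \
      frame-types=admit-only-vlan-tagged
  # example access ports (assumed); repeat for the remaining ether ports
  add bridge=bridge1 interface=ether1 pvid=10 ingress-filtering=yes \
      frame-types=admit-only-untagged-and-priority-tagged
  add bridge=bridge1 interface=ether2 pvid=20 ingress-filtering=yes \
      frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
  add bridge=bridge1 vlan-ids=10 tagged=sfp-sfpplus1 untagged=ether1
  add bridge=bridge1 vlan-ids=20 tagged=sfp-sfpplus1 untagged=ether2
  add bridge=bridge1 vlan-ids=99 tagged=bridge1,sfp-sfpplus1
/interface vlan
  add name=vlan99-mgmt interface=bridge1 vlan-id=99
/ip address
  add address=10.17.99.2/24 interface=vlan99-mgmt
/ip route
  add dst-address=0.0.0.0/0 gateway=10.17.99.1
# Restrict management services to the management subnet (assumed range)
/ip service
  set winbox address=10.17.99.0/24
  set ssh address=10.17.99.0/24
  set www disabled=yes
/interface bridge set bridge1 vlan-filtering=yes
```

Two points worth checking before enabling `vlan-filtering=yes` on either device: the VLAN that carries your management session must already exist in `/interface bridge vlan` with `bridge1` listed as tagged, otherwise the switch goes silent the moment filtering starts; and `frame-types=admit-only-vlan-tagged` on the trunk plus `ingress-filtering=yes` on access ports is what stops a client from injecting a tag to hop into another VLAN. The posted router config keeps ether1 (ONT/PPPoE) out of the bridge, which this example preserves.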
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB5009UG+S+IN & CRS326-24G-2S+RM, need assistance with VLAN's  [SOLVED]

Tue Sep 20, 2022 8:07 am

If you haven't already, I suggest you go through this tutorial; it shows quite nicely how VLANs should be done on RouterOS. Both your devices should be configured in the same manner.
 
reevansxyz
just joined
Topic Author
Posts: 18
Joined: Sat Jul 02, 2022 7:49 pm
Location: Asia/Kuala_Lumpur

Re: RB5009UG+S+IN & CRS326-24G-2S+RM, need assistance with VLAN's

Tue Sep 20, 2022 8:12 am

mkx wrote:
If you haven't already, I suggest you go through this tutorial; it shows quite nicely how VLANs should be done on RouterOS. Both your devices should be configured in the same manner.

Thanks a heap mkx, will let you know if I'm able to get it running successfully!
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009UG+S+IN & CRS326-24G-2S+RM, need assistance with VLAN's

Tue Sep 20, 2022 2:04 pm

Two different techniques...
One is the link provided by pcunite.
Note my comments after the link. PARA C. - viewtopic.php?t=182373

And the other for the CRS will be different as explained here...
PARA P. - viewtopic.php?t=182373
