forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

VLAN setup in home

Tue Nov 29, 2022 2:51 am

Hello everyone,
I've tried to finally set up some VLAN separation in my home network due to upcoming changes. I was relying on:
- viewtopic.php?t=143620
- https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
- viewtopic.php?t=182373
- and a lot of posts related to Unify & Mikrotik combo

So far so good, my setup is working as I expected (more or less :D). I have some doubts or I need some clarification on some topics (which I could not understand on my own even after much time spent on reading docs).
I want to show you my network diagram with some description what is what, purpose of resources, etc.

1. Network diagram
network-diagram.jpg
2. Description

HOME_VLAN => Internet WIFI access (2G & 5G separated SSID): all users devices like laptops, PCs, phones, TV, Chromecast, etc.
IOT_VLAN => no Internet WIFI access (2G SSID): *future* all IoT devices without access to Internet like IP cams, etc.
TESTING_VLAN => no Internet WIFI & ETH access (2G SSID): VLAN for launching isolated machines (VMs) or connecting untrusted stuff for testing
IOT_INTERNET_VLAN => Internet WIFI access (2G SSID): all IoT devices which require cloud access, but have to be isolated, e.g. Roborock (don't want to root my S5 Max vacuum cleaner due to Valetudo limitations compared to Roborock app)
DMZ_VLAN => Internet ETH access: VLAN for launching VMs on Proxmox where all virtual servers will be kept and services, e.g. Gitlab and other stuff (some of those will be exposed to Internet via Cloudflare Access)
MANAGEMENT_VLAN => Internet ETH access: physical servers, APs, etc. - all "admin" stuff that I want to have isolated from above cases

The idea is to create 4 "management" ethernet ports on Mikrotik to keep required physical stuff in MANAGEMENT_VLAN and to have 1 free port for "management" if required (e.g. to easily connect my laptop)

I'm using Android USB Tethering (lte2 is my WAN) because the LTE modem in the Mikrotik hAP ac3 LTE6 sucks a lot :) Weak antennas, only 2CA, so my old OnePlus 6 (LineageOS 19) beats it, but I'm thinking about switching to some LTE/5G modem, e.g. ZTE MF286D; for now it's sufficient.

Proxmox servers require a static IP (not reserved from DHCP) - underlay stuff relies on this IP address, so that's why I left some IPs free in the range to have no conflict in DHCP with duplicated IP addresses.
All other stuff I want to have visible in Mikrotik DHCP leases (some addresses are reserved as you can see in below config).

3. Configuration

3.1 Mikrotik configuration
/interface bridge
add name=bridge-custom protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge-custom name=HOME_VLAN vlan-id=10
add interface=bridge-custom name=IOT_VLAN vlan-id=20
add interface=bridge-custom name=TESTING_VLAN vlan-id=30
add interface=bridge-custom name=IOT_INTERNET_VLAN vlan-id=40
add interface=bridge-custom name=DMZ_VLAN vlan-id=50
add interface=bridge-custom name=MANAGEMENT_VLAN vlan-id=99

/interface list
add name=WAN
add name=VLAN
add name=MANAGEMENT

/ip pool
add name=HOME_POOL ranges=192.168.10.2-192.168.10.254
add name=IOT_POOL ranges=192.168.20.2-192.168.20.254
add name=TESTING_POOL ranges=192.168.30.2-192.168.30.254
add name=IOT_INTERNET_POOL ranges=192.168.40.2-192.168.40.254
add name=DMZ_POOL ranges=192.168.50.2-192.168.50.254
add name=MANAGEMENT_POOL ranges=192.168.99.5-192.168.99.254

/ip dhcp-server
add address-pool=HOME_POOL interface=HOME_VLAN name=HOME_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=TESTING_POOL interface=TESTING_VLAN name=TESTING_DHCP
add address-pool=IOT_INTERNET_POOL interface=IOT_INTERNET_VLAN name=IOT_INTERNET_DHCP
add address-pool=DMZ_POOL interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=MANAGEMENT_POOL interface=MANAGEMENT_VLAN name=MANAGEMENT_DHCP

/interface bridge port
add bridge=bridge-custom interface=ether1 pvid=99
add bridge=bridge-custom interface=ether3 pvid=99
add bridge=bridge-custom frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99
add bridge=bridge-custom frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge-custom interface=ether2 pvid=99

/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT

/interface bridge vlan
add bridge=bridge-custom tagged=bridge-custom,ether1 untagged=ether5 vlan-ids=10
add bridge=bridge-custom tagged=bridge-custom,ether1 vlan-ids=20
add bridge=bridge-custom tagged=bridge-custom,ether1,ether2,ether3 vlan-ids=30
add bridge=bridge-custom tagged=bridge-custom untagged=ether1,ether2,ether3,ether4 vlan-ids=99
add bridge=bridge-custom tagged=bridge-custom,ether1 vlan-ids=40
add bridge=bridge-custom tagged=ether2,ether3,bridge-custom vlan-ids=50

/interface list member
add interface=lte2 list=WAN
add interface=MANAGEMENT_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=TESTING_VLAN list=VLAN
add interface=IOT_INTERNET_VLAN list=VLAN
add interface=DMZ_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=MANAGEMENT

/ip address
add address=192.168.10.1/24 interface=HOME_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=IOT_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=TESTING_VLAN network=192.168.30.0
add address=192.168.40.1/24 interface=IOT_INTERNET_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=DMZ_VLAN network=192.168.50.0
add address=192.168.99.1/24 interface=MANAGEMENT_VLAN network=192.168.99.0

/ip dhcp-server lease
add address=192.168.99.13 client-id=*** comment=\
    "Laptop ETH" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.10.4 client-id=*** comment="TV WIFI" \
    mac-address=*** server=HOME_DHCP
add address=192.168.10.13 client-id=*** comment=\
    "Laptop WIFI" mac-address=*** server=HOME_DHCP
add address=192.168.10.3 client-id=*** comment="Printer WIFI" \
    mac-address=*** server=HOME_DHCP
add address=192.168.99.5 client-id=*** comment=\
    "Unify AP AC LR ETH" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.40.2 client-id=*** comment=\
    "Roborock S5 Max" mac-address=*** server=IOT_INTERNET_DHCP

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.99.1 gateway=192.168.50.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.99.1 name=router.lan

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MANAGEMENT_VLAN Full Access" \
    in-interface=MANAGEMENT_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop IOT_VLAN from Internet" \
    in-interface=IOT_VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop TESTING_VLAN from Internet" \
    in-interface=TESTING_VLAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip service
set telnet address=192.168.99.0/24 disabled=yes
set ftp address=192.168.99.0/24 disabled=yes
set www address=192.168.99.0/24
set ssh address=192.168.99.0/24
set www-ssl address=192.168.99.0/24
set api address=192.168.99.0/24
set winbox address=192.168.99.0/24
set api-ssl address=192.168.99.0/24

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN

/system clock
set time-zone-name=Europe/Warsaw

/system scheduler
add name=default-wan-on-boot on-event=set-lte2-as-wan policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup

/system script
add dont-require-permissions=no name=set-lte2-as-wan owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 30\r\
    \n/system routerboard usb power-reset bus=1 duration=5\r\
    \n:delay 10\r\
    \n/interface list member set interface=lte2 list=WAN numbers=1"

/tool mac-server
set allowed-interface-list=MANAGEMENT

/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT

3.2 Unify AP AC LR configuration
2022-11-29_01-38.png
3.3 Proxmox NIC configuration

I tried to follow this:
https://pve.proxmox.com/wiki/Network_Co ... twork_vlan

but ended up with the following for the 1st server:
root@pve1:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.99.2/24
        gateway 192.168.99.1
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

and for the 2nd one:
root@pve2:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.99.3/24
        gateway 192.168.99.1
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

Questions

1. I thought if I have rule:
/ip firewall filter
add action=accept chain=input comment="Allow MANAGEMENT_VLAN Full Access" \
    in-interface=MANAGEMENT_VLAN

it'll allow me to easily access all hosts, services, etc. which are running in other VLANs via HTTP, SSH, ICMP etc., but it seems I need specific firewall rules for it, which I do not like. Am I right?

2. Let's say I have cams in IOT_VLAN, but my Cam Software will be launched in DMZ_VLAN -> I assume I need to create a specific rule in the firewall in order to allow it, something like sharing the printer in the "Using RouterOS to VLAN your network" examples, yes?

3. Unify AP is not propagating stuff from DHCP from tagged VLANs with
frame-types=admit-only-untagged-and-priority-tagged
=> devices not getting IP addresses from HOME_VLAN's DHCP on tagged VLANs. When switched to
admit-all
all works just fine. Is it secure enough? Ingress filtering of course is enabled on every port.

4. Same story with Proxmox servers - VMs on DMZ_VLAN were not getting IPs from DHCP with config included in 3.3 and same setting as above (
frame-types=admit-only-untagged-and-priority-tagged
instead of
frame-types=admit-all
). Should it be that way?

5. I wanted to use "tagged" MANAGEMENT_VLAN on eth4, but when I connect my laptop (Windows 11) WSL2 has no Internet access (looks like WSL2 is not supporting tagged VLANs), but on Windows I have Internet access, etc. Is it secure as well?

6. How to block access to 192.168.99.1 (Mikrotik router)? Should I disable IP services in Mikrotik or maybe some firewall rules? If I go with firewall what about accessing DNS from all VLANs? I've limited access for both Mikrotik user and all IP services (www, winbox) to MANAGEMENT_VLAN, but don't like that still I can hit login page from e.g. TESTING_VLAN (still some injection is possible to access Mikrotik :) )

7. I've completely disabled FASTTRACK - not sure if it is worth using when I have VLANs. Not sure if it will be a problem when I'll launch some MQTT server, etc.

8. Will it be safe to create WIFI for MANAGEMENT_VLAN? I know I can not broadcast SSID, but there are a lot of software to find hidden SSID so I'm broadcasting all SSID. I don't think that launching MANAGEMENT WIFI is safe (without RADIUS, etc.), but for sure it'd help me a lot for management :D Just asking what you think

9. I tried to create the setup on Proxmox as per the Proxmox docs (linked in 3.3) (thought that I can pass MANAGEMENT_VLAN as tagged, not untagged) and have two bridges on the physical server, but it was not working :( Not sure why... I have only 1 ethernet card in my server.

In near future I'll add some switch and IP cams, NAS server, but with current knowledge, it shouldn't be difficult to change setup.

Thanks a lot for any answers, suggestions and help!
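Questions 3 and 4 above both come down to how a bridge port classifies an incoming frame. The following Python model is an added example, not MikroTik code and not anything posted in this thread: it parses the 802.1Q tag of a constructed Ethernet frame and applies the frame-types, pvid and ingress-filtering semantics of RouterOS bridge VLAN filtering to the port settings and VLAN table from the configuration above. Port names, VLAN IDs and table membership come from the posted config; the frames are constructed sample data.

```python
"""Added example (not MikroTik code): simplified model of RouterOS bridge
VLAN filtering on ingress, using the frame-types / pvid settings and the
/interface bridge vlan table from the first post. Frames are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIT_ALL = "admit-all"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"
ADMIT_TAGGED = "admit-only-vlan-tagged"
TPID_8021Q = b"\x81\x00"


@dataclass
class BridgePort:
    name: str
    pvid: int
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = True      # enabled on every port in the thread


@dataclass
class Verdict:
    accepted: bool
    vlan: Optional[int]
    reason: str


# /interface bridge vlan from the first post: vlan-id -> member ports (tagged or untagged).
VLAN_TABLE: Dict[int, Set[str]] = {
    10: {"bridge-custom", "ether1", "ether5"},
    20: {"bridge-custom", "ether1"},
    30: {"bridge-custom", "ether1", "ether2", "ether3"},
    40: {"bridge-custom", "ether1"},
    50: {"bridge-custom", "ether2", "ether3"},
    99: {"bridge-custom", "ether1", "ether2", "ether3", "ether4"},
}

# /interface bridge port from the first post (ether3 is configured like ether2).
PORTS = {
    "ether1": BridgePort("ether1", pvid=99),                              # AP uplink, hybrid
    "ether2": BridgePort("ether2", pvid=99),                              # Proxmox pve1, hybrid
    "ether4": BridgePort("ether4", pvid=99, frame_types=ADMIT_UNTAGGED),  # management access
    "ether5": BridgePort("ether5", pvid=10, frame_types=ADMIT_UNTAGGED),  # HOME_VLAN access
}


def make_frame(vid: Optional[int]) -> bytes:
    """Constructed Ethernet frame: vid=None untagged, vid=0 priority-tagged,
    otherwise 802.1Q tagged with that VLAN ID (PCP 0, DEI 0); payload is zeros."""
    dst = bytes.fromhex("ffffffffffff")    # broadcast, like a DHCP discover
    src = bytes.fromhex("021122334455")    # locally administered, made up
    if vid is None:
        return dst + src + b"\x08\x00" + b"\x00" * 46
    return dst + src + TPID_8021Q + (vid & 0x0FFF).to_bytes(2, "big") + b"\x08\x00" + b"\x00" * 42


def parse_8021q(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag, or None when the frame is untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header")
    if frame[12:14] != TPID_8021Q:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF


def ingress(port: BridgePort, frame: bytes) -> Verdict:
    """Apply frame-types first, then pvid assignment, then ingress filtering
    against the VLAN table, the order in which an 802.1Q bridge checks a frame."""
    vid = parse_8021q(frame)
    is_tagged = vid not in (None, 0)    # VID 0 is priority-tagged, handled as untagged
    if is_tagged and port.frame_types == ADMIT_UNTAGGED:
        return Verdict(False, None, f"{port.name}: tagged VID {vid} dropped by frame-types")
    if not is_tagged and port.frame_types == ADMIT_TAGGED:
        return Verdict(False, None, f"{port.name}: untagged frame dropped by frame-types")
    vlan = vid if is_tagged else port.pvid
    if port.ingress_filtering and port.name not in VLAN_TABLE.get(vlan, set()):
        return Verdict(False, None, f"{port.name}: not a member of VLAN {vlan}, dropped")
    return Verdict(True, vlan, f"{port.name}: accepted into VLAN {vlan}")


if __name__ == "__main__":
    strict_ether1 = BridgePort("ether1", pvid=99, frame_types=ADMIT_UNTAGGED)
    print(ingress(strict_ether1, make_frame(10)).reason)      # question 3: AP's tagged frames dropped
    print(ingress(PORTS["ether1"], make_frame(10)).reason)    # admit-all: accepted into VLAN 10
    print(ingress(PORTS["ether1"], make_frame(50)).reason)    # ether1 is not in VLAN 50: dropped
    print(ingress(PORTS["ether5"], make_frame(None)).reason)  # access port: untagged -> pvid 10
```

With ether1 set to admit-only-untagged-and-priority-tagged, every tagged frame from the AP is discarded before VLAN assignment happens, which is exactly the symptom of clients on tagged SSIDs never getting a DHCP lease. Switching the AP and Proxmox uplinks to admit-all lets tagged frames in, but the VLAN table still decides which VIDs each port may carry: a frame tagged 50 arriving on ether1 is dropped because ether1 is not a member of VLAN 50. On a hybrid port that membership check, together with ingress filtering, is the control that matters, not frame-types.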
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup in home

Tue Nov 29, 2022 3:59 pm

(1) The unifi is a hybrid port, but what about the Proxmox devices, do you have them set up as hybrid ports, same as UNIFI? Just verifying!

(2) Input chain rules are redundant, if you give full access to VLANS, why do you need a separate management access,
the rule will never be seen by the router as will all other users the management users will hit the first rule ........
Yes you would have full access for ALL users with current rules........... Users usually only need DNS, sometimes NTP........


/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related

add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MANAGEMENT_VLAN Full Access" \
in-interface=MANAGEMENT_VLAN

add action=drop chain=input comment=Drop

Better is............

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="Allow MANAGEMENT_VLAN Full Access" \
in-interface=MANAGEMENT_VLAN
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=udp

add action=drop chain=input comment=Drop
+++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="allowed VLAN Internet Access" in-interface-list=INTERNET out-interface-list=WAN

add action=drop chain=forward comment=Drop

where interface list is WAN, VLAN, MANAGEMENT, INTERNET
/interface list member
add interface=HOME_VLAN list=INTERNET
add interface=IOT_INTERNET_VLAN list=INTERNET
add interface=DMZ_VLAN list=INTERNET
add interface=MANAGEMENT_VLAN list=INTERNET


(3) WHY? These two have no security from a login standpoint, should be set to none.
set www address=192.168.99.0/24
set api address=192.168.99.0/24

same with this one, set to NONE!!
/tool mac-server

set allowed-interface-list=MANAGEMENT
 
forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

Re: VLAN setup in home

Tue Nov 29, 2022 5:34 pm

(1) The unifi is a hybrid port, but what about the Proxmox devices, do you have them set up as hybrid ports, same as UNIFI? Just verifying!
Proxmox devices, you mean "virtual machines"? I'm just choosing from the UI the proper VLAN for the desired VM/CT and it works, e.g.:
Screenshot_20221129_162710.png
so it looks like Proxmox is handling that. I think it's good, but not sure if this is more secure than a trunk port.
Example container configuration (it's default):
Screenshot_20221129_163709.png
(2) Input chain rules are redundant, if you give full access to VLANS, why do you need a separate management access,
the rule will never be seen by the router as will all other users the management users will hit the first rule ........
Yes you would have full access for ALL users with current rules........... Users usually only need DNS, sometimes NTP........
Yay, this is exactly what I needed. Yes, the rule for management was a mistake from my side (it was a bit late to catch this :D). Thanks a lot. I like the idea of creating a separate list for Internet access - did not think about that.

(3) WHY? These two have no security from a login standpoint, should be set to none.
Yes, www and api access are not needed, I've disabled them. Right now using only WINBOX, but later on I'll add something else in order to let terraform create some static DNS entries (Proxmox servers).
/tool mac-server set allowed-interface-list=MANAGEMENT
- I've copied it from one of the examples :( Fixed and changed to none.
I think the best idea will be to separate one port for management (remove from bridge, e.g. eth4 in my case) - will work on it using this: viewtopic.php?t=181718

Thanks @anav
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup in home

Tue Nov 29, 2022 8:27 pm

Cannot comment on Proxmox as I don't know it.
I would normally trunk vlans into a smart device that can read vlans.

On my home lan I used a trusted subnet as my management LAN.
I saw no point in having a whole vlan where no one was actually on it.

So what I do is the following.
interface=trusted subnet list=MANAGEMENT

and on input chain rules.

add chain=input action=accept in-interface-list=MANAGEMENT src-address-list=Trusted

Where trusted consists of specific IPs, (admin desktop, laptop wired and wifi, iphone - all on trusted subnet leases )

Furthermore I have forward chain rule.
add chain=forward action=accept in-interface-list=MANAGEMENT out-interface-list=LAN src-address-list=TRUSTED { so admin can access all vlans }

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When one adds, let's say, a wireguard setup, then simply add the WG setup to the interface list of MANAGEMENT
and any needed IPs to the source address list.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All to say there is no need for an off port for trusted subnet or MANAGEMENT VLAN.................

What I do is use an off bridge port as two things.
a. emergency access in case bridge settings go wonky.
b. when doing major config changes that affect the bridge to avoid bridge hiccups.

viewtopic.php?t=181718
 
forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

Re: VLAN setup in home

Wed Nov 30, 2022 12:51 am

Sure thing. As I mentioned regarding Proxmox - only a hybrid port works in my case. Making it a trunk like so:
/interface bridge port
add bridge=bridge-custom interface=ether2 frame-types=admit-only-untagged-and-priority-tagged pvid=99
...
/interface bridge vlan
add bridge=bridge-custom tagged=ether2,bridge-custom vlan-ids=50
add bridge=bridge-custom tagged=bridge-custom,ether2 vlan-ids=99
does not work (no IP from DHCP, same as in the Unify example), but as I dug around the Internet, everyone is advising to make the "native" VLAN (MANAGEMENT_VLAN in my case) untagged and tag only the VLANs used by "guests" (VMs, CTs - devices in Proxmox) in the Proxmox setup

I'll think about "ADMIN" subnet. For sure it's really handy, but I'd like to not be inside MANAGEMENT_VLAN all the time as admin - do not want to make any mistake, etc. I'm getting to it only when required.

I have one last problem: I'm unable to ping/access other VLANs from MANAGEMENT_VLAN (tried both Proxmox host 192.168.99.2 and Laptop 192.168.99.13 to ping: VM 192.168.50.2, printer 192.168.10.3, TV 192.168.10.4) - getting "Request timed out"

Actual configuration (can IPv6 filter rules mess up connectivity inter VLAN in this case?):
/interface bridge
add name=bridge-custom protocol-mode=none vlan-filtering=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" disabled=yes
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-CCDABB wireless-protocol=802.11
/interface vlan
add interface=bridge-custom name=DMZ_VLAN vlan-id=50
add interface=bridge-custom name=HOME_VLAN vlan-id=10
add interface=bridge-custom name=IOT_INTERNET_VLAN vlan-id=40
add interface=bridge-custom name=IOT_VLAN vlan-id=20
add interface=bridge-custom name=MANAGEMENT_VLAN vlan-id=99
add interface=bridge-custom name=TESTING_VLAN vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=MANAGEMENT
add name=INTERNET
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip
/ip pool
add name=HOME_POOL ranges=192.168.10.2-192.168.10.254
add name=IOT_POOL ranges=192.168.20.2-192.168.20.254
add name=TESTING_POOL ranges=192.168.30.2-192.168.30.254
add name=MANAGEMENT_POOL ranges=192.168.99.5-192.168.99.254
add name=IOT_INTERNET_POOL ranges=192.168.40.2-192.168.40.254
add name=DMZ_POOL ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=HOME_POOL interface=HOME_VLAN name=HOME_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=TESTING_POOL interface=TESTING_VLAN name=TESTING_DHCP
add address-pool=MANAGEMENT_POOL interface=MANAGEMENT_VLAN name=MANAGEMENT_DHCP
add address-pool=DMZ_POOL interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=IOT_INTERNET_POOL interface=IOT_INTERNET_VLAN name=\
    IOT_INTERNET_DHCP
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge \
    security-profile=*1 ssid=MikroTik-CCDABA wireless-protocol=802.11
/interface bridge port
add bridge=bridge-custom interface=ether1 pvid=99
add bridge=bridge-custom interface=ether3 pvid=99
add bridge=bridge-custom frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
add bridge=bridge-custom frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge-custom interface=ether2 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/interface bridge vlan
add bridge=bridge-custom comment="WSL does not work with tagged VLAN" tagged=\
    bridge-custom,ether1 untagged=ether5 vlan-ids=10
add bridge=bridge-custom tagged=bridge-custom,ether1 vlan-ids=20
add bridge=bridge-custom tagged=bridge-custom,ether1,ether2,ether3 vlan-ids=30
add bridge=bridge-custom tagged=bridge-custom untagged=\
    ether1,ether2,ether3,ether4 vlan-ids=99
add bridge=bridge-custom tagged=bridge-custom,ether1 vlan-ids=40
add bridge=bridge-custom tagged=ether2,ether3,bridge-custom vlan-ids=50
/interface list member
add interface=lte2 list=WAN
add interface=MANAGEMENT_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=TESTING_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=MANAGEMENT
add interface=IOT_INTERNET_VLAN list=VLAN
add interface=DMZ_VLAN list=VLAN
add interface=HOME_VLAN list=INTERNET
add interface=IOT_INTERNET_VLAN list=INTERNET
add interface=MANAGEMENT_VLAN list=INTERNET
add interface=DMZ_VLAN list=INTERNET
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.10.1/24 interface=HOME_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=IOT_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=TESTING_VLAN network=192.168.30.0
add address=192.168.99.1/24 interface=MANAGEMENT_VLAN network=192.168.99.0
add address=192.168.40.1/24 interface=IOT_INTERNET_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=DMZ_VLAN network=192.168.50.0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.99.13 client-id=*** comment=\
    "Laptop ETH" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.10.4 client-id=*** comment="TV WIFI" \
    mac-address=***  server=HOME_DHCP
add address=192.168.10.13 client-id=*** comment=\
    "Laptop WIFI" mac-address=*** server=HOME_DHCP
add address=192.168.10.3 client-id=*** comment="Printer WIFI" \
    mac-address=*** server=HOME_DHCP
add address=192.168.99.5 client-id=** comment=\
    "Unify AP AC LR ETH" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.40.2 client-id=*** comment=\
    "Roborock S5 Max WIFI" mac-address=*** server=IOT_INTERNET_DHCP
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.99.1 gateway=192.168.50.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.99.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
    127.0.0.1
add action=accept chain=input comment="Allow MANAGEMENT_VLAN Full Access" \
    connection-state=established,related in-interface=MANAGEMENT_VLAN 
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=VLAN \
    protocol=tcp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=VLAN \
    protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Allowed VLAN Internet Access" \
    in-interface-list=INTERNET out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet address=192.168.99.0/24 disabled=yes
set ftp address=192.168.99.0/24 disabled=yes
set www address=192.168.99.0/24 disabled=yes
set ssh address=192.168.99.0/24 disabled=yes
set www-ssl address=192.168.99.0/24 disabled=yes
set api address=192.168.99.0/24 disabled=yes
set winbox address=192.168.99.0/24
set api-ssl address=192.168.99.0/24 disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
/system clock
set time-zone-name=Europe/Warsaw
/system scheduler
add name=default-wan-on-boot on-event=set-lte2-as-wan policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=set-lte2-as-wan owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":de\
    lay 30\r\
    \n/system routerboard usb power-reset bus=1 duration=5\r\
    \n:delay 10\r\
    \n/interface list member set interface=lte2 list=WAN numbers=1"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
Thanks,
Last edited by forthal on Wed Nov 30, 2022 1:02 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup in home

Wed Nov 30, 2022 1:01 am

Probably if you are using IPV6 with your ISP, then I am useless for advice LOL
 
forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

Re: VLAN setup in home

Wed Nov 30, 2022 1:03 am

Not using IPv6 with my ISP - only IPv4.

I've checked that if I change the rule:
/ip firewall filter
add action=accept chain=input comment="Allow MANAGEMENT_VLAN Full Access" connection-state=established,related in-interface=MANAGEMENT_VLAN
to
/ip firewall filter
add action=accept chain=forward comment="Allow MANAGEMENT_VLAN Full Access" connection-state=established,related in-interface=MANAGEMENT_VLAN
ping and accessing other VLANs from MANAGEMENT_VLAN work.
 
forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

Re: VLAN setup in home

Tue Dec 06, 2022 4:16 pm

Seems I've figured that out, it's still not perfect, but works totally for my needs:
/interface bridge
add name=bridge-custom protocol-mode=none vlan-filtering=yes

/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" disabled=yes

/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-CCDABB wireless-protocol=802.11

/interface vlan
add interface=bridge-custom name=DMZ_VLAN vlan-id=50
add interface=bridge-custom name=HOME_VLAN vlan-id=10
add interface=bridge-custom name=IOT_INTERNET_VLAN vlan-id=40
add interface=bridge-custom name=IOT_VLAN vlan-id=20
add interface=bridge-custom name=MANAGEMENT_VLAN vlan-id=99
add interface=bridge-custom name=TESTING_VLAN vlan-id=30

/interface list
add name=WAN
add name=VLAN
add name=MANAGEMENT
add name=INTERNET
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip

/ip pool
add name=HOME_POOL ranges=192.168.10.2-192.168.10.254
add name=IOT_POOL ranges=192.168.20.2-192.168.20.254
add name=TESTING_POOL ranges=192.168.30.2-192.168.30.254
add name=MANAGEMENT_POOL ranges=192.168.99.5-192.168.99.254
add name=IOT_INTERNET_POOL ranges=192.168.40.2-192.168.40.254
add name=DMZ_POOL ranges=192.168.50.2-192.168.50.254

/ip dhcp-server
add address-pool=HOME_POOL interface=HOME_VLAN name=HOME_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=TESTING_POOL interface=TESTING_VLAN name=TESTING_DHCP
add address-pool=MANAGEMENT_POOL interface=MANAGEMENT_VLAN name=\
    MANAGEMENT_DHCP
add address-pool=DMZ_POOL interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=IOT_INTERNET_POOL interface=IOT_INTERNET_VLAN name=\
    IOT_INTERNET_DHCP

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge \
    security-profile=*1 ssid=MikroTik-CCDABA wireless-protocol=802.11

/interface bridge port
add bridge=bridge-custom interface=ether1 pvid=99
add bridge=bridge-custom interface=ether3 pvid=99
add bridge=bridge-custom frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
add bridge=bridge-custom frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge-custom interface=ether2 pvid=99

/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT

/interface bridge vlan
add bridge=bridge-custom comment="WSL does not work with tagged VLAN" tagged=\
    bridge-custom,ether1 untagged=ether5 vlan-ids=10
add bridge=bridge-custom tagged=bridge-custom,ether1 vlan-ids=20
add bridge=bridge-custom tagged=bridge-custom,ether1,ether2,ether3 vlan-ids=\
    30
add bridge=bridge-custom tagged=bridge-custom untagged=\
    ether1,ether2,ether3,ether4 vlan-ids=99
add bridge=bridge-custom tagged=bridge-custom,ether1 vlan-ids=40
add bridge=bridge-custom tagged=ether2,ether3,bridge-custom vlan-ids=50

/interface list member
add interface=lte2 list=WAN
add interface=MANAGEMENT_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=TESTING_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=MANAGEMENT
add interface=IOT_INTERNET_VLAN list=VLAN
add interface=DMZ_VLAN list=VLAN
add interface=HOME_VLAN list=INTERNET
add interface=IOT_INTERNET_VLAN list=INTERNET
add interface=MANAGEMENT_VLAN list=INTERNET
add interface=DMZ_VLAN list=INTERNET
add interface=DMZ_VLAN list=LAN
add interface=HOME_VLAN list=LAN
add interface=IOT_INTERNET_VLAN list=LAN
add interface=IOT_VLAN list=LAN

/interface ovpn-server server
set auth=sha1,md5

/ip address
add address=192.168.10.1/24 interface=HOME_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=IOT_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=TESTING_VLAN network=192.168.30.0
add address=192.168.99.1/24 interface=MANAGEMENT_VLAN network=192.168.99.0
add address=192.168.40.1/24 interface=IOT_INTERNET_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=DMZ_VLAN network=192.168.50.0

/ip cloud
set update-time=no

/ip dhcp-server lease
add address=192.168.99.13 client-id=*** comment=\
    "Laptop ETH" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.10.4 client-id=*** comment="TV WIFI" \
    mac-address=*** server=HOME_DHCP
add address=192.168.10.13 client-id=*** comment=\
    "Laptop WIFI" mac-address=*** server=HOME_DHCP
add address=192.168.10.3 client-id=*** comment="Printer WIFI" \
    mac-address=*** server=HOME_DHCP
add address=192.168.99.5 client-id=*** comment=\
    "Unify AP AC LR ETH" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.40.2 client-id=*** comment=\
    "Roborock S5 Max WIFI" mac-address=*** server=\
    IOT_INTERNET_DHCP
add address=192.168.99.9 client-id=*** comment=\
    "Laptop WIFI" mac-address=*** server=MANAGEMENT_DHCP
add address=192.168.99.23 client-id=*** comment=\
    "iPhone WIFI" mac-address=*** server=MANAGEMENT_DHCP

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.99.1 gateway=192.168.50.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.99.1 name=router.lan

/ip firewall address-list
add address=192.168.99.13 list=TRUSTED
add address=192.168.99.23 list=TRUSTED
add address=192.168.99.9 list=TRUSTED

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment="Allow TRUSTED in MANAGEMENT winbox" \
    connection-state="" dst-port=8291 in-interface-list=MANAGEMENT protocol=\
    tcp src-address-list=TRUSTED
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=VLAN \
    protocol=tcp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=VLAN \
    protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "Allow TRUSTED in MANAGEMENT full access" in-interface-list=MANAGEMENT \
    out-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=forward comment="Allowed VLAN Internet Access" \
    in-interface-list=INTERNET out-interface-list=WAN
add action=drop chain=forward comment=Drop

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip service
set telnet address=192.168.99.0/24 disabled=yes
set ftp address=192.168.99.0/24 disabled=yes
set www address=192.168.99.0/24 disabled=yes
set ssh address=192.168.99.0/24 disabled=yes
set www-ssl address=192.168.99.0/24
set api address=192.168.99.0/24 disabled=yes
set winbox address=192.168.99.0/24
set api-ssl address=192.168.99.0/24 disabled=yes

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN

/system clock
set time-zone-name=Europe/Warsaw

/system package update
set channel=development

/system scheduler
add name=default-wan-on-boot on-event=set-lte2-as-wan policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup

/system script
add dont-require-permissions=no name=set-lte2-as-wan owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 30\r\
    \n/system routerboard usb power-reset bus=1 duration=5\r\
    \n:delay 10\r\
    \n/interface list member set interface=lte2 list=WAN numbers=1"

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup in home

Tue Dec 06, 2022 6:14 pm

Looks good,
(1) would get rid of incomplete config entries.....

add action=accept chain=input comment="Allow TRUSTED in MANAGEMENT winbox" \
connection-state="" dst-port=8291 in-interface-list=MANAGEMENT protocol=\
tcp src-address-list=TRUSTED


(2) Are you sure this gives you as admin the full access of all VLANS, as the LAN list is not as complete as your VLAN list? Or more precisely, you won't have access to the testing vlan.

add action=accept chain=forward comment=\
"Allow TRUSTED in MANAGEMENT full access" in-interface-list=MANAGEMENT \
out-interface-list=LAN src-address-list=TRUSTED


(3) Otherwise looks great!
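Both of forthal's findings earlier in the thread (an accept rule in chain=input had no effect on traffic between VLANs, while the chain=forward version made MANAGEMENT_VLAN reach the others) and anav's point (2) above (the LAN list used by the forward rule does not contain TESTING_VLAN, so the admin host cannot open connections into it) follow from how the filter chains are evaluated, and both can be checked offline instead of by trial pings. The Python below is an added example, not RouterOS code and not the poster's or MikroTik's own script: it transcribes the interface lists, the TRUSTED address list and the IPv4 /ip firewall filter rules from the final export into a small first-match evaluator. Its simplifications are assumptions of the model, not RouterOS behaviour: connection tracking is a single state string per packet, fasttrack-connection is treated as accept (the next rule accepts the same packet anyway), and the earlier post's in-interface=MANAGEMENT_VLAN is expressed through the MANAGEMENT interface list, which holds only that VLAN. The sample hosts are constructed.

```python
"""Offline model of the IPv4 /ip firewall filter chains from the export above.
Added illustration, not RouterOS code and not the poster's script: first-match
rule evaluation over a few packet attributes, with interface lists, the TRUSTED
address list and the rules transcribed from the export. Connection tracking is
one state string per packet; fasttrack-connection is treated as accept.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# /interface list member, transcribed from the export
LISTS: Dict[str, Set[str]] = {
    "WAN": {"lte2"},
    "VLAN": {"MANAGEMENT_VLAN", "HOME_VLAN", "IOT_VLAN", "TESTING_VLAN",
             "IOT_INTERNET_VLAN", "DMZ_VLAN"},
    "MANAGEMENT": {"MANAGEMENT_VLAN"},
    "INTERNET": {"HOME_VLAN", "IOT_INTERNET_VLAN", "MANAGEMENT_VLAN", "DMZ_VLAN"},
    "LAN": {"DMZ_VLAN", "HOME_VLAN", "IOT_INTERNET_VLAN", "IOT_VLAN"},  # no TESTING_VLAN
}
# /ip firewall address-list
ADDRESS_LISTS: Dict[str, Set[str]] = {"TRUSTED": {"192.168.99.13", "192.168.99.23", "192.168.99.9"}}
ESTABLISHED = {"established", "related", "untracked"}


@dataclass
class Packet:
    chain: str                  # "input": addressed to the router; "forward": routed through it
    in_if: str                  # ingress interface: a VLAN interface name or lte2
    out_if: Optional[str] = None
    src: str = ""
    proto: str = ""
    dst_port: int = 0
    state: str = "new"          # new / established / related / untracked / invalid


@dataclass
class Rule:
    chain: str
    action: str
    state: Optional[Set[str]] = None    # connection-state=
    in_list: Optional[str] = None       # in-interface-list=
    out_list: Optional[str] = None      # out-interface-list=
    proto: Optional[str] = None         # protocol=
    dst_port: Optional[int] = None      # dst-port=
    src_list: Optional[str] = None      # src-address-list=

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must agree; an unset matcher is a wildcard."""
        return (self.chain == p.chain
                and (self.state is None or p.state in self.state)
                and (self.in_list is None or p.in_if in LISTS[self.in_list])
                and (self.out_list is None or p.out_if in LISTS[self.out_list])
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.src_list is None or p.src in ADDRESS_LISTS[self.src_list]))


# /ip firewall filter from the final export, in order
RULES = [
    Rule("input", "accept", state=ESTABLISHED),
    Rule("input", "drop", state={"invalid"}),
    Rule("input", "accept", proto="icmp"),
    Rule("input", "accept", in_list="MANAGEMENT", proto="tcp", dst_port=8291, src_list="TRUSTED"),
    Rule("input", "accept", in_list="VLAN", proto="tcp", dst_port=53),
    Rule("input", "accept", in_list="VLAN", proto="udp", dst_port=53),
    Rule("input", "drop"),
    Rule("forward", "accept", state={"established", "related"}),   # fasttrack-connection
    Rule("forward", "accept", state=ESTABLISHED),
    Rule("forward", "drop", state={"invalid"}),
    Rule("forward", "accept", in_list="MANAGEMENT", out_list="LAN", src_list="TRUSTED"),
    Rule("forward", "accept", in_list="INTERNET", out_list="WAN"),
    Rule("forward", "drop"),
]

# The rule from the earlier post that sat in chain=input; its in-interface=
# MANAGEMENT_VLAN is modelled via the MANAGEMENT list, which holds only that VLAN.
MISPLACED_INPUT_RULE = Rule("input", "accept", state={"established", "related"}, in_list="MANAGEMENT")


def verdict(p: Packet) -> str:
    """First matching rule wins; RouterOS accepts a packet that no rule matches."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "accept"


def forward_matrix(host_by_vlan: Dict[str, str]) -> Dict[Tuple[str, str], str]:
    """Verdict for a NEW connection from each given VLAN host to every other VLAN and to WAN."""
    targets = sorted(LISTS["VLAN"]) + ["lte2"]
    return {(src_vlan, dst): verdict(Packet("forward", src_vlan, dst, src=src_ip))
            for src_vlan, src_ip in host_by_vlan.items()
            for dst in targets if dst != src_vlan}


if __name__ == "__main__":
    hosts = {"MANAGEMENT_VLAN": "192.168.99.13", "HOME_VLAN": "192.168.10.4",
             "TESTING_VLAN": "192.168.30.7"}           # constructed sample hosts
    for (src, dst), action in forward_matrix(hosts).items():
        print(f"{src:18} -> {dst:18} {action}")
```

Running it prints one verdict per (source VLAN, destination) pair for a new connection: the trusted admin host reaches HOME, IOT, IOT_INTERNET, DMZ and the WAN, while (MANAGEMENT_VLAN, TESTING_VLAN) comes out as drop because TESTING_VLAN is absent from the LAN list. A packet with chain="forward" never matches MISPLACED_INPUT_RULE whatever its other attributes, which is why the earlier chain=input version changed nothing. Established return traffic from TESTING_VLAN is accepted by the first forward rule even though new connections from it are dropped, which is the one-way relationship anav describes below.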
 
forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

Re: VLAN setup in home

Tue Dec 06, 2022 10:35 pm

(1) Ahh, forgot about this one :D Nice catch!
(2) Yup, want to have full separation of "TESTING" VLAN - totally intended.

Much appreciated help, thanks a lot! I've learnt so much.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup in home

Tue Dec 06, 2022 11:01 pm

Not sure what you mean by full separation LOL. If you allow yourself as admin to access the test vlan, the test vlan cannot access the admin vlan........ So one way transmission rules are in effect.
The only traffic coming from the test vlan would be return traffic to admin queries..... Just so you know.
 
forthal
just joined
Topic Author
Posts: 7
Joined: Wed Jan 19, 2022 6:33 pm

Re: VLAN setup in home

Wed Dec 07, 2022 1:06 pm

I totally get it, but do not want to access something "less secure" as admin from TESTING_VLAN. I know that full physical separation is much better (will do that in future), but for my case it's enough to launch a VM in TESTING_VLAN and launch something to test what is going on. I'll have a separate port in the switch to access TESTING_VLAN and have WIFI for it as well, so that's enough.
 
brainlabs
just joined
Posts: 7
Joined: Fri Feb 10, 2023 2:49 pm

Re: VLAN setup in home

Fri Feb 10, 2023 3:00 pm

Hi All
I have a question around the management IP address not being reached from the WAN port.
I have mikrotik using PPPoE for Internet access and a management vlan 100, which is in a bridge and that vlan is participating in that bridge.

I can access the device via the PPPoE public IP address, no problem, but what I want to do is disable that via the firewall; before I can do that I need to be able to reach the device via the management IP.

In terms of that management IP, it can ping its gateway, but when I ping that device I get a request timeout.

Please help.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup in home

Fri Feb 10, 2023 6:47 pm

start your own thread, provide a diagram, provide current config /export file=anynameyouwish (minus router serial number and any public WANIP information).

Finally, please describe your user requirements, without any mention of config,
identify users/devices, groups of users/devices.............
identify what traffic they need to accomplish and what they shouldn't be able to do............. without any config speak.
