I'm currently struggling with one problem on my new router (RB5009).
Indeed, to be able to get an IP address from my ISP, I need to change the VLAN priority of the DHCP packets.
I used to do it with switch rules on my former RB3011, but the RB5009 does not support new-vlan-priority switch rules :-p
I also know I could use bridge filter rules to achieve it, but as I need VLAN filtering I ended up with a two-bridge configuration, which works; the problem with this configuration is that only the first bridge is hardware offloaded, so I'm also losing fasttrack.
My question is the following: is there a better way to achieve it? For instance, with only one bridge?
I'm posting a sanitized configuration export here (the IPv6 part is also removed):
# nov/29/2022 09:59:07 by RouterOS 7.6
# software id = NYZZ-0FRB
#
# model = RB5009UPr+S+
# serial number =
# Review notes: the '#' lines are comments only; every exported command is unchanged.
# Layout of this export: CAPsMAN wireless, two bridges (bridge-LAN with VLAN
# filtering for VLANs 2/10/30, bridge-wan carrying only vlan832-wan), ISP-specific
# DHCP client options, IPv4 firewall, TV multicast proxy. Firewall and bridge
# filter rules are evaluated top to bottom, so their order is part of the config.
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=CH1
add band=2ghz-b/g/n frequency=2417 name=CH2
add band=2ghz-b/g/n frequency=2422 name=CH3
add band=2ghz-b/g/n frequency=2427 name=CH4
add band=2ghz-b/g/n frequency=2432 name=CH5
add band=2ghz-b/g/n frequency=2437 name=CH6
add band=2ghz-b/g/n frequency=2442 name=CH7
add band=2ghz-b/g/n frequency=2447 name=CH8
add band=2ghz-b/g/n frequency=2452 name=CH9
add band=2ghz-b/g/n frequency=2457 name=CH10
add band=2ghz-b/g/n frequency=2462 name=CH11
add band=2ghz-b/g/n frequency=2467 name=CH12
add band=2ghz-b/g/n frequency=2472 name=CH13
add band=5ghz-a/n/ac frequency=5180 name=CH36
add band=5ghz-a/n/ac frequency=5200 name=CH40
add band=5ghz-a/n/ac frequency=5220 name=CH44
add band=5ghz-a/n/ac frequency=5240 name=CH48
add band=5ghz-a/n/ac frequency=5260 name=CH52
add band=5ghz-a/n/ac frequency=5280 name=CH56
add band=5ghz-a/n/ac frequency=5300 name=CH60
add band=5ghz-a/n/ac frequency=5320 name=CH64
add band=5ghz-a/n/ac frequency=5500 name=CH100
add band=5ghz-a/n/ac frequency=5520 name=CH104
add band=5ghz-a/n/ac frequency=5540 name=CH108
add band=5ghz-a/n/ac frequency=5560 name=CH112
add band=5ghz-a/n/ac frequency=5580 name=CH116
add band=5ghz-a/n/ac frequency=5600 name=CH120
add band=5ghz-a/n/ac frequency=5620 name=CH124
add band=5ghz-a/n/ac frequency=5640 name=CH128
add band=5ghz-a/n/ac frequency=5660 name=CH132
add band=5ghz-a/n/ac frequency=5680 name=CH136
add band=5ghz-a/n/ac frequency=5700 name=CH140
add band=5ghz-a/n/ac frequency=5160 name=CH32
add band=5ghz-a/n/ac frequency=5340 name=CH68
add band=5ghz-a/n/ac frequency=5480 name=CH96
add band=5ghz-n/ac extension-channel=eeeC frequency=5500,5520,5540,5560 name=\
CH106
# bridge-LAN does the VLAN work (vlan-filtering=yes, admit-only-vlan-tagged on
# the bridge's own port). bridge-wan exists only so the /interface bridge filter
# output rules below can set the priority of DHCP frames leaving on vlan832-wan;
# per the author only the first bridge is hardware offloaded.
# ingress-filtering=no here is the bridge's own (CPU-facing) port setting; the
# physical ports below do not set it, so they run with the RouterOS 7 default.
# NOTE(review): confirm that tagged frames for VLANs not listed under
# /interface bridge vlan are dropped on the trunk ports ether6/7/8.
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-LAN \
vlan-filtering=yes
add name=bridge-wan protocol-mode=none
# Port naming: ether1 TV decoder, ether2 ISP box (forced to 100 Mbps), ether3-8
# LAN ports, sfp-sfpplus1 = WAN uplink advertising 100M/1000M only.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TV poe-out=off
set [ find default-name=ether2 ] name=ether2-Livebox poe-out=off speed=\
100Mbps
set [ find default-name=ether3 ] name=ether3-Garage
set [ find default-name=ether4 ] name=ether4-PI
set [ find default-name=ether5 ] name=ether5-AP poe-out=off
set [ find default-name=ether6 ] name=ether6-Bureau poe-out=off
set [ find default-name=ether7 ] name=ether7-Cave
set [ find default-name=ether8 ] name=ether8-Salon
set [ find default-name=sfp-sfpplus1 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full name=sfp-wan
# Internal L3 VLANs on bridge-LAN: 10 (vlan1, main LAN), 2 (vlan2, IoT), 30 (DMZ).
# VLAN 832 is the ISP access VLAN, present both on sfp-wan (towards the ISP) and
# on ether2-Livebox (towards the ISP's own box). vlan840-wan is the TV VLAN with
# ARP and loop-protect disabled.
/interface vlan
add interface=bridge-LAN name=DMZ vlan-id=30
add interface=bridge-LAN name=vlan1 vlan-id=10
add interface=bridge-LAN name=vlan2 vlan-id=2
add interface=ether2-Livebox name=vlan832-livebox vlan-id=832
add interface=sfp-wan name=vlan832-wan vlan-id=832
add arp=disabled interface=sfp-wan loop-protect=off name=vlan840-wan vlan-id=\
840
# Wireless client traffic is tagged onto bridge-LAN as VLAN 2 (IoT SSID) or
# VLAN 10 (main SSIDs) by CAPsMAN itself (vlan-mode=use-tag).
/caps-man datapath
add bridge=bridge-LAN name=datapath_vlan2 vlan-id=2 vlan-mode=use-tag
add bridge=bridge-LAN name=datapath_vlan10 vlan-id=10 vlan-mode=use-tag
# WPA2-PSK / AES-CCM for both profiles; passphrases are not part of this export.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=nonolk
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=Iot
# datapath.local-forwarding=no is set only on the Iot configuration; the other
# two configurations leave it at the default. NOTE(review): confirm all three
# forward client traffic through the CAPsMAN tunnel (the AP port ether5-AP is an
# untagged VLAN 10 access port below, so it cannot carry locally tagged traffic).
/caps-man configuration
add channel=CH6 channel.band=2ghz-g/n .extension-channel=disabled country=\
france datapath=datapath_vlan2 datapath.local-forwarding=no mode=ap name=\
Iot security=Iot ssid=nonolk_g
add channel=CH106 channel.band=5ghz-n/ac country=france datapath=\
datapath_vlan10 mode=ap name=nonolk_net5 security=nonolk ssid=nonolk.net5
add datapath=datapath_vlan10 name=nonolk_net security=nonolk ssid=nonolk.net
# WAN and LAN lists drive the firewall, MAC server and neighbor discovery below;
# Orange_TV groups the TV decoder port and the TV VLAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Orange_TV
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Options sent by the WAN DHCP client to mimic the ISP's own CPE: vendor class
# (60), user class (77) and authentication (90). The 77 and 90 values are empty
# in this export (presumably sanitized).
/ip dhcp-client option
add code=60 name=class-identifier value="'sagem'"
add code=77 name=userclass value=\
""
add code=90 name=authsend value=""
# Options offered to the ISP box behind ether2-Livebox (SIP 120, domain search
# 119, vendor-specific 125, auth 90). No /ip dhcp-server network entry that
# references them appears in this export.
/ip dhcp-server option
add code=120 name=SIP value=""
add code=119 name=domain-search value=\
0x0353545206616363657373116f72616e67652d6d756c74696d65646961036e657400
add code=125 name=VendorSPecific value=0x000005580c010a0001000000ffffffffff
add code=90 name=authsend value=\
0x0000000000000000000000646863706c697665626f786672323530
/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.200
add name=pool-IOT ranges=192.168.2.100-192.168.2.200
add name=pool-livebox ranges=192.168.4.10-192.168.4.20
add name=poot-tv ranges=192.168.42.10-192.168.42.19
# One DHCP server per internal network; the DMZ (vlan-id 30) has none, so hosts
# there are statically addressed.
/ip dhcp-server
add add-arp=yes address-pool=pool-lan interface=vlan1 lease-time=8h name=Lan
add add-arp=yes address-pool=pool-IOT interface=vlan2 lease-time=8h name=IOT
add add-arp=yes address-pool=pool-livebox interface=vlan832-livebox \
lease-time=8h name=Livebox
add address-pool=poot-tv interface=ether1-TV lease-time=8h name=TV \
use-framed-as-classless=no
# CAPsMAN with auto-generated CA and manager certificates.
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
# radio-mac= is blank in this export (sanitized); the 2.4 GHz provisioning rule
# also creates the nonolk_net SSID as a slave of the Iot master configuration.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Iot name-format=prefix \
name-prefix=garage_24_ radio-mac= slave-configurations=\
nonolk_net
add action=create-dynamic-enabled master-configuration=nonolk_net5 \
name-format=prefix name-prefix=garage_5_ radio-mac=
# This is the mechanism the author asks about: output-chain bridge filter rules
# set 802.1p priority 6 on DHCPv4 (udp/67) and DHCPv6 (udp/547) frames leaving
# via vlan832-wan. It needs the WAN VLAN to be a bridge port, hence bridge-wan.
# The first rule sets passthrough=yes and the second does not; with no later
# rule in this chain the difference has no effect.
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp \
mac-protocol=ip new-priority=6 out-interface=vlan832-wan passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp \
mac-protocol=ipv6 new-priority=6 out-interface=vlan832-wan
# Access ports (ether3-Garage, ether4-PI, ether5-AP): untagged/priority-tagged
# only, pvid=10 (main LAN). Trunk ports (ether6/7/8): tagged frames only.
# vlan832-wan is the sole member of bridge-wan.
/interface bridge port
add bridge=bridge-LAN comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5-AP pvid=10
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether6-Bureau
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether7-Cave
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether8-Salon
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4-PI pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3-Garage pvid=10
add bridge=bridge-wan interface=vlan832-wan
# Neighbor discovery restricted to the LAN list (which includes DMZ and
# ether2-Livebox, see /interface list member).
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLANs 2, 10 and 30 are tagged on the three trunk ports and on bridge-LAN
# itself (the router CPU). The access ports are not listed here; their untagged
# VLAN 10 membership comes from pvid=10 on the port entries above.
/interface bridge vlan
add bridge=bridge-LAN tagged=\
bridge-LAN,ether8-Salon,ether7-Cave,ether6-Bureau vlan-ids=10
add bridge=bridge-LAN tagged=\
bridge-LAN,ether6-Bureau,ether7-Cave,ether8-Salon vlan-ids=2
add bridge=bridge-LAN tagged=\
ether6-Bureau,ether7-Cave,ether8-Salon,bridge-LAN vlan-ids=30
# NOTE(review): the LAN list is what the input chain trusts (its final rule only
# drops in-interface-list=!LAN) and what the MAC server and neighbor discovery
# are opened to. It contains the DMZ (whose host 192.168.3.2 is published on
# WAN ports 80/443 by the dst-nat rules below), the IoT VLAN and the ISP box port
# ether2-Livebox, so all of those reach every router service. The separate
# input rule accepting DNS from 192.168.3.2 suggests the DMZ was meant to be
# outside the LAN list — confirm intent.
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=DMZ list=LAN
add interface=ether2-Livebox list=LAN
add interface=ether1-TV list=Orange_TV
add interface=vlan840-wan list=Orange_TV
add interface=bridge-wan list=WAN
# All internal networks sit in 192.168.0.0/16, which the inter-VLAN drop in the
# forward chain relies on. 192.168.255.254 on vlan840-wan carries no prefix
# length (a host address). No address in 192.168.10.0/24 is configured, although
# two forward rules below reference 192.168.10.1.
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=DMZ network=192.168.3.0
add address=192.168.4.1/24 interface=vlan832-livebox network=192.168.4.0
add address=192.168.255.254 comment="TV Orange" interface=vlan840-wan \
network=192.168.255.254
add address=192.168.42.1/24 interface=ether1-TV network=192.168.42.0
# WAN DHCP client on bridge-wan sending the ISP-specific options defined above;
# peer NTP ignored in favour of the explicit servers below.
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,class-identifier,userclass \
interface=bridge-wan use-peer-ntp=no
# The resolver answers any interface the input chain lets through: blocked from
# WAN by the !LAN drop, reachable from every LAN-list interface (DMZ, IoT,
# ether2-Livebox included).
/ip dns
set allow-remote-requests=yes
# Input chain: default-config shape. Anything arriving on a LAN-list interface
# is accepted implicitly because the final input drop matches only !LAN.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Redundant while DMZ is in the LAN list: traffic from 192.168.3.2 never reaches
# the !LAN drop anyway. Would only matter if DMZ were removed from that list.
add action=accept chain=input dst-port=53 protocol=udp src-address=\
192.168.3.2
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input in-interface-list=LAN protocol=icmp
# action=drop although the comment says "accept ICMP": together with the
# previous rule this accepts ICMP from LAN and drops it from everywhere else
# (WAN included). The comment= text is misleading, the behaviour is plausible.
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow multicast TV Orange" dst-port=\
8200,8202 in-interface=vlan840-wan protocol=udp
add action=accept chain=input comment="Service Orange TV" dst-port=5678 \
in-interface-list=Orange_TV protocol=udp
add action=accept chain=input comment="Allow IGMP for Orange TV" \
in-interface-list=Orange_TV protocol=igmp
# TV forward accepts sit above the fasttrack rule, so packets of these flows are
# presumably matched here on every pass and never fasttracked (functionally
# harmless, only a performance note).
add action=accept chain=forward comment="DNS/NTP pour le decodeur TV Orange" \
dst-port=53,123,5000 in-interface=ether1-TV out-interface=bridge-wan \
protocol=udp
add action=accept chain=forward comment="HTTP/S pour le decodeur TV Orange" \
dst-port=80,443,8554 in-interface=ether1-TV out-interface=bridge-wan \
protocol=tcp
add action=accept chain=forward comment="TV Orange" dst-port=8200,8202 \
in-interface=vlan840-wan out-interface=ether1-TV protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=debug
# Forward chain: fasttrack (hw-offload requested), established/related accept,
# invalid drop, then the explicit inter-VLAN exceptions.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# 192.168.10.1 does not appear anywhere else in this export (no address, VLAN
# or route) — stale rules or a sanitized target.
add action=accept chain=forward dst-address=192.168.10.1 protocol=icmp \
src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.10.1 dst-port=80,443 \
protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.3.2 in-interface=vlan1 \
protocol=icmp
add action=accept chain=forward dst-address=192.168.3.2 dst-port=22,443 \
protocol=tcp src-address=192.168.1.0/24
# Inter-VLAN isolation: new connections between any two internal networks are
# dropped unless accepted above; return traffic is covered by established/related.
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
192.168.0.0/16
# Last forward rule: WAN-originated new connections without a dst-nat are
# dropped. There is no closing drop for LAN-originated traffic, so LAN, IoT and
# DMZ to WAN are allowed by the implicit accept.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Locally generated packets towards the TV VLAN get 802.1p priority 5.
/ip firewall mangle
add action=set-priority chain=output new-priority=5 out-interface=vlan840-wan \
passthrough=yes src-address-type=local
# Masquerade towards WAN; WAN ports 80 and 443 are published to the DMZ host
# 192.168.3.2 (that host is Internet-reachable — see the LAN list note above).
# src-port="" on the 443 rule is an empty matcher and has no effect.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=bridge-wan \
protocol=tcp src-port="" to-addresses=192.168.3.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=bridge-wan protocol=\
tcp to-addresses=192.168.3.2 to-ports=80
/ip firewall service-port
set sip disabled=yes
# Multicast upstream on the TV VLAN; alternative-subnets accepts sources from
# four /8 ranges (broad, but bound to vlan840-wan). Downstream is the TV port.
/routing igmp-proxy interface
add alternative-subnets=193.0.0.0/8,81.0.0.0/8,172.0.0.0/8,80.0.0.0/8 \
interface=vlan840-wan upstream=yes
add interface=ether1-TV
/system clock
set time-zone-name=Europe/Paris
/system logging
add disabled=yes topics=radvd
/system ntp client
set enabled=yes
/system ntp client servers
add address=5.196.160.139
add address=212.85.158.10
# MAC-telnet and MAC-WinBox are open to the whole LAN list, which here includes
# the DMZ and the ISP box port ether2-Livebox.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN