I have a hac ac 2 router with this config
Code: Select all
# dec/05/2022 07:02:22 by RouterOS 7.6
# software id = KKLQ-E0BD
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf fast-forward=no \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool_vlan30 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool_vlan1 interface=vlan1 name=dhcp_vlan1
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=dhcp_vlan30
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether2,ether3,wlan1,wlan2 \
vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=1
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
add interface=vlan1 list=LAN
add interface=vlan30 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key=\
"REMOVED"
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
B8:AE:ED:EA:E8:96 server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.14 client-id=\
ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
00:0C:29:85:E8:C8 server=dhcp_vlan10
add address=192.168.0.20 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.21 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
add address=192.168.20.50 client-id=1:a4:2b:b0:13:21:13 mac-address=\
A4:2B:B0:13:21:13 server=dhcp_vlan20
add address=192.168.20.23 mac-address=40:F5:20:00:57:07 server=dhcp_vlan20
add address=192.168.20.24 mac-address=40:F5:20:01:5B:6F server=dhcp_vlan20
add address=192.168.1.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan1
add address=192.168.1.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan1
add address=192.168.20.12 mac-address=CC:50:E3:F3:66:C8 server=dhcp_vlan20
add address=192.168.20.11 mac-address=34:94:54:72:95:D3 server=dhcp_vlan20
add address=192.168.20.25 mac-address=E8:DB:84:B5:DF:1A server=dhcp_vlan20
add address=192.168.0.8 client-id=1:1c:69:7a:63:b1:91 mac-address=\
1C:69:7A:63:B1:91 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:3:74:de mac-address=\
00:0C:29:03:74:DE server=dhcp_vlan10
add address=192.168.0.12 client-id=\
ff:9f:6e:85:24:0:2:0:0:ab:11:3a:dd:cf:87:3:17:7b:24 mac-address=\
00:0C:29:36:7D:61 server=dhcp_vlan10
add address=192.168.0.10 client-id=\
ff:9f:6e:85:24:0:2:0:0:ab:11:db:e5:75:90:9b:83:3:d mac-address=\
00:0C:29:6D:1E:10 server=dhcp_vlan10
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=removed.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.66.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10
add action=accept chain=forward dst-port=1883 in-interface=vlan20 \
out-interface=vlan10 protocol=tcp
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward in-interface=vlan10 out-interface=vlan1
add action=accept chain=forward dst-address=192.168.0.20 in-interface=vlan30 \
out-interface=vlan10
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan20
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan10
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=13231 protocol=udp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=19132 protocol=udp to-addresses=192.168.0.16
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
dst-port=2022 protocol=tcp src-port="" to-addresses=192.168.0.9 to-ports=\
22
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Now I want to disable access to the webinterface from vlan 20 and 30 but I can't figure out how to do it.
Can someone here explain how to do it?