Community discussions

MikroTik App
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Disable router webinterface from Guest network

Mon Dec 05, 2022 8:21 am

Hi

I have a hac ac 2 router with this config
# dec/05/2022 07:02:22 by RouterOS 7.6
# software id = KKLQ-E0BD
#
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf fast-forward=no \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool_vlan30 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool_vlan1 interface=vlan1 name=dhcp_vlan1
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=dhcp_vlan30
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=1
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
add interface=vlan1 list=LAN
add interface=vlan30 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key=\
    "REMOVED"
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.14 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=dhcp_vlan10
add address=192.168.0.20 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.21 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
add address=192.168.20.50 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=dhcp_vlan20
add address=192.168.20.23 mac-address=40:F5:20:00:57:07 server=dhcp_vlan20
add address=192.168.20.24 mac-address=40:F5:20:01:5B:6F server=dhcp_vlan20
add address=192.168.1.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan1
add address=192.168.1.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan1
add address=192.168.20.12 mac-address=CC:50:E3:F3:66:C8 server=dhcp_vlan20
add address=192.168.20.11 mac-address=34:94:54:72:95:D3 server=dhcp_vlan20
add address=192.168.20.25 mac-address=E8:DB:84:B5:DF:1A server=dhcp_vlan20
add address=192.168.0.8 client-id=1:1c:69:7a:63:b1:91 mac-address=\
    1C:69:7A:63:B1:91 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:3:74:de mac-address=\
    00:0C:29:03:74:DE server=dhcp_vlan10
add address=192.168.0.12 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:3a:dd:cf:87:3:17:7b:24 mac-address=\
    00:0C:29:36:7D:61 server=dhcp_vlan10
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:db:e5:75:90:9b:83:3:d mac-address=\
    00:0C:29:6D:1E:10 server=dhcp_vlan10
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=removed.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.66.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10
add action=accept chain=forward dst-port=1883 in-interface=vlan20 \
    out-interface=vlan10 protocol=tcp
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward in-interface=vlan10 out-interface=vlan1
add action=accept chain=forward dst-address=192.168.0.20 in-interface=vlan30 \
    out-interface=vlan10
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan20
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan10
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=13231 protocol=udp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=19132 protocol=udp to-addresses=192.168.0.16
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=2022 protocol=tcp src-port="" to-addresses=192.168.0.9 to-ports=\
    22
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I have it connected with a Grandstream AP with 3 vlan.
Now I want to disable access to the webinterface from vlan 20 and 30 but I can't figure out how to do it.

Can someone here explain how to do it?
 
holvoetn
Forum Guru
Forum Guru
Posts: 5411
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Disable router webinterface from Guest network

Mon Dec 05, 2022 8:43 am

One possible way (could be others have a more elegant solution):
Firewall, drop incoming connections originating from subnets corresponding to VLAN20/30, targetted towards your router for TCP ports 80 (http) and 443 (https).
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Re: Disable router webinterface from Guest network

Mon Dec 05, 2022 7:25 pm

Hi

I tried it like this but no success
# dec/05/2022 18:22:05 by RouterOS 7.6
# software id = KKLQ-E0BD
#
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf fast-forward=no \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool_vlan30 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool_vlan1 interface=vlan1 name=dhcp_vlan1
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=dhcp_vlan30
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=1
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
add interface=vlan1 list=LAN
add interface=vlan30 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key=\
    "REMOVED"
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.14 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=dhcp_vlan10
add address=192.168.0.20 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.21 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
add address=192.168.20.50 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=dhcp_vlan20
add address=192.168.20.23 mac-address=40:F5:20:00:57:07 server=dhcp_vlan20
add address=192.168.20.24 mac-address=40:F5:20:01:5B:6F server=dhcp_vlan20
add address=192.168.1.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan1
add address=192.168.1.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan1
add address=192.168.20.12 mac-address=CC:50:E3:F3:66:C8 server=dhcp_vlan20
add address=192.168.20.11 mac-address=34:94:54:72:95:D3 server=dhcp_vlan20
add address=192.168.20.25 mac-address=E8:DB:84:B5:DF:1A server=dhcp_vlan20
add address=192.168.0.8 client-id=1:1c:69:7a:63:b1:91 mac-address=\
    1C:69:7A:63:B1:91 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:3:74:de mac-address=\
    00:0C:29:03:74:DE server=dhcp_vlan10
add address=192.168.0.12 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:3a:dd:cf:87:3:17:7b:24 mac-address=\
    00:0C:29:36:7D:61 server=dhcp_vlan10
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:db:e5:75:90:9b:83:3:d mac-address=\
    00:0C:29:6D:1E:10 server=dhcp_vlan10
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=removed.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.66.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10
add action=accept chain=forward dst-port=1883 in-interface=vlan20 \
    out-interface=vlan10 protocol=tcp
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward in-interface=vlan10 out-interface=vlan1
add action=accept chain=forward dst-address=192.168.0.20 in-interface=vlan30 \
    out-interface=vlan10
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan20
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan10
add action=drop chain=forward dst-address=192.168.0.1 dst-port=80 protocol=\
    tcp src-address=192.168.20.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=13231 protocol=udp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=19132 protocol=udp to-addresses=192.168.0.16
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=2022 protocol=tcp src-port="" to-addresses=192.168.0.9 to-ports=\
    22
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Disable router webinterface from Guest network

Mon Dec 05, 2022 9:37 pm

(1) Why fast-forward=no and interface filtering also set to no on bridge setting??

(2) Remove VLAN=1 definition, default vlan1 is used by the router (bridge) in the background. Simply use another vlan ID for real data/traffic.
In this case what you really mean is that vlan15 (renamed it), is your trusted subnet and one which the grandstream needs to get its IP address from.
So grandstream is as stupid as ubiquiti wifi then.........

(3) Add ingress filtering=yes on bridge ports! ( all of them except the hybrid port going to grandstreaam )

(4) Your ether 4 /interface bridge port setting should show the pvid for the untagged port, its missing, in this case using 15 renamed.

(5) vlans 20 and 30 can be combined on /interface bridge vlans.

(6) Add TRUSTED subnet to ensure only one LAN has access to neighbours discovery winbox, input chain etc.............. (in addition added ether5-emerg and wireguard1)

(7) Input chain order corrected, no need to put rules before accepted established etc..... Rules made clearer with better security, entire LAN no longer has access to the router........

From:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.66.0/24

add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN[/size
]


TO:
add action=accept chain=input in-interface-list=TRUSTED
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"

(8) Dont need connection=new etc.......
From:
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward connection-nat-state=dstnat
comment="allow port forwarding" \


(9) Im confused as to why you want vlan10 to be able to access the trusted vlan1 (or now 15).
Which is the trusted VLAN?
In other words, if in fact VLAN10 is the actual trusted home VLAN then the grandstream should not be getting vlan1 untagged or vlan15 in the new case.
It should be getting vlan10 untagged and thus get its IP address from vlan10. If you need an WLAN on the grandstream on VLAN1 now vlan15 then its simply another Data VLAN that goes accross ether 4, just like 20,30 etc.........

so please describe the differences between purpose of vlan1 Now 15 and vlan10.

(10) This appears to be a nonsensical rule................. Purppose ?
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10[/i]

(11) This rule is NOT required..................... VLAN20 has no access to VLAN10 !! ( by virtue of drop all rule at end )
add action=drop chain=forward dst-address=192.168.0.1 dst-port=80 protocol=\
tcp src-address=192.168.20.0/24


(12) FROM
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

TO:
/tool mac-server
set allowed-interface-list=NONE { not a secure access method }
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED { self-explanetory }
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Disable router webinterface from Guest network

Mon Dec 05, 2022 9:41 pm

For example.............
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf \
     name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan1 vlan-id=15
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan15 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool_vlan30 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool_vlan15 interface=vlan1 name=dhcp_vlan1
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=dhcp_vlan30
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge comment=defconf interface=ether4  pvid=15
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20,30
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=15
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=ether5-emerg list=LAN
add interface=vlan10 list=LAN
add interface=vlan15 list=LAN
add interface=vlan30 list=LAN
add interface=wireguard1 list=LAN
add interface=vlan15 list=TRUSTED
add interface=ether5-emerg list=TRUSTED
add interface=wireguard1 list=TRUSTED
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key=\
    "REMOVED"
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
add address=192.168.1.1/24 interface=vlan15 network=192.168.1.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=removed.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard" in-interface=wireguard1\
    dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=TRUSTED
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward dst-port=1883 in-interface=vlan20 \
    out-interface=vlan10 protocol=tcp
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward in-interface=vlan10 out-interface=vlan15
add action=accept chain=forward dst-address=192.168.0.20 in-interface=vlan30 \
    out-interface=vlan10
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan20
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan10
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.11
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Re: Disable router webinterface from Guest network

Tue Dec 06, 2022 9:30 am

1) I don't know

2) I submitted a ticket to Grandstream that it could not get an IP if it didn't have a default network with VLAN 1. They have now updated their firmware to be able to set an VLAN ID for discovery/management. I think that is why I have a VLAN1 with ID 1.

9) I want VLAN10 to be my trusted VLAN, See answer 2

10) I think my hairpin nat did not work without it?

11) This was my attempt to block router webinterface from VLAN20

Thank you for your help.
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Re: Disable router webinterface from Guest network

Wed Dec 07, 2022 11:12 pm

Should I just delete VLAN1 and set management VLAN on Grandstream to 10?
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Re: Disable router webinterface from Guest network

Wed Dec 14, 2022 10:35 am

I have now changed to this configuration, I have ingress filtering on all bridge port but it doesnt show in config. Is it default setting?
# dec/14/2022 09:31:33 by RouterOS 7.6
# software id = KKLQ-E0BD
#
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] full-duplex=no
set [ find default-name=ether5 ] name=ether5-emerg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool_vlan30 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=dhcp_vlan30
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether2,ether3,wlan1,wlan2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20,30
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=ether5-emerg list=TRUSTED
add interface=vlan10 list=TRUSTED
add interface=wireguard1 list=TRUSTED
add interface=vlan10 list=LAN
add interface=ether5-emerg list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key=\
    "REMOVED"
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan10 network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.5.2/24 interface=ether5-emerg network=192.168.5.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=dhcp_vlan10
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=dhcp_vlan10
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=dhcp_vlan10
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=dhcp_vlan10
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=dhcp_vlan10
add address=192.168.0.20 mac-address=9C:93:4E:6C:CF:C2 server=dhcp_vlan10
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=dhcp_vlan10
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=dhcp_vlan10
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=dhcp_vlan10
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=dhcp_vlan10
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.21 mac-address=00:09:DC:80:05:EB server=dhcp_vlan10
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=dhcp_vlan10
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=dhcp_vlan10
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=dhcp_vlan10
add address=192.168.20.50 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=dhcp_vlan20
add address=192.168.20.23 mac-address=40:F5:20:00:57:07 server=dhcp_vlan20
add address=192.168.20.24 mac-address=40:F5:20:01:5B:6F server=dhcp_vlan20
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=dhcp_vlan10
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=dhcp_vlan10
add address=192.168.20.12 mac-address=CC:50:E3:F3:66:C8 server=dhcp_vlan20
add address=192.168.20.11 mac-address=34:94:54:72:95:D3 server=dhcp_vlan20
add address=192.168.20.25 mac-address=E8:DB:84:B5:DF:1A server=dhcp_vlan20
add address=192.168.0.8 client-id=1:1c:69:7a:63:b1:91 mac-address=\
    1C:69:7A:63:B1:91 server=dhcp_vlan10
add address=192.168.0.11 client-id=1:0:c:29:3:74:de mac-address=\
    00:0C:29:03:74:DE server=dhcp_vlan10
add address=192.168.0.12 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:3a:dd:cf:87:3:17:7b:24 mac-address=\
    00:0C:29:36:7D:61 server=dhcp_vlan10
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:db:e5:75:90:9b:83:3:d mac-address=\
    00:0C:29:6D:1E:10 server=dhcp_vlan10
add address=192.168.0.13 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=dhcp_vlan10
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=removed.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    in-interface=wireguard1 protocol=udp
add action=accept chain=input in-interface-list=TRUSTED
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward dst-port=1883 in-interface=vlan20 \
    out-interface=vlan10 protocol=tcp
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward dst-address=192.168.0.20 in-interface=vlan30 \
    out-interface=vlan10
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan20
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan10
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=13231 protocol=udp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=19132 protocol=udp to-addresses=192.168.0.16
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=2022 protocol=tcp src-port="" to-addresses=192.168.0.9 to-ports=\
    22
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
But now I cant access my LAN when connected to Wireguard.
 
erlinden
Forum Guru
Forum Guru
Posts: 1921
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Disable router webinterface from Guest network

Wed Dec 14, 2022 10:42 am

Grandstream, if using Cloud GWN, requires an Internet connection on the default VLAN (otherwise you are not able to configure the accesspoint). This can be accomplished by having an Internet VLAN untagged on the port where the GWN is connected to.

Not sure if all is set including management VLAN you can remove the Internet connection on the default VLAN.

I always turn on logging to find out what is blocking.
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Re: Disable router webinterface from Guest network

Wed Dec 14, 2022 12:51 pm

Grandstream, if using Cloud GWN, requires an Internet connection on the default VLAN (otherwise you are not able to configure the accesspoint). This can be accomplished by having an Internet VLAN untagged on the port where the GWN is connected to.

Not sure if all is set including management VLAN you can remove the Internet connection on the default VLAN.

I always turn on logging to find out what is blocking.
I dont use Cloud GWN. And Grandstream dosent have anything to do with the Wireguard VPN
 
ressof
just joined
Topic Author
Posts: 21
Joined: Mon Nov 29, 2021 10:18 am

Re: Disable router webinterface from Guest network

Sun Dec 18, 2022 10:43 am

Solved it by change this line in firewall
add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=wireguard1 protocol=udp
to
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp

Who is online

Users browsing this forum: Ahrefs [Bot], bananaboy1101, emunt6, uxertxo and 88 guests