I created a few MikroTik virtual devices in GNS3, and the project has grown over time; I added WireGuard tunnels to the original VLAN setup.
I noticed a strange DHCP lease for "gns3" on ether1, which is also the trunk port connected to the "switch/AP", as shown in the image below:
Here is a screenshot of the lease window too:
As you can see, all the leases are for the green VLAN; the first two are expected, but I don't understand where the last one comes from, although its status is only "offered".
My MK setup:
#
# Bridge/VLAN setup for a MikroTik device virtualised in GNS3.
# BR1 is the single VLAN-aware bridge; every VLAN has its own /interface vlan
# on top of BR1, and ether1 is the tagged trunk carrying all of them.
/interface bridge
# protocol-mode=none disables (R)STP on this bridge, so a loop through the
# trunk would not be detected. vlan-filtering=yes makes the
# /interface bridge vlan table below authoritative for what each port passes.
add frame-types=admit-only-vlan-tagged name=BR1 protocol-mode=none \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=TRUNK
/interface wireguard
# Site-A WireGuard endpoint; the remote peer is under /interface wireguard peers.
add listen-port=13231 mtu=1420 name=WG-Mikrotik-A
/interface vlan
# L3 VLAN interfaces on top of BR1. VLAN 99 (BASE_VLAN) is the management VLAN
# (see /interface list member and /tool mac-server mac-winbox further down).
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Blue_VLAN vlan-id=30
add interface=BR1 name=Green_VLAN vlan-id=10
add interface=BR1 name=Red_VLAN vlan-id=20
/disk
set sata1 disabled=no
/interface list
# WAN: ether5 (DHCP client). VLAN: all four VLAN interfaces. BASE: BASE_VLAN only.
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# Default profile (WPA2-PSK); no wireless interface is configured in this export.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
# One pool per VLAN; .1 of each /24 is the router itself (see /ip address).
add name=Green_POOL ranges=10.0.10.2-10.0.10.254
add name=Red_POOL ranges=10.0.20.2-10.0.20.254
add name=Blue_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
# Each server is bound to a VLAN interface, not to a physical port. Green_DHCP
# therefore answers any DHCP DISCOVER that reaches VLAN 10 -- untagged on
# ether3 (pvid=10) or tagged 10 across the ether1 trunk. A lease in state
# "offered" indicates an OFFER was sent but no REQUEST came back from that
# client; the lease's MAC address identifies the requesting device.
# BASE_VLAN (99) has no DHCP server, so its hosts need static addresses.
add address-pool=Green_POOL interface=Green_VLAN name=Green_DHCP
add address-pool=Red_POOL interface=Red_VLAN name=Red_DHCP
add address-pool=Blue_POOL interface=Blue_VLAN name=Blue_DHCP
/port
set 0 name=serial0
/interface bridge port
# Access ports: each accepts only untagged (or priority-tagged) frames and
# stamps them with its pvid: ether3 -> VLAN 10, ether4 -> VLAN 99 (mgmt),
# ether2 -> VLAN 30. ingress-filtering is not shown here (left at its default);
# NOTE(review): confirm it is yes so frames for VLANs a port is not a member
# of are dropped at ingress.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether4 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 pvid=30
# Trunk: tagged frames only. Every VLAN listed as tagged on ether1 below is
# accepted, so any device behind the trunk that tags VLAN 10 or 99 lands on
# the Green or management VLAN.
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
# BR1 itself is a tagged member of every VLAN so the /interface vlan L3
# interfaces above receive traffic. VLAN 20 (Red) has no access port -- it
# exists only on the trunk.
add bridge=BR1 tagged=BR1,ether1 untagged=ether4 vlan-ids=99
add bridge=BR1 tagged=BR1,ether1 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether1 vlan-ids=20
/interface list member
add interface=ether5 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=Blue_VLAN list=VLAN
add interface=Green_VLAN list=VLAN
add interface=Red_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface wireguard peers
# Remote site B: its tunnel address plus two LANs (172.16.11.0/24 and
# 172.16.31.0/24) that are routed through the tunnel (see /ip route).
# public-key is the peer's public key, not a secret.
add allowed-address=192.168.32.2/32,172.16.11.0/24,172.16.31.0/24 comment=\
SITE_B interface=WG-Mikrotik-A persistent-keepalive=25s public-key=\
"VjH/0AdK9cMNdE7ehJ1aFeFjbzCBBpxm9wJVgfQ="
/ip address
# Router is .1 on every VLAN; 192.168.32.0/24 is the tunnel transfer network.
add address=10.0.10.1/24 interface=Green_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=Red_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=Blue_VLAN network=10.0.30.0
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
add address=192.168.32.1/24 interface=WG-Mikrotik-A network=192.168.32.0
/ip dhcp-client
# Upstream address on ether5 (WAN); the ISP's DNS is ignored, 1.1.1.1 is used.
add interface=ether5 use-peer-dns=no
/ip dhcp-server network
# Clients on every VLAN are pointed at the router's BASE_VLAN address for DNS;
# the firewall input rules accept UDP/TCP 53 from the VLAN list so this works.
add address=10.0.10.0/24 dns-server=192.168.99.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.99.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.99.1 gateway=10.0.30.1
/ip dns
# The router is the resolver for the VLANs. allow-remote-requests=yes is kept
# in check by the input chain, which accepts port 53 only from the VLAN list
# and the explicitly allowed sources, and drops everything else (WAN included).
set allow-remote-requests=yes servers=1.1.1.1
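/ip firewall filter
# Input chain: explicit allow-list followed by a logged "drop all else".
# Forward chain: VLANs reach WAN and the Green <-> site-B tunnel only; other
# inter-VLAN traffic is dropped, except BASE_VLAN -> VLAN.
# Rules that match a remote network by source address also pin the interface
# the packet must arrive on, so a spoofed 172.16.11.0/24 or 10.0.10.0/24
# source presented on WAN or another VLAN does not match them.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Single management host on the WAN side gets unrestricted input (all services).
add action=accept chain=input in-interface-list=WAN src-address=192.168.3.100
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
# Disabled: with "drop all else" below, Red/Blue clients cannot ping the router.
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
# DNS from any VLAN interface (clients are handed 192.168.99.1 as resolver).
add action=accept chain=input comment="Allow DNS services" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow DNS services" dst-port=53 \
in-interface-list=VLAN protocol=tcp
# Green and BASE have full access to the router itself; Red/Blue only get DNS.
add action=accept chain=input comment="Allow Green_VLAN" in-interface=\
Green_VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
# WireGuard handshake/data from anywhere, WAN included -- required for the tunnel.
add action=accept chain=input comment="WIREGUARD port" dst-port=13231 \
protocol=udp
# Site-B LAN may reach the router, but only when it arrives decrypted on the
# tunnel interface; the same source address on any other interface is dropped.
add action=accept chain=input comment="input Green_VLAN from WG-B" \
in-interface=WG-Mikrotik-A src-address=172.16.11.0/24
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
# Green VLAN <-> site-B LAN, each direction pinned to its ingress interface.
# 172.16.31.0/24 is routed through the tunnel too (see /ip route) but has no
# forward rule here, so Green -> 172.16.31.0/24 hits the final drop.
add action=accept chain=forward comment="Forward from Green to Green VLANs" \
dst-address=172.16.11.0/24 in-interface=Green_VLAN src-address=10.0.10.0/24
add action=accept chain=forward comment="Forward from Green to Green VLANs" \
dst-address=10.0.10.0/24 in-interface=WG-Mikrotik-A src-address=\
172.16.11.0/24
# Every VLAN may open new connections to the internet. The only other
# inter-VLAN path is BASE -> VLAN (next rule); replies ride on
# "Allow Estab & Related" above.
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface-list=\
VLAN
# Catch-all drops are logged with distinct prefixes (drop_in / drop_forw) so
# they are easy to filter in /log.
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
drop_in
add action=drop chain=forward comment=Drop log=yes log-prefix=drop_forw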
/ip firewall nat
# log=yes on the masquerade rule logs every new connection that is NATed --
# useful while debugging the lab, noisy otherwise.
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/ip firewall service-port
# Disable the connection-tracking helpers (ALGs) that are not needed here.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
/ip route
# Site-B LANs are reached through the tunnel; these match the peer's
# allowed-address list. Only 172.16.11.0/24 has matching rules in
# /ip firewall filter. distance/pref-src/scope/target-scope on the second
# route are explicit defaults.
add disabled=no dst-address=172.16.11.0/24 gateway=WG-Mikrotik-A \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.16.31.0/24 gateway=WG-Mikrotik-A \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# Plaintext management (telnet, ftp, www) disabled. ssh, winbox and api are not
# disabled here and stay reachable wherever the input chain allows.
# NOTE(review): consider also limiting them with the address= field.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system identity
set name=RouterSwitchAP
/tool mac-server
# MAC-telnet disabled on every interface; MAC-WinBox only from the management
# VLAN (BASE list = BASE_VLAN).
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
# RoMON is enabled and no /tool romon port restrictions or secret appear in
# this export, so it is presumably reachable at layer 2 on every port, trunk
# and WAN included. NOTE(review): confirm, and restrict the ports or set
# secrets if that is not intended.
set enabled=yes
Could you please help me figure it out? Thanks