Thanks
Here I have the configuration export:
Code: Select all
# # mar/14/2023 11:42:49 by RouterOS 7.8
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add arp=proxy-arp frame-types=admit-only-vlan-tagged name=bridge pvid=50 \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="ether1_WAN(Public IP)"
set [ find default-name=ether2 ] name=ether2_PC
set [ find default-name=ether3 ] name=ether3_PC
set [ find default-name=ether4 ] name=ether4_PC
set [ find default-name=ether5 ] name=ether5_PC
set [ find default-name=ether6 ] name=ether6_NAS
set [ find default-name=ether7 ] comment="Trunk port ( VLAN20,50 )" name=\
ether7_Zyxel
set [ find default-name=ether8 ] comment="Trunk port (VLAN10,20,50)" name=\
ether8_CISCO
set [ find default-name=ether9 ] comment="Trunk port(VLAN20,40,50)" name=\
ether9_UBNT
set [ find default-name=ether10 ] name=ether10_MGMT poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13232 mtu=1420 name=VPN_Cameras
add listen-port=13231 mtu=1420 name=VPN_MGMT
/interface vlan
add interface=bridge name="VLAN10(Cameras)" vlan-id=10
add interface=bridge name="VLAN20(PC)" vlan-id=20
add interface=bridge name="VLAN30(NAS)" vlan-id=30
add interface=bridge name="VLAN40(Guest)" vlan-id=40
add interface=bridge name="VLAN50(MGMT)" vlan-id=50
/interface list
add name=MGMT
add name=WAN
add name=VLAN
add name="VLAN all"
add name="VLAN 10"
add name="VLAN 20"
add name="VLAN 30"
add name="VLAN 40"
add include="VLAN 10,VLAN 20,VLAN 30,VLAN 40" name="VLAN 10,20,30,40"
add include="VLAN 20,VLAN 30,VLAN 40" name="VLAN 20,30,40"
add include="VLAN 10,VLAN 30,VLAN 40" name="VLAN 10,30,40"
add include="VLAN 10,VLAN 20,VLAN 40" name="VLAN 10,20,40"
add include="VLAN 10,VLAN 20,VLAN 30" name="VLAN 10,20,30"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Cameras ranges=172.25.10.31-172.25.10.45
add name=PC ranges=172.25.20.2-172.25.20.50
add name=NAS ranges=172.25.30.2-172.25.30.4
add name=Guest ranges=172.25.40.2-172.25.40.50
add name=VPN_Cameras ranges=172.25.60.2-172.25.60.11
add name=VPN_MGMT ranges=172.25.70.71-172.25.70.75
add name=MGMT ranges=172.25.50.50-172.25.50.70
/ip dhcp-server
add address-pool=Cameras interface="VLAN10(Cameras)" name=Cameras
add address-pool=PC interface="VLAN20(PC)" name=PC
add address-pool=NAS interface="VLAN30(NAS)" name=NAS
add address-pool=Guest interface="VLAN40(Guest)" name=Wifi_Guest
add address-pool=MGMT interface="VLAN50(MGMT)" name=MGMT
/ip vrf
add disabled=yes interfaces="VLAN50(MGMT),VPN_MGMT" name=vrf1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5_PC pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether6_NAS pvid=30
add bridge=bridge comment="Trunk port ( VLAN20,50 )" frame-types=\
admit-only-vlan-tagged interface=ether7_Zyxel
add bridge=bridge comment="Trunk port (VLAN10,20,50)" frame-types=\
admit-only-vlan-tagged interface=ether8_CISCO
add bridge=bridge comment="Trunk port(VLAN20,40,50)" frame-types=\
admit-only-vlan-tagged interface=ether9_UBNT
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether10_MGMT pvid=50
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=ether8_CISCO,bridge vlan-ids=10
add bridge=bridge tagged=bridge,ether8_CISCO,ether7_Zyxel,ether9_UBNT \
untagged=ether2_PC,ether3_PC,ether4_PC,ether5_PC vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether6_NAS vlan-ids=30
add bridge=bridge tagged=bridge,ether9_UBNT vlan-ids=40
add bridge=bridge tagged=bridge,ether7_Zyxel,ether8_CISCO,ether9_UBNT \
untagged=ether10_MGMT vlan-ids=50
/interface list member
add interface="VLAN50(MGMT)" list=MGMT
add interface="ether1_WAN(Public IP)" list=WAN
add interface="VLAN10(Cameras)" list=VLAN
add interface="VLAN20(PC)" list=VLAN
add interface="VLAN40(Guest)" list=VLAN
add interface="VLAN30(NAS)" list=VLAN
add interface="VLAN10(Cameras)" list="VLAN all"
add interface="VLAN20(PC)" list="VLAN all"
add interface="VLAN30(NAS)" list="VLAN all"
add interface="VLAN40(Guest)" list="VLAN all"
add interface="VLAN50(MGMT)" list="VLAN all"
add interface="VLAN10(Cameras)" list="VLAN 10"
add interface="VLAN20(PC)" list="VLAN 20"
add interface="VLAN30(NAS)" list="VLAN 30"
add interface="VLAN40(Guest)" list="VLAN 40"
/interface wireguard peers
add allowed-address=172.25.70.72/32 comment="VPN MGMT" interface=VPN_MGMT \
persistent-keepalive=30s public-key=\
"xxxxx"
add allowed-address=172.25.60.2/32 comment="VPN Cameras " interface=\
VPN_Cameras public-key="xxxxxx"
/ip address
add address=172.25.10.30/24 interface="VLAN10(Cameras)" network=172.25.10.0
add address=172.25.20.1/24 interface="VLAN20(PC)" network=172.25.20.0
add address=172.25.30.1/24 interface="VLAN30(NAS)" network=172.25.30.0
add address=172.25.40.1/24 interface="VLAN40(Guest)" network=172.25.40.0
add address=172.25.50.1/24 interface="VLAN50(MGMT)" network=172.25.50.0
add address=172.25.70.1/24 interface=VPN_MGMT network=172.25.70.0
add address=172.25.60.1/24 interface=VPN_Cameras network=172.25.60.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1_WAN(Public IP)"
/ip dhcp-server network
add address=172.25.10.0/24 dns-server=172.25.10.30 gateway=172.25.10.30 \
ntp-server=172.25.10.30
add address=172.25.20.0/24 dns-server=172.25.20.1 gateway=172.25.20.1 \
ntp-server=172.25.20.1
add address=172.25.30.0/24 dns-server=172.25.30.1 gateway=172.25.30.1 \
ntp-server=172.25.30.1
add address=172.25.40.0/24 dns-server=172.25.40.1 gateway=172.25.40.1 \
ntp-server=172.25.40.1
add address=172.25.50.0/24 dns-server=172.25.50.1 gateway=172.25.50.1 \
ntp-server=172.25.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.25.50.20 name=switchc.local
add address=172.25.50.5 name=switchz.local
add address=172.25.10.20 name=cameras.local
add address=172.25.30.10 name=nas.local
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=input comment="NTP client" in-interface=\
"ether1_WAN(Public IP)" protocol=udp src-port=123
add action=accept chain=input comment="Allow VPN MGMT on WAN" dst-port=13231 \
in-interface="ether1_WAN(Public IP)" protocol=udp
add action=accept chain=input comment="Allow VPN CAM on WAN" dst-port=13232 \
in-interface="ether1_WAN(Public IP)" protocol=udp
add action=accept chain=input comment="NTP local server" dst-port=123 \
in-interface="VLAN50(MGMT)" protocol=tcp
add action=accept chain=input comment="NTP local server" dst-port=123 \
in-interface="VLAN50(MGMT)" protocol=udp
add action=accept chain=input comment="established, related, untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow access to local DNS" dst-port=53 \
in-interface=all-vlan protocol=udp
add action=accept chain=forward comment="established, related, untracked" \
connection-state=established,related,untracked
add action=accept chain=forward comment=\
"VPN MGMT access to -> VLAN 10,20,30,40 " connection-state="" \
in-interface=VPN_MGMT out-interface-list=VLAN
add action=accept chain=forward comment="Allow access VPN_Cameras -> NVR" \
dst-address=172.25.10.20 in-interface=VPN_Cameras out-interface-list=\
"VLAN 10"
add action=accept chain=forward comment="Allow access FTP -> NAS" \
dst-address=172.25.30.10 dst-port=21 in-interface="VLAN20(PC)" \
out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 443" \
dst-address=172.25.10.20 dst-port=443 in-interface="VLAN20(PC)" \
out-interface="VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 80" dst-address=\
172.25.10.20 dst-port=80 in-interface="VLAN20(PC)" out-interface=\
"VLAN10(Cameras)" protocol=tcp
add action=accept chain=forward comment="Allow access to NVR 8000" \
dst-address=172.25.10.20 in-interface="VLAN20(PC)" out-interface=\
"VLAN10(Cameras)" port=8000 protocol=tcp
add action=accept chain=forward comment=SAMBA connection-state="" \
dst-address=172.25.30.10 dst-port=445 in-interface="VLAN20(PC)" \
out-interface="VLAN30(NAS)" protocol=tcp
add action=accept chain=forward comment=SAMBA dst-address=172.25.30.10 \
dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
protocol=tcp
add action=accept chain=forward comment=SAMBA dst-address=172.25.30.10 \
dst-port=135-139 in-interface="VLAN20(PC)" out-interface="VLAN30(NAS)" \
protocol=udp
add action=accept chain=forward comment=\
"Allow access MGMT -> VLAN 10,20,30,40" in-interface-list=MGMT \
out-interface-list="VLAN 10,20,30,40"
add action=drop chain=input comment="Drop access WAN" connection-state="" \
in-interface="ether1_WAN(Public IP)"
add action=drop chain=input comment="Drop DNS access from the Internet" \
dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
"DNS_INET_protokol=udp" protocol=udp
add action=drop chain=input comment="Drop DNS access from the Internet" \
dst-port=53 in-interface="ether1_WAN(Public IP)" log=yes log-prefix=\
"DNS_INET_protokol=tcp" protocol=tcp
add action=drop chain=forward comment=\
"Drop access to MGMT From VLAN 10,20,30,40" in-interface-list=\
"VLAN 10,20,30,40" out-interface-list=MGMT
add action=drop chain=forward comment=\
"Drop access to VLAN10 from VLAN20,30,40" in-interface-list="VLAN 10" \
out-interface-list="VLAN 20,30,40"
add action=drop chain=forward comment=\
"Drop access to VLAN20 from VLAN10,30,40" in-interface-list="VLAN 20" \
out-interface-list="VLAN 10,30,40"
add action=drop chain=forward comment=\
"Drop access to VLAN30 from VLAN10,20,40" in-interface-list="VLAN 30" \
out-interface-list="VLAN 10,20,40"
add action=drop chain=forward comment=\
"Drop access to VLAN40 from VLAN10,20,30" in-interface-list="VLAN 40" \
out-interface-list="VLAN 10,20,30"
add action=drop chain=forward comment=\
"Drop access to VLAN_Cameras from VLAN10" in-interface=VPN_Cameras \
out-interface="VLAN10(Cameras)"
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_WAN(Public IP)"
/ip firewall service-port
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="172.25.50.69/32,172.25.50.70/32,172.25.50.68/32,172.25.50.\
67/32,172.25.50.66/32,172.25.50.65/32,172.25.70.72/32"
set api-ssl disabled=yes
/ip smb
set allow-guests=no comment="" domain="" interfaces="VLAN30(NAS)"
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Prague
/system clock manual
set dst-delta=+01:00 time-zone=+01:00
/system identity
set name=Routr
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=195.113.144.201 iburst=no
add address=195.113.144.238
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT