User4011
newbie
Topic Author
Posts: 38
Joined: Tue Jun 29, 2021 12:36 am

Disconnected from LAN port and All other connections lose IP!

Sat Mar 25, 2023 8:12 pm

Problem: When I disconnect my laptop LAN port connection to Eth9 (MGMT VLAN) or Eth10 (default VLAN), other client connections (VLAN 50, VLAN 30 wifi) lose connection, receiving 169 addresses.

When I re-connect my laptop LAN port connection, all connections are restored, receive addresses in their DHCP ranges and have internet access restored; communications are as expected.
All VLANs and network traffic can communicate with each other and access the internet as needed.

Everything was normal until only recently this week. Recently, I upgraded to 7.8. All was working well until I went messing with SFP settings after realizing I hadn’t checked to see if I was getting 10GB from both interfaces to and from the Aruba S2500. I set all settings back to the way they were before I changed them (working fine at 1GB), but the problem persisted.
I also had made some firewall rule changes which included alterations to Address Lists. Aside from a firewall config that needs revisiting at a later point, I’m not too clear as to why this is happening.

I’ve even disabled most firewall rules in Filter rules and Raw in the meantime. Problem still persists. Unplug LAN from laptop, down goes everything. Very frustrating.

Export of my config.
# mar/25/2023 12:50:42 by RouterOS 7.8
# software id = L2GF-7Z2L
#
# model = RB4011iGS+
# serial number = *
/interface bridge
add admin-mac=* auto-mac=no comment=defconf name=bridge \
    protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=sfp-sfpplus1 ] loop-protect=on speed=1Gbps
/interface vlan
add comment="VLAN for Mgmt" interface=bridge name=MGMT vlan-id=99
add comment=Hypervisor interface=bridge name=VLAN10 vlan-id=10
add comment=Servers interface=bridge name=VLAN20 vlan-id=20
add comment=Data interface=bridge name=VLAN30 vlan-id=30
add comment=Work interface=bridge name=VLAN50 vlan-id=50
add comment="Untrusted LAN" interface=bridge name=VLAN60 vlan-id=60
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Work
add name=VLAN
add name=Winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name="default VLAN" ranges=192.168.88.10-192.168.88.254
add name=VLAN50 ranges=192.168.50.100-192.168.50.150
add name=VLAN60 ranges=192.168.60.100-192.168.60.150
add name=MGMT ranges=192.168.99.20-192.168.99.100
add name=VLAN30 ranges=192.168.30.100-192.168.30.150
add name=VLAN10 ranges=192.168.10.100-192.168.10.150
add name=VLAN20 ranges=192.168.20.100-192.168.20.150
/ip dhcp-server
add address-pool="default VLAN" interface=bridge name=defconf
add address-pool=VLAN50 interface=VLAN50 name=VLAN50
add address-pool=VLAN60 interface=VLAN60 name=VLAN60
add address-pool=MGMT interface=MGMT name=MGMT
add address-pool=VLAN30 interface=VLAN30 name=VLAN30
add address-pool=VLAN10 interface=VLAN10 name=VLAN10
add address-pool=VLAN20 interface=VLAN20 name=VLAN20
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add disabled=yes name=PS4 target=VLAN50,VLAN50
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 untagged=ether7,ether3 \
    vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN50 list=VLAN
add interface=VLAN60 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=bridge list=Winbox
add interface=MGMT list=Winbox
add interface=VLAN30 list=Winbox
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.99.1/24 comment=MGMT interface=MGMT network=192.168.99.0
add address=192.168.50.1/24 comment=WORK interface=VLAN50 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="Untrusted LAN" interface=VLAN60 network=\
    192.168.60.0
add address=192.168.30.1/24 comment=Data interface=VLAN30 network=\
    192.168.30.0
add address=192.168.10.1/24 comment=Hyper interface=VLAN10 network=\
    192.168.10.0
add address=192.168.20.1/24 comment=Servers interface=VLAN20 network=\
    192.168.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.30.103 client-id=1:74:d8:3e:8b:f4:89 mac-address=\
    74:D8:3E:8B:F4:89 server=VLAN30
add address=192.168.30.109 client-id=1:9c:3d:cf:c:8f:c0 mac-address=\
    9C:3D:CF:0C:8F:C0 server=VLAN30
add address=192.168.50.100 client-id=1:d8:bb:c1:7a:37:81 mac-address=\
    D8:BB:C1:7A:37:81 server=VLAN50
add address=192.168.88.254 client-id=1:0:2b:67:c9:3f:7 mac-address=\
    00:2B:67:C9:3F:07 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=Hyper gateway=192.168.10.1
add address=192.168.20.0/24 comment=Server gateway=192.168.20.1
add address=192.168.30.0/24 comment=Data gateway=192.168.30.1
add address=192.168.50.0/24 comment=Work gateway=192.168.50.1
add address=192.168.60.0/24 comment="Untrusted LAN" gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 comment=MGMT gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6 to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add list=ddos-attackers
add list=ddos-target
add address=1.0.1.0/24 comment=CHINA list=CountryIPBlocks
...
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_src_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=bad_src_ipv4
add address=127.0.0.0/8 comment="defconf:  RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=192.51.100.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=240.0.0.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.99.0/24 list=MGMT_address
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
add address=192.168.50.1-192.168.50.254 list=WORK
add address=192.168.60.1-192.168.60.254 list=VLAN60
add address=192.168.30.1-192.168.30.254 comment="DATA (Lan+Wifi)" list=VLAN30
add address=192.168.88.1-192.168.88.254 list=BRIDGE
add address=192.168.88.1 list="BRIDGE IP"
add address=192.168.99.1 list="BRIDGE MGMT IP"
add address=192.168.99.2 list="ARUBAS SWITCH"
add address=192.168.99.0/24 list="MGMT VLAN"
add address=192.168.30.103 list=allowed_to_router
add address=192.168.20.1-192.168.20.254 list=VLAN20
add address=192.168.10.1-192.168.88.10.254 list=VLAN10
add address=192.168.88.0/24 list=MGMT_address
add address=192.168.10.0/24 list=LAN
add address=192.168.20.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.50.0/24 list=LAN
add address=192.168.60.0.24 list=LAN
add address=192.168.88.0/24 list=LAN
add address=192.168.99.0/24 list=LAN
add address=tiktok.com comment=TikTok.com list=tiktok
add address=147.160.176.0/24 comment=TikTok.com list=tiktok
add address=147.160.177.0/24 comment=TikTok.com list=tiktok
add address=147.160.178.0/24 comment=TikTok.com list=tiktok
add address=147.160.179.0/24 comment=TikTok.com list=tiktok
add address=147.160.180.0/24 comment=TikTok.com list=tiktok
add address=147.160.181.0/24 comment=TikTok.com list=tiktok
add address=147.160.182.0/24 comment=TikTok.com list=tiktok
add address=147.160.183.0/24 comment=TikTok.com list=tiktok
add address=147.160.184.0/24 comment=TikTok.com list=tiktok
add address=147.160.185.0/24 comment=TikTok.com list=tiktok
add address=147.160.187.0/24 comment=TikTok.com list=tiktok
add address=147.160.188.0/24 comment=TikTok.com list=tiktok
add address=147.160.189.0/24 comment=TikTok.com list=tiktok
add address=147.160.190.0/24 comment=TikTok.com list=tiktok
add address=147.160.191.0/24 comment=TikTok.com list=tiktok
add address=103.136.221.0/24 comment=TikTok.com list=tiktok
add address=103.136.220.0/24 comment=TikTok.com list=tiktok
add address=103.136.220.0/23 comment=TikTok.com list=tiktok
add address=192.64.14.0/24 comment=TikTok.com list=tiktok
add address=199.103.24.0/24 comment=TikTok.com list=tiktok
add address=199.103.25.0/24 comment=TikTok.com list=tiktok
add address=130.44.212.0/24 comment=TikTok.com list=tiktok
add address=130.44.213.0/24 comment=TikTok.com list=tiktok
add address=130.44.214.0/24 comment=TikTok.com list=tiktok
add address=130.44.215.0/24 comment=TikTok.com list=tiktok
add address=139.177.224.0/24 comment=TikTok.com list=tiktok
add address=139.177.225.0/24 comment=TikTok.com list=tiktok
add address=139.177.226.0/24 comment=TikTok.com list=tiktok
add address=139.177.254.0/24 comment=TikTok.com list=tiktok
add address=139.177.255.0/24 comment=TikTok.com list=tiktok
add address=192.168.88.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 log=yes log-prefix=Winbox \
    protocol=tcp src-address-list=allowed_to_router
add action=accept chain=input dst-port=8844 protocol=tcp src-address-list=\
    allowed_to_router
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log=yes log-prefix=\
    "defconf: drop all not coming from LAN"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=forward comment="VLAN Internet Access only!" \
    connection-state=new disabled=yes in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward disabled=yes dst-address-list=!WORK \
    src-address-list=WORK
add action=accept chain=forward comment="VLAN30 to Aruba Switch Admin page" \
    disabled=yes dst-address-list="MGMT VLAN" dst-port=4343 log=yes \
    log-prefix="Aruba Web Interface" protocol=tcp src-address-list=\
    allowed_to_router
add action=accept chain=input comment=\
    "IP addresses that are allowed to access the router" disabled=yes log=yes \
    log-prefix=Winbox src-address-list=allowed_to_router
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
    src-address-list=VLAN30
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
    src-address-list=BRIDGE
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    disabled=yes dst-address-list=VLAN20 dst-port=22 protocol=tcp \
    src-address-list=BRIDGE
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    disabled=yes dst-address-list=VLAN20 dst-port=22 protocol=tcp \
    src-address-list=VLAN30
add action=accept chain=forward disabled=yes dst-address-list=\
    "BRIDGE MGMT IP" dst-port=8443 protocol=tcp src-address-list=VLAN30
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    disabled=yes dst-address-list=not_in_internet
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    disabled=yes log=yes log-prefix="defconf: drop bad forward IPs" \
    src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" disabled=yes \
    dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
    !Public_from_LAN out-interface=!bridge
add action=drop chain=input comment="defconf: drop invalid for input chain" \
    connection-state=invalid disabled=yes log=yes log-prefix=\
    "defconf: drop invalid input chain"
add action=drop chain=input comment="DROP ALL" disabled=yes log=yes \
    log-prefix="DROP ALL"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" disabled=yes \
    in-interface=ether1 log=yes log-prefix=\
    "Drop incoming from internet which is not public IP" src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "defconf: drop invalid for forward chain" connection-state=invalid \
    disabled=yes log=yes log-prefix="drop invalid for forward chain"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN log=yes \
    log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment="defconf: enable for transparent fi\
    rewall to quickly disable RAW filtering without disabling all RAW rules"
add action=drop chain=prerouting disabled=yes dst-address-list=ddos-target \
    log=yes log-prefix="DDoS Raw drop" src-address-list=ddos-attackers
add action=drop chain=prerouting log=yes log-prefix=\
    "CountryBlockIP - China Iran" src-address-list=CountryIPBlocks
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip ipsec identity
add auth-method=digital-signature certificate="Home server2" comment=\
    "Home client2" generate-policy=port-strict match-by=certificate \
    mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
    "Home client2"
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client1" generate-policy=port-strict match-by=certificate \
    mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
    "Home client1"
/ip ipsec mode-config
add address-pool=*D name=vpn
/ip ipsec policy
add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 \
    template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=20022
set www-ssl address=192.168.30.103/32,192.168.88.254/32,192.168.88.0/24 \
    certificate=https-cert disabled=no port=8844 tls-version=only-1.2
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.99.0/24,192.168.30.103/32
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ip traffic-flow
set interfaces=VLAN50
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=fe02::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: allow established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=drop chain=input disabled=yes in-interface=ether1 log=yes \
    log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input disabled=yes
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accepts icmpv6 after raw" \
    in-interface=!ether1 protocol=icmpv6
add action=drop chain=forward disabled=yes log-prefix=IPV6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Winbox
/tool mac-server ping
set enabled=no
Any additional information needed, I'll gladly provide. Feel free to offer config suggestions, etc. Would be much appreciated.

Humbly,
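An added diagnostic for readers of this thread (example code, not part of the original post and not MikroTik's): a small Python script that parses a RouterOS export like the one above, handling the trailing-backslash line continuations and quoted comments, then cross-checks each access port's PVID against the static bridge VLAN table and validates every /ip firewall address-list entry. The embedded sample is a shortened excerpt constructed from the export posted above; the entries 192.168.10.1-192.168.88.10.254 and 192.168.60.0.24 appear in that export verbatim, and RouterOS stores them as names to be resolved rather than as prefixes. The script assumes the RouterOS default PVID of 1 for ports that set none, and it reports a PVID without a static untagged membership as something to review rather than as an outright error, because RouterOS creates such memberships dynamically from the PVID.

```python
"""Sanity-check a RouterOS export: bridge VLAN membership and address-list syntax.

Added example for this thread, not MikroTik code.  Run with a file argument
(the output of /export) or with no argument to check the embedded sample.
"""
import ipaddress
import re
import shlex
import sys

# Shortened excerpt constructed from the export posted in this thread.
SAMPLE_EXPORT = r"""
# mar/25/2023 12:50:42 by RouterOS 7.8
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 untagged=ether7,ether3 \
    vlan-ids=30
/ip firewall address-list
add address=192.168.10.1-192.168.88.10.254 list=VLAN10
add address=192.168.60.0.24 list=LAN
add address=192.168.99.0/24 list=LAN
add address=tiktok.com comment=TikTok.com list=tiktok
"""


def parse_export(text):
    """Return (section, verb, {key: value}) tuples; joins backslash-continued lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # /export wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    entries, section = [], None
    for line in lines:
        if line.startswith("/"):
            section = line
        elif not line.startswith("#"):
            verb, *tokens = shlex.split(line)   # shlex keeps comment="VLAN 99" as one token
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            entries.append((section, verb, params))
    return entries


def check_access_ports(entries):
    """Cross-check each access port's PVID against the static bridge VLAN table."""
    ports = [p for s, v, p in entries if s == "/interface bridge port" and v == "add"]
    rows = [p for s, v, p in entries if s == "/interface bridge vlan" and v == "add"]
    untagged = {}                         # vlan-id -> ports listed as static untagged members
    for row in rows:
        for vid in row.get("vlan-ids", "").split(","):
            untagged.setdefault(vid, set()).update(
                x for x in row.get("untagged", "").split(",") if x)
    findings = []
    for p in ports:
        if p.get("frame-types") == "admit-only-vlan-tagged":
            continue                      # trunk port: untagged frames are refused, PVID unused
        pvid = p.get("pvid", "1")         # RouterOS default PVID is 1
        iface = p["interface"]
        if pvid not in untagged:
            findings.append((iface, pvid, "no static VLAN entry"))
        elif iface not in untagged[pvid]:
            findings.append((iface, pvid, "not a static untagged member"))
    return findings


NAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def classify_address(addr):
    """'ip', 'range', 'dns' (RouterOS resolves it at runtime) or 'invalid'."""
    try:
        if "-" in addr:
            lo, hi = addr.split("-", 1)
            return "range" if ipaddress.IPv4Address(lo) <= ipaddress.IPv4Address(hi) else "invalid"
        ipaddress.IPv4Network(addr, strict=False)
        return "ip"
    except ValueError:
        pass
    if NAME_RE.fullmatch(addr) and any(c.isalpha() for c in addr):
        return "dns"
    return "invalid"      # e.g. 192.168.60.0.24: looks like a prefix but is neither IP nor name


def check_address_list(entries):
    """Return (list, address, kind) for every entry that is not a literal IP or range."""
    out = []
    for s, v, p in entries:
        if s == "/ip firewall address-list" and v == "add":
            kind = classify_address(p.get("address", ""))
            if kind not in ("ip", "range"):
                out.append((p.get("list"), p.get("address"), kind))
    return out


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORT
    entries = parse_export(text)
    for iface, pvid, why in check_access_ports(entries):
        print(f"bridge port {iface}: pvid {pvid}: {why}")
    for lst, addr, kind in check_address_list(entries):
        print(f"address-list {lst}: {addr!r} is {kind}")


if __name__ == "__main__":
    main(sys.argv)
```

On the embedded sample it reports ether2 and ether10 sitting in PVID 1 with no static VLAN entry (the untagged "default VLAN" that later replies suggest removing), ether4 as a PVID-60 port that is not listed untagged in the VLAN 60 row, and the two malformed address-list entries plus the tiktok.com name, which only blocks whatever that name resolves to at the moment.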
 
User4011

Re: Disconnected from LAN port and All other connections lose IP!

Sun Mar 26, 2023 1:33 am

DHCP addresses will bind when I'm plugged into "mgmt" VLAN eth router ports 9,10.

Unplug? Poof... Wifi clients connected to AP on eth3 VLAN 30, vlan50 drops.... picking up 169.x.x.x addresses.

Hmm....
Last edited by User4011 on Sun Mar 26, 2023 5:19 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Disconnected from LAN port and All other connections lose IP!

Sun Mar 26, 2023 4:08 am

Yeah, get rid of the bridge giving out DHCP and stick to all VLANs, much cleaner...
 
User4011

Re: Disconnected from LAN port and All other connections lose IP!

Sun Mar 26, 2023 5:29 am

I'll disable this tomorrow and check:
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
 
User4011

Re: Disconnected from LAN port and All other connections lose IP!

Sun Mar 26, 2023 4:40 pm

DHCP disable 88.png
No change.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Disconnected from LAN port and All other connections lose IP!

Sun Mar 26, 2023 4:49 pm

The evidence that matters is the latest config, not a picture...
 
User4011

Re: Disconnected from LAN port and All other connections lose IP!

Sun Mar 26, 2023 6:32 pm

Disconnected the AP from eth3 and connected to eth7 (also configured for VLAN30), no more drops. Hmmm....
# mar/26/2023 10:36:39 by RouterOS 7.8
# software id = L2GF-7Z2L
#
# model = RB4011iGS+
# serial number = ***
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge \
    protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=sfp-sfpplus1 ] loop-protect=on speed=1Gbps
/interface vlan
add comment="VLAN for Mgmt" interface=bridge name=MGMT vlan-id=99
add comment=Hypervisor interface=bridge name=VLAN10 vlan-id=10
add comment=Servers interface=bridge name=VLAN20 vlan-id=20
add comment=Data interface=bridge name=VLAN30 vlan-id=30
add comment=Work interface=bridge name=VLAN50 vlan-id=50
add comment="Untrusted LAN" interface=bridge name=VLAN60 vlan-id=60
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Work
add name=VLAN
add name=Winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add disabled=yes exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name="default VLAN" ranges=192.168.88.10-192.168.88.254
add name=VLAN50 ranges=192.168.50.100-192.168.50.150
add name=VLAN60 ranges=192.168.60.100-192.168.60.150
add name=MGMT ranges=192.168.99.20-192.168.99.100
add name=VLAN30 ranges=192.168.30.100-192.168.30.150
add name=VLAN10 ranges=192.168.10.100-192.168.10.150
add name=VLAN20 ranges=192.168.20.100-192.168.20.150
/ip dhcp-server
add address-pool="default VLAN" disabled=yes interface=bridge name=defconf
add address-pool=VLAN50 interface=VLAN50 name=VLAN50
add address-pool=VLAN60 interface=VLAN60 name=VLAN60
add address-pool=MGMT interface=MGMT name=MGMT
add address-pool=VLAN30 interface=VLAN30 name=VLAN30
add address-pool=VLAN10 interface=VLAN10 name=VLAN10
add address-pool=VLAN20 interface=VLAN20 name=VLAN20
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add disabled=yes name=PS4 target=VLAN50,VLAN50
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 untagged=ether7,ether3 \
    vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN50 list=VLAN
add interface=VLAN60 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=bridge list=Winbox
add interface=MGMT list=Winbox
add interface=VLAN30 list=Winbox
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.99.1/24 comment=MGMT interface=MGMT network=192.168.99.0
add address=192.168.50.1/24 comment=WORK interface=VLAN50 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="Untrusted LAN" interface=VLAN60 network=\
    192.168.60.0
add address=192.168.30.1/24 comment=Data interface=VLAN30 network=\
    192.168.30.0
add address=192.168.10.1/24 comment=Hyper interface=VLAN10 network=\
    192.168.10.0
add address=192.168.20.1/24 comment=Servers interface=VLAN20 network=\
    192.168.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.30.103 client-id=1:74:d8:3e:8b:f4:89 mac-address=\
    74:D8:3E:8B:F4:89 server=VLAN30
add address=192.168.30.109 client-id=1:9c:3d:cf:c:8f:c0 mac-address=\
    9C:3D:CF:0C:8F:C0 server=VLAN30
add address=192.168.50.100 client-id=1:d8:bb:c1:7a:37:81 mac-address=\
    D8:BB:C1:7A:37:81 server=VLAN50
add address=192.168.88.254 client-id=1:0:2b:67:c9:3f:7 mac-address=\
    00:2B:67:C9:3F:07 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=Hyper gateway=192.168.10.1
add address=192.168.20.0/24 comment=Server gateway=192.168.20.1
add address=192.168.30.0/24 comment=Data gateway=192.168.30.1
add address=192.168.50.0/24 comment=Work gateway=192.168.50.1
add address=192.168.60.0/24 comment="Untrusted LAN" gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 comment=MGMT gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6 to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add list=ddos-attackers
add list=ddos-target
add address=1.0.1.0/24 comment=CHINA list=CountryIPBlocks
....
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_src_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=bad_src_ipv4
add address=127.0.0.0/8 comment="defconf:  RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=192.51.100.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=240.0.0.0/24 comment="defconf:  RFC6890" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.99.0/24 list=MGMT_address
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
add address=192.168.50.1-192.168.50.254 list=WORK
add address=192.168.60.1-192.168.60.254 list=VLAN60
add address=192.168.30.1-192.168.30.254 comment="DATA (Lan+Wifi)" list=VLAN30
add address=192.168.88.1-192.168.88.254 list=BRIDGE
add address=192.168.88.1 list="BRIDGE IP"
add address=192.168.99.1 list="BRIDGE MGMT IP"
add address=192.168.99.2 list="ARUBAS SWITCH"
add address=192.168.99.0/24 list="MGMT VLAN"
add address=192.168.30.103 list=allowed_to_router
add address=192.168.20.1-192.168.20.254 list=VLAN20
add address=192.168.10.1-192.168.10.254 list=VLAN10
add address=192.168.88.0/24 list=MGMT_address
add address=192.168.10.0/24 list=LAN
add address=192.168.20.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.50.0/24 list=LAN
add address=192.168.60.0/24 list=LAN
add address=192.168.88.0/24 list=LAN
add address=192.168.99.0/24 list=LAN
add address=tiktok.com comment=TikTok.com list=tiktok
add address=147.160.176.0/24 comment=TikTok.com list=tiktok
add address=147.160.177.0/24 comment=TikTok.com list=tiktok
add address=147.160.178.0/24 comment=TikTok.com list=tiktok
add address=147.160.179.0/24 comment=TikTok.com list=tiktok
add address=147.160.180.0/24 comment=TikTok.com list=tiktok
add address=147.160.181.0/24 comment=TikTok.com list=tiktok
add address=147.160.182.0/24 comment=TikTok.com list=tiktok
add address=147.160.183.0/24 comment=TikTok.com list=tiktok
add address=147.160.184.0/24 comment=TikTok.com list=tiktok
add address=147.160.185.0/24 comment=TikTok.com list=tiktok
add address=147.160.187.0/24 comment=TikTok.com list=tiktok
add address=147.160.188.0/24 comment=TikTok.com list=tiktok
add address=147.160.189.0/24 comment=TikTok.com list=tiktok
add address=147.160.190.0/24 comment=TikTok.com list=tiktok
add address=147.160.191.0/24 comment=TikTok.com list=tiktok
add address=103.136.221.0/24 comment=TikTok.com list=tiktok
add address=103.136.220.0/24 comment=TikTok.com list=tiktok
add address=103.136.220.0/23 comment=TikTok.com list=tiktok
add address=192.64.14.0/24 comment=TikTok.com list=tiktok
add address=199.103.24.0/24 comment=TikTok.com list=tiktok
add address=199.103.25.0/24 comment=TikTok.com list=tiktok
add address=130.44.212.0/24 comment=TikTok.com list=tiktok
add address=130.44.213.0/24 comment=TikTok.com list=tiktok
add address=130.44.214.0/24 comment=TikTok.com list=tiktok
add address=130.44.215.0/24 comment=TikTok.com list=tiktok
add address=139.177.224.0/24 comment=TikTok.com list=tiktok
add address=139.177.225.0/24 comment=TikTok.com list=tiktok
add address=139.177.226.0/24 comment=TikTok.com list=tiktok
add address=139.177.254.0/24 comment=TikTok.com list=tiktok
add address=139.177.255.0/24 comment=TikTok.com list=tiktok
add address=192.168.88.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 log=yes log-prefix=Winbox \
    protocol=tcp src-address-list=allowed_to_router
add action=accept chain=input dst-port=8844 protocol=tcp src-address-list=\
    allowed_to_router
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log=yes log-prefix=\
    "defconf: drop all not coming from LAN"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only!" \
    connection-state=new disabled=yes in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward disabled=yes dst-address-list=!WORK \
    src-address-list=WORK
add action=accept chain=input comment=\
    "IP addresses that are allowed to access the router" disabled=yes log=yes \
    log-prefix=Winbox src-address-list=allowed_to_router
add action=accept chain=forward comment="Aruba Switch Admin page" disabled=\
    yes dst-address-list="ARUBAS SWITCH" dst-port=4343 log=yes log-prefix=\
    "Aruba Web Interface" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
    src-address-list=VLAN30
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
    src-address-list=BRIDGE
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    disabled=yes dst-address-list=VLAN20 dst-port=22 protocol=tcp \
    src-address-list=BRIDGE
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    disabled=yes dst-address-list=VLAN20 dst-port=22 protocol=tcp \
    src-address-list=VLAN30
add action=accept chain=forward disabled=yes dst-address-list=\
    "BRIDGE MGMT IP" dst-port=8443 protocol=tcp src-address-list=VLAN30
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    disabled=yes dst-address-list=not_in_internet
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    disabled=yes log=yes log-prefix="defconf: drop bad forward IPs" \
    src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" disabled=yes \
    dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
    !Public_from_LAN out-interface=!bridge
add action=drop chain=input comment="defconf: drop invalid for input chain" \
    connection-state=invalid disabled=yes log=yes log-prefix=\
    "defconf: drop invalid input chain"
add action=drop chain=input comment="DROP ALL" disabled=yes log=yes \
    log-prefix="DROP ALL"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" disabled=yes \
    in-interface=ether1 log=yes log-prefix=\
    "Drop incoming from internet which is not public IP" src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "defconf: drop invalid for forward chain" connection-state=invalid \
    disabled=yes log=yes log-prefix="drop invalid for forward chain"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN log=yes \
    log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment="defconf: enable for transparent fi\
    rewall to quickly disable RAW filtering without disabling all RAW rules"
add action=drop chain=prerouting disabled=yes dst-address-list=ddos-target \
    log=yes log-prefix="DDoS Raw drop" src-address-list=ddos-attackers
add action=drop chain=prerouting log=yes log-prefix=\
    "CountryBlockIP - China Iran" src-address-list=CountryIPBlocks
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf:  TCP flag filter" protocol=\
    tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip ipsec identity
add auth-method=digital-signature certificate="Home server2" comment=\
    "Home client2" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client2"
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client1" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client1"
/ip ipsec mode-config
add address-pool=*D name=vpn
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=20022
set www-ssl address=\
    192.168.30.103/32,192.168.88.254/32,192.168.88.0/24,192.168.99.0/24 \
    certificate=https-cert disabled=no port=8844 tls-version=only-1.2
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.99.0/24,192.168.30.103/32
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ip traffic-flow
set interfaces=VLAN50
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=fe02::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: allow established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=drop chain=input disabled=yes in-interface=ether1 log=yes \
    log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input disabled=yes
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accepts icmpv6 after raw" \
    in-interface=!ether1 protocol=icmpv6
add action=drop chain=forward disabled=yes log-prefix=IPV6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Winbox
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Disconnected from LAN port and All other connections loose IP!

Sun Mar 26, 2023 7:20 pm

Quick Look.

1. Decide on etherport type as an ACCESS port (add pvid) or TRUNK port and change frame types.

/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2
pvid=missing

2. Same issue with etherport 10....................
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
ether10
missing pvid=???

3. Not an error as the config auto populates untagged etherports on /interface bridge vlan settings, but I prefer to see them to ensure the OP knows what he/she or other is doing. Plus you will then be consistent in approach, as for example you do show untaggings for other ports!!

FROM:
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
vlan-ids=60

TO:
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 untagged=ether4 vlan-ids=60

4. NOTE in support of 1., both etherport2 and etherport10 are missing, aka not identified in /interface bridge vlans.

5. Remove interface bridge vlan from interface-list=LAN, it is not required, and ALSO interface-list=Bridge
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=bridge list=Winbox


6. This address is now old and no longer required; it should be removed.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0

SAME goes for this POOL
add name="default VLAN" ranges=192.168.88.10-192.168.88.254

7. Minor point, probably user preference.
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com

I too use DoH but via AdGuard; I put two AdGuard servers under SERVERS, not the static area.
(The general reason for these entries is so that the initial DNS query can find the DoH server.)

8. YOUR DDOS config is a waste of time, your router cannot handle ddos in the least so don't pretend it can and clutter up your config.

9. TikTok: why not use address ranges, not that I think it's particularly useful to attempt to block
147.160.176.1-147.160.191.254 list=tiktok for example.
130.44.212.1-130.44.215.254 list=tiktok
139.177.224.1-139.177.227.254 list=tiktok


10. This firewall address is no longer relevant; I suspect you should replace it with a .99 address.
add address=192.168.88.254 list=allowed_to_router

11. It would seem you don't quite understand input chain rules.
add action=accept chain=input dst-port=8291 log=yes log-prefix=Winbox \
protocol=tcp src-address-list=allowed_to_router
add action=accept chain=input dst-port=8844 protocol=tcp src-address-list=\
allowed_to_router
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN log=yes log-prefix=\
"defconf: drop all not coming from LAN"


You seem to want to delineate who has access to the router in the first two rules. All good!
Then in the third rule you ipso facto give all LAN users complete access.

12. In the forward chain, more nonsense!
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only!" \
connection-state=new disabled=yes in-interface-list=VLAN \
out-interface-list=WAN


The first rule says let everyone on the LAN interface list access the internet.
The second rule says let everyone on the VLAN interface list access the internet.

I see that it is disabled but if it's not valid then remove it............

13. OKAY NOW I'M PISSED, you don't even have an organized firewall as suddenly I am hitting more input chain rules as I go down the order.
Going to stop here as I don't look at disorganized rulesets............ it normally means the OP has no clue on how to setup the firewall rules and will have many duplicates.

SUGGEST CLEAN UP before I look at them in any further detail.

14. You may want to have maybe two or three raw rules, the rest is junk. ICMP stuff is way over the top, an accept rule on input chain is all one really needs.
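Items 11 and 12 above come down to first-match evaluation: a packet that matches no rule is accepted by the chain's default, so accept rules keyed on allowed_to_router restrict nothing unless a drop follows them. The walk below is an added example (not code from anav or the original poster): it replays the three quoted input rules in Python using the export's allowed_to_router entries, treats interface-list membership literally (the interface name must itself be in the list, as in the export), ignores the /ip service address restrictions, and uses constructed sample packets.

```python
# Added example: first-match walk of the input chain quoted in item 11.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the export's /ip firewall address-list and /interface list member.
ADDRESS_LISTS = {
    "allowed_to_router": [
        "192.168.88.2-192.168.88.254",
        "192.168.99.2-192.168.99.254",
        "192.168.30.103",
        "192.168.88.254",
    ],
}
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}


def addr_in_list(ip: str, list_name: str) -> bool:
    """RouterOS address-list entries may be a host, a CIDR prefix, or a 'first-last' range."""
    addr = ipaddress.ip_address(ip)
    for entry in ADDRESS_LISTS.get(list_name, []):
        if "-" in entry:
            first, last = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            if first <= addr <= last:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def iface_in_list(iface: str, spec: str) -> bool:
    """spec is a list name, optionally prefixed with '!' (as in in-interface-list=!LAN)."""
    negate = spec.startswith("!")
    members = INTERFACE_LISTS.get(spec.lstrip("!"), set())
    return (iface in members) != negate


@dataclass
class Packet:
    src: str
    in_interface: str
    protocol: str
    dst_port: int


@dataclass
class Rule:
    action: str
    comment: str
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address_list: Optional[str] = None
    in_interface_list: Optional[str] = None
    disabled: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; a disabled rule never matches."""
        if self.disabled:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.src_address_list is not None and not addr_in_list(pkt.src, self.src_address_list):
            return False
        if self.in_interface_list is not None and not iface_in_list(pkt.in_interface, self.in_interface_list):
            return False
        return True


def evaluate(chain: list, pkt: Packet) -> tuple:
    """First matching rule wins; a packet that matches nothing is accepted by the chain default."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit: fell off the end of the chain"


# The exported input chain (only rules that act on new connections are modelled).
INPUT_CHAIN = [
    Rule("accept", "Winbox", protocol="tcp", dst_port=8291, src_address_list="allowed_to_router"),
    Rule("accept", "www-ssl 8844", protocol="tcp", dst_port=8844, src_address_list="allowed_to_router"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN", disabled=True),
]

# The same chain with the export's "DROP ALL" rule enabled at the end.
HARDENED_CHAIN = INPUT_CHAIN + [Rule("drop", "DROP ALL")]

# Constructed sample packets: a management host, a host on the untrusted VLAN, and a WAN host.
MGMT_HOST = Packet("192.168.99.50", "MGMT", "tcp", 8291)
UNTRUSTED_HOST = Packet("192.168.60.120", "VLAN60", "tcp", 8291)
WAN_HOST = Packet("203.0.113.7", "ether1", "tcp", 8291)

if __name__ == "__main__":
    for name, pkt in [("mgmt", MGMT_HOST), ("untrusted", UNTRUSTED_HOST), ("wan", WAN_HOST)]:
        print(name, "exported:", evaluate(INPUT_CHAIN, pkt), "hardened:", evaluate(HARDENED_CHAIN, pkt))
```

With the exported chain the untrusted-VLAN and WAN packets to port 8291 fall off the end and are accepted; only the trailing drop turns the two allow rules into an actual allow-list.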
 
User4011
newbie
Topic Author
Posts: 38
Joined: Tue Jun 29, 2021 12:36 am

Re: Disconnected from LAN port and All other connections loose IP!

Wed Mar 29, 2023 4:32 am

Yeah. Haven't fully removed the security blanket default 192.168.88.1. It will go.
I've improved the situation quite a bit, I think. Removed an interface and dedicated it to a SAFE ACCESS or break-glass access method to the router.

I'm a little confused that my Interface-list=LAN with member bridge doesn't exactly work properly. I point to an issue in my rules (most notably DNS input rules) where using the LAN in-interface list produced zero hits, but if I change the in-interface list to VLAN, then I start to get results.

I started logging MANY rules to see what's working. CPUs finally showing slight signs of life (RB4011 rocks).

I've had Winbox Safemode lock several times where I've had to hijack/unlock Safemode.

Yeah, the Country Block list. Pretty unwieldy and a bit old, but gets quite a few hits.
# mar/28/2023 20:26:00 by RouterOS 7.8
# software id = L2GF-7Z2L
#
# model = RB4011iGS+
# serial number = ****
/interface bridge
add admin-mac=+++++ auto-mac=no comment=defconf name=bridge \
    protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN name=ether2-access
set [ find default-name=sfp-sfpplus1 ] loop-protect=on speed=1Gbps
/interface vlan
add comment="VLAN for Mgmt" interface=bridge name=MGMT vlan-id=99
add comment=Hypervisor interface=bridge name=VLAN10 vlan-id=10
add comment=Servers interface=bridge name=VLAN20 vlan-id=20
add comment=Data interface=bridge name=VLAN30 vlan-id=30
add comment=Work interface=bridge name=VLAN50 vlan-id=50
add comment="Untrusted LAN" interface=bridge name=VLAN60 vlan-id=60
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Work
add name=VLAN
add name=Winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add disabled=yes exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name="default VLAN" ranges=192.168.88.10-192.168.88.254
add name=VLAN50 ranges=192.168.50.100-192.168.50.150
add name=VLAN60 ranges=192.168.60.100-192.168.60.150
add name=MGMT ranges=192.168.99.20-192.168.99.100
add name=VLAN30 ranges=192.168.30.100-192.168.30.150
add name=VLAN10 ranges=192.168.10.100-192.168.10.150
add name=VLAN20 ranges=192.168.20.100-192.168.20.150
/ip dhcp-server
add address-pool="default VLAN" disabled=yes interface=bridge name=defconf
add address-pool=VLAN50 interface=VLAN50 name=VLAN50
add address-pool=VLAN60 interface=VLAN60 name=VLAN60
add address-pool=MGMT interface=MGMT name=MGMT
add address-pool=VLAN30 interface=VLAN30 name=VLAN30
add address-pool=VLAN10 interface=VLAN10 name=VLAN10
add address-pool=VLAN20 interface=VLAN20 name=VLAN20
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add disabled=yes name=PS4 target=VLAN50,VLAN50
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 untagged=ether7,ether3 \
    vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=VLAN50 list=VLAN
add interface=VLAN60 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=bridge list=Winbox
add interface=MGMT list=Winbox
add interface=VLAN30 list=Winbox
add interface=ether2-access list=Winbox
add interface=MGMT list=VLAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.99.1/24 comment=MGMT interface=MGMT network=192.168.99.0
add address=192.168.50.1/24 comment=WORK interface=VLAN50 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="Untrusted LAN" interface=VLAN60 network=\
    192.168.60.0
add address=192.168.30.1/24 comment=Data interface=VLAN30 network=\
    192.168.30.0
add address=192.168.10.1/24 comment=Hyper interface=VLAN10 network=\
    192.168.10.0
add address=192.168.20.1/24 comment=Servers interface=VLAN20 network=\
    192.168.20.0
add address=192.168.5.1/24 interface=ether2-access network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no
/ip dhcp-server lease
add address=192.168.30.103 client-id=1:74:d8:3e:8b:f4:89 mac-address=\
    74:D8:3E:8B:F4:89 server=VLAN30
add address=192.168.30.109 client-id=1:9c:3d:cf:c:8f:c0 mac-address=\
    9C:3D:CF:0C:8F:C0 server=VLAN30
add address=192.168.50.100 client-id=1:d8:bb:c1:7a:37:81 mac-address=\
    D8:BB:C1:7A:37:81 server=VLAN50
add address=192.168.88.254 client-id=1:0:2b:67:c9:3f:7 mac-address=\
    00:2B:67:C9:3F:07 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=Hyper gateway=192.168.10.1
add address=192.168.20.0/24 comment=Server gateway=192.168.20.1
add address=192.168.30.0/24 comment=Data gateway=192.168.30.1
add address=192.168.50.0/24 comment=Work gateway=192.168.50.1
add address=192.168.60.0/24 comment="Untrusted LAN" gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 comment=MGMT gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6 to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=1.0.1.0/24 comment=CHINA list=CountryIPBlocks
add address=195.245.70.0/23 comment="IRAN (ISLAMIC REPUBLIC OF)" list=\
    CountryIPBlocks
add address=196.3.91.0/24 comment="IRAN (ISLAMIC REPUBLIC OF)" list=\
    CountryIPBlocks
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_src_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.99.0/24 list=MGMT_address
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
add address=192.168.50.1-192.168.50.254 list=WORK
add address=192.168.60.1-192.168.60.254 list=VLAN60
add address=192.168.30.1-192.168.30.254 comment="DATA (Lan+Wifi)" list=VLAN30
add address=192.168.88.1-192.168.88.254 list=BRIDGE
add address=192.168.88.1 list="BRIDGE IP"
add address=192.168.99.1 list="BRIDGE MGMT IP"
add address=192.168.99.2 list="ARUBAS SWITCH"
add address=192.168.99.0/24 list="MGMT VLAN"
add address=192.168.30.103 list=allowed_to_router
add address=192.168.20.1-192.168.20.254 list=VLAN20
add address=192.168.10.1-192.168.10.254 list=VLAN10
add address=192.168.88.0/24 list=MGMT_address
add address=192.168.10.0/24 list=LAN
add address=192.168.20.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.50.0/24 list=LAN
add address=192.168.60.0/24 list=LAN
add address=192.168.88.0/24 list=LAN
add address=192.168.99.0/24 list=LAN
add address=192.168.88.254 list=allowed_to_router
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=bad_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=bad_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=bad_ipv4
add address=192.168.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.168.2.1-192.168.255.255 comment="defconf: RFC6890" list=\
    bad_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=bad_ipv4
add address=10.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=127.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=169.254.0.0/16 list=unexpected-src-address-hitting-ISP
add address=172.16.0.0/12 list=unexpected-src-address-hitting-ISP
add address=192.0.0.0/24 list=unexpected-src-address-hitting-ISP
add address=192.0.2.0/24 list=unexpected-src-address-hitting-ISP
add address=192.88.99.0/24 list=unexpected-src-address-hitting-ISP
add address=192.168.0.0/16 list=unexpected-src-address-hitting-ISP
add address=198.18.0.0/15 list=unexpected-src-address-hitting-ISP
add address=198.51.100.0/24 list=unexpected-src-address-hitting-ISP
add address=203.0.113.0/24 list=unexpected-src-address-hitting-ISP
add address=233.252.0.0/24 list=unexpected-src-address-hitting-ISP
add address=240.0.0.0/5 list=unexpected-src-address-hitting-ISP
add address=248.0.0.0/6 list=unexpected-src-address-hitting-ISP
add address=252.0.0.0/7 list=unexpected-src-address-hitting-ISP
add address=254.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=216.220.80.193 list=unexpected-src-address-hitting-ISP
add address=192.168.10.0/24 list=expected-address-from-LAN
add address=192.168.20.0/24 list=expected-address-from-LAN
add address=192.168.30.0/24 list=expected-address-from-LAN
add address=192.168.50.0/24 list=expected-address-from-LAN
add address=192.168.60.0/24 list=expected-address-from-LAN
add address=192.168.88.0/24 list=expected-address-from-LAN
add address=192.168.99.0/24 list=expected-address-from-LAN
add comment="Current network" list=expected-address-from-LAN
add address=224.0.0.0/4 comment=Multicast list=expected-address-from-LAN
add address=255.255.255.255 comment=Local list=expected-address-from-LAN
add address=216.220.80.193 comment="WAN IP" list=\
    expected-dst-address-to-my-ISP
add address=192.168.50.0/24 list=VLAN50
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid for input chain" \
    connection-state=invalid log=yes log-prefix=\
    "defconf: drop invalid input chain"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN,RADIUS,User manager..)" \
    dst-address=127.0.0.1
add action=accept chain=input dst-port=8291,8844 in-interface=!ether1-WAN \
    log=yes log-prefix=Winbox protocol=tcp src-address-list=allowed_to_router
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=\
    53,123 in-interface-list=VLAN log=yes log-prefix="Allow UDP DNS" \
    protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN log=yes log-prefix="TCP DNS for VLANS" protocol=\
    tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only!" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    dst-address-list=VLAN20 dst-port=8006 protocol=tcp src-address-list=\
    VLAN30
add action=accept chain=forward comment="Aruba Switch Admin page" \
    dst-address-list="ARUBAS SWITCH" dst-port=4343 log=yes log-prefix=\
    "Aruba Web Interface" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="Proxmox FileServer Admin" \
    dst-address=192.168.20.50 dst-port=9090 log=yes log-prefix=\
    "To Proxmox File Server" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    dst-address-list=VLAN20 dst-port=22 protocol=tcp src-address-list=VLAN30
add action=reject chain=forward in-interface-list=LAN log=yes log-prefix=\
    "ICMP prohibited" reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward disabled=yes dst-address-list=!WORK \
    src-address-list=WORK
add action=accept chain=input comment="Testing DNS rule with IP addresses" \
    disabled=yes dst-address=192.168.50.1 dst-port=53,123 protocol=udp \
    src-address=192.168.50.100
add action=accept chain=input comment=\
    "IP addresses that are allowed to access the router" log=yes log-prefix=\
    Winbox src-address-list=allowed_to_router
add action=accept chain=input comment="EMERGENCY WINBOX ACCESS - ETH2" \
    in-interface=ether2-access src-address=192.168.5.55
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
    src-address-list=BRIDGE
add action=accept chain=forward disabled=yes dst-address-list=\
    "BRIDGE MGMT IP" dst-port=8443 protocol=tcp src-address-list=VLAN30
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    disabled=yes dst-address-list=not_in_internet
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    disabled=yes log=yes log-prefix="defconf: drop bad forward IPs" \
    src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" disabled=yes \
    dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
    !Public_from_LAN out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" disabled=yes \
    in-interface=ether1-WAN log=yes log-prefix=\
    "Drop incoming from internet which is not public IP" src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "defconf: drop invalid for forward chain" connection-state=invalid \
    disabled=yes log=yes log-prefix="drop invalid for forward chain"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN log=yes \
    log-prefix=!NAT
add action=reject chain=input comment="useful for tracking LAN issues" \
    in-interface-list=VLAN log=yes log-prefix="icmp prohibited" reject-with=\
    icmp-admin-prohibited
add action=drop chain=input comment="Drop All Else" log=yes log-prefix=\
    "Drop All Else"
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent fi\
    rewall to quickly disable RAW filtering without disabling all RAW rules" \
    disabled=yes log=yes log-prefix="RAW FILTER DISABLED!!"
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    log=yes log-prefix="Incoming WAN invalid src addy" src-address-list=\
    unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit dst-addresses hitting WAN side" dst-address-list=\
    !expected-dst-address-to-my-ISP in-interface-list=WAN log=yes log-prefix=\
    "Incoming WAN invalid dst addy"
add action=drop chain=prerouting log=yes log-prefix=\
    "CountryBlockIP - China Iran" src-address-list=CountryIPBlocks
add action=drop chain=prerouting comment=\
    "drop non-legit traffic coming from LAN" in-interface-list=LAN log=yes \
    log-prefix="non-legit FROM LAN" src-address-list=\
    !expected-address-from-LAN
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=bad_ipv4
add action=drop chain=prerouting comment="Non-LAN IP coming from LAN" \
    in-interface-list=LAN log=yes log-prefix="Non-LAN ip coming from LAN" \
    src-address-list=!LAN
/ip ipsec identity
add auth-method=digital-signature certificate="Home server2" comment=\
    "Home client2" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client2"
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client1" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client1"
/ip ipsec mode-config
add address-pool=*D name=vpn
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=20022
set www-ssl address=\
    192.168.30.103/32,192.168.88.254/32,192.168.88.0/24,192.168.99.0/24 \
    certificate=https-cert disabled=no port=8844 tls-version=only-1.2
set api disabled=yes
set winbox address=\
    192.168.88.0/24,192.168.99.0/24,192.168.30.103/32,192.168.5.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ip traffic-flow
set interfaces=VLAN50
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=fe02::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: allow established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=drop chain=input disabled=yes in-interface=ether1-WAN log=yes \
    log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input disabled=yes
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accepts icmpv6 after raw" \
    in-interface=!ether1-WAN protocol=icmpv6
add action=drop chain=forward disabled=yes log-prefix=IPV6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Winbox
/tool mac-server ping
set enabled=no
RB4011_032823.rsc
Last edited by User4011 on Wed Mar 29, 2023 7:12 pm, edited 1 time in total.
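A cross-check of the bridge sections in the export, added here as an example (it is not the poster's code and not a MikroTik tool): it parses `/interface bridge port` and `/interface bridge vlan`, applies the RouterOS default of pvid=1 to ports that omit it, and lists where untagged membership rests on the dynamic PVID entry RouterOS creates itself rather than on a static VLAN entry. On the sections above it reports ether10 on PVID 1 with no static VLAN 1 entry, ether4/ether5/ether6 on PVIDs 60/50/60 without being listed as untagged in those VLAN entries, and VLANs 10, 20, 50 and 60 with no untagged port at all. Those are facts of the posted table, not a diagnosis. Only the Python standard library is used.

```python
"""Cross-check a RouterOS bridge VLAN table against the ports' PVIDs.

Added example for this thread (not the poster's code, not a MikroTik tool).
EXPORT holds the '/interface bridge port' and '/interface bridge vlan'
sections copied from the export above, continuation backslashes included.
"""
import shlex
from collections import defaultdict

EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
    vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 untagged=ether7,ether3 \
    vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=20
"""

def join_continuations(text):
    """Merge the trailing-backslash continuation lines RouterOS exports use."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.strip():
            out.append(line)
    return out

def parse_entries(text):
    """Return {section: [ {key: value, ...}, ... ]} for every 'add' line."""
    sections, current = defaultdict(list), None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line.strip()
        elif current and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            sections[current].append(dict(pairs))
    return sections

def expand_ids(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}; vlan-ids may hold lists and ranges."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def bridge_vlan_report(text, bridge="bridge"):
    """Summarise static VLAN membership and where it leans on PVID behaviour."""
    sec = parse_entries(text)
    ports = {p["interface"]: p for p in sec["/interface bridge port"]
             if p.get("bridge") == bridge}
    pvid = {n: int(p.get("pvid", 1)) for n, p in ports.items()}  # RouterOS default pvid=1
    # trunk ports that admit only tagged frames never use their PVID
    access = {n for n, p in ports.items()
              if p.get("frame-types", "admit-all") != "admit-only-vlan-tagged"}
    vlans = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for v in sec["/interface bridge vlan"]:
        if v.get("bridge") != bridge:
            continue
        for vid in expand_ids(v["vlan-ids"]):
            for kind in ("tagged", "untagged"):
                vlans[vid][kind] |= {m for m in v.get(kind, "").split(",") if m}
    return {
        "pvid": pvid,
        "vlans": dict(vlans),
        # access ports whose PVID has no static entry: only the dynamic PVID
        # entry that RouterOS adds on its own carries their untagged traffic
        "pvid_without_static_vlan": {n for n in access if pvid[n] not in vlans},
        # PVID names a static VLAN, but the port is not listed untagged there
        "pvid_not_listed_untagged": {n for n in access if pvid[n] in vlans
                                     and n not in vlans[pvid[n]]["untagged"]},
        # static VLANs reachable only over tagged trunks
        "vlans_without_untagged": {v for v, m in vlans.items() if not m["untagged"]},
        # port listed untagged under a VLAN id that is not its PVID
        "untagged_pvid_mismatch": {(n, v) for v, m in vlans.items()
                                   for n in m["untagged"] if pvid.get(n) != v},
    }

if __name__ == "__main__":
    for key, value in bridge_vlan_report(EXPORT).items():
        print(f"{key}: {value}")
```

Paste any other export's two bridge sections into `EXPORT` (or read the `.rsc` file into it) to run the same check; `comment=` values with spaces are handled by `shlex`, and `vlan-ids` ranges such as `10-20` are expanded.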
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Disconnected from LAN port and All other connections loose IP!

Wed Mar 29, 2023 5:49 pm

Do we really need SO MANY lines of code? Could you please edit it and trim a little just for crucial part of configuration?
 
User4011
newbie
Topic Author
Posts: 38
Joined: Tue Jun 29, 2021 12:36 am

Re: Disconnected from LAN port and All other connections loose IP!

Wed Mar 29, 2023 7:14 pm

Yeah. Significant trim. Went from 80s hair band to mohawk. Country block list....
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Disconnected from LAN port and All other connections loose IP!

Wed Mar 29, 2023 7:18 pm

Yeah, now I can read this thread again.......... my Firefox knew it was bad news; the rest of you do not have as smart a fox as I do........

Seeing as you didn't fix the issues I brought up, NO COMMENT this round. Try again.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Disconnected from LAN port and All other connections loose IP!

Thu Mar 30, 2023 4:28 pm

@User4011

It is completely useless to load 50k lines of firewall rules in the config.
At least they must be loaded dynamically after reboot, so as not to pollute the export/backup....
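One way to do what rextended suggests, as an added example (not the poster's code and not MikroTik's): build the country-block list off-box as an `.rsc` whose entries carry `timeout=`. Entries created with a timeout are dynamic in RouterOS, so they never show up in `/export` and vanish on reboot, and the import is simply run again from a scheduler. The sample prefixes below are constructed; the list name `CountryIPBlocks` matches the raw rule in the export, while the file name, timeout value and comment are assumptions. Each generated line is wrapped in `:do { } on-error={ }` because RouterOS refuses a duplicate address-list entry, which would otherwise abort a re-import while earlier dynamic entries are still alive.

```python
"""Generate a RouterOS .rsc that installs an address list as dynamic entries.

Added example following rextended's remark (not the poster's or MikroTik's
code). Prefixes are validated and overlapping ones collapsed before emitting,
so a sloppy upstream list cannot abort the import halfway through.
"""
import ipaddress

# Constructed sample input: one prefix per line, '#' starts a comment.
# The overlap (1.0.2.0/24 inside 1.0.2.0/23) and the junk line are deliberate.
SAMPLE_BLOCKS = """
# CHINA
1.0.1.0/24
1.0.2.0/23
1.0.2.0/24
# IRAN (ISLAMIC REPUBLIC OF)
195.245.70.0/23
not-an-address
"""

def load_prefixes(text):
    """Parse CIDRs, skip junk lines, collapse overlaps. Returns (nets, rejected)."""
    nets, rejected = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_rsc(nets, list_name="CountryIPBlocks", timeout="2d",
               comment="dynamic country block"):
    """One add per prefix. timeout= is what makes the entry dynamic (D flag),
    which keeps it out of /export; the :do/on-error wrapper swallows the
    'already have such entry' failure on a repeated import."""
    return [
        f":do {{ /ip firewall address-list add list={list_name} address={net} "
        f'timeout={timeout} comment="{comment}" }} on-error={{ :nothing }}'
        for net in nets
    ]

def build_file(text, path="countryblocks.rsc"):
    """Write the .rsc and return (line count, rejected inputs)."""
    nets, rejected = load_prefixes(text)
    lines = render_rsc(nets)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines), rejected

if __name__ == "__main__":
    count, bad = build_file(SAMPLE_BLOCKS)
    print(f"wrote {count} entries; rejected: {bad}")
```

Upload the generated file to the router and run `/import file-name=countryblocks.rsc`; a `/system scheduler` entry with `start-time=startup` that runs the same import puts the entries back after a reboot, and a second one with an interval shorter than the timeout keeps them from expiring. Because the entries are dynamic, the export stays at the handful of lines that reference the list rather than carrying the list itself.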
