Check on MikroTik config

Thu Dec 07, 2023 8:18 pm

Hi all.

I'm new to the MikroTik world; I'd like to ask you to validate my config.

I've got an hAP mini (RB931-2nD).

The wanted topology is:

the hAP configured as a station that connects to my other AP, plus a virtual AP for mobile devices to connect to.

After that I would like to connect the three Ethernet ports on the board as below:

1 --> Server MGMT (proxmox)
2 --> Server VM connectivity usage
3 --> NAS

Have I properly configured the bridge?
Is it right to put the ports together inside the bridge?
Is it right to assign the IP to the bridge and not to a specific interface? I'm asking because previously I had the Ethernet ports in the LAN interface list,
and a firewall rule using that list did not apply until I also added the bridge to the list. I found that strange, because the packets were arriving from ether3 towards the DNS configured on the board.

Thank you in advance
# dec/07/2023 19:07:58 by RouterOS 6.49.10
# software id = JX4B-KKVB
#
# model = RB931-2nD
# serial number = B7B10CA2CA30
/interface bridge
# Single LAN bridge. Once ether1/ether3/"Wireless - LAN" are bridge ports, the
# IP firewall and interface-list matching see their traffic as arriving on
# "bridge" (which is what the author observed: the LAN-list rule only matched
# after "bridge" itself was added to the list).
add admin-mac=48:8F:5A:4C:5B:76 auto-mac=no comment=defconf name=bridge
/interface wireless
# Uplink ("WAN"): wlan1 joins the other AP (SSID "Test") as a pseudobridge
# station; the DHCP client further down gets the uplink address on it.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=italy disabled=no distance=indoors frequency=auto installation=\
    indoor mode=station-pseudobridge name="Wireless - WAN" ssid=Test \
    wireless-protocol=802.11 wps-mode=disabled
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface wireless
# Virtual AP "PEPPE" for the mobile devices, slaved to wlan1. No
# security-profile= is given, so it presumably falls back to the "default"
# profile -- the same PSK the station uses to join the upstream AP. A
# dedicated profile with its own key for this AP keeps the two credentials
# independent (leaking the guest key would otherwise expose the uplink key).
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:4C:5B:79 \
    master-interface="Wireless - WAN" multicast-buffering=disabled name=\
    "Wireless - LAN" ssid=PEPPE wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
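/interface wireless security-profiles
# Default profile, shared by the uplink station and the virtual AP.
# WPA1 (wpa-psk) and TKIP have been removed: both are deprecated and TKIP is
# practically breakable, and offering them lets a client/AP negotiate down to
# them. Only WPA2-PSK with AES-CCMP is left, so the WPA1 key is no longer
# needed either.
# Caveat: the upstream AP that wlan1 joins must support WPA2/AES (virtually
# all do). If it is WPA1/TKIP-only the station will not associate; in that
# case give the station its own profile rather than weakening this shared one.
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=aes-ccm \
    mode=dynamic-keys supplicant-identity=Peppe unicast-ciphers=aes-ccm \
    wpa2-pre-shared-key="#####"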
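/ip pool
add name=CLIENT-LAN ranges=192.168.88.2-192.168.88.127
# Reserved for a future 192.168.100.0/24 segment: no DHCP server, /ip address
# or interface references it yet. The note is now a proper comment= attribute;
# a trailing "#..." appended to a command line may not be parsed as a comment
# when this export is pasted back into the terminal.
add comment="defined but not used" name=SERVER-LAN ranges=\
    192.168.100.2-192.168.100.127
/ip dhcp-server
# Serves 192.168.88.2-127 on the bridge, i.e. to every bridge port
# (ether1, ether3 and the virtual AP).
add address-pool=CLIENT-LAN disabled=no interface=bridge name=CLIENT-LAN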
/system logging action
# Dedicated in-memory buffer for firewall messages (wired up in /system logging
# further down). memory-stop-on-full=yes keeps the OLDEST entries and silently
# stops recording once the buffer is full, so any rule that logs high-volume
# accepted traffic will exhaust it and later drops go unrecorded. Clear it
# when needed, or use =no (ring buffer) if the newest events matter more.
add memory-stop-on-full=yes name=Firewall target=memory
/interface bridge filter
# Rogue-DHCP guard: drop DHCP replies (UDP dst-port 68 = offers/acks) that
# enter the bridge. "Wireless - WAN" is not a bridge port, so the exported
# warning below means the negated match effectively covers every bridge port,
# and RouterOS may have flagged the rule as invalid -- confirm with
# /interface bridge filter print. It is chain=input only (frames addressed to
# the router itself); a rogue server answering another client across two
# bridge ports is chain=forward and is not covered by this rule.
# in/out-bridge-port matcher not possible when interface (Wireless - WAN) is not slave
add action=drop chain=input dst-port=68 in-interface="!Wireless - WAN" \
    ip-protocol=udp mac-protocol=ip
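/interface bridge port
# LAN-side bridge members. A stray "+" after the virtual AP name (a paste
# artefact that would make the line fail) has been removed. ether2 is
# deliberately left out per the original note; until it is either added here
# or given its own /ip address it carries no IP connectivity at all.
add bridge=bridge interface="Wireless - LAN"
add bridge=bridge interface=ether3
# ether2 intentionally not a bridge port yet
add bridge=bridge interface=ether1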
/ip neighbor discovery-settings
# MNDP/CDP/LLDP announcements only towards the LAN list, never over the uplink.
set discover-interface-list=LAN
/interface list member
add interface="Wireless - WAN" list=WAN
# The individual bridge ports are listed here, but once an interface is a
# bridge port the IP firewall sees its traffic as arriving on "bridge", so the
# entry that actually makes in-interface-list=LAN match is the last one.
# Keeping the port entries is harmless (and may still matter for MAC-level
# tools such as mac-server and neighbor discovery); leaving "bridge" out was
# what made the DNS rule not match.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface="Wireless - LAN" list=LAN
add interface=bridge list=LAN
/ip address
# The LAN gateway address lives on the bridge, not on a member port -- this is
# the correct placement, since member ports have no L3 identity of their own.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client
# Uplink address, default route and DNS are learned from the other AP on wlan1.
add disabled=no interface="Wireless - WAN"
/ip dhcp-server network
# LAN clients are handed the router itself as DNS server and gateway.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# The router is the LAN resolver, forwarding to 8.8.8.8.
# allow-remote-requests=yes answers queries on every interface, including the
# uplink; it is the "drop all not coming from LAN" input rule in the firewall
# that stops this from being an open resolver -- keep that rule if the filter
# is ever reworked.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.125 name=my.nas.local
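/ip firewall filter
# INPUT (traffic to the router itself): LAN is allowed, everything else dropped.
# The two DNS rules are kept so port 53 from LAN stays explicitly permitted
# even if a stricter LAN input policy is added later, but log=yes has been
# removed: every accepted LAN query was being written to the "Firewall" memory
# action, which stops recording once full and would then hide the drops that
# actually matter. Re-enable logging only temporarily for debugging.
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=tcp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from any side, including the uplink (default config).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything not from the LAN list is dropped. This is what
# protects DNS (allow-remote-requests=yes), winbox, ssh and www from the
# uplink side, so it must stay last and must keep "bridge" in the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# FORWARD (traffic through the router): LAN -> uplink is unrestricted; new
# connections from the uplink are only allowed when dst-nat'ed.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN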
/ip firewall nat
# Source-NAT the LAN behind the uplink address; IPsec-encrypted traffic is
# left alone (ipsec-policy=out,none) so tunnelled packets are not rewritten.
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none \
    action=masquerade comment="defconf: masquerade"
/ip service
# Plaintext/legacy management channels are off. www (HTTP), ssh and winbox are
# presumably still enabled at their defaults (defaults are not exported). The
# input filter already blocks them from the uplink, but pinning them to the
# LAN subnet is cheap defence in depth, e.g.
#   set www address=192.168.88.0/24
#   set ssh address=192.168.88.0/24
#   set winbox address=192.168.88.0/24
# and prefer www-ssl over www once a certificate is in place.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system logging
# Keep firewall messages out of the general memory log and send them, with an
# "FW:" prefix, to the dedicated Firewall memory action defined above.
set 0 topics=info,!firewall
add action=Firewall prefix=FW: topics=firewall
/system package update
# NOTE(review): this is a 6.49.x install; make sure the chosen channel still
# delivers security fixes for this board (/system package update
# check-for-updates) rather than assuming it is current.
set channel=upgrade
/tool mac-server
# MAC-telnet and MAC-winbox only answer on LAN-list interfaces, not on the
# uplink -- keep this aligned with the IP firewall's LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Leftover diagnostic setting (default interface for /tool sniffer); harmless.
set filter-interface="Wireless - LAN"
