I want to add an IoT vlan that would not be able to access my main trusted devices network, except for perhaps a raspberry pi or docker instance running on my NAS. I also want a seperate guest vlan which would only have internet access and no access to devices on my main network. How would i go about confguring this?
Here is my config file:
Code: Select all
add admin-mac=[sanitized] auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Canada .hide-ssid=no .manager="(unknown)" .mode=ap .ssid=[sanitized] disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.country=Canada .mode=ap .ssid=[sanitized] disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk
add configuration.hide-ssid=yes .mode=ap .ssid=[sanitized]-work mac-address=[sanitized] master-interface=wifi2 name=wifi3 \
security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=wifi3 name=guest_vlan10 vlan-id=10
add interface=ether1 name=vlan40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.2.16
add name=dhcp_pool2 ranges=10.0.1.2-10.0.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=guest_vlan10 name=guestdhcp
/ip smb users
set [ find default=yes ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan40 max-mru=1500 max-mtu=1500 name=pppoe-out1 profile=default-encryption user=\
[sanitized]
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="configured for [sanitized] which requires vlan 40 tag for internet" interface=vlan40 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=[sanitized] name=ovpn-server1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 interface=guest_vlan10 network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.232 client-id=[sanitized] mac-address=[sanitized] server=defconf
add address=192.168.88.207 client-id=[sanitized] mac-address=[sanitized] server=defconf
add address=192.168.88.233 comment="sony bravia" mac-address=[sanitized] server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Toronto
/system leds
set 0 interface=*1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN