RB4011iGS+5HacQ2HnD e OpenFiber


Post by sgobbit » Tue 12 Sep 2023, 21:23

Hi, because of how extensively it can be configured, I decided to switch to a MikroTik router.

The router is an RB4011iGS+5HacQ2HnD (OS 7.11) and the result I want to get is: a set of ports (ETH1 to ETH5 plus WiFi) that form my home network, which can be considered secure; one port that is the WAN port to connect to the OpenFiber ONT (Postecasa Ultraveloce line); a guest WiFi network; and the remaining ports, which are meant for connections that pass through or terminate in outdoor areas and which I would therefore like to isolate.

I checked the configuration on the current router and an untagged PPPoE connection is established, while the provider's documentation (free modem) says to tag it with VLAN 835.
So before working out whether I can't browse because it does or doesn't want the tag, I need to understand whether I'm close with the config or not.

As a base I took a configuration I found on a forum and adapted it a bit...

Code:
#######################################
# System setup
#######################################

# name the device being configured
/system identity set name=DigiRouter
/system clock set time-zone-name=Europe/Rome

#######################################
# VLAN Overview
#######################################

# 10  = TRUSTED  (ether1-ether5 + wlan1-wlan2)
# 20  = DOORBELL (ether7)
# 30  = WALLBOX  (ether8)
# 40  = GARAGE   (ether9)
# 50  = SISTER   (ether10) (WiFi bridge)
# 60  = GUEST    (wlan3-wlan4)
# 835 = WAN      (ether6) (ONT OpenFiber)


#######################################
# WIFI Setup
#######################################

# Trusted SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="mypassword"
/interface wireless set [ find default-name=wlan1 ] ssid=DigiMaster frequency=auto mode=ap-bridge disabled=no
/interface wireless set [ find default-name=wlan2 ] ssid=DigiMaster frequency=auto mode=ap-bridge disabled=no

# Guest SSID
/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="mypassword"
/interface wireless add name=wlan3 ssid=DigiGuest master-interface=wlan1 security-profile=guest disabled=no
/interface wireless add name=wlan4 ssid=DigiGuest master-interface=wlan2 security-profile=guest disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# TRUSTED VLAN
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=wlan1  pvid=10
add bridge=BR1 interface=wlan2  pvid=10

# DOORBELL VLAN
add bridge=BR1 interface=ether7 pvid=20

# WALLBOX VLAN
add bridge=BR1 interface=ether8 pvid=30

# GARAGE VLAN
add bridge=BR1 interface=ether9 pvid=40

# SISTER VLAN (pvid must match the untagged membership in /interface bridge vlan, i.e. 50)
add bridge=BR1 interface=ether10 pvid=50

# GUEST VLAN
add bridge=BR1 interface=wlan3 pvid=60
add bridge=BR1 interface=wlan4 pvid=60

# WAN VLAN (ONT OpenFiber)
add bridge=BR1 interface=ether6 pvid=835

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether8 vlan-ids=30
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=40
add bridge=BR1 tagged=BR1 untagged=ether10 vlan-ids=50
add bridge=BR1 tagged=BR1 untagged=wlan3,wlan4 vlan-ids=60
add bridge=BR1 tagged=BR1,ether6 vlan-ids=835


#######################################
# IP Addressing & Routing
#######################################

# DNS server, set to cache for the LAN
# I use OpenDNS
/ip dns set allow-remote-requests=yes servers="208.67.222.222,208.67.220.220"


#######################################
# IP Services
#######################################

# TRUSTED VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=TRUSTED_VLAN vlan-id=10
/ip address add interface=TRUSTED_VLAN address=10.10.0.1/24
/ip pool add name=TRUSTED_POOL ranges=10.10.0.101-10.10.0.254
/ip dhcp-server add address-pool=TRUSTED_POOL interface=TRUSTED_VLAN name=TRUSTED_DHCP disabled=no
/ip dhcp-server network add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1

# DOORBELL VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=DOORBELL_VLAN vlan-id=20
/ip address add interface=DOORBELL_VLAN address=10.20.0.1/24
/ip pool add name=DOORBELL_POOL ranges=10.20.0.101-10.20.0.254
/ip dhcp-server add address-pool=DOORBELL_POOL interface=DOORBELL_VLAN name=DOORBELL_DHCP disabled=no
/ip dhcp-server network add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1

# WALLBOX VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=WALLBOX_VLAN vlan-id=30
/ip address add interface=WALLBOX_VLAN address=10.30.0.1/24
/ip pool add name=WALLBOX_POOL ranges=10.30.0.101-10.30.0.254
/ip dhcp-server add address-pool=WALLBOX_POOL interface=WALLBOX_VLAN name=WALLBOX_DHCP disabled=no
/ip dhcp-server network add address=10.30.0.0/24 dns-server=10.30.0.1 gateway=10.30.0.1

# GARAGE VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GARAGE_VLAN vlan-id=40
/ip address add interface=GARAGE_VLAN address=10.40.0.1/24
/ip pool add name=GARAGE_POOL ranges=10.40.0.101-10.40.0.254
/ip dhcp-server add address-pool=GARAGE_POOL interface=GARAGE_VLAN name=GARAGE_DHCP disabled=no
/ip dhcp-server network add address=10.40.0.0/24 dns-server=10.40.0.1 gateway=10.40.0.1

# SISTER VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=SISTER_VLAN vlan-id=50
/ip address add interface=SISTER_VLAN address=10.50.0.1/24
/ip pool add name=SISTER_POOL ranges=10.50.0.101-10.50.0.254
/ip dhcp-server add address-pool=SISTER_POOL interface=SISTER_VLAN name=SISTER_DHCP disabled=no
/ip dhcp-server network add address=10.50.0.0/24 dns-server=10.50.0.1 gateway=10.50.0.1

# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=60
/ip address add interface=GUEST_VLAN address=10.60.0.1/24
/ip pool add name=GUEST_POOL ranges=10.60.0.101-10.60.0.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.60.0.0/24 dns-server=10.60.0.1 gateway=10.60.0.1

# WAN VLAN interface creation, PPPoE
/interface vlan add interface=BR1 name=WAN_VLAN vlan-id=835
/interface pppoe-client add add-default-route=yes disabled=no interface=WAN_VLAN name=WAN_PPPOE use-peer-dns=no user=openfiber password=openfiber


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=TRUSTED
/interface list add name=UNTRUSTED

/interface list member
add interface=WAN_PPPOE         list=WAN
add interface=TRUSTED_VLAN      list=TRUSTED
add interface=DOORBELL_VLAN     list=UNTRUSTED
add interface=WALLBOX_VLAN      list=UNTRUSTED
add interface=GARAGE_VLAN       list=UNTRUSTED
add interface=SISTER_VLAN       list=UNTRUSTED
add interface=GUEST_VLAN        list=UNTRUSTED

# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface=TRUSTED_VLAN comment="Allow TRUSTED_VLAN"
add chain=input action=accept in-interface=DOORBELL_VLAN comment="Allow DOORBELL_VLAN"
add chain=input action=accept in-interface=WALLBOX_VLAN comment="Allow WALLBOX_VLAN"
add chain=input action=accept in-interface=GARAGE_VLAN comment="Allow GARAGE_VLAN"
add chain=input action=accept in-interface=SISTER_VLAN comment="Allow SISTER_VLAN"
add chain=input action=accept in-interface=GUEST_VLAN comment="Allow GUEST_VLAN"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface=TRUSTED_VLAN out-interface=WAN_PPPOE comment="TRUSTED_VLAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface=DOORBELL_VLAN out-interface=WAN_PPPOE comment="DOORBELL_VLAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface=WALLBOX_VLAN out-interface=WAN_PPPOE comment="WALLBOX_VLAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface=GARAGE_VLAN out-interface=WAN_PPPOE comment="GARAGE_VLAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface=SISTER_VLAN out-interface=WAN_PPPOE comment="SISTER_VLAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface=GUEST_VLAN out-interface=WAN_PPPOE comment="GUEST_VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN_PPPOE comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan4]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from TRUSTED_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=TRUSTED
/tool mac-server mac-winbox set allowed-interface-list=TRUSTED
/tool mac-server set allowed-interface-list=TRUSTED


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes


Thanks in advance to anyone who can help me.
sgobbit
Mikrotik Curious User

Posts: 1
Joined: Thu 17 Aug 2023, 21:21
Using RouterOS since version: v7.x
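The two slips most likely to break a hand-written bridge-VLAN setup like the one above are a port whose pvid points at a VLAN it is not a member of (its untagged ingress traffic is silently dropped once vlan-filtering is turned on) and a DHCP network prefix that does not match the router's own address on that VLAN. As an added example, not code from the original post or from MikroTik, here is a small Python checker that reads an exported RouterOS script and reports both. It assumes the export uses the `add` command layouts shown in the post and explicit VLAN ids (no ranges); the embedded sample is constructed to mirror the post's configuration, including the ether10 pvid and the /16 DHCP network.

```python
"""Consistency checks for a RouterOS bridge-VLAN export.

Added example (not from the original post or from MikroTik). It parses the
`add` commands of an exported RouterOS script and reports:
  1. a bridge port whose pvid is a VLAN it is not a tagged or untagged member
     of in /interface bridge vlan (dropped once vlan-filtering=yes), and
  2. a /ip dhcp-server network prefix that differs from the router's own
     /ip address prefix on the entry's gateway (clients get the wrong mask).
"""
import ipaddress
import re

# Constructed sample, modelled on the post's configuration: ether10 has pvid=60
# while its untagged membership is VLAN 50, and the TRUSTED DHCP network is /16
# while the router address is /24.
SAMPLE_CONFIG = """
/interface bridge port
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether10 pvid=60
add bridge=BR1 interface=wlan3 pvid=60
add bridge=BR1 interface=ether6 pvid=835
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether10 vlan-ids=50
add bridge=BR1 tagged=BR1 untagged=wlan3 vlan-ids=60
add bridge=BR1 tagged=BR1,ether6 vlan-ids=835
/ip address add interface=TRUSTED_VLAN address=10.10.0.1/24
/ip dhcp-server network add address=10.10.0.0/16 dns-server=10.10.0.1 gateway=10.10.0.1
"""

# key=value or key="quoted value"
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_commands(text):
    """Yield (menu, params) for every `add` command.

    Handles both layouts used in exports: a bare `/menu path` line followed by
    `add ...` lines, and the one-line `/menu path add ...` form. Comments and
    `set` commands are ignored (this is a checker, not a full parser).
    """
    menu = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("/"):
            head, sep, rest = line.partition(" add ")
            menu = head.strip()
            if not sep:
                continue
            line = "add " + rest
        if line.startswith("add "):
            yield menu, {k: v.strip('"') for k, v in KV.findall(line[4:])}


def check_pvids(text):
    """Return one finding per bridge port whose pvid VLAN does not list it as a
    tagged or untagged member. Single ids and comma lists are handled; ranges
    such as 10-20 are not (assumption: the export uses explicit ids)."""
    pvid_of, members = {}, {}
    for menu, p in parse_commands(text):
        if menu == "/interface bridge port" and "pvid" in p:
            pvid_of[p["interface"]] = int(p["pvid"])
        elif menu == "/interface bridge vlan":
            ports = set()
            for key in ("tagged", "untagged"):
                if p.get(key):
                    ports.update(p[key].split(","))
            for vid in p["vlan-ids"].split(","):
                members.setdefault(int(vid), set()).update(ports)
    return [f"{port}: pvid {pvid} but not a member of VLAN {pvid}"
            for port, pvid in sorted(pvid_of.items())
            if port not in members.get(pvid, set())]


def check_dhcp_networks(text):
    """Return one finding per /ip dhcp-server network whose prefix differs from
    the router's /ip address prefix on the entry's gateway."""
    router_net = {}  # router IP (string) -> its on-link network
    for menu, p in parse_commands(text):
        if menu == "/ip address":
            iface = ipaddress.ip_interface(p["address"])
            router_net[str(iface.ip)] = iface.network
    findings = []
    for menu, p in parse_commands(text):
        if menu != "/ip dhcp-server network":
            continue
        net = ipaddress.ip_network(p["address"], strict=False)
        gw = p.get("gateway")
        if gw not in router_net:
            findings.append(f"{net}: gateway {gw} is not an address of the router")
        elif router_net[gw] != net:
            findings.append(f"{net}: differs from router prefix {router_net[gw]} on gateway {gw}")
    return findings


if __name__ == "__main__":
    for finding in check_pvids(SAMPLE_CONFIG) + check_dhcp_networks(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `/export` instead of the embedded sample to check a live device; a clean run returns two empty lists. ether6 is deliberately not reported even though its pvid VLAN has no untagged members, because it is a tagged member of 835, which is what the post's `admit-only-vlan-tagged` ingress filter relies on.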

