Il router è un RB4011iGS+5HacQ2HnD (OS 7.11) e il risultato che vorrei ottenere è un insieme di porte (da ETH1 a ETH5 più WIFI) che costituiscono la mia rete casalinga, da considerare sicura; una porta WAN da collegare all'ONT Open Fiber (linea Postecasa Ultraveloce); una rete WIFI per gli ospiti; e le altre porte, destinate a connessioni che passano o terminano in aree esterne e che quindi vorrei isolare.
Ho verificato la configurazione sul router attuale e viene instaurata una connessione PPPOE untagged, mentre la documentazione (modem libero) del provider dice di taggarla con VLAN 835.
Quindi, prima di determinare se non navigo perché il provider vuole o non vuole il tag, mi servirebbe capire se con questa configurazione ci sono quasi o meno.
Come base ho preso una configurazione che ho trovato su un forum e l'ho adattata un po'...
#######################################
# System setup
#######################################
# Device identity and clock. The time zone only affects how log
# timestamps are shown (and any time-based rules added later).
/system identity
set name=DigiRouter
/system clock
set time-zone-name=Europe/Rome
#######################################
# VLAN Overview
#######################################
# 10 = TRUSTED (ether1-ether5 + wlan1-wlan2)
# 20 = DOORBELL (ether7)
# 30 = WALLBOX (ether8)
# 40 = GARAGE (ether9)
# 50 = SISTER (ether10) (Ponte WIFI)
# 60 = GUEST (wlan3-wlan4)
# 835 = WAN (ether6) (ONT OpenFiber)
#######################################
# WIFI Setup
#######################################
# Both radios (wlan1, wlan2) broadcast the trusted SSID. The guest SSID
# is served by virtual APs (wlan3/wlan4) slaved to the same radios but
# bound to a separate security profile, so its key can differ from the
# trusted one. "mypassword" is a placeholder on both profiles; use two
# distinct, strong pre-shared keys in the real configuration.
/interface wireless security-profiles
# trusted SSID reuses the default profile
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="mypassword"
# dedicated profile for the guest SSID
add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="mypassword"
/interface wireless
# Trusted SSID on the physical radios
set [ find default-name=wlan1 ] ssid=DigiMaster frequency=auto mode=ap-bridge disabled=no
set [ find default-name=wlan2 ] ssid=DigiMaster frequency=auto mode=ap-bridge disabled=no
# Guest SSID as virtual APs on top of each radio
add name=wlan3 ssid=DigiGuest master-interface=wlan1 security-profile=guest disabled=no
add name=wlan4 ssid=DigiGuest master-interface=wlan2 security-profile=guest disabled=no
#######################################
# Bridge
#######################################
# A single bridge carries every port. VLAN filtering is left off here
# and switched on as the final step of the script, once ports, VLAN
# table and firewall are in place. protocol-mode=none disables (R)STP.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=no
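#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior: the pvid is the VLAN assigned to untagged frames
# entering each port. Every pvid here must match the VLAN in which the
# port is listed as untagged in /interface bridge vlan below; otherwise,
# once vlan-filtering is on, ingress-filtering silently drops the port's
# traffic.
/interface bridge port
# TRUSTED VLAN (10)
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=10
# DOORBELL VLAN (20)
add bridge=BR1 interface=ether7 pvid=20
# WALLBOX VLAN (30)
add bridge=BR1 interface=ether8 pvid=30
# GARAGE VLAN (40)
add bridge=BR1 interface=ether9 pvid=40
# SISTER VLAN (50) - was pvid=60, which put ether10 into GUEST (60) while
# the VLAN table lists it as untagged in 50 only; fixed to 50.
add bridge=BR1 interface=ether10 pvid=50
# GUEST VLAN (60)
add bridge=BR1 interface=wlan3 pvid=60
add bridge=BR1 interface=wlan4 pvid=60
# WAN VLAN (ONT OpenFiber): ether6 is a tagged member of 835, so with
# frame-types=admit-only-vlan-tagged the pvid is not used for ingress.
add bridge=BR1 interface=ether6 pvid=835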
# egress behavior: the bridge VLAN table decides on which ports each VLAN
# may leave and whether it leaves tagged or untagged. BR1 itself is a
# tagged member of every VLAN because routing happens on /interface vlan
# sub-interfaces attached to BR1.
/interface bridge vlan add bridge=BR1 vlan-ids=10 tagged=BR1 untagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2
/interface bridge vlan add bridge=BR1 vlan-ids=20 tagged=BR1 untagged=ether7
/interface bridge vlan add bridge=BR1 vlan-ids=30 tagged=BR1 untagged=ether8
/interface bridge vlan add bridge=BR1 vlan-ids=40 tagged=BR1 untagged=ether9
/interface bridge vlan add bridge=BR1 vlan-ids=50 tagged=BR1 untagged=ether10
/interface bridge vlan add bridge=BR1 vlan-ids=60 tagged=BR1 untagged=wlan3,wlan4
# WAN: ether6 is a tagged member, matching the VLAN 835 in the provider's documentation
/interface bridge vlan add bridge=BR1 vlan-ids=835 tagged=BR1,ether6
#######################################
# IP Addressing & Routing
#######################################
# The router acts as caching resolver for the LAN (allow-remote-requests=yes),
# forwarding to OpenDNS. Because of this the input chain must keep port 53
# closed towards WAN, or the router becomes an open resolver.
/ip dns
set allow-remote-requests=yes servers="208.67.222.222,208.67.220.220"
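#######################################
# IP Services
#######################################
# One /24 per VLAN: router at 10.<vlan>.0.1/24, DHCP pool .101-.254.
# The dhcp-server network entries were /16 while the interface addresses
# are /24, so clients were handed a /16 mask that did not match the
# gateway's subnet; network prefixes are now /24 throughout.
# TRUSTED VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=TRUSTED_VLAN vlan-id=10
/ip address add interface=TRUSTED_VLAN address=10.10.0.1/24
/ip pool add name=TRUSTED_POOL ranges=10.10.0.101-10.10.0.254
/ip dhcp-server add address-pool=TRUSTED_POOL interface=TRUSTED_VLAN name=TRUSTED_DHCP disabled=no
/ip dhcp-server network add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
# DOORBELL VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=DOORBELL_VLAN vlan-id=20
/ip address add interface=DOORBELL_VLAN address=10.20.0.1/24
/ip pool add name=DOORBELL_POOL ranges=10.20.0.101-10.20.0.254
/ip dhcp-server add address-pool=DOORBELL_POOL interface=DOORBELL_VLAN name=DOORBELL_DHCP disabled=no
/ip dhcp-server network add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1
# WALLBOX VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=WALLBOX_VLAN vlan-id=30
/ip address add interface=WALLBOX_VLAN address=10.30.0.1/24
/ip pool add name=WALLBOX_POOL ranges=10.30.0.101-10.30.0.254
/ip dhcp-server add address-pool=WALLBOX_POOL interface=WALLBOX_VLAN name=WALLBOX_DHCP disabled=no
/ip dhcp-server network add address=10.30.0.0/24 dns-server=10.30.0.1 gateway=10.30.0.1
# GARAGE VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GARAGE_VLAN vlan-id=40
/ip address add interface=GARAGE_VLAN address=10.40.0.1/24
/ip pool add name=GARAGE_POOL ranges=10.40.0.101-10.40.0.254
/ip dhcp-server add address-pool=GARAGE_POOL interface=GARAGE_VLAN name=GARAGE_DHCP disabled=no
/ip dhcp-server network add address=10.40.0.0/24 dns-server=10.40.0.1 gateway=10.40.0.1
# SISTER VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=SISTER_VLAN vlan-id=50
/ip address add interface=SISTER_VLAN address=10.50.0.1/24
/ip pool add name=SISTER_POOL ranges=10.50.0.101-10.50.0.254
/ip dhcp-server add address-pool=SISTER_POOL interface=SISTER_VLAN name=SISTER_DHCP disabled=no
/ip dhcp-server network add address=10.50.0.0/24 dns-server=10.50.0.1 gateway=10.50.0.1
# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=60
/ip address add interface=GUEST_VLAN address=10.60.0.1/24
/ip pool add name=GUEST_POOL ranges=10.60.0.101-10.60.0.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.60.0.0/24 dns-server=10.60.0.1 gateway=10.60.0.1
# WAN VLAN interface creation, PPPOE
# The provider's "modem libero" notes ask for VLAN 835, so the PPPoE client
# runs on WAN_VLAN (tagged 835 towards ether6). If the session only comes up
# untagged, as on the current router, ether6 would instead have to be an
# untagged member of 835 with frame-types=admit-only-untagged-and-priority-tagged
# - TODO confirm against the ONT. user/password look like placeholders:
# replace them with the credentials supplied by the provider.
/interface vlan add interface=BR1 name=WAN_VLAN vlan-id=835
/interface pppoe-client add add-default-route=yes disabled=no interface=WAN_VLAN name=WAN_PPPOE use-peer-dns=no user=openfiber password=openfiber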
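#######################################
# Firewalling & NAT
# Stateful firewall: WAN is fully closed on input, every LAN segment
# reaches the Internet only (no inter-VLAN traffic), and the untrusted
# segments get nothing from the router itself beyond DHCP, DNS and ping.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=TRUSTED
/interface list add name=UNTRUSTED
/interface list member
add interface=WAN_PPPOE list=WAN
add interface=TRUSTED_VLAN list=TRUSTED
add interface=DOORBELL_VLAN list=UNTRUSTED
add interface=WALLBOX_VLAN list=UNTRUSTED
add interface=GARAGE_VLAN list=UNTRUSTED
add interface=SISTER_VLAN list=UNTRUSTED
add interface=GUEST_VLAN list=UNTRUSTED
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
# TRUSTED is the management network: full access to router services (DNS, Winbox, SSH, ...)
add chain=input action=accept in-interface-list=TRUSTED comment="Allow TRUSTED"
# UNTRUSTED segments (doorbell, wallbox, garage, sister link, guest) were
# previously accepted wholesale, exposing Winbox/SSH/WWW to devices the
# rest of the design treats as hostile. They now get only what they need:
# an address, name resolution and ping to the gateway.
add chain=input action=accept in-interface-list=UNTRUSTED protocol=udp dst-port=67 comment="UNTRUSTED DHCP"
add chain=input action=accept in-interface-list=UNTRUSTED protocol=udp dst-port=53 comment="UNTRUSTED DNS udp"
add chain=input action=accept in-interface-list=UNTRUSTED protocol=tcp dst-port=53 comment="UNTRUSTED DNS tcp"
add chain=input action=accept in-interface-list=UNTRUSTED protocol=icmp comment="UNTRUSTED ping"
# everything else, including anything arriving from WAN, is dropped
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=TRUSTED out-interface-list=WAN comment="TRUSTED Internet Access only"
add chain=forward action=accept connection-state=new in-interface-list=UNTRUSTED out-interface-list=WAN comment="UNTRUSTED Internet Access only"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"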
#######################################
# VLAN Security
#######################################
# Access ports accept only untagged (or priority-tagged) frames, so a
# device attached to one port cannot present its own 802.1Q tag to be
# placed in a different VLAN. The WAN port is the opposite: it accepts
# only tagged frames, i.e. VLAN 835 from the ONT.
/interface bridge port
# trusted access ports (VLAN 10)
set [find interface=ether1] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether2] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether3] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether5] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=wlan1] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=wlan2] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# isolated access ports (VLANs 20, 30, 40, 50)
set [find interface=ether7] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether8] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether9] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether10] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# guest virtual APs (VLAN 60)
set [find interface=wlan3] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=wlan4] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# WAN uplink: tagged only
set [find interface=ether6] ingress-filtering=yes frame-types=admit-only-vlan-tagged
#######################################
# MAC Server settings
#######################################
# Neighbor discovery, MAC-Telnet and MAC-Winbox are limited to the TRUSTED
# interface list, so these L2 management services are neither announced
# nor reachable from the untrusted VLANs or the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
#######################################
# Turn on VLAN mode
#######################################
# Final step: with vlan-filtering on, the bridge starts honouring the
# pvid, VLAN table and frame-types configured above. Doing this last
# avoids losing the management session halfway through the script.
/interface bridge
set [ find name=BR1 ] vlan-filtering=yes
Un grazie anticipato a chi saprà aiutarmi.