Going back to first principles... Don't mix apples and oranges: when you do VLANs, do all VLANs, no bridge DHCP etc.
As per the article --> viewtopic.php?t=143620
ADD:
/interface vlan
add comment=HoM interface=BR1 name=VL10-HoM vlan-id=10
/interface list members
add interface=VL10-HoM list=LAN
[Ip pool and dhcp-server network need not change]
/ip address
add address=10.10.0.1/24 interface=VL10-HoM network=10.10.0.0
/ip dhcp-server
UNABLE due to some errors on the config........
1. There is no reference to the LAN subnet attributed to the bridge on the dhcp-server..... The closest seems to be this...
add address-pool=VL100-POOL comment="10.10.0.0 - Moved to Bridge to keep UNIFI\
\_Controller, APs and Switches happy" interface=BR1 lease-time=1d name=\
LAN-DHCP
But you already have an address pool for the LAN entity??
add comment=LAN name=LAN-POOL ranges=10.0.0.100-10.0.0.254
BUT, there is no vlan100 interface that I can see on your interface vlan list??
2. Looking at the vlan interface list you have created 6 VLANs but you have 9 pools (10, but not counting the ether5 pool, which you actually don't need if it's just emergency access anyway).
The extra pools are:
VL100 (INFRA) for the non-existent vlan (replacing LAN pool?)
VL1010 (MGMT) again for a non-existent vlan
3. Your /interface bridge ports reference vlan1000, a non-existent vlan????
4. Your /interface bridge vlans reference vlan100, a non-existent vlan??
5. Typically for future work the neighbour discovery is aimed at the trusted subnet or subnets, which is/are usually assigned to a management interface.
Thus the interface identified here is usually narrower in scope for a more refined/complex config. The key being that all smart devices being managed should get their IP address from a trusted subnet.
6. SECURITY ISSUE ---> one should never provide direct external access to configuration ports........ asking to get hacked. Also source port makes no sense.
add action=accept chain=input comment="Allow Winbox & SSH" dst-port=8291,22 \
    protocol=tcp src-port=8291,22
If needing external access to the router, one should VPN in to the router and then access the config from the internal side.
Thus the rule should have something to prevent external access:
add action=accept chain=input comment="Allow Winbox & SSH" dst-port=8291,22 \
    protocol=tcp src-address-list=AUTHORIZED
or at least in-interface-list=MANAGEMENT (where admin accesses from trusted subnets).
Personally I would change from the default ports, be it WireGuard or Winbox!!!!
So the firewall address rule would look something like:
/ip firewall address-list
# entries taken from static DHCP leases
add address=admin1-IP list=AUTHORIZED comment="admin desktop local (work subnet)"
add address=admin2-IP list=AUTHORIZED comment="admin laptop local"
add address=admin3-IP list=AUTHORIZED comment="admin desktop/laptop local (mgmt network)"
add address=admin4-IP list=AUTHORIZED comment="admin ipad/smartphone"
add address=10.1.1.5 list=AUTHORIZED comment="admin ether5 access"
Statistics: Posted by anav — Sat Jan 20, 2024 5:50 pm
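The post's points 2 to 4 and 6 are all things a script can cross-check in a RouterOS /export before the config goes live. The Python below is an added example (not the poster's code and not a MikroTik tool): it parses the `add` lines of an export, joins `\`-continued lines and decodes the `\_` leading-space escape seen in the post, then reports bridge-port PVIDs and bridge-vlan entries with no matching /interface vlan, DHCP servers or IP addresses bound to undefined (or mis-cased) interface names, pools no DHCP server uses, and input rules that accept Winbox/SSH without a source restriction or with a pointless src-port. The sample export is constructed to contain exactly those mistakes; the physical-port name pattern and the assumption that interface and list names are case-sensitive are mine.

```python
import re

# Constructed sample RouterOS /export (not the original poster's config); it
# deliberately repeats the mistakes the post lists.
SAMPLE_EXPORT = r"""
/interface bridge
add name=BR1 vlan-filtering=yes
/interface vlan
add comment=HoM interface=BR1 name=VL10-HoM vlan-id=10
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=1000
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=100
/ip pool
add name=VL10-POOL ranges=10.10.0.100-10.10.0.254
add name=VL100-POOL ranges=10.100.0.100-10.100.0.254
add name=MGMT-POOL ranges=10.101.0.100-10.101.0.254
/ip dhcp-server
add address-pool=VL10-POOL interface=VL10-HoM name=VL10-DHCP
add address-pool=VL100-POOL comment="10.100.0.0 - kept to keep UNIFI\
    \_Controller, APs and Switches happy" interface=VL100-INFRA name=VL100-DHCP
/ip address
add address=10.10.0.1/24 interface=VL10-Hom network=10.10.0.0
/ip firewall filter
add action=accept chain=input comment="Allow Winbox & SSH" dst-port=8291,22 \
    protocol=tcp src-port=8291,22
add action=accept chain=input comment="Admin Winbox & SSH" dst-port=8291,22 \
    protocol=tcp src-address-list=AUTHORIZED
"""

PHYSICAL = re.compile(r"^(ether|sfp|wlan|wifi)\d")  # assumed physical-port naming
MGMT_PORTS = {"22", "8291"}                          # the ports the post discusses
RESTRICTORS = ("src-address-list", "in-interface-list", "src-address", "in-interface")
PAIR = re.compile(r'(\S+?)=("[^"]*"|\S+)')           # key=value or key="quoted value"


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for every 'add' line, joining
    backslash-continued lines and decoding the '\\_' leading-space escape."""
    cfg, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:                                  # continuation of the previous line
            line = line.lstrip()
            if line.startswith("\\_"):
                line = " " + line[2:]
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            cfg.setdefault(section, []).append(
                {k: v.strip('"') for k, v in PAIR.findall(line[4:])})
    return cfg


def vlan_checks(cfg):
    """Cross-reference VLAN ids, interface names and pools (the post's points 2-4)."""
    out = []
    vlans = cfg.get("/interface vlan", [])
    vlan_ids = {v["vlan-id"] for v in vlans}
    names = {v["name"] for v in vlans} | {b["name"] for b in cfg.get("/interface bridge", [])}
    lower = {n.lower() for n in names}
    for p in cfg.get("/interface bridge port", []):
        if p.get("pvid", "1") not in vlan_ids | {"1"}:    # pvid 1 is the untagged default
            out.append(f"bridge port {p['interface']}: pvid {p['pvid']} has no /interface vlan")
    for v in cfg.get("/interface bridge vlan", []):
        for vid in v.get("vlan-ids", "").split(","):
            if vid not in vlan_ids:
                out.append(f"bridge vlan {vid}: no /interface vlan")
    for sec in ("/ip dhcp-server", "/ip address"):
        for e in cfg.get(sec, []):
            ifn = e.get("interface", "")
            if ifn not in names and not PHYSICAL.match(ifn):
                hint = " (case mismatch?)" if ifn.lower() in lower else ""
                out.append(f"{sec} {e.get('name', e.get('address'))}: interface {ifn} undefined{hint}")
    pools = {p["name"] for p in cfg.get("/ip pool", [])}
    used = {d["address-pool"] for d in cfg.get("/ip dhcp-server", []) if "address-pool" in d}
    out += [f"pool {p}: defined but no dhcp-server uses it" for p in sorted(pools - used)]
    out += [f"pool {p}: used by a dhcp-server but undefined" for p in sorted(used - pools)]
    return out


def exposed_mgmt_rules(cfg):
    """Flag input accepts for Winbox/SSH with no source restriction (point 6).
    Only the presence of a restriction is checked, not what the list contains."""
    out = []
    for r in cfg.get("/ip firewall filter", []):
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        hit = set(r.get("dst-port", "").split(",")) & MGMT_PORTS
        if not hit:
            continue
        label = r.get("comment", "<no comment>")
        if not any(k in r for k in RESTRICTORS):
            out.append(f"{label}: accepts management ports {sorted(hit)} from any source")
        if "src-port" in r:
            out.append(f"{label}: src-port={r['src-port']} is meaningless, clients use ephemeral source ports")
    return out


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for finding in vlan_checks(cfg) + exposed_mgmt_rules(cfg):
        print(finding)
```

Run it against `/export` output saved to a file instead of the embedded sample and fix the config until the script prints nothing; note that a rule restricted with `in-interface-list=WAN` would still pass the firewall check, so the restriction's content still needs a human look.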