Quantcast
Channel: MikroTik
Viewing all articles
Browse latest Browse all 18748

General • Problem with bridge vlan

$
0
0
Hello,

I am trying to configure bridge vlan on my mikrotik RB5009 router since a while now and I'm stuck with it.
Here is what I want to do :
I have a RB5009 router and a managed switch.
WAN come to Eth1 with a bridge for WAN.
All interfaces except Eth1 and Eth8 (my "backup" port) are in a "lan bridge".
I want to create vlan10, 20, 100, 200.
Interface 2 to 5 can communicate with vlan 10, interfaces 6&7 to vlan 20, 100 and 200.
The SFP+ port can transport all vlans.

I'm stucking at this step, I have a server with fixed address on 192.168.20.250, I can ping it with the router when the IP is on a physical interface but not anymore when I attribute the IP on the vlan 20.

I have tried many think but I'm stucking on this step.
I would like to have your help, so here is my configuration if you see some mistakes.
/interface bridge
add frame-types=admit-only-vlan-tagged name=br-lan port-cost-mode=short \
vlan-filtering=yes
add admin-mac=98:42:65:15:93:60 auto-mac=no name=br-wan port-cost-mode=short

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=sfp-sfpplus1 ] comment=LAN-SFP

/interface vlan
add interface=br-lan name=vlan10 vlan-id=10
add interface=br-lan name=vlan20 vlan-id=20
add interface=br-lan name=vlan100 vlan-id=100
add interface=br-lan name=vlan200 vlan-id=200
add comment="Internet ONT" interface=ether1 loop-protect-disable-time=0s \
loop-protect-send-interval=1s name=vlan832-internet vlan-id=832

/interface list
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 \
out-interface=vlan832-internet passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp \
mac-protocol=ipv6 new-priority=6 out-interface=vlan832-internet

/interface bridge port
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 \
internal-path-cost=10 path-cost=10
add bridge=br-wan comment=WAN interface=vlan832-internet internal-path-cost=\
10 path-cost=10
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether2 pvid=10
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether3 pvid=10
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether4 pvid=10
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether5 pvid=10
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether6 pvid=20
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether7 pvid=20

/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether8 list=LAN
add interface=br-lan list=LAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan100 list=LAN
add interface=vlan200 list=LAN

/ip address
add address=192.168.1.254/24 comment=LAN-DEFAULT disabled=yes interface=\
br-lan network=192.168.1.0
add address=192.168.88.1/24 interface=ether8 network=192.168.88.0
add address=192.168.10.254/24 comment=LAN interface=vlan10 network=\
192.168.10.0
add address=192.168.20.254/24 comment=SERVEUR interface=vlan20 network=\
192.168.20.0
add address=192.168.100.254/24 comment=DMZ interface=vlan100 network=\
192.168.100.0
add address=192.168.200.254/24 comment=MGMT interface=vlan200 network=\
192.168.200.0

/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=192.168.88.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes \
list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes \
list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes \
list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" disabled=yes list=bogons
add address=192.168.20.0/24 list=support
add address=192.168.30.0/24 list=support
add address=192.168.200.0/24 list=support
add address=192.168.100.0/24 list=support
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
/ip firewall nat
add action=masquerade chain=srcnat out-interface=br-wan to-addresses=0.0.0.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
Thanks a lot !

Statistics: Posted by Probz — Sat Jan 20, 2024 10:01 pm



Viewing all articles
Browse latest Browse all 18748

Latest Images

Trending Articles



Latest Images