Guys, you've been just great! Great community! So happy to be a part of it!
Let's continue.
I've configured now the CRS326 part and i get VLAN accessed in the correct manner.
This is the config (only crs354 and crs326 - no crs112)
Code CRS354
Code:
# mar/21/2024 15:58:24 by RouterOS 7.9.1
# software id =
#
/interface bridge
add ingress-filtering=no name=bridge-main pvid=999 vlan-filtering=yes
/interface wireguard
add comment="Wireguard for RW's" listen-port=13299 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-main name=vlan100-corp vlan-id=100
add interface=bridge-main name=vlan200-guests vlan-id=200
add interface=bridge-main name=vlan300-cameras vlan-id=300
add interface=bridge-main name=vlan500-dali vlan-id=500
add interface=bridge-main name=vlan600-IoT1 vlan-id=600
add interface=bridge-main name=vlan700-POS vlan-id=700
add interface=bridge-main name=vlan800-IoT2 vlan-id=800
add interface=bridge-main name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=Authorized
add name=WAN
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-vlan100 ranges=10.10.100.100-10.10.100.200
add name=dhcp-vlan200 ranges=10.20.100.1-10.20.100.250
add name=dhcp-vlan300 ranges=10.30.100.100-10.30.100.150
add name=dhcp-vlan500 ranges=10.50.100.100-10.50.100.150
add name=dhcp-vlan600 ranges=10.60.100.100-10.60.100.150
add name=dhcp-vlan700 ranges=10.70.100.100-10.70.100.150
add name=dhcp-vlan800 ranges=10.80.100.100-10.80.100.150
add name=dhcp-vlan999 ranges=10.99.99.50-10.99.99.200
/ip dhcp-server
add address-pool=dhcp-vlan100 interface=vlan100-corp lease-time=4h name=dhcp-corp
add address-pool=dhcp-vlan200 interface=vlan200-guests name=dhcp-guests
add address-pool=dhcp-vlan300 interface=vlan300-cameras lease-time=8h30m name=dhcp-cameras
add address-pool=dhcp-vlan500 interface=vlan500-dali lease-time=8h name=dhcp-dali
add address-pool=dhcp-vlan600 interface=vlan600-IoT1 lease-time=8h name=dhcp-IoT1
add address-pool=dhcp-vlan700 interface=vlan700-POS lease-time=8h name=dhcp-POS
add address-pool=dhcp-vlan800 interface=vlan800-IoT2 lease-time=8h name=dhcp-IoT2
add address-pool=dhcp-vlan999 interface=vlan999-mgmt lease-time=8h name=dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-main interface=ether4 pvid=200
add bridge=bridge-main interface=ether5 pvid=200
add bridge=bridge-main comment="AP's-vlan999" interface=ether6 pvid=999
add bridge=bridge-main interface=ether7 pvid=999
add bridge=bridge-main interface=ether8 pvid=999
add bridge=bridge-main comment="Camera's vlan300" interface=ether9 pvid=300
add bridge=bridge-main interface=ether10 pvid=300
add bridge=bridge-main comment=Dali-vlan500 interface=ether11 pvid=500
add bridge=bridge-main interface=ether12 pvid=500
add bridge=bridge-main comment=IpT1-vlan600 interface=ether13 pvid=600
add bridge=bridge-main interface=ether14 pvid=600
add bridge=bridge-main comment=POS interface=ether15 pvid=700
add bridge=bridge-main interface=ether16 pvid=700
add bridge=bridge-main interface=ether17 pvid=700
add bridge=bridge-main comment=IoT2-vlan800 interface=ether18 pvid=800
add bridge=bridge-main interface=ether19 pvid=800
add bridge=bridge-main comment="Trunk Connection to CRS326" ingress-filtering=no interface=ether20 pvid=999
add bridge=bridge-main comment="Trunk Connection to CRS112" ingress-filtering=no interface=ether21 pvid=999
add bridge=bridge-main comment="Spare trunk port" interface=ether22
add bridge=bridge-main comment="mgmt port" frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=999
add bridge=bridge-main interface=ether3 pvid=100
add bridge=bridge-main interface=ether2 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=100
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=200
add bridge=bridge-main tagged=bridge-main untagged=ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=999
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=300
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=500
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=600
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=700
add bridge=bridge-main tagged=bridge-main vlan-ids=800
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan300-cameras list=LAN
add interface=vlan200-guests list=LAN
add interface=vlan500-dali list=LAN
add interface=vlan600-IoT1 list=LAN
add interface=vlan700-POS list=LAN
add interface=vlan800-IoT2 list=LAN
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
/interface wireguard peers
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=wireguard1 public-key="blalbala="
add allowed-address=172.16.0.3/32 comment="RW2 - 600" interface=wireguard1 public-key="blalbala+blalbala="
add allowed-address=172.16.0.4/32 comment="RW3 - vlan700" interface=wireguard1 public-key="blalbala="
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=wireguard1 public-key="blalbala="
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.254 gateway=10.10.100.254
add address=10.20.100.0/24 dns-server=10.20.100.254 gateway=10.20.100.254
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
add address=10.50.100.0/24 dns-server=10.50.100.254 gateway=10.50.100.254
add address=10.60.100.0/24 dns-server=10.60.100.254 gateway=10.60.100.254
add address=10.70.100.0/24 dns-server=10.70.100.254 gateway=10.70.100.254
add address=10.80.100.0/24 dns-server=10.80.100.254 gateway=10.80.100.254
add address=10.99.99.0/24 dns-server=10.99.99.254 gateway=10.99.99.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.0.200 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access" src-address-list=Authorized
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access" out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="User1-RW1 vlan300 access" dst-address=10.30.100.100 in-interface=wireguard1 src-address=172.16.0.2
add action=accept chain=forward comment="User2-RW2 vlan600 access" dst-address=10.60.100.100 in-interface=wireguard1 src-address=172.16.0.3
add action=accept chain=forward comment="User3-RW3 vlan700 access" dst-address=10.70.100.100 in-interface=wireguard1 src-address=172.16.0.4
add action=accept chain=forward comment="User4-RW4 vlan999 access" dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=172.16.0.5
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
/system note
set show-at-login=no
Code CRS326
Code:
# mar/21/2024 15:53:14 by RouterOS 7.9.1
# software id =
#
/interface bridge
add ingress-filtering=no name=bridge-leaf2-326 pvid=999 vlan-filtering=yes
/interface vlan
add interface=bridge-leaf2-326 name=vlan100-corp vlan-id=100
add interface=bridge-leaf2-326 name=vlan200-guests vlan-id=200
add interface=bridge-leaf2-326 name=vlan300-cameras vlan-id=300
add interface=bridge-leaf2-326 name=vlan500-dali vlan-id=500
add interface=bridge-leaf2-326 name=vlan600-IoT1 vlan-id=600
add interface=bridge-leaf2-326 name=vlan700-POS vlan-id=700
add interface=bridge-leaf2-326 name=vlan800-IoT2 vlan-id=800
add interface=bridge-leaf2-326 name=vlan999-mgmt vlan-id=999
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether1 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether2 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether3 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether4 pvid=300
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether5 pvid=600
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether6 pvid=700
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether7 pvid=700
/interface bridge vlan
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=100
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=200
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=300
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=500
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=600
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=700
add bridge=bridge-leaf2-326 vlan-ids=999
/ip dhcp-client
add interface=bridge-leaf2-326
/system identity
set name=Mikrotik-Leaf2-CRS326
/system note
set show-at-login=no
Is this VLAN approach good/correct?
Thanks for any help!
korg
Statistics: Posted by korg — Thu Mar 21, 2024 6:03 pm
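An added consistency check (my own example, not from the post or from MikroTik) that parses the /interface bridge port and /interface bridge vlan sections of both exports and compares what the CRS354 ether20 and CRS326 ether1 ends of the trunk carry tagged versus untagged, plus which bridge VLANs a port does not carry at all. It assumes RouterOS's behaviour of adding a dynamic untagged membership for each port's PVID, and runs on constructed excerpts of the two exports above.

```python
import re
from collections import defaultdict

def parse_bridge_vlans(export_text):
    # (tagged, untagged): port -> VLAN ids, from /interface bridge port and vlan sections
    section, pvid, tagged, untagged = None, {}, defaultdict(set), defaultdict(set)
    for line in export_text.replace("\\\n", "").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
            if section == "/interface bridge port":
                pvid[kv["interface"]] = int(kv.get("pvid", 1))
            elif section == "/interface bridge vlan":
                vids = {int(v) for v in kv["vlan-ids"].split(",")}
                for p in filter(None, kv.get("tagged", "").split(",")):
                    tagged[p] |= vids
                for p in filter(None, kv.get("untagged", "").split(",")):
                    untagged[p] |= vids
    for port, vid in pvid.items():  # assumption: RouterOS adds a dynamic untagged entry per PVID
        untagged[port].add(vid)
    return tagged, untagged

def trunk_mismatch(a_text, a_port, b_text, b_port):
    # VLANs carried differently (tagged vs untagged) on the two ends of one trunk link
    a_t, a_u = (m.get(a_port, set()) for m in parse_bridge_vlans(a_text))
    b_t, b_u = (m.get(b_port, set()) for m in parse_bridge_vlans(b_text))
    return {"tagged": a_t ^ b_t, "untagged": a_u ^ b_u}

def vlans_missing_on_port(export_text, port):
    # VLANs in the bridge table that this port neither tags nor untags
    tagged, untagged = parse_bridge_vlans(export_text)
    all_vids = set().union(*tagged.values(), *untagged.values())
    return all_vids - tagged.get(port, set()) - untagged.get(port, set())
# Constructed excerpts of the two exports above (trunk-relevant lines only)
CRS354 = """/interface bridge port
add bridge=bridge-main comment="Trunk Connection to CRS326" ingress-filtering=no \\
    interface=ether20 pvid=999
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether6,ether20,ether21 vlan-ids=100
add bridge=bridge-main tagged=bridge-main untagged=ether6,ether20,ether21 vlan-ids=999
add bridge=bridge-main tagged=bridge-main vlan-ids=800
"""
CRS326 = """/interface bridge port
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether1 pvid=999
/interface bridge vlan
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=100
add bridge=bridge-leaf2-326 vlan-ids=999
"""
```

On these excerpts both trunk ends agree (999 untagged, the rest tagged) and VLAN 800 is reported as not carried on ether20, matching the export, where vlan-ids=800 is tagged on bridge-main only. The check flags mismatches only; that the management VLAN 999 is the untagged native VLAN of the trunk on both switches is a design choice it does not evaluate.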