Use code quotes to shorten up the view on the config. ( black square with white brackets inside )
1) ONE BRIDGE -- ah okay using fact it has two chips..........
2) USE THIS REF: viewtopic.php?t=143620
3) Don't see any wireguard settings??
4. All one needs to do on the bridge itself is adjust the name if so desired and turn on bridge vlan filtering as a last step........... remove bit in orange.
/interface bridge
add frame-types=admit-only-vlan-tagged name=BRIDGE-VLAN-SW1 vlan-filtering=yes
add frame-types=admit-only-vlan-tagged name=BRIDGE-VLAN-SW2 vlan-filtering=yes
5. Why two management ports 3,4 why not take ether4 and make it an OFF BRIDGE access???
If the bridge gets hosed somehow, both will be fubared; much better to have alternate emergency access (which is also useful for any major config changes actually).
6. /interface bridge port
add bridge=BRIDGE-VLAN-SW1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=BRIDGE-VLAN-SW1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99 { unless removed for offbridge access }
add bridge=BRIDGE-VLAN-SW1 interface=ether5
add bridge=BRIDGE-VLAN-SW2 interface=ether6
add bridge=BRIDGE-VLAN-SW2 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE-VLAN-SW2 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10
7. /interface bridge vlan
add bridge=BRIDGE-VLAN-SW2 tagged=BRIDGE-VLAN-SW2,ether7,ether10 vlan-ids=10,20,30,40,50,60,70,80,90,100,200,255
add bridge=BRIDGE-VLAN-SW2 tagged=BRIDGE-VLAN-SW2,ether6,ether7,ether10 vlan-ids=99
add bridge=BRIDGE-VLAN-SW1 tagged=BRIDGE-VLAN-SW1,ether5 untagged=ether3,ether4 vlan-ids=99
8. /interface list member ( ether3,4 entries were bogus, forgot to add mgmt to LAN list as well )
add interface=PPPoE-AlgarTelecom list=WAN
add interface=ether2 list=WAN
add interface=VLAN10-TrustedNetwork list=LAN
add interface=VLAN20-FamilyNetwork list=LAN
add interface=VLAN30-LegacyNetwork list=LAN
add interface=VLAN40-GuestsNetwork list=LAN
add interface=VLAN50-IoTNetwork list=LAN
add interface=VLAN60-StreamingNetwork list=LAN
add interface=VLAN70-PrintersNetwork list=LAN
add interface=VLAN80-VoIPNetwork list=LAN
add interface=VLAN90-SecurityNetwork list=LAN
add interface=VLAN99-ManagementNetwork list=LAN
add interface=VLAN100-ServersNetwork list=LAN
add interface=VLAN200-WireguardNetwork list=LAN
add interface=VLAN255-DemilitarizedNetworkNetwork list=LAN
add interface=futureWireguard list=LAN
add interface=VLAN99-ManagementNetwork list=Management
9. Firewall rules are bloated IMHO; KISS is what I recommend, and organized, clear rules (keeping chains together etc.) are easy to troubleshoot and modify later.
Why are you port knocking? Removed, USE WG.
/ip firewall address-list { based on fixed static DHCP leases mostly }
add address=10.0.99.X/32 list=Authorized comment="admin wired connection"
add address=10.0.99.Y/32 list=Authorized comment="admin wifi connection"
add address=10.0.10.Z/32 list=Authorized comment="admin on trusted network"
add address=10.0.2.A/32 list=Authorized comment="admin remote laptop wireguard"
add address=10.0.2.B/32 list=Authorized comment="admin remote smartphone wireguard"
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP " protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=15427 protocol=udp { future wireguard }
add action=accept chain=input comment="allow admin access" src-address-list=Authorized
add action=accept chain=input comment="DNS & NTP services for LAN" dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="DNS services for LAN" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this as the last rule so you don't lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=accept chain=forward comment="admin vlan access" in-interface-list=Management out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
Remove all other blocking rules for now (raw, etc.); could add some back later.
Statistics: Posted by llamajaja — Wed Apr 03, 2024 8:25 pm
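Added example, not from llamajaja's post: a small Python first-match simulator for the input chain proposed above, so the effect of rule order (and of the final drop) can be checked against sample packets before the rules are committed to the router. The addresses, the single-list interface membership and the rule copy are constructed stand-ins for the post's placeholders.

```python
# Constructed stand-ins for the post's 10.0.99.X / 10.0.10.Z placeholders.
ADDRESS_LISTS = {"Authorized": {"10.0.99.10", "10.0.10.20"}}

# Constructed copy of the post's input chain, comments dropped. Order matters:
# RouterOS evaluates top to bottom and the first matching rule decides.
INPUT_CHAIN = """
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=15427 protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input
"""


def parse_chain(text):
    """Turn 'add k=v k=v ...' export lines into a list of matcher dicts."""
    return [dict(kv.split("=", 1) for kv in line.split()[1:])
            for line in text.strip().splitlines()]


def matches(rule, pkt):
    # Every matcher present in the rule must hold; absent matchers match anything.
    # Simplification: a packet belongs to exactly one interface list here.
    checks = {
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: str(pkt["dport"]) in v.split(","),
        "src-address-list": lambda v: pkt["src"] in ADDRESS_LISTS.get(v, set()),
        "in-interface-list": lambda v: pkt["iface_list"] == v,
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def verdict(rules, pkt):
    """(action, rule index) of the first match; RouterOS accepts if nothing matches."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], index
    return "accept", None


def shadowed_rules(rules):
    """Indexes of rules placed after a matcher-less catch-all: they can never fire."""
    catch_all = next((i for i, r in enumerate(rules) if set(r) <= {"action", "chain"}), None)
    return [] if catch_all is None else list(range(catch_all + 1, len(rules)))


RULES = parse_chain(INPUT_CHAIN)
# A guest on VLAN40 opening a new TCP session to Winbox (8291) falls through to the
# final drop; the admin address is let in by the Authorized rule before that.
GUEST_WINBOX = {"src": "10.0.40.50", "proto": "tcp", "dport": 8291, "state": "new", "iface_list": "LAN"}
ADMIN_WINBOX = {"src": "10.0.99.10", "proto": "tcp", "dport": 8291, "state": "new", "iface_list": "LAN"}
```

Moving the catch-all drop anywhere but last makes `shadowed_rules` list every rule below it, which is the lockout the post warns about.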