I apologize, here is the complete configuration
Code:
/interface bridgeadd name=bridge-trunk vlan-filtering=yes/interface ethernetset [ find default-name=ether1 ] comment="ISP1 - TIM FWA"set [ find default-name=ether2 ] comment="ISP2 - SKY DSL"set [ find default-name=ether3 ] comment="VLAN_10 - Office"set [ find default-name=ether4 ] comment="VLAN_10 - Office"set [ find default-name=ether5 ] comment="VLAN_20 - VoIP"set [ find default-name=ether6 ] comment="VLAN_30 - Security"set [ find default-name=ether7 ] comment="VLAN_40 - Guest"set [ find default-name=ether8 ] comment="VLAN_50 - IoT"set [ find default-name=ether9 ] comment="VLAN_99 - Management"set [ find default-name=ether10 ] comment=TRUNKset [ find default-name=sfp-sfpplus1 ] disabled=yes/interface vlanadd interface=bridge-trunk name="vlan10 - Office" vlan-id=10add interface=bridge-trunk name="vlan20 - VoIP" vlan-id=20add interface=bridge-trunk name="vlan30 - IoT" vlan-id=30add interface=bridge-trunk name="vlan40 - Guest" vlan-id=40add interface=bridge-trunk name="vlan50 - Security" vlan-id=50add interface=bridge-trunk name="vlan83 - WAN DATA TIM FWA" vlan-id=83add interface=bridge-trunk name="vlan84 - WAN VoIP TIM FWA" vlan-id=84add interface=bridge-trunk name="vlan99 - Management" vlan-id=99/interface pppoe-clientadd disabled=no interface=ether2 name=pppoe-out1 user=aliceadsl/interface listadd name=WANadd name=LAN/ip dhcp-client optionadd code=26 name="option 26 - MTU"/ip pooladd name=dhcp_pool1 ranges=192.168.1.100-192.168.1.199add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.199add name=dhcp_pool3 ranges=192.168.3.100-192.168.3.199add name=dhcp_pool4 ranges=192.168.4.100-192.168.4.199add name=dhcp_pool5 ranges=192.168.5.100-192.168.5.199add name=dhcp_pool6 ranges=192.168.99.100-192.168.99.199/ip dhcp-serveradd address-pool=dhcp_pool1 interface="vlan10 - Office" lease-time=1h name=dhcp1add address-pool=dhcp_pool2 interface="vlan20 - VoIP" lease-time=10m name=dhcp2add address-pool=dhcp_pool3 interface="vlan30 - IoT" lease-time=1h name=dhcp3add address-pool=dhcp_pool4 interface="vlan40 - Guest" lease-time=1h name=dhcp4add address-pool=dhcp_pool5 interface="vlan50 - Security" lease-time=1h name=dhcp5add address-pool=dhcp_pool6 interface="vlan99 - Management" lease-time=1h name=dhcp6/queue treeadd name="1. total-download" parent=bridge-trunk priority=1add name="1. total-upload" packet-mark=UPLOAD parent=pppoe-out1 priority=1add limit-at=1M max-limit=1M name="2. VOIP-DW" packet-mark=SIP_packet,RTP_packet parent="1. total-download" priority=2add limit-at=1M max-limit=1M name="2. VOIP-UP" packet-mark=SIP_packet,RTP_packet parent="1. total-upload" priority=2add limit-at=2M max-limit=10M name="7. TOTALE-GUEST-DW" packet-mark=guest_dw_packet parent="1. total-download" priority=7add limit-at=500k max-limit=2M name="7. GUEST-UP" packet-mark=guest-up-packet parent="1. total-upload" priority=7add name="6. Other_trafic-dw" packet-mark=DOWNLOAD parent="1. total-download" priority=6add name="6. Other-trafic-UP" packet-mark=UPLOAD parent="1. total-upload" priority=6add name="4. INTERVLAN-DW" packet-mark=INTERVLAN-packet-DW parent="1. total-download" priority=4add name="4. INTERVLAN-UP" packet-mark=INTERVLAN-packet-UP parent="1. total-upload" priority=4/queue typeadd kind=pcq name=down-pcq pcq-classifier=dst-address pcq-rate=2Madd kind=pcq name=up-pcq pcq-rate=1M/queue treeadd name="8. GUEST-PCQ-DOWN" parent="7. TOTALE-GUEST-DW" queue=down-pcqadd name="8. GUEST-PCQ-UP" parent="7. GUEST-UP" queue=up-pcq/routing tableadd disabled=no fib name=vlan10/30/99-tableadd disabled=no fib name=vlan20-tableadd disabled=no fib name=vlan40/50-table/interface bridge portadd bridge=bridge-trunk interface=ether3 pvid=10add bridge=bridge-trunk interface=ether4 pvid=10add bridge=bridge-trunk interface=ether5 pvid=20add bridge=bridge-trunk interface=ether6 pvid=30add bridge=bridge-trunk interface=ether7 pvid=40add bridge=bridge-trunk interface=ether8 pvid=50add bridge=bridge-trunk interface=ether9 pvid=99add bridge=bridge-trunk interface=ether10 pvid=10add bridge=bridge-trunk interface=ether1 pvid=83add bridge=bridge-trunk interface=vxlan1 pvid=40/interface bridge vlanadd bridge=bridge-trunk tagged=bridge-trunk,ether10 untagged=ether3,ether4 vlan-ids=10add bridge=bridge-trunk tagged=bridge-trunk,ether10 untagged=ether5 vlan-ids=20add bridge=bridge-trunk tagged=bridge-trunk,ether10 untagged=ether6 vlan-ids=30add bridge=bridge-trunk tagged=bridge-trunk,ether10 untagged=ether7, vlan-ids=40add bridge=bridge-trunk tagged=bridge-trunk,ether10 untagged=ether8 vlan-ids=50add bridge=bridge-trunk tagged=bridge-trunk,ether10 untagged=ether9 vlan-ids=99add bridge=bridge-trunk tagged=bridge-trunk,ether1 vlan-ids=83add bridge=bridge-trunk tagged=bridge-trunk,ether1 vlan-ids=84add bridge=bridge-trunk comment="AGGIUNGERE ETHER2 COME UNTAGGED E ANCHE NEL BRIDGE PORT CON PVID 1" tagged=bridge-trunk vlan-ids=1/interface list memberadd interface=pppoe-out1 list=WANadd interface="vlan10 - Office" list=LANadd interface="vlan20 - VoIP" list=LANadd interface="vlan30 - IoT" list=LANadd interface="vlan40 - Guest" list=LANadd interface="vlan50 - Security" list=LANadd interface="vlan99 - Management" list=LANadd interface="vlan83 - WAN DATA TIM FWA" list=WANadd interface="vlan84 - WAN VoIP TIM FWA" list=WANadd interface=ether2 list=WAN/ip addressadd address=192.168.1.1/24 interface="vlan10 - Office" network=192.168.1.0add address=192.168.2.1/24 interface="vlan20 - VoIP" network=192.168.2.0add address=192.168.3.1/24 interface="vlan30 - IoT" network=192.168.3.0add address=192.168.4.1/24 interface="vlan40 - Guest" network=192.168.4.0add address=192.168.5.1/24 interface="vlan50 - Security" network=192.168.5.0add address=192.168.99.1/24 interface="vlan99 - Management" network=192.168.99.0add address=192.168.10.10/24 interface=ether2 network=192.168.10.0/ip dhcp-clientadd dhcp-options="hostname,clientid,option 26 - MTU" interface="vlan83 - WAN DATA TIM FWA" script="#-----------------------------------------\ ----------\r\ \n# UPDATE-RECURSIVE-ROUTE-FROM-DHCP-CLIENT BY foisfabio.it\r\ \n# \r\ \n# Script: Dhcp-client-update-recursive-route\r\ \n#\r\ \n# Description: This simple script arises from the need to update a recursive route at each renewal of the DHCP-client lease.\r\ \n# ------------>This is a Vodafone FWA connection that releases public IP in DHCP.\r\ \n#------------->It was not possible to simply flag \"add default route\" as the customer uses recursive routes and Load balance pcc.\r\ \n#------------->The dhcp is running on the \"vlan83 - WAN DATA TIM FWA\" interface and the route is commented like this: \"static-FWA\"\ \r\ \n\r\ \n# Version: 1.1\r\ \n# RouterOS v.7.12\r\ \n# Created: 02/01/2024\r\ \n# Updated: 11/01/2024\r\ \n# Author: Fois Fabio\r\ \n# Editor: Fois Fabio\r\ \n# Website: https://foisfabio.it\r\ \n# Email: consulenza@foisfabio.it\r\ \n\r\ \n\r\ \n{\r\ \n:local interface \"vlan83 - WAN DATA TIM FWA\" \r\ \n:local GWtim [/ip dhcp-client/ get [find where interface=\$interface] value-name=gateway]\r\ \n:put \$GWtim\r\ \n/ip route set [find comment=\"static-FWA\"] gateway=\$GWtim\r\ \n}\r\ \n"add add-default-route=no dhcp-options="hostname,clientid,option 26 - MTU" interface="vlan84 - WAN VoIP TIM FWA" script="#--------------------\ -------------------------------\r\ \n# UPDATE-RECURSIVE-ROUTE-FROM-DHCP-CLIENT BY foisfabio.it\r\ \n# \r\ \n# Script: Dhcp-client-update-recursive-route\r\ \n#\r\ \n# Description: This simple script arises from the need to update a recursive route at each renewal of the DHCP-client lease.\r\ \n# ------------>This is a Vodafone FWA connection that releases public IP in DHCP.\r\ \n#------------->It was not possible to simply flag \"add default route\" as the customer uses recursive routes and Load balance pcc.\r\ \n#------------->The dhcp is running on the \"vlan83 - WAN DATA TIM FWA\" interface and the route is commented like this: \"static-FWA\"\ \r\ \n\r\ \n# Version: 1.1\r\ \n# RouterOS v.7.12\r\ \n# Created: 02/01/2024\r\ \n# Updated: 11/01/2024\r\ \n# Author: Fois Fabio\r\ \n# Editor: Fois Fabio\r\ \n# Website: https://foisfabio.it\r\ \n# Email: consulenza@foisfabio.it\r\ \n\r\ \n\r\ \n{\r\ \n:local interface \"vlan84 - WAN VoIP TIM FWA\" \r\ \n:local GWtim [/ip dhcp-client/ get [find where interface=\$interface] value-name=gateway]\r\ \n:put \$GWtim\r\ \n/ip route set [find comment=\"default-route-VOIP\"] gateway=\$GWtim\r\ \n}\r\ \n" use-peer-ntp=no/ip dhcp-server networkadd address=192.168.1.0/24 dns-server=208.67.222.222 domain=WORKGROUP gateway=192.168.1.1 netmask=24add address=192.168.2.0/24 dns-server=208.67.222.222 domain=VOIPGROUP gateway=192.168.2.1 netmask=24add address=192.168.3.0/24 dns-server=208.67.222.222 domain=iOT.group gateway=192.168.3.1 netmask=24add address=192.168.4.0/24 dns-server=208.67.222.222 domain=GUESTGROUP gateway=192.168.4.1 netmask=24add address=192.168.5.0/24 gateway=192.168.5.1add address=192.168.99.0/24 dns-server=208.67.222.222 gateway=192.168.99.1/ip dnsset allow-remote-requests=yes servers=208.67.222.222,208.67.220.220/ip firewall address-listadd address=10.166.32.0/23 list=WHITE-LISTadd address=172.25.1.0/24 list=WHITE-LISTadd address=192.168.99.0/24 list=WHITE-LISTadd address=inserire.ip list=BLACK-LISTadd address=192.168.1.0/24 list=all-LANadd address=192.168.2.0/24 list=all-LANadd address=192.168.3.0/24 list=all-LANadd address=192.168.4.0/24 list=all-LANadd address=192.168.5.0/24 list=all-LANadd address=192.168.99.0/24 list=all-LANadd address=172.25.1.0/24 list=VPNadd address=1.2.3.4 list=all-Public-IPadd address=192.168.4.0/24 list=GUESTadd address=192.168.10.10 comment="DMZ SKYDSL" list=all-Public-IPadd address=192.168.1.0/24 list=LAN-group1/2add address=192.168.3.0/24 list=LAN-group1/2add address=192.168.99.0/24 list=LAN-group1/2add address=192.168.4.0/24 list=LAN-group2/1add address=192.168.5.0/24 list=LAN-group2/1add address=192.168.2.0/24 list=VOIPadd address=1.1.1.1 list=DNS-RECURSIVEadd address=8.8.4.4 list=DNS-RECURSIVEadd address=192.168.0.0/22 list=LAN_OFFICEadd address=192.168.5.0/24 list=LAN_OFFICE/ip firewall filteradd action=accept chain=input comment="Accept established, related" connection-state=established,relatedadd action=drop chain=input comment="Drop invalid, untracked" connection-state=invalid,untracked connection-type=""add action=accept chain=input comment="Accept icmp" protocol=icmpadd action=accept chain=input comment="Accept Winbox" dst-port=8291,80,22 protocol=tcp src-address-list=WHITE-LISTadd action=drop chain=input dst-port=8291,80,22 protocol=tcp src-address-list=!WHITE-LISTadd action=accept chain=input comment="Allow IPsec NAT" dst-port=4500 in-interface-list=WAN protocol=udpadd action=accept chain=input comment="Allow IKE" dst-port=500 in-interface-list=WAN protocol=udpadd action=accept chain=input comment="Allow L2TP" dst-port=1701 in-interface-list=WAN protocol=udpadd action=drop chain=input comment="Drop all not coming from LAN" disabled=yes in-interface-list=!LANadd action=drop chain=forward comment="VPN only to router" connection-nat-state="" dst-address=!192.168.99.1 src-address=172.25.1.0/24add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \ in-interface-list=WANadd action=drop chain=forward comment=drop_GUEST dst-address-list=LAN_OFFICE src-address-list=GUESTadd action=drop chain=forward dst-address-list=GUEST src-address-list=LAN_OFFICEadd action=accept chain=input dst-port=443 protocol=tcp src-address-list=GUESTadd action=tarpit chain=input protocol=tcp src-address-list=GUESTadd action=accept chain=input dst-port=53 protocol=udp src-address-list=GUESTadd action=drop chain=input protocol=udp src-address-list=GUEST/ip firewall mangleadd action=mark-routing chain=prerouting comment=mark-routing-LAN1--->LAN2 dst-address-list=!all-LAN new-routing-mark=vlan10/30/99-table \ passthrough=yes src-address-list=LAN-group1/2add action=mark-routing chain=prerouting comment=mark-routing-LAN2--->LAN1 dst-address-list=!all-LAN new-routing-mark=vlan40/50-table \ passthrough=yes src-address-list=LAN-group2/1add action=mark-routing chain=prerouting comment=mark-routing-VOIP dst-address-list=!all-LAN new-routing-mark=vlan20-table passthrough=yes \ src-address-list=VOIPadd action=mark-connection chain=forward comment=mark-DOWNLOAD in-interface-list=WAN new-connection-mark=download passthrough=yesadd action=mark-packet chain=forward connection-mark=download new-packet-mark=DOWNLOAD passthrough=yesadd action=mark-connection chain=forward comment=mark-UPLOAD new-connection-mark=upload out-interface-list=WAN passthrough=yesadd action=mark-packet chain=forward connection-mark=upload new-packet-mark=UPLOAD passthrough=yesadd action=mark-connection chain=forward comment=mark-VOIP dst-port=5060-5070 new-connection-mark="SIP_signaling conn" passthrough=yes \ protocol=udpadd action=mark-packet chain=forward connection-mark="SIP_signaling conn" new-packet-mark=SIP_packet passthrough=noadd action=mark-connection chain=forward dst-port=5004-5020 new-connection-mark=RTP_conn passthrough=yes protocol=udpadd action=mark-packet chain=forward connection-mark=RTP_conn new-packet-mark=RTP_packet passthrough=noadd action=mark-packet chain=forward comment=mark-packet-INTERVLAN-DW dst-address-list=LAN_OFFICE in-interface=bridge-trunk new-packet-mark=\ INTERVLAN-packet-DW passthrough=noadd action=mark-packet chain=forward comment=mark-packet-INTERVLAN-UP new-packet-mark=INTERVLAN-packet-UP out-interface=bridge-trunk \ passthrough=no src-address-list=LAN_OFFICEadd action=mark-connection chain=forward comment=mark-DOWNLOAD-GUEST in-interface="vlan40 - Guest" new-connection-mark=guest-down-conn \ out-interface-list=WAN passthrough=yesadd action=mark-packet chain=forward connection-mark=guest-down-conn connection-state="" new-packet-mark=guest-down-packet passthrough=noadd action=mark-connection chain=forward comment=mark-UPLOAD-GUEST in-interface-list=WAN new-connection-mark=guest-up-conn out-interface=\ "vlan40 - Guest" passthrough=yesadd action=mark-packet chain=forward connection-mark=guest-up-conn connection-state="" new-packet-mark=guest-up-packet passthrough=no/ip firewall natadd action=masquerade chain=srcnat comment="Masquerade WAN1" out-interface="vlan83 - WAN DATA TIM FWA" src-address-list=all-LANadd action=masquerade chain=srcnat comment="Masquerade WAN2" out-interface=pppoe-out1 src-address-list=all-LANadd action=masquerade chain=srcnat comment="Masquerade VPN" src-address-list=VPNadd action=dst-nat chain=dstnat comment="Forzatura DNS" dst-address-list=DNS-RECURSIVE dst-port=53 protocol=udp to-addresses=208.67.222.222add action=dst-nat chain=dstnat comment="Port forwarding DVR" dst-address-list=all-Public-IP dst-port=8000 protocol=tcp to-addresses=\ 192.168.1.242/ip firewall rawadd action=drop chain=prerouting comment=Drop_BLACK-LIST in-interface-list=WAN src-address-list=BLACK-LISTadd action=drop chain=prerouting comment=DROP_DNS dst-port=53 in-interface-list=WAN protocol=udp/ip routeadd disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=main suppress-hw-offload=noadd comment=static-SKYDSL disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.10.1 pref-src="" routing-table=main scope=30 \ suppress-hw-offload=no target-scope=10add comment=static-FWA disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.44.1 pref-src="" routing-table=main scope=30 \ suppress-hw-offload=no target-scope=10add check-gateway=ping comment=DEFAULT-ROUTE-BACKUP-MAIN disabled=no distance=22 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \ routing-table=main scope=30 suppress-hw-offload=no target-scope=31add check-gateway=ping comment=DEFAULT-ROUTE-PRIMARY-MAIN disabled=no distance=21 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" \ routing-table=main scope=30 suppress-hw-offload=no target-scope=31add check-gateway=ping comment=default-route-MAIN-vlan10/30/99 disabled=no distance=21 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" \ routing-table=vlan10/30/99-table scope=30 suppress-hw-offload=no target-scope=31add check-gateway=ping comment=default-route-BACKUP-vlan10/30/99 disabled=no distance=22 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \ routing-table=vlan10/30/99-table scope=30 suppress-hw-offload=no target-scope=31add comment=default-route-VOIP disabled=no distance=20 dst-address=0.0.0.0/0 gateway=1.2.3.4 pref-src="" routing-table=vlan20-table scope=30 \ suppress-hw-offload=no target-scope=31add check-gateway=ping comment=default-route-MAIN-vlan40/50 disabled=no distance=21 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \ routing-table=vlan40/50-table scope=30 suppress-hw-offload=no target-scope=31add check-gateway=ping comment=default-route-BACKUP-vlan40/50 disabled=no distance=22 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" \ routing-table=vlan40/50-table scope=30 suppress-hw-offload=no target-scope=31/ip serviceset telnet disabled=yesset ftp disabled=yesset ssh disabled=yesset api disabled=yesset winbox address=192.168.99.0/24,172.25.1.0/24,10.166.32.0/23set api-ssl disabled=yesStatistics: Posted by abbio90 — Sun Jan 14, 2024 5:40 pm