I reset my hAP ac2 and started setting it up from scratch, building my LAN with the VLAN feature. Before I go ahead and set up other fancy stuff on it, like load balancing and PBR, I'd like you to take a look at my setup and tell me whether you see anything wrong with it, or whether it can be improved. Thanks
Here is my configuration:
# 2024-04-27 14:18:27 by RouterOS 7.14.3
# software id = 5Z4J-31GG
#
# model = RBD52G-5HacD2HnD
#
# Layout as exported: one VLAN-aware bridge (bridge1) carrying three access VLANs
# (10 main, 20 server, 30 guest) that are routed on this router, plus two uplinks
# in the WAN list: ether1 and the 2.4 GHz radio (wlan1-WAN2, no mode= is exported,
# so presumably the default station mode toward the "moto g" hotspot - confirm).
# The "# review:" lines below are remarks only; they do not change the config.
/interface bridge
# review: bridge1 admits tagged frames only and is never listed as an untagged
# member in "/interface bridge vlan" below, so there is no untagged path onto the
# router's own VLAN interfaces - good.
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] comment="My PC" name=ether2-access10
set [ find default-name=ether3 ] name=ether3-access10
set [ find default-name=ether4 ] comment=Server name=ether4-access20
set [ find default-name=ether5 ] name=ether5-access30
/interface vlan
# review: one L3 interface per VLAN on the bridge; these are the gateways and
# the DHCP server interfaces used below.
add interface=bridge1 name=vlan10-main vlan-id=10
add interface=bridge1 name=vlan20-server vlan-id=20
add interface=bridge1 name=vlan30-guest vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
# review: every profile is WPA2-PSK with dynamic keys (the legacy wireless package
# has no WPA3). The default profile is not referenced by any wlan below.
# Hardening worth considering on the AP profiles: disable-pmkid=yes, so the AP does
# not hand out the PMKID in the first EAPOL frame (a known WPA2-PSK offline-attack aid).
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=ap-2.4 \
supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=motog \
supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=ap-5 \
supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=ap-2.4-guest \
supplicant-identity=""
/interface wireless
# review: wlan1-WAN2 is the 2.4 GHz radio used as an uplink (WAN list + dhcp-client
# below); wlan3 and wlan4-guest are virtual APs on top of it, so they share its
# channel and disappear whenever the hotspot uplink is down. WPS is off everywhere - good.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=france disabled=no \
frequency=2437 name=wlan1-WAN2 security-profile=motog ssid="moto g" \
wps-mode=disabled
set [ find default-name=wlan2 ] country=france disabled=no mode=ap-bridge \
security-profile=ap-5 ssid=mik5 wps-mode=disabled
# review: vlan-id=10 / vlan-id=30 on the two virtual APs has no effect while
# vlan-mode is left at its default (presumably no-tag - confirm); VLAN placement is
# actually done by the bridge port pvid further down. Harmless, but misleading.
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
master-interface=wlan1-WAN2 multicast-buffering=disabled name=wlan3 \
security-profile=ap-2.4 ssid=mik2 vlan-id=10 wds-cost-range=0 \
wds-default-cost=1 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
master-interface=wlan1-WAN2 multicast-buffering=disabled name=wlan4-guest \
security-profile=ap-2.4-guest ssid=guest vlan-id=30 wds-cost-range=0 \
wds-default-cost=1 wps-mode=disabled
/ip hotspot profile
# review: leftover default; no hotspot server is defined in this export, harmless.
set [ find default=yes ] html-directory=hotspot
/ip pool
# review: .1-.99 of each subnet is kept out of the pools for static leases.
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool3 ranges=172.16.30.100-172.16.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan10-main name=dhcp-vlan10
add address-pool=dhcp_pool2 interface=vlan20-server name=dhcp-vlan20
add address-pool=dhcp_pool3 interface=vlan30-guest name=dhcp-vlan30
/queue simple
# review: guest bandwidth cap. This only sees traffic because fasttrack is disabled
# in the forward chain below - fasttracked packets bypass simple queues.
add burst-limit=7M/10M burst-threshold=7M/10M burst-time=10s/10s max-limit=\
5M/8M name=GUEST-Subnet target=172.16.30.0/24
/interface bridge port
# review: every port is a pure access port (untagged / priority-tagged only, pvid
# set); there is no trunk, so no tagged frame can enter the bridge from a port.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2-access10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3-access10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4-access20 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5-access30 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan4-guest pvid=30
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# review: VLANs 10 and 30 are spread over several entries and only the first entry
# of each VLAN carries tagged=bridge1. If RouterOS merges same-ID entries the effective
# membership is the union and this works as-is; one entry per VLAN listing all ports
# (e.g. tagged=bridge1 untagged=ether2-access10,ether3-access10,wlan2,wlan3 vlan-ids=10)
# is clearer and does not depend on that merge behaviour - confirm on the device.
add bridge=bridge1 tagged=bridge1 untagged=ether2-access10 vlan-ids=10
add bridge=bridge1 untagged=ether3-access10 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4-access20 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether5-access30 vlan-ids=30
add bridge=bridge1 untagged=wlan2 vlan-ids=10
add bridge=bridge1 untagged=wlan3 vlan-ids=10
add bridge=bridge1 untagged=wlan4-guest vlan-ids=30
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=wlan1-WAN2 list=WAN
add interface=vlan10-main list=LAN
add interface=vlan20-server list=LAN
add interface=vlan30-guest list=LAN
/ip address
add address=172.16.10.1/24 interface=vlan10-main network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20-server network=172.16.20.0
add address=172.16.30.1/24 interface=vlan30-guest network=172.16.30.0
/ip dhcp-client
# review: use-peer-dns=no keeps the ISP/hotspot resolvers out of /ip dns, which the
# scheduler script below manages. Both clients install a default route at the default
# distance; until PBR is in place, setting default-route-distance on one of them makes
# the preferred uplink explicit instead of leaving it to the routing table.
add interface=ether1-WAN1 use-peer-dns=no
add interface=wlan1-WAN2 use-peer-dns=no
/ip dhcp-server lease
# review: 172.16.10.100 (My-PC) sits inside dhcp_pool1 while the other static leases
# are below the pools. RouterOS honours it, but keeping all static leases outside the
# pool ranges is tidier.
add address=172.16.10.100 client-id=1:44:8a:5b:c9:fb:7c comment=My-PC \
mac-address=44:8A:5B:C9:xx:xx server=dhcp-vlan10
add address=172.16.20.10 client-id=\
ff:cb:39:a:c7:0:2:0:0:ab:11:bf:f9:6a:1b:df:2:97:92 comment=Server \
mac-address=20:CF:30:17:39:2F server=dhcp-vlan20
add address=172.16.10.11 client-id=1:0:26:ab:39:f3:44 comment=Printer \
mac-address=00:26:AB:39:F3:44 server=dhcp-vlan10
add address=172.16.30.3 client-id=1:78:ab:bb:4d:24:33 comment=SmartTV \
mac-address=78:AB:BB:4D:24:33 server=dhcp-vlan30
add address=172.16.10.12 client-id=1:0:c:29:3a:86:fd comment=GNS3 \
mac-address=00:0C:29:3A:86:FD server=dhcp-vlan10
/ip dhcp-server network
# review: all three VLANs are handed 172.16.10.1 (the vlan10 address) as DNS. It
# works because the input chain accepts DNS from the whole LAN list and the dst-nat
# rules catch port 53 anyway, but handing each VLAN its own gateway address as
# dns-server avoids guest/server clients addressing the router on another VLAN.
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.10.1 gateway=172.16.20.1
add address=172.16.30.0/24 dns-server=172.16.10.1 gateway=172.16.30.1
/ip dns
# review: allow-remote-requests=yes turns the router into a resolver; exposure to the
# WAN side rests entirely on the input chain below ("drop all else"), so keep it.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
# review: Winbox only from the main VLAN. For defence in depth also pin the service
# itself: /ip service set winbox address=172.16.10.0/24 (not set in this export).
add action=accept chain=input dst-port=8291 in-interface=vlan10-main \
protocol=tcp
# review: this accepts established,related but not untracked, while the forward rule
# below includes untracked. No /ip firewall raw section is exported, so nothing is
# untracked today; just an inconsistency with the defconf wording.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
# review: LAN sources get a logged ICMP admin-prohibited; anything else (WAN) is
# silently dropped by the final rule - good, the router is closed from the outside.
add action=reject chain=input in-interface-list=LAN log=yes log-prefix=\
rej_LAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# review: fasttrack intentionally disabled (required for the GUEST-Subnet queue);
# the price is that all forwarded traffic is CPU-processed.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# review: inter-VLAN policy - main may initiate to any LAN VLAN; server and guest
# cannot initiate to other VLANs except the single Plex rule (SmartTV -> server:32400);
# everything else from LAN is rejected below. Good separation.
add action=accept chain=forward in-interface=vlan10-main out-interface-list=\
LAN
add action=accept chain=forward comment="Accept Plex" dst-address=\
172.16.20.10 dst-port=32400 protocol=tcp src-address=172.16.30.3
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
# review: this also accepts future WAN port-forwards. With no WAN dst-nat rule in this
# export it has nothing to match yet - the DNS redirects below target the router's
# own address, so that traffic ends up in the input chain, not forward.
add action=accept chain=forward comment=\
"allow dst-nat from both WAN and LAN (including port forwarding)" \
connection-nat-state=dstnat
add action=reject chain=forward in-interface-list=LAN reject-with=\
icmp-admin-prohibited
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# review: DNS redirect. Two issues with both rules:
# (1) no in-interface-list=LAN match, so port-53 packets arriving on either WAN
#     interface are rewritten and logged too (log=yes) - needless log noise.
# (2) if 172.16.20.10 (the primaryDNS the scheduler script switches to) forwards or
#     recurses upstream on plain port 53, its own outbound queries match here, are
#     bounced back to the router, which forwards them to 172.16.20.10 again: a loop.
# The src-address=!172.16.10.1 match buys nothing - router-originated packets do
# not traverse dstnat. Suggest: in-interface-list=LAN plus
# src-address-list=!<your-resolvers> (an address list holding 172.16.20.10) on both rules.
add action=dst-nat chain=dstnat dst-address=!172.16.10.1 dst-port=53 log=yes \
protocol=udp src-address=!172.16.10.1 to-addresses=172.16.10.1 to-ports=\
53
add action=dst-nat chain=dstnat dst-address=!172.16.10.1 dst-port=53 log=yes \
protocol=tcp src-address=!172.16.10.1 to-addresses=172.16.10.1 to-ports=\
53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip service
# review: telnet/ftp/www/ssh/api/api-ssl off; the services not listed (winbox,
# www-ssl) keep their defaults. Winbox is the sole management path and is already
# limited to vlan10-main by the input chain; restricting its address= as well is cheap.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=miky
/system note
set show-at-login=no
/system routerboard mode-button
# review: the physical mode button toggles the 5 GHz AP (wlan2) on/off; anyone with
# physical access can flip it. Not a hole, just be aware of it.
set enabled=yes on-event=\
"/interface wireless set wlan2 disabled=(![get wlan2 disabled])"
/system scheduler
# review: DNS failover check every 30 s - resolves google.com via 172.16.20.10 and
# flips /ip dns servers between that host and 1.1.1.1,8.8.8.8. The script only reads
# and sets /ip dns and writes log entries, yet it runs with a very broad policy
# (reboot, password, sensitive, ...); least privilege would be read,write (plus test
# if :resolve needs it - confirm on the device). The :put line produces output that
# is discarded when run from the scheduler and can go. Do not insert anything inside
# the quoted on-event body below - it is one continued string.
add interval=30s name=DNSscript on-event="# set variables\r\
\n:local primaryDNS \"172.16.20.10\";\r\
\n:local fallbackDNS \"1.1.1.1,8.8.8.8\";\r\
\n:local currentDNS;\r\
\n:set \$currentDNS [/ip dns get servers];\r\
\n#:log warning \"What I got is: \$currentDNS\"\r\
\n#:log warning \"What I want to see is: \$primaryDNS\"\r\
\n:do {\r\
\n:put [resolve google.com server=\$primaryDNS];\r\
\nif (\$currentDNS!=\$primaryDNS) do={\r\
\n:log warning \"DNS Failover: Switching to primaryDNS\";\r\
\n/ip dns set servers \$primaryDNS\r\
\n} else={}\r\
\n} on-error={ :set \$currentDNS [/ip dns get servers];\r\
\nif (\$currentDNS!=\$fallbackDNS) do={\r\
\n:log error \"DNS Failover: Switching to FallbackDNS\";\r\
\n/ip dns set servers \$fallbackDNS;\r\
\n} else={:log info \"Using Failover DNS, Primary Unavailable\"}\r\
\n}\r\
\n#try to reach google through the primaryDNS\r\
\n#if it works and we are on a different DNS, set the DNS server to the pr\
imaryDNS\r\
\n#if it works and we are already on the primaryDNS, do nothing\r\
\n#if we can't reach google and we aren't already on our FallbackDNS, swit\
ch to fallback\r\
\n#if we can't reach google through primaryDNS and we are on the fallback,\
\_log that primaryDNS is unavailable" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-04-26 start-time=14:52:29
/tool mac-server
# review: MAC-telnet off on every interface - good. mac-winbox and
# /ip neighbor discovery-settings are not in this export, so they are at their
# defaults; check both are limited to the LAN list (or none) as well.
set allowed-interface-list=none