(1) WTH(alibut) is this?? ( vlanID is not part of your vlan list AND where is the identified port ???)
add bridge=BR0_LAN tagged=BR0_LAN vlan-ids=1 ?????
(2) Your /interface bridge vlan rules are wrong; they do not match /interface bridge ports. In addition your sfp plus TRUNK port has a pvid assigned in /interface bridge ports.
In that case, if true, it would be a HYBRID port. Assuming this was an error, seeing it's a trunk port on all /interface bridge vlan settings including for vlan-id=200.
Fixed:
/interface bridge port
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether3 pvid=100
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether4 pvid=200
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether6 pvid=10
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether7 pvid=300
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether8 pvid=10
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=sfp-sfpplus1_trunk
/interface bridge vlan
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether5,ether6,ether8 vlan-ids=10
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether3 vlan-ids=100
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether4 vlan-ids=200
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether7 vlan-ids=300
(3) The Bridge has no need to be identified on the interface settings, and in reality only one list entry is needed ( either VLAN or LAN ) but not both in your case.
Thus remove Bridge entry here and fixed:
/interface list member
add interface=ether2_WAN2 list=WAN
add interface=VLAN10_SERVICES list=LAN
add interface=VLAN100_CLIENTS list=LAN
add interface=VLAN200_MGMT list=LAN
add interface=VLAN300_LEGACY list=LAN
add interface=wireguard1_mgmt list=LAN
add interface=VLAN200_MGMT list=MGMT
add interface=wireguard1_mgmt list=MGMT
(4) Remove persistent keepalive setting on allowed IPs. Clearly this router is the Server Peer for handshake so it does not apply.
(5) Complete the dhcp server-network settings
/ip dhcp-server network
add address=10.0.100.0/24 dns-server=10.0.100.1 gateway=10.0.100.1
add address=10.0.200.0/24 dns-server=10.0.200.1 gateway=10.0.200.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
(6) It would appear you have two WANs, but only one set up at the moment????????? Please explain.
(7) FIREWALL RULES fixed... ( of real note missing fasttrack rule ?? )
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
{admin rules}
add action=accept chain=input comment="Wireguard handshake" dst-port=63321 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=MGMT
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else" { add this rule as the last rule entered, so you don't lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{admin rules}
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access to all subnets" in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="allow NAT" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
(8) Addition:
/ip neighbor discovery-settings
set discover-interface-list=MGMT
(9) Addition:
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Statistics: Posted by anav — Mon Jun 03, 2024 3:45 pm
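Added example, not code from anav's reply or from the original poster's config: a small Python checker for the mismatch raised in points (1) and (2), i.e. that every access port's pvid has a matching untagged entry in /interface bridge vlan, that a trunk port does not carry a pvid (the accidental hybrid port the reply describes), and that no VLAN entry lists the bridge alone with no port member. It parses RouterOS export text (including the backslash line continuation seen in the dhcp-server network section). CORRECTED_CONFIG is the fixed bridge config from the reply; BROKEN_CONFIG is a constructed sample that reintroduces the faults.

```python
"""Consistency check between /interface bridge port and /interface bridge vlan.

Added example (not from the forum post). Finds the mismatches discussed in the
reply: a VLAN entry with no port member, an access port whose pvid has no
untagged entry, and a trunk port that still has a pvid (hybrid port).
"""
import shlex

# Corrected bridge config as posted in the reply (expected: no findings).
CORRECTED_CONFIG = """
/interface bridge port
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether3 pvid=100
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether4 pvid=200
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether6 pvid=10
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether7 pvid=300
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether8 pvid=10
add bridge=BR0_LAN ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=sfp-sfpplus1_trunk
/interface bridge vlan
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether5,ether6,ether8 vlan-ids=10
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether3 vlan-ids=100
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether4 vlan-ids=200
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether7 vlan-ids=300
"""

# Constructed sample (assumed input) with the faults the reply complains about:
# trunk with a pvid, ether3 with no untagged entry, a vlan-ids=1 entry with no port.
BROKEN_CONFIG = """
/interface bridge port
add bridge=BR0_LAN frame-type=admit-priority-and-untagged interface=ether3 pvid=100
add bridge=BR0_LAN frame-type=admit-priority-and-untagged interface=ether4 pvid=200
add bridge=BR0_LAN frame-type=admit-only-vlan-tagged interface=sfp-sfpplus1_trunk pvid=200
/interface bridge vlan
add bridge=BR0_LAN tagged=BR0_LAN,sfp-sfpplus1_trunk untagged=ether4 vlan-ids=200
add bridge=BR0_LAN tagged=BR0_LAN vlan-ids=1
"""


def parse_export(text):
    """Parse RouterOS export text into {section: [ {key: value}, ... ]}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):              # section header, e.g. /interface bridge vlan
            current = line
            sections.setdefault(current, [])
            continue
        if line.endswith("\\"):               # export line continuation
            pending += line[:-1]
            continue
        tokens = shlex.split(pending + line)  # shlex keeps comment="..." together
        pending = ""
        if current is None or not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def members(entry, key):
    """Split a comma-separated RouterOS list value into its names."""
    return [m for m in entry.get(key, "").split(",") if m]


def audit_bridge_vlans(text):
    """Return a list of findings; an empty list means ports and VLAN table agree."""
    config = parse_export(text)
    ports = {p["interface"]: p for p in config.get("/interface bridge port", []) if "interface" in p}
    findings, untagged_in, tagged_in = [], {}, {}

    for v in config.get("/interface bridge vlan", []):
        bridge, tagged, untagged = v.get("bridge", ""), members(v, "tagged"), members(v, "untagged")
        for vid in members(v, "vlan-ids"):
            real_ports = [p for p in tagged + untagged if p != bridge]
            if not real_ports:
                findings.append(f"vlan {vid}: no port is a member, only the bridge")
            for p in real_ports:
                if p not in ports:
                    findings.append(f"vlan {vid}: member {p} is not a port of {bridge}")
            if bridge not in tagged:
                findings.append(f"vlan {vid}: {bridge} itself is not tagged, so a VLAN interface on the bridge cannot use it")
            for p in tagged:
                tagged_in.setdefault(p, set()).add(vid)
            for p in untagged:
                untagged_in.setdefault(p, set()).add(vid)

    for name, p in ports.items():
        if p.get("frame-type") == "admit-only-vlan-tagged":      # trunk port
            if "pvid" in p:
                findings.append(f"{name}: trunk port still has pvid={p['pvid']} (hybrid port, untagged member of that VLAN)")
            if name not in tagged_in:
                findings.append(f"{name}: trunk port is tagged in no VLAN, so it carries nothing")
        else:                                                     # access port
            pvid = p.get("pvid", "1")                             # RouterOS default pvid is 1
            if pvid not in untagged_in.get(name, set()):
                findings.append(f"{name}: pvid={pvid} but no untagged entry for vlan {pvid} in /interface bridge vlan")
    return findings


if __name__ == "__main__":
    for label, cfg in (("corrected", CORRECTED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit_bridge_vlans(cfg) or "OK")
```

Paste the two bridge sections of an `/export` into a string and call `audit_bridge_vlans` on it; the parser ignores other sections, so the whole export can be fed in unchanged. The checks are deliberately limited to what the VLAN table and port table say about each other, which is exactly where the posted config went wrong.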