๐Ÿ” Karlo Luiten

T-Mobile thuis (NL) Routeros/Mikrotik-configuratie (met VLANs)

โ€”

by

karlo
in

Ik wilde:

  • IP krijgen van T-Mobile (vlan 300 whoo)
  • VLANs tagged op ether2, switch regelt het dan verder
  • Hairpin nat voor load balancer (10.0.60.16)

TODO:

  • Firewalling

In voorbeeld hieronder is 1.2.3.4 het externe IP



# mar/07/2023 09:55:49 by RouterOS 7.8

# software id = 3QH4-F832

#

# model = RB5009UG+S+

# serial number = HE408G2RAV8

/interface bridge

add ingress-filtering=no name=bridge_lan vlan-filtering=yes

/interface vlan

add interface=bridge_lan name=vlan_gst vlan-id=80

add interface=bridge_lan name=vlan_iot vlan-id=50

add interface=bridge_lan name=vlan_mgt vlan-id=10

add interface=bridge_lan name=vlan_srv vlan-id=40

add interface=ether1 name=vlan_tmobile vlan-id=300

add interface=bridge_lan name=vlan_tst vlan-id=60

/interface list

add name=wan

add name=lan

add name=lan-vlans

add include=lan,lan-vlans name=lan-ifs-and-vlans

/interface wireless security-profiles

set [ find default=yes ] supplicant-identity=MikroTik

/ip pool

add name=ipp_tst ranges=10.0.60.50-10.0.60.250

add name=ipp_srv ranges=10.0.40.50-10.0.40.250

add name=ipp_mgt ranges=10.0.0.50-10.0.0.250

add name=ipp_iot ranges=10.0.50.50-10.0.50.250

add name=ipp_gst ranges=10.0.80.50-10.0.80.250

/ip dhcp-server

add address-pool=ipp_gst interface=vlan_gst lease-time=12h name=dhcpd_gst

add address-pool=ipp_tst interface=vlan_tst lease-time=1d name=dhcpd_tst

add address-pool=ipp_iot interface=vlan_iot lease-time=1d name=dhcpd_iot

add address-pool=ipp_mgt interface=vlan_mgt lease-time=5m name=dhcpd_mgt

add address-pool=ipp_srv interface=vlan_srv lease-time=30m name=dhcpd_srv

/interface bridge port

add bridge=bridge_lan interface=ether2 pvid=10

add bridge=bridge_lan interface=ether3 pvid=10

add bridge=bridge_lan interface=ether4 pvid=10

/ip neighbor discovery-settings

set discover-interface-list=lan-ifs-and-vlans

/interface bridge vlan

add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=80

add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=40

add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=50

add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=60

add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=10

/interface list member

add interface=vlan_tmobile list=wan

add interface=ether2 list=lan

add interface=ether3 list=lan

add interface=ether4 list=lan

add interface=ether5 list=lan

add interface=ether6 list=lan

add interface=ether7 list=lan

add interface=ether8 list=lan

add interface=vlan_gst list=lan-vlans

add interface=vlan_iot list=lan-vlans

add interface=vlan_mgt list=lan-vlans

add interface=vlan_srv list=lan-vlans

add interface=vlan_tst list=lan-vlans

/ip address

add address=10.0.0.2/24 interface=vlan_mgt network=10.0.0.0

add address=10.0.40.1/24 interface=vlan_srv network=10.0.40.0

add address=10.0.50.1/24 interface=vlan_iot network=10.0.50.0

add address=10.0.60.1/24 interface=vlan_tst network=10.0.60.0

add address=10.0.80.1/24 interface=vlan_gst network=10.0.80.0

add address=10.2.0.2/30 interface=*11 network=10.2.0.0

/ip dhcp-client

add interface=vlan_tmobile use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease

add address=10.0.60.188 client-id=1:54:2a:1b:66:c9:6e mac-address=54:2A:1B:66:C9:6E server=dhcpd_tst

add address=10.0.80.248 client-id=1:8a:69:83:e0:c3:7d mac-address=8A:69:83:E0:C3:7D server=dhcpd_gst

/ip dhcp-server network

add address=10.0.0.0/24 gateway=10.0.0.2 netmask=24

add address=10.0.40.0/24 gateway=10.0.40.1 netmask=24

add address=10.0.50.0/24 gateway=10.0.50.1 netmask=24

add address=10.0.60.0/24 gateway=10.0.60.1 netmask=24

add address=10.0.80.0/24 gateway=10.0.80.1 netmask=24

/ip dns

set servers=208.67.222.222,208.67.220.220

/ip firewall filter

add action=accept chain=input comment="Estab OK" connection-state=established,related

add action=accept chain=input comment="Ping in" protocol=icmp

add action=accept chain=input comment="Lan is OK" in-interface-list=lan-ifs-and-vlans

add action=accept chain=input comment="Lan is OK" in-interface-list=lan-ifs-and-vlans

add action=drop chain=input log-prefix=INBLOCK

add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=related hw-offload=yes

add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established hw-offload=yes

add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked

add action=accept chain=forward comment="OK: Trust to wan" in-interface=vlan_tst out-interface-list=wan

add action=accept chain=forward comment="OK: Internet trusted" in-interface=vlan_tst out-interface=vlan_tmobile

add action=accept chain=forward comment="OK: Loadbalancer" dst-address=10.0.60.16 dst-port=80,443 in-interface=vlan_tmobile protocol=tcp

add action=accept chain=forward comment="OK: Loadbalancer" dst-address=10.0.60.16 in-interface-list=lan

add action=accept chain=forward comment="OK: Tor" dst-address=10.0.60.33 dst-port=9001,9030,4001,5100 in-interface=vlan_tmobile protocol=tcp

add action=accept chain=forward comment="OK: Tor" dst-address=10.0.60.33 dst-port=1024-65535 in-interface=vlan_tmobile protocol=tcp

add action=accept chain=forward comment="OK: Plex" dst-address=10.0.60.38 dst-port=32400 in-interface=vlan_tmobile protocol=tcp

add action=accept chain=forward comment="OK: Internet servers" in-interface=vlan_srv

add action=accept chain=forward comment="OK: Internet guest (HTTP)" dst-port=80,443 in-interface=vlan_gst log=yes log-prefix=GSTHTTP protocol=tcp

add action=accept chain=forward comment="OK: Internet guest (DNS)" dst-port=53 in-interface=vlan_gst protocol=udp

add action=accept chain=forward comment="BAD accept all" disabled=yes log=yes log-prefix=fixmeeee

add action=drop chain=forward comment="Drop invalid" connection-state=invalid in-interface=vlan_tmobile log-prefix=invalid

add action=drop chain=forward comment="Drop all bottom" in-interface=vlan_tmobile log=yes log-prefix=droplul

add action=accept chain=output comment="Estab+rel OK" connection-state=established,related

add action=accept chain=output comment="Out OK NTP" dst-port=123 protocol=udp

add action=accept chain=output comment="Out OK DNS" dst-port=53 protocol=udp

add action=accept chain=output comment=Proton dst-address=77.247.178.180

add action=accept chain=output comment=Fixout log=yes log-prefix=FixOut

add action=drop chain=output comment=Dropout disabled=yes log=yes log-prefix=Dropout

/ip firewall nat

add action=masquerade chain=srcnat comment="NAT TMOB" out-interface=vlan_tmobile

add action=dst-nat chain=dstnat comment=plex dst-port=31672 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.38 to-ports=32400

add action=dst-nat chain=dstnat comment=Tor1 dst-port=9001 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.33

add action=dst-nat chain=dstnat comment=Tor2 dst-port=9030 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.33

add action=dst-nat chain=dstnat comment=LB-HTTP dst-port=80 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.16

add action=dst-nat chain=dstnat comment=LB-HTTP dst-port=443 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.16

add action=dst-nat chain=dstnat comment="Hairpin Binnen naar buiten" dst-address=1.2.3.4 dst-port=80,443 protocol=tcp to-addresses=10.0.60.16

add action=masquerade chain=srcnat comment="Hairpin binnen" dst-address=10.0.60.16 out-interface=vlan_tst src-address=10.0.0.0/8

# no interface

add action=masquerade chain=srcnat out-interface=*11 src-address=10.0.80.0/24


/system clock

set time-zone-name=Europe/Amsterdam

/system identity

set name=gw02

/system ntp client

set enabled=yes

/system ntp client servers

add address=1.nl.pool.ntp.org

add address=2.nl.pool.ntp.org

add address=3.nl.pool.ntp.org

add address=158.101.221.122

/tool mac-server mac-winbox

set allowed-interface-list=lan