Ik wilde:
- IP krijgen van T-Mobile (vlan 300 whoo)
- VLANs tagged op ether2, switch regelt het dan verder
- Hairpin NAT voor de load balancer (10.0.60.16)
TODO:
- Firewalling
In het voorbeeld hieronder is 1.2.3.4 het externe IP.
# mar/07/2023 09:55:49 by RouterOS 7.8
# software id = 3QH4-F832
#
# model = RB5009UG+S+
# serial number = HE408G2RAV8
#
# Layout as configured below: ether1 carries the ISP uplink as tagged VLAN 300
# (vlan_tmobile) and is not a bridge port; ether2-ether4 are ports of bridge_lan,
# with ether2 the tagged trunk for VLANs 10/40/50/60/80 and ether3/ether4
# untagged in VLAN 10. Routing, DHCP and the firewall work on the per-VLAN
# interfaces.
#
# Review summary (details at the rules concerned):
#  - the input chain accepts everything from every LAN VLAN, guest and IoT included;
#  - the forward chain has no final drop for LAN-originated traffic, so traffic
#    between VLANs falls through to the chain's implicit accept;
#  - two rules carry log-prefix= without log=yes and therefore log nothing;
#  - "*11" is a dangling interface reference (the interface no longer exists).
/interface bridge
# One VLAN-aware bridge. ingress-filtering is explicitly OFF (a non-default value,
# otherwise the export would not print it): the bridge then does not check whether
# a tagged frame's VLAN is in the VLAN table for the port it arrived on.
# NOTE(review): confirm this is intended; with ingress filtering on, a port only
# accepts tagged frames for the VLANs it is listed in under /interface bridge vlan.
add ingress-filtering=no name=bridge_lan vlan-filtering=yes
/interface vlan
# L3 interface per VLAN. All sit on bridge_lan except the ISP VLAN, which sits
# directly on ether1.
add interface=bridge_lan name=vlan_gst vlan-id=80
add interface=bridge_lan name=vlan_iot vlan-id=50
add interface=bridge_lan name=vlan_mgt vlan-id=10
add interface=bridge_lan name=vlan_srv vlan-id=40
# ISP uplink: tagged VLAN 300 on ether1.
add interface=ether1 name=vlan_tmobile vlan-id=300
add interface=bridge_lan name=vlan_tst vlan-id=60
/interface list
# wan: the ISP VLAN only. lan: physical ether2-ether8. lan-vlans: the five routed
# VLAN interfaces. lan-ifs-and-vlans: union of the last two; it is what the input
# chain and neighbor discovery trust.
add name=wan
add name=lan
add name=lan-vlans
add include=lan,lan-vlans name=lan-ifs-and-vlans
/interface wireless security-profiles
# Stock default profile; no wireless interface is configured in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# DHCP ranges .50-.250 in each /24; .1-.49 are left free for static addressing.
add name=ipp_tst ranges=10.0.60.50-10.0.60.250
add name=ipp_srv ranges=10.0.40.50-10.0.40.250
add name=ipp_mgt ranges=10.0.0.50-10.0.0.250
add name=ipp_iot ranges=10.0.50.50-10.0.50.250
add name=ipp_gst ranges=10.0.80.50-10.0.80.250
/ip dhcp-server
# One DHCP server per VLAN interface; lease times differ per segment
# (5m on mgt means clients there renew very often).
add address-pool=ipp_gst interface=vlan_gst lease-time=12h name=dhcpd_gst
add address-pool=ipp_tst interface=vlan_tst lease-time=1d name=dhcpd_tst
add address-pool=ipp_iot interface=vlan_iot lease-time=1d name=dhcpd_iot
add address-pool=ipp_mgt interface=vlan_mgt lease-time=5m name=dhcpd_mgt
add address-pool=ipp_srv interface=vlan_srv lease-time=30m name=dhcpd_srv
/interface bridge port
# ether2 is the trunk towards the switch (tagged membership is in
# /interface bridge vlan below); its pvid=10 means untagged frames on the trunk
# land in the management VLAN. ether3/ether4 are access ports in VLAN 10.
# NOTE(review): frame-types is not set, so the default (admit-all) applies on all
# three ports; admit-only-vlan-tagged on the trunk would keep untagged frames out
# of the management VLAN if the switch tags everything.
add bridge=bridge_lan interface=ether2 pvid=10
add bridge=bridge_lan interface=ether3 pvid=10
add bridge=bridge_lan interface=ether4 pvid=10
/ip neighbor discovery-settings
# Neighbor announcements go out on every LAN port and VLAN, guest included; not on wan.
set discover-interface-list=lan-ifs-and-vlans
/interface bridge vlan
# VLAN table: each VLAN is tagged on the bridge itself (so the vlan_* interfaces
# above receive it) and on the ether2 trunk. ether3/ether4 only get VLAN 10,
# untagged, through their pvid.
add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=80
add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=40
add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=50
add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=60
add bridge=bridge_lan tagged=bridge_lan,ether2 vlan-ids=10
/interface list member
add interface=vlan_tmobile list=wan
# ether5-ether8 are in "lan" but are not bridge ports and carry no address here;
# the membership only matters for the rules that use the lan list (input chain,
# mac-winbox).
add interface=ether2 list=lan
add interface=ether3 list=lan
add interface=ether4 list=lan
add interface=ether5 list=lan
add interface=ether6 list=lan
add interface=ether7 list=lan
add interface=ether8 list=lan
# Guest and IoT are members here, and therefore of lan-ifs-and-vlans as well.
add interface=vlan_gst list=lan-vlans
add interface=vlan_iot list=lan-vlans
add interface=vlan_mgt list=lan-vlans
add interface=vlan_srv list=lan-vlans
add interface=vlan_tst list=lan-vlans
/ip address
# Router address per VLAN. Management uses .2 (the DHCP gateway below matches).
add address=10.0.0.2/24 interface=vlan_mgt network=10.0.0.0
add address=10.0.40.1/24 interface=vlan_srv network=10.0.40.0
add address=10.0.50.1/24 interface=vlan_iot network=10.0.50.0
add address=10.0.60.1/24 interface=vlan_tst network=10.0.60.0
add address=10.0.80.1/24 interface=vlan_gst network=10.0.80.0
# Dangling reference: "*11" is the internal id of an interface that no longer
# exists. This address is dead config and the line is likely to be rejected on
# import; remove it or point it at a real interface. The last srcnat rule below
# has the same problem.
add address=10.2.0.2/30 interface=*11 network=10.2.0.0
/ip dhcp-client
# WAN address via DHCP on the ISP VLAN; ISP-supplied DNS and NTP are ignored in
# favour of the static servers configured further down.
add interface=vlan_tmobile use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# Static reservations by MAC in the tst and gst VLANs.
add address=10.0.60.188 client-id=1:54:2a:1b:66:c9:6e mac-address=54:2A:1B:66:C9:6E server=dhcpd_tst
add address=10.0.80.248 client-id=1:8a:69:83:e0:c3:7d mac-address=8A:69:83:E0:C3:7D server=dhcpd_gst
/ip dhcp-server network
# Gateway per subnet. No dns-server is handed out here.
# NOTE(review): allow-remote-requests is not enabled anywhere in this export, so
# the router itself does not resolve for clients; confirm which DNS address
# clients actually receive.
add address=10.0.0.0/24 gateway=10.0.0.2 netmask=24
add address=10.0.40.0/24 gateway=10.0.40.1 netmask=24
add address=10.0.50.0/24 gateway=10.0.50.1 netmask=24
add address=10.0.60.0/24 gateway=10.0.60.1 netmask=24
add address=10.0.80.0/24 gateway=10.0.80.1 netmask=24
/ip dns
# Upstream resolvers used by the router itself.
set servers=208.67.222.222,208.67.220.220
/ip firewall filter
# ---- input: traffic addressed to the router itself. First match wins. ----
add action=accept chain=input comment="Estab OK" connection-state=established,related
# ICMP from any interface, WAN included, without a rate limit.
add action=accept chain=input comment="Ping in" protocol=icmp
# Everything from every LAN port and VLAN reaches router services. Because
# vlan_gst and vlan_iot are in lan-vlans, guest and IoT clients can reach
# whatever /ip service exposes (not part of this export). Limiting management
# access to vlan_mgt is the obvious tightening.
add action=accept chain=input comment="Lan is OK" in-interface-list=lan-ifs-and-vlans
# Exact duplicate of the rule above; it can never match and can be deleted.
add action=accept chain=input comment="Lan is OK" in-interface-list=lan-ifs-and-vlans
# Catch-all drop (this is what hits WAN). log-prefix is set but log=yes is not,
# so nothing is logged; add log=yes if INBLOCK entries are expected.
add action=drop chain=input log-prefix=INBLOCK
# ---- forward: routed traffic. ----
# Fasttrack: established/related flows take the fast path (hw-offload) and skip
# the rest of this chain, including the logging rules below.
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=related hw-offload=yes
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established hw-offload=yes
add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked
# tst -> internet. The second rule is redundant: vlan_tmobile is the only member
# of the wan list.
add action=accept chain=forward comment="OK: Trust to wan" in-interface=vlan_tst out-interface-list=wan
add action=accept chain=forward comment="OK: Internet trusted" in-interface=vlan_tst out-interface=vlan_tmobile
# Published load balancer; matches the post-dst-nat destination (see /ip firewall nat).
add action=accept chain=forward comment="OK: Loadbalancer" dst-address=10.0.60.16 dst-port=80,443 in-interface=vlan_tmobile protocol=tcp
# NOTE(review): in-interface-list=lan is the physical-port list; routed traffic
# from the VLANs arrives on the vlan_* interfaces (lan-vlans), so this rule
# probably never matches LAN clients. It goes unnoticed only because the chain
# has no final drop for non-WAN traffic (see the bottom of the chain).
add action=accept chain=forward comment="OK: Loadbalancer" dst-address=10.0.60.16 in-interface-list=lan
# Tor relay. The second rule admits the whole 1024-65535 range from WAN to the
# relay host; only 9001 and 9030 are dst-nat'ed below, so it is wider than what
# is actually published.
add action=accept chain=forward comment="OK: Tor" dst-address=10.0.60.33 dst-port=9001,9030,4001,5100 in-interface=vlan_tmobile protocol=tcp
add action=accept chain=forward comment="OK: Tor" dst-address=10.0.60.33 dst-port=1024-65535 in-interface=vlan_tmobile protocol=tcp
# Plex; reached through the dst-nat from external port 31672 below.
add action=accept chain=forward comment="OK: Plex" dst-address=10.0.60.38 dst-port=32400 in-interface=vlan_tmobile protocol=tcp
# srv VLAN may forward anywhere: internet and every other VLAN.
add action=accept chain=forward comment="OK: Internet servers" in-interface=vlan_srv
# Guest: HTTP/HTTPS and DNS. Neither rule limits the destination to wan, so guest
# HTTP/DNS towards the other VLANs is accepted by them as well. Every new guest
# HTTP connection is logged as GSTHTTP, which gets noisy.
add action=accept chain=forward comment="OK: Internet guest (HTTP)" dst-port=80,443 in-interface=vlan_gst log=yes log-prefix=GSTHTTP protocol=tcp
add action=accept chain=forward comment="OK: Internet guest (DNS)" dst-port=53 in-interface=vlan_gst protocol=udp
# Disabled debugging leftover.
add action=accept chain=forward comment="BAD accept all" disabled=yes log=yes log-prefix=fixmeeee
# Both drops only apply to traffic entering from the ISP VLAN. Traffic that starts
# in a LAN VLAN and is not matched above (gst/iot/mgt/tst towards another VLAN)
# falls through to the chain's implicit accept -- this is the open "Firewalling"
# TODO. The invalid-drop also has log-prefix without log=yes and logs nothing.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid in-interface=vlan_tmobile log-prefix=invalid
add action=drop chain=forward comment="Drop all bottom" in-interface=vlan_tmobile log=yes log-prefix=droplul
# ---- output: traffic originated by the router. ----
# "Fixout" accepts and logs everything left over, and the drop after it is
# disabled, so this chain is effectively accept-all with logging.
add action=accept chain=output comment="Estab+rel OK" connection-state=established,related
add action=accept chain=output comment="Out OK NTP" dst-port=123 protocol=udp
add action=accept chain=output comment="Out OK DNS" dst-port=53 protocol=udp
add action=accept chain=output comment=Proton dst-address=77.247.178.180
add action=accept chain=output comment=Fixout log=yes log-prefix=FixOut
add action=drop chain=output comment=Dropout disabled=yes log=yes log-prefix=Dropout
/ip firewall nat
# Outbound masquerade on the ISP VLAN.
add action=masquerade chain=srcnat comment="NAT TMOB" out-interface=vlan_tmobile
# Port forwards from WAN, first match wins: Plex 31672->32400, Tor 9001/9030,
# load balancer 80/443.
add action=dst-nat chain=dstnat comment=plex dst-port=31672 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.38 to-ports=32400
add action=dst-nat chain=dstnat comment=Tor1 dst-port=9001 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.33
add action=dst-nat chain=dstnat comment=Tor2 dst-port=9030 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.33
add action=dst-nat chain=dstnat comment=LB-HTTP dst-port=80 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.16
add action=dst-nat chain=dstnat comment=LB-HTTP dst-port=443 in-interface=vlan_tmobile protocol=tcp to-addresses=10.0.60.16
# Hairpin: LAN clients connecting to the public address (1.2.3.4 is the
# placeholder from the note at the top) are redirected to the load balancer too.
# No in-interface, so it matches any ingress; WAN traffic was already caught by
# the two LB-HTTP rules above.
# NOTE(review): the WAN address comes from DHCP, so a hard-coded public IP goes
# stale; dst-address-type=local is the usual way to avoid that.
add action=dst-nat chain=dstnat comment="Hairpin Binnen naar buiten" dst-address=1.2.3.4 dst-port=80,443 protocol=tcp to-addresses=10.0.60.16
# Hairpin return path: any 10.0.0.0/8 source routed to the LB via vlan_tst is
# masqueraded to the router's vlan_tst address, so replies come back through the
# router. The LB therefore sees the router, not the client, as source.
add action=masquerade chain=srcnat comment="Hairpin binnen" dst-address=10.0.60.16 out-interface=vlan_tst src-address=10.0.80.0/24
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=gw02
/system ntp client
# NTP client; the output chain explicitly allows UDP/123 for it.
set enabled=yes
/system ntp client servers
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org
add address=158.101.221.122
/tool mac-server mac-winbox
# MAC-level Winbox only on the physical LAN ports (ether2-ether8), not on wan.
set allowed-interface-list=lan