answered

Configuring a Mikrotik RB450g with Telfort

  • 15 November 2018
  • 126 replies
  • 3966 views


Reputation 1
OK, I had a bit of time left, so here is the config. Open to comments, questions, additions..

feb/04/2019 00:47:20 by RouterOS 6.43.8
Mikrotik model = RB750Gr3 (Hex)
Internet and IPTV in routed mode, so with TV apps for Netflix and the like

Telfort fibre IPTV/Internet, no telephony (new fibre modem with 1 UTP port)
The GS105E is on ether5; the second IPTV set-top box hangs off it
LAN network = 192.168.2.0/, bridge IP = 192.168.2.3
The config below has been running for two days now and probably still contains a few small errors, but it works for me.


/interface bridge
add admin-mac=B8:69:XX:XX:EC:1A arp=proxy-arp auto-mac=no comment=defconf \
igmp-snooping=yes name=bridge

# This bridge then takes the place of vlan4: wherever you would fill in vlan4,
# fill in the bridge name instead (except for vlan4 itself, which stays attached to ether1).
add admin-mac=DE:AD:XX:XX:EF:00 auto-mac=no comment="Gespoofde Vlan4 interface\
\_via deze bridge omdat er 2 verschillende mac's gebruikt moeten worden bi\
j de dhcp-client" igmp-snooping=yes name=bridge-NewMac_Vlan4

-------------------------------------------------------------------------------------------------------------
Change MAC address of VLAN interface

Let's suppose you already have working VLAN setup, and just want to change MAC address of the VLAN interface.
We'll use bridge for making this possible!
code:

/interface bridge add name=bridge1 disabled=no
/interface bridge port add bridge=bridge1 disabled=no interface=vlan1
/interface bridge set bridge1 admin-mac=CHOOSE-YOUR-OWN-MAC-ADDRESS auto-mac=no
---------------------------------------------------------------------------------------------------------------


add name=bridge-Wifi
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
# trunk port; the name still has to be changed back to ether5
set [ find default-name=ether5 ] name=ether5-Trunkport

/interface l2tp-server
add comment="L2TP interface voor verbinding van buiten naar Mikrotik via VPN" \
name=l2tp-in1 user=xxx

/interface vlan
add interface=bridge-Wifi name=xxxxx vlan-id=50
add interface=bridge-Wifi name=xxxxxxx vlan-id=54
add interface=bridge-Wifi name="xxxxxx" \
use-service-tag=yes vlan-id=1

add comment="vlan4_IPTV connectie met ether1" interface=ether1-Wan name=vlan4 \
vlan-id=4
add comment="vlan34_Internet connectie met ether1" interface=ether1-Wan name=\
vlan34 vlan-id=34

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name="option60-vendorclass value" value="'IPTV_RG'"
add code=28 name="option28-broadcast value" value="'192.168.2.255'"
/ip dhcp-server option sets
add name=IPTV options="option60-vendorclass value,option28-broadcast value"

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip pool
add name="default-dhcp alleen voor IPTV" ranges=\
192.168.2.242,192.168.2.250,192.168.2.251
add name=DHCPVlan50_Wifi_AP1_Smartphones ranges=10.10.50.10-10.10.50.19
add name="DHCPWifiVlan1(172) Untagged (AP524G)" ranges=\
172.16.0.25-172.16.0.37,172.16.0.10
add name=DHCP_L2PTvpnTool ranges=192.168.99.95-192.168.99.97
add name=DHCPVlan54_Wifi_AP2_Guests ranges=10.10.54.10-10.10.54.16

/ip dhcp-server
add address-pool="default-dhcp alleen voor IPTV" disabled=no interface=bridge \
name=defconf
add address-pool=DHCPVlan50_Wifi_AP1_Smartphones disabled=no interface=\
DHCPVlan50_Wifi_AP1_Smartphones name=DHCPVlan50_Wifi_AP1_Smartphones
add address-pool="DHCPWifiVlan1(172) Untagged (AP524G)" disabled=no \
interface=bridge-Wifi name=\
"DHCP_LinksysWifiVlan(172) Untagged Audio/TV (AP524G)"
add address-pool=DHCPVlan54_Wifi_AP2_Guests disabled=no interface=\
DHCPVlan54_Wifi_AP2_Guests name=DHCPVlan54_Wifi_AP2_Guests

# not relevant for IPTV
/ppp profile
set *FFFFFFFE bridge=bridge dns-server=8.8.8.8 local-address=192.168.2.3 \
remote-address=DHCP_L2PTvpnTool

/routing bgp instance
set default disabled=yes

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge-Wifi comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5-Trunkport
add bridge=bridge-NewMac_Vlan4 interface=vlan4

Admin: MAC addresses partially masked
Reputation 8
Not sure whether you mind sharing the full MAC addresses? But (as of my reply now) you still have at least 30 minutes to partially replace the MAC addresses mentioned near the top of your reply with XX.

I can't say that it's an easy set-up with such a Mikrotik.
Reputation 1
I had already gone to bed!!
Maybe an admin can put some XX in the MACs above.
Reputation 1
Would you be willing to share your full MT config once more? With all the testing on this side, I no longer remember exactly what your config was.

Thanks in advance
Reputation 1

This is the full config, apart from a few address lists.
You can copy/paste the individual sections into an empty config via the terminal.

I now see that the bottom part didn't get pasted along; here it is again:

feb/04/2019 00:47:20 by RouterOS 6.43.8
model = RB750Gr3 (Hex)
Internet and IPTV in routed mode, so with TV apps for Netflix and the like

Telfort fibre (new fibre modem with 1 UTP port)
The GS105E is on ether5; the second IPTV set-top box hangs off it
LAN network = 192.168.2.0/, bridge IP = 192.168.2.3
The config below has been running for two days now and probably still contains a few small errors, but it works for me.

/interface bridge
add admin-mac=B8:69:F4:6C:XX:XX arp=proxy-arp auto-mac=no comment=defconf \
igmp-snooping=yes name=bridge

add admin-mac=DE:AD:00:XX:XX:00 auto-mac=no comment="Gespoofde Vlan4 interface\
\_via deze bridge omdat er 2 verschillende mac's gebruikt moeten worden bi\
j de dhcp-client" igmp-snooping=yes name=bridge-NewMac_Vlan4

------------------------------------------------------------------------------------------------------------- Explanation ---
Change MAC address of VLAN interface

Let's suppose you already have working VLAN setup, and just want to change MAC address of the VLAN interface.
We'll use bridge for making this possible!
code:

/interface bridge add name=bridge1 disabled=no
/interface bridge port add bridge=bridge1 disabled=no interface=vlan1
/interface bridge set bridge1 admin-mac=CHOOSE-YOUR-OWN-MAC-ADDRESS auto-mac=no
---------------------------------------------------------------------------------------------------------------


add name=bridge-Wifi
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
# trunk port; the name still has to be changed back to ether5
set [ find default-name=ether5 ] name=ether5-Trunkport

/interface l2tp-server
add comment="L2TP interface voor verbinding van buiten naar Mikrotik via VPN" \
name=l2tp-in1 user=xxx

/interface vlan
add interface=bridge-Wifi name=xxxxx vlan-id=50
add interface=bridge-Wifi name=xxxxxxx vlan-id=54
add interface=bridge-Wifi name="xxxxxx" \
use-service-tag=yes vlan-id=1

add comment="vlan4_IPTV connectie met ether1" interface=ether1-Wan name=vlan4 \
vlan-id=4
add comment="vlan34_Internet connectie met ether1" interface=ether1-Wan name=\
vlan34 vlan-id=34

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name="option60-vendorclass value" value="'IPTV_RG'"
add code=28 name="option28-broadcast value" value="'192.168.2.255'"
/ip dhcp-server option sets
add name=IPTV options="option60-vendorclass value,option28-broadcast value"

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip pool
add name="default-dhcp alleen voor IPTV" ranges=\
192.168.2.242,192.168.2.250,192.168.2.251
add name=DHCPVlan50_Wifi_AP1_Smartphones ranges=10.10.50.10-10.10.50.19
add name="DHCPWifiVlan1(172) Untagged (AP524G)" ranges=\
172.16.0.25-172.16.0.37,172.16.0.10
add name=DHCP_L2PTvpnTool ranges=192.168.99.95-192.168.99.97
add name=DHCPVlan54_Wifi_AP2_Guests ranges=10.10.54.10-10.10.54.16

/ip dhcp-server
add address-pool="default-dhcp alleen voor IPTV" disabled=no interface=bridge \
name=defconf
add address-pool=DHCPVlan50_Wifi_AP1_Smartphones disabled=no interface=\
DHCPVlan50_Wifi_AP1_Smartphones name=DHCPVlan50_Wifi_AP1_Smartphones
add address-pool="DHCPWifiVlan1(172) Untagged (AP524G)" disabled=no \
interface=bridge-Wifi name=\
"DHCP_LinksysWifiVlan(172) Untagged Audio/TV (AP524G)"
add address-pool=DHCPVlan54_Wifi_AP2_Guests disabled=no interface=\
DHCPVlan54_Wifi_AP2_Guests name=DHCPVlan54_Wifi_AP2_Guests

# not relevant for IPTV
/ppp profile
set *FFFFFFFE bridge=bridge dns-server=8.8.8.8 local-address=192.168.2.3 \
remote-address=DHCP_L2PTvpnTool

/routing bgp instance
set default disabled=yes

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge-Wifi comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5-Trunkport
add bridge=bridge-NewMac_Vlan4 interface=vlan4
add bridge=bridge-Wifi interface=DHCPVlan50_Wifi_AP1_Smartphones pvid=50
add bridge=bridge-Wifi interface="DHCPVlan_Wifi_AP5 (Audio/TV) 172"
add bridge=bridge-Wifi interface=DHCPVlan54_Wifi_AP2_Guests pvid=54

/ip neighbor discovery-settings
set discover-interface-list=LAN

# not relevant for IPTV
/interface l2tp-server server
set enabled=yes ipsec-secret=xxxxxxxx use-ipsec=required

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan34 list=WAN
add interface=bridge-NewMac_Vlan4 list=WAN

/ip address
# IP on the bridge
add address=192.168.2.3/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=172.16.0.3/16 interface=ether3 network=172.16.0.0
add address=10.0.0.3/8 interface=ether4 network=10.0.0.0
add address=10.10.50.3/24 interface=DHCPVlan50_Wifi_AP1_Smartphones network=\
10.10.50.0
add address=10.10.54.3/24 interface=DHCPVlan54_Wifi_AP2_Guests network=\
10.10.54.0
add address=10.142.141.74 disabled=yes interface=vlan4 network=10.142.141.0
add address=192.168.2.149 disabled=yes interface=vlan4 network=255.255.255.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan34
# here, among other places, the bridge name is used instead of vlan4
add add-default-route=special-classless comment=\
"Add Default Route; Special Classless kiezen" default-route-distance=210 \
dhcp-options=option60-vendorclass,hostname,clientid disabled=no \
interface=bridge-NewMac_Vlan4 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease
add address=172.16.0.30 client-id=1:c4:12:f5:xx:xx:ed comment=\
"Dlink DSP-215 wifi stopcontact woonkamer rechts" mac-address=\
C4:12:F5:D8:B0:ED server=\
"DHCP_LinksysWifiVlan(172) Untagged Audio/TV (AP524G)"
add address=172.16.0.32 client-id=1:54:b8:a:75:xx:xx comment=\
"Dlink DSP-215 Wifi Stopcontact computerkamer" mac-address=\
54:B8:0A:75:xx:xx server=\
"DHCP_LinksysWifiVlan(172) Untagged Audio/TV (AP524G)"
# static IP
add address=192.168.2.250 comment=IPTV_beneden dhcp-option-set=IPTV \
lease-time=2d2h mac-address=00:02:9B:E9:xx:xx server=defconf
# static IP
add address=192.168.2.251 client-id=1:0:2:9b:e9:xx:xx comment=IPTV_boven \
dhcp-option-set=IPTV lease-time=2d2h mac-address=00:02:9B:E9:xx:xx \
server=defconf use-src-mac=yes

/ip dhcp-server network
add address=10.10.50.0/24 dns-server=8.8.8.8 gateway=10.10.50.3 netmask=24
add address=10.10.54.0/24 dns-server=8.8.8.8 gateway=10.10.54.3 netmask=24
add address=172.16.0.0/16 dns-server=192.168.2.11,192.168.2.14 gateway=\
172.16.0.3 netmask=16
add address=192.168.2.0/24 comment=defconf dns-server=\
192.168.2.11,192.168.2.14 gateway=192.168.2.3 netmask=24

/ip dns
set allow-remote-requests=yes servers=192.168.2.11,192.168.2.14
/ip dns static
add address=192.168.2.3 name=router.lan

/ip firewall address-list
add address=72.55.172.157 list=BlockedOutgoingIPs
add address=93.93.53.194 list=BlockedOutgoingIPs
add address=192.168.2.3 comment="Router toevoegen aan 3_Netwerken10_172_192" \
list=3_Netwerken10_172_192
add address=10.10.54.0/24 list=Wifi-Guest-Network

/ip firewall filter
add action=accept chain=input comment="Allow IMGP voor IPTV " log=yes \
log-prefix=IGMP_IPTV protocol=igmp
add action=accept chain=input comment="Allow voor IPTV Input UDP" log=yes \
log-prefix=udp_input protocol=udp
add action=accept chain=forward comment="Allow UDP forwaed voor IPTV " \
log=yes log-prefix=forward_3 protocol=udp
add action=accept chain=input comment="Firewall Rule Allow L2TP VPN" \
protocol=ipsec-esp
add action=accept chain=input comment="Firewall Rule Allow L2TP VPN" \
dst-port=500 protocol=udp
add action=accept chain=input comment="Firewall Rule Allow L2TP VPN" \
dst-port=1701 protocol=udp
add action=accept chain=input comment="Firewall Rule Allow L2TP VPN" \
dst-port=4500 protocol=udp
add action=accept chain=forward comment="Firewall Rule Allow L2TP VPN" \
src-address=192.168.99.0/24
add action=accept chain=forward comment=\
"Firewall Rule Allow L2TP VPN-------SSH Werkt nog niet!!!!" disabled=\
yes dst-port=22 log=yes log-prefix=SSH out-interface=l2tp-in1 protocol=\
tcp src-address=192.168.99.0/24
add action=accept chain=input comment=\
"Allow l2PT toegang tot Web winbox voor 192.168.95/97" dst-port=81 log=\
yes protocol=tcp src-address=192.168.99.0/24
add action=accept chain=input comment=\
"Allow l2PT toegang tot Winbox voor 192.168.95/97" dst-port=8291 \
protocol=tcp src-address=192.168.99.0/24
add action=drop chain=input comment="Blokkeer dns requests from Internet" \
dst-port=53 in-interface=vlan34 log=yes protocol=udp
add action=drop chain=input comment="Drop connections van IncomingIPs" \
src-address-list=BlockedIncomingIPs
add action=drop chain=forward comment=\
"Drop connections naar OutgoingIPs en tevens geen LAN netwerk." \
src-address-list=BlockedOutgoingIPs
add action=drop chain=forward comment="Drop connection van BlockedInternetLoka\
lePC, wel LAN network. (geen out-interface instellen, anders heb je geen I\
NTERNET meer op alle Pc's." src-address-list=BlockedInternetLokalePC
add action=drop chain=forward comment="Block Wifi-guests to Lan" \
dst-address-list=3_Netwerken10_172_192 log=yes log-prefix=WifiGuests_drop \
src-address-list=Wifi-Guest-Network
add action=reject chain=forward comment="Block Wifi-guests to Lan" \
dst-address=192.168.2.3 log=yes log-prefix=WifiGuests_drop out-interface=\
bridge reject-with=icmp-net-prohibited src-address=10.10.54.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked " connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=input_16
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix=input_18
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=input_23
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=drop_24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Nat nodig voor IPTV" disabled=yes \
dst-address=213.75.112.0/21 out-interface=bridge-NewMac_Vlan4
# (switched off)
add action=masquerade chain=srcnat comment="Nodig voor IPTV" disabled=yes
add action=masquerade chain=srcnat comment="Nodig voor IPTV" disabled=yes \
out-interface=bridge-NewMac_Vlan4
# (switched off)
add action=dst-nat chain=dstnat comment=\
"Port 90 vanaf Internet naar 172.16.0.29 port 80 FI8907W cam" \
dst-address-type=local dst-port=90 protocol=tcp to-addresses=172.16.0.29 \
to-ports=80
add action=dst-nat chain=dstnat comment="Port 89 vanaf Internet naar 192.168.2\
.199 port 5001 (https) SurveillanceStation" dst-address-type=local \
dst-port=3661 protocol=tcp to-addresses=192.168.2.199 to-ports=3631
add action=dst-nat chain=dstnat comment="Port 443 open voor ActiveSycn Exchan\
ge 2010 en TS Gateway (zitten op dezelfde server (192.168.2.12)" \
dst-address-type=local dst-port=443 protocol=tcp to-addresses=\
192.168.2.12 to-ports=443
add action=dst-nat chain=dstnat comment="Port 80 open voor ActiveSync Exchange\
\_2010 (bij winbox webconfig port80 problemen)" dst-address-type=local \
dst-port=80 protocol=tcp to-addresses=192.168.2.12 to-ports=80
add action=dst-nat chain=dstnat comment="Port 587 open voor ActiveSync Exchang\
e 2010 (bij winbox webconfig port80 problemen)" dst-address-type=local \
dst-port=587 protocol=tcp to-addresses=192.168.2.12 to-ports=587
add action=dst-nat chain=dstnat comment="Port open voor SMTP verkeer naar mail\
server (Dst. Address is voor alle NAT rules ingesteld bij Extra Address T\
ype = local)" dst-address-type=local dst-port=25 protocol=tcp \
to-addresses=192.168.2.12 to-ports=25

/ip service
set www address=192.168.2.0/24,192.168.99.0/24 port=81
set ssh address=192.168.2.0/24,172.16.0.0/16,192.168.99.0/24
set winbox address=192.168.2.0/24,172.16.0.0/16,192.168.99.0/24

/ppp secret
add name=xxxxx password=xxxxxxx profile=default-encryption service=l2tp

/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
# which of these are really necessary????
add alternative-subnets=213.75.160.0/19,217.166.0.0/16,10.220.192.0/20 \
interface=bridge-NewMac_Vlan4 upstream=yes
add interface=bridge

/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Hex
/system logging
add topics=firewall
add topics=ipsec
add action=auth topics=account
add action=auth topics=critical
add topics=igmp-proxy
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Reputation 1
this bit seems a little unclear to me:

add admin-mac=DE:AD:00:XX:XX:00 auto-mac=no comment="Gespoofde Vlan4 interface\ (Deze bridge komt dan in de plaats van vlan4)
\_via deze bridge omdat er 2 verschillende mac's gebruikt moeten worden bi\ (Overal waar je vlan4 invuld, vul je bridge-naam in,
j de dhcp-client" igmp-snooping=yes name=bridge-NewMac_Vlan4 (behalve bij vlan4 gekoppeld aan ether1)

and this bit is help text?
------------------------------------------------------------------------------------------------------------
Change MAC address of VLAN interface

Let's suppose you already have working VLAN setup, and just want to change MAC address of the VLAN interface.
We'll use bridge for making this possible!
code:

/interface bridge add name=bridge1 disabled=no
/interface bridge port add bridge=bridge1 disabled=no interface=vlan1
/interface bridge set bridge1 admin-mac=CHOOSE-YOUR-OWN-MAC-ADDRESS auto-mac=no
---------------------------------------------------------------------------------------------------------------
Reputation 1
First question: yes

add admin-mac=DE:AD:00:XX:XX:00 auto-mac=no comment="Gespoofde Vlan4 interface\
\_via deze bridge omdat er 2 verschillende mac's gebruikt moeten worden bi\
j de dhcp-client" igmp-snooping=yes name=bridge-NewMac_Vlan4

info: (This bridge then takes the place of vlan4)
(Wherever you fill in vlan4, fill in the bridge name instead,
except for vlan4 attached to ether1)
Reputation 1
I pasted your config in via the terminal, but it doesn't work at all.
I think the DHCP settings for the LAN are missing too; they're not in your config either?

Time to build the whole thing up from scratch yet again; luckily there are still a few backups on the MTR.
All in all quite an exercise.
But it's still a rising learning curve 🙂
Reputation 1
I only use DHCP addresses for the IPTV boxes; my other fixed devices have a static IP address

/ip pool
add name="default-dhcp alleen voor IPTV" ranges=\
192.168.2.242,192.168.2.250,192.168.2.251

/ip dhcp-server
add address-pool="default-dhcp alleen voor IPTV" disabled=no interface=bridge \
name=defconf

It's best to paste only a few sections, such as igmp-proxy; the rest you should already have in there. And start from a default config, because pasting only adds.

Otherwise post your current config and I'll have a look.
Reputation 1
I'll post my config here soon; I still have to switch here between the MT2011, which is currently active and works together with the Experia Box. So testing means taking the internet down here every time :-)

I'm now going to put your config in again step by step and then see whether it all works; I'll post the config here then as well.
So start from a default config and not an empty config??
Reputation 1
I started from a default config because of the firewall rules.
Then take ether1 out of the bridge
Reputation 1
For me, ether1 isn't in the bridge in the default config
Reputation 1
Which RouterOS version are you using?
From 6.42 or so, RouterOS no longer works with master ports but with bridges

I use v6.43.8
Reputation 1
I use the same version
Reputation 1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
Reputation 1
Which one do you use as the WAN port?
Put vlan4 and 34 on that one, and that port must then not be in the bridge.
Reputation 1
ether1 as WAN, and indeed vlan 4 and 34 on it

This is where I am now:

/interface bridge
add admin-mac=4C:5E:0C:00:ED:B8 arp=proxy-arp auto-mac=no comment=defconf igmp-snooping=yes name=bridge
add admin-mac=DE:AD:00:BE:EF:00 auto-mac=no comment="Gespoofde Vlan4 interface" igmp-snooping=yes name=bridge-NewMac_Vlan4
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge \
ssid=MikroTik-00EDD0 wireless-protocol=802.11
/interface vlan
add comment="vlan4_IPTV connectie met ether1" interface=ether1-Wan name=vlan4 vlan-id=4
add comment="vlan34_Internet connectie met ether1" interface=ether1-Wan name=vlan34 vlan-id=34
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-NewMac_Vlan4 interface=vlan4
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan34 list=WAN
add interface=bridge-NewMac_Vlan4 list=WAN
Reputation 1
IP addresses, all except the one on ether3? Is that one your Wi-Fi?
Reputation 1
Looks good as far as I can see.
Now assign an IP to the bridge
Reputation 1
They're on there:

/ip address
add address=192.168.2.3/24 comment=defconf interface=bridge network=192.168.2.
add address=192.168.3.3/24 disabled=yes interface=vlan4 network=192.168.3.0
add address=10.0.0.3/8 interface=ether4 network=10.0.0.0
add address=10.142.141.74 disabled=yes interface=vlan4 network=10.142.141.0
add address=192.168.2.149 disabled=yes interface=vlan4 network=255.255.255.0
/ip dhcp-server network
add address=10.10.50.0/24 dns-server=8.8.8.8 gateway=10.10.50.3 netmask=24
add address=10.10.54.0/24 dns-server=8.8.8.8 gateway=10.10.54.3 netmask=24
add address=172.16.0.0/16 dns-server=192.168.2.11,192.168.2.14 gateway=\
172.16.0.3 netmask=16
add address=192.168.2.0/24 comment=defconf dns-server=\
192.168.2.11,192.168.2.14 gateway=192.168.2.3 netmask=24

/ip dns
set allow-remote-requests=yes servers=192.168.2.11,192.168.2.14
/ip dns static
add address=192.168.2.3 name=router.lan

What kind of DNS addresses are those? Your own DNS server, by the looks of it; for now I'll set these to 8.8.8.8 and 8.8.4.4,
and once everything works, the Pi-hole as DNS server again 🙂
They're already on there:

/ip address
add address=192.168.2.3/24 comment=defconf interface=bridge network=192.168.2.
add address=192.168.3.3/24 disabled=yes interface=vlan4 network=192.168.3.0
add address=10.0.0.3/8 interface=ether4 network=10.0.0.0
add address=10.142.141.74 disabled=yes interface=vlan4 network=10.142.141.0
add address=192.168.2.149 disabled=yes interface=vlan4 network=255.255.255.0


It should be 192.168.2.0
Vlan4 must not have an IP range, oh I see it's disabled
The bottom two lines can go, they're disabled anyway
/ip dhcp-server network
add address=10.10.50.0/24 dns-server=8.8.8.8 gateway=10.10.50.3 netmask=24
add address=10.10.54.0/24 dns-server=8.8.8.8 gateway=10.10.54.3 netmask=24
add address=172.16.0.0/16 dns-server=192.168.2.11,192.168.2.14 gateway=\
172.16.0.3 netmask=16
add address=192.168.2.0/24 comment=defconf dns-server=\
192.168.2.11,192.168.2.14 gateway=192.168.2.3 netmask=24

/ip dns
set allow-remote-requests=yes servers=192.168.2.11,192.168.2.14
/ip dns static
add address=192.168.2.3 name=router.lan

What kind of DNS addresses are those? Your own DNS server, by the looks of it; for now I'll set these to 8.8.8.8 and 8.8.4.4,
and once everything works, the Pi-hole as DNS server again :-)


Those 10.10.x.x are wifi DHCP addresses
11 and 14 are my own DNS
Now the complete config as it currently stands:

/interface bridge
add admin-mac=4C:5E:0C:00:ED:B8 arp=proxy-arp auto-mac=no comment=defconf igmp-snooping=yes name=bridge
add admin-mac=DE:AD:00:BE:EF:00 auto-mac=no comment="Gespoofde Vlan4 interface" igmp-snooping=yes name=\
bridge-NewMac_Vlan4
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors \
frequency=auto mode=ap-bridge ssid=MikroTik-00EDD0 wireless-protocol=802.11
/interface vlan
add comment="vlan4_IPTV connectie met ether1" interface=ether1-Wan name=vlan4 vlan-id=4
add comment="vlan34_Internet connectie met ether1" interface=ether1-Wan name=vlan34 vlan-id=34
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name="option60-vendorclass value" value="'IPTV_RG'"
add code=28 name="option28-broadcast value" value="'192.168.2.255'"
/ip dhcp-server option sets
add name=IPTV options="option60-vendorclass value,option28-broadcast value"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="default-dhcp voor PC" ranges=192.168.2.10-192.168.2.240
/ip dhcp-server
add address-pool="default-dhcp voor PC" disabled=no interface=bridge name=defconf
/routing bgp instance
set default disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-NewMac_Vlan4 interface=vlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan34 list=WAN
add interface=bridge-NewMac_Vlan4 list=WAN
/ip address
add address=192.168.2.3/24 comment=defconf interface=bridge network=192.168.2.0
add address=192.168.3.3/24 disabled=yes interface=vlan4 network=192.168.3.0
add address=10.0.0.3/8 interface=ether4 network=10.0.0.0
add address=10.142.141.74 disabled=yes interface=vlan4 network=10.142.141.0
add address=192.168.2.149 disabled=yes interface=vlan4 network=255.255.255.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-Wan
add dhcp-options=hostname,clientid disabled=no interface=vlan34
add add-default-route=special-classless comment="Add Default Route; Special Classless kiezen" \
default-route-distance=210 dhcp-options=option60-vendorclass,hostname,clientid disabled=no interface=\
bridge-NewMac_Vlan4 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.10.50.0/24 dns-server=8.8.8.8 gateway=10.10.50.3 netmask=24
add address=10.10.54.0/24 dns-server=8.8.8.8 gateway=10.10.54.3 netmask=24
add address=172.16.0.0/16 dns-server=192.168.2.11,192.168.2.14 gateway=172.16.0.3 netmask=16
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.11,192.168.2.14 gateway=192.168.2.3 netmask=\
24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.3 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# IPTV rules sit above the defconf catch-all drops and are limited to the IPTV interface (bridge-NewMac_Vlan4)
add action=accept chain=input comment="Allow IGMP voor IPTV" in-interface=bridge-NewMac_Vlan4 log=yes \
log-prefix=IGMP_IPTV protocol=igmp
add action=accept chain=input comment="Allow voor IPTV Input UDP" in-interface=bridge-NewMac_Vlan4 log=yes \
log-prefix=udp_input protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow UDP forward voor IPTV" in-interface=bridge-NewMac_Vlan4 log=yes \
log-prefix=forward_3 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Nat nodig voor IPTV" disabled=yes dst-address=213.75.112.0/21 \
out-interface=bridge-NewMac_Vlan4
add action=masquerade chain=srcnat comment="Nodig voor IPTV" disabled=yes out-interface=bridge-NewMac_Vlan4
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=213.75.160.0/19,217.166.0.0/16,10.220.192.0/20 interface=bridge-NewMac_Vlan4 \
upstream=yes
add interface=bridge
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=CRS125
/system logging
add topics=firewall
add topics=ipsec
add topics=igmp-proxy
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So now to test whether this config actually works.......
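Rule order is what decides whether the IPTV accept rules ever see traffic: placed below the defconf catch-all drops they never match. The following check is an added example and not part of the thread; it parses a RouterOS export (including backslash line continuations) and reports accept rules that an earlier drop in the same chain can swallow. The sample rules are a constructed subset of the posted export, arranged with the IPTV accepts below the catch-all drops, the order that makes them ineffective.

```python
import re
import shlex
# Constructed sample (a subset of the posted export): the IPTV accept rules placed
# below the defconf catch-all drops, the order that makes them ineffective.
SAMPLE_EXPORT = r"""/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow IGMP voor IPTV" log=yes log-prefix=IGMP_IPTV protocol=igmp
add action=accept chain=forward comment="Allow UDP forward voor IPTV" protocol=udp
"""
# Attributes that describe the rule itself rather than the traffic it matches.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

def parse_section(export, section):
    """Return the 'add' commands of one export section as {key: value} dicts, in order."""
    # A trailing backslash continues the line; the next line's leading whitespace is dropped.
    joined = re.sub(r"\\\n[ \t]*", "", export)
    rules, active = [], False
    for line in joined.splitlines():
        if line.startswith("/"):
            active = line.strip() == section
        elif active and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return rules

def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}

def shadowed_accepts(rules):
    """Pairs (accept comment, drop comment) where an earlier drop in the same chain can
    swallow part of the accept rule's traffic: every matcher of the drop is absent from
    the accept or has the same value. Drops matching only invalid state are skipped."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("action") != "accept":
            continue
        m = matchers(rule)
        for earlier in rules[:i]:
            em = matchers(earlier)
            if (earlier.get("action") != "drop" or earlier.get("chain") != rule.get("chain")
                    or em == {"connection-state": "invalid"}):
                continue
            if all(k not in m or m[k] == v for k, v in em.items()):
                findings.append((rule.get("comment", ""), earlier.get("comment", "")))
    return findings
```

Run it against `/export` output of your own router before importing a reordered filter; an empty result means every accept rule sits above the drops that could otherwise hide it.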

They're already on there:

/ip address
add address=192.168.2.3/24 comment=defconf interface=bridge network=192.168.2.
add address=192.168.3.3/24 disabled=yes interface=vlan4 network=192.168.3.0
add address=10.0.0.3/8 interface=ether4 network=10.0.0.0
add address=10.142.141.74 disabled=yes interface=vlan4 network=10.142.141.0
add address=192.168.2.149 disabled=yes interface=vlan4 network=255.255.255.0
It should be 192.168.2.0
Vlan4 must not have an IP range, oh I see it's disabled
The bottom two lines can go, they're disabled anyway



yes, that 0 was a copy/paste slip, it was actually correct 🙂
