Új hozzászólás Aktív témák

• #21082 gF senior tag flexes922 #21077

  Új Válasz 2023-12-22 10:35:44 #21082

  Új hozzászólás

  Összes hozzászólása itt Válaszok az összes hozzászólására itt Válaszok erre a hozzászólásra

  Privát üzenet küldése

  

  gF

  senior tag

  válasz flexes922 #21077 üzenetére

  Én így inulnék el egy üres configon. Gondolom az Eth1 lesz WAN portod.
  Ezek csak alap tűzfal szabályok, de csak rajtad múlik, hogy melyik VLAN-nak mit engedsz meg.

  /interface bridge
add admin-mac=BR_MAC_AD auto-mac=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan_main vlan-id=10
add interface=bridge name=vlan_guest vlan-id=20
add interface=bridge name=vlan_iot vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=VLAN
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=main  supplicant-identity=MikroTik wpa2-pre-shared-key=MAIN_PW
add authentication-types=wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik wpa2-pre-shared-key=GUEST_PW
add authentication-types=wpa2-psk mode=dynamic-keys name=iot supplicant-identity=MikroTik wpa2-pre-shared-key=IOT_PW
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=hungary disabled=no mode=ap-bridge radio-name=nyaralunk security-profile=main ssid=MAIN_SSID wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=WLAN1_MAC_AD master-interface=wlan1 multicast-buffering=disabled name=wlan1_guest security-profile=guest ssid=GUEST_SSID wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=WLAN1_MAC_AD master-interface=wlan1 multicast-buffering=disabled name=wlan1_iot security-profile=iot ssid=IOT_SSID wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=hungary disabled=no mode=ap-bridge radio-name=MAIN_SSID security-profile=main ssid=MAIN_SSID wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=WLAN2_MAC_AD master-interface=wlan2 multicast-buffering=disabled name=wlan2_guest security-profile=guest ssid=GUEST_SSID wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=pool_main ranges=192.168.10.100-192.168.10.199
add name=pool_guest ranges=192.168.20.100-192.168.20.199
add name=pool_iot ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add address-pool=pool_main interface=vlan_main lease-time=1d name=dhcp_main
add address-pool=pool_guest interface=vlan_guest lease-time=1d name=dhcp_guest
add address-pool=pool_iot interface=vlan_iot lease-time=1d name=dhcp_iot
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1_guest pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1_iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2_guest pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 vlan-ids=30
/interface list member
add interface=ether1 list=WAN
add interface=vlan_main list=LAN
add interface=vlan_guest list=VLAN
add interface=vlan_iot list=VLAN
/ip address
add address=192.168.10.1/24 interface=vlan_main network=192.168.10.0
add address=192.168.20.1/24 interface=vlan_guest network=192.168.20.0
add address=192.168.30.1/24 interface=vlan_iot network=192.168.30.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="Accept VLANs" in-interface-list=VLAN
add action=drop chain=input comment="Drop everything else all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Accept LAN to WAN" connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Accept VLANs to WAN" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system note
set show-at-login=no

Új hozzászólás Aktív témák