(1) Main issue - you didn't turn on VLAN filtering yet.
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
(2) I gather all your bridge ports save ether8 are trunk ports going to smart devices, and thus I would make some minor modifications.
/interface bridge port
add bridge=BR1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether6 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether7 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether8 pvid=99 ingress-filtering=yes frame-types=admit-priority-and-untagged
Personally I would do something slightly different. I would ensure that the vlan99 that you send down every port save 8 gets to where my PC is located (with a small smart switch at my desk, which could be a cheap hEX or a 5-port Netgear, TP-Link etc.), and run vlan99 untagged on the switch, as well as any other VLAN I regularly tapped into or wanted access to. In that way you can always reach the router from the management VLAN at your desk.
At port 8 I would add another address to the router, 192.168.55.1/24, and assign it to ether8, AFTER removing ether8 from the bridge.
I would add ether8 to the management list etc. In this way you have off-bridge emergency access at the router when something happens to the bridge and VLAN configuration. Hiccups while working on the router do happen from time to time, and knowing (peace of mind) that you have an alternate way of accessing and configuring the router, separate from the VLANs and bridge, is well worth it.
(3) Tad more efficient on /interface bridge vlan, as you only need two entries.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10,20,30,40,50,80,210
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=ether8 vlan-ids=99
(4) Don't understand your list creation entries after the dotted line???
/interface list
add name=WAN
add name=VLAN
add name=MGMT
add name=CC_ACCESS
............................................................................
add include=WAN name=STAFF_ACCESS
add include=WAN name=DEV_SANDBOX_ACCESS
add include=WAN name=GUESTS_1_ACCESS
add include=WAN name=GUESTS_2_ACCESS
add include=WAN name=VIDEO_ACCESS
add include=WAN name=CR_ACCESS
What I don't understand is the purpose of including WAN in the rest of the names??
Perhaps when I get to the firewall rules it will make sense.
(5) Okay, so all VLANs are part of list VLAN (instead of using the LAN name).
HERE IS the weird part: you created names above you don't use???
I see you have ONE only STAFF ACCESS!! but then the list above should simply be...
add name=STAFF_ACCESS
(6) add action=accept chain=input comment="Allow VLAN icmp" in-interface-list=\
VLAN protocol=icmp
Not clear why you limit ICMP to just the VLANs; there is no harm in leaving this as is, per the default rule?? Usually better in most cases, and it also helps in troubleshooting issues, like with WireGuard.
I would remove the bits in orange.
(7) add action=accept chain=input comment="Allow VLAN NTP" dst-port=123 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS & NTP" dst-port=53,123 \
in-interface-list=VLAN protocol=udp
By one addition in the second rule you can remove the first rule...
(8) I do not understand why you have this port 67 rule.
Are you sure you need to have this here? Usually not required 99% of the time.
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
in-interface-list=VLAN protocol=udp
(9) Forward chain rules. One does NOT need to state connection-state=new; it's redundant.
I don't particularly like OPEN-ended rules, as sometimes the consequences are not fully understood.
add action=accept chain=forward comment="MGMT-ALL routing" in-interface-list=MGMT out-interface-list=VLAN
On this rule, by adding the in-interface-list=VLAN, MGMT has access to all VLANs. Isn't that what you desired??
(10) Then you have weird rules such as the one below. What the heck??
add action=accept chain=forward comment="DEV_SANDBOX routing" \
connection-state=new in-interface=DEV_SANDBOX_VLAN out-interface-list=\
DEV_SANDBOX_ACCESS
Ahh, I get it now: you wanted to create individual interface lists for each VLAN to access the WAN... This is a silly, twisted and confusing way that can be accomplished in a much simpler fashion.
EITHER you want all VLANs to reach the internet and do this...
add action=accept chain=forward comment="internet access" in-interface-list=VLAN out-interface-list=WAN
OR you want most of the VLANs to have internet and some not. So create a CLEARER interface list called INTERNET,
then assign VLANs accordingly in interface list members.
/interface list member
add list=INTERNET interface=...
add list=INTERNET interface=...
etc.
So the rule would be
add action=accept chain=forward comment="internet access" in-interface-list=INTERNET out-interface-list=WAN
Statistics: Posted by Mesquite — Sun Feb 25, 2024 2:44 pm
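The advice in points (1) to (10) pulled together into one RouterOS script, as an added example; this is not Mesquite's export nor the thread's original config. It follows the "personally I would" variant (ether8 off the bridge with 192.168.55.1/24, so VLAN 99 is no longer untagged on ether8 and only rides the trunks). Everything not in the post is an assumption: ether1 as the WAN port, the VLAN interface names VLAN10 ... VLAN210 and VLAN99, the 192.168.x.0/24 gateway ranges, which VLANs are members of INTERNET, and the established/related and drop-all rules that frame the accepts. vlan-filtering is switched on as the very last step, after the off-bridge ether8 address exists, so a mistake in the bridge or VLAN table cannot lock you out.

```routeros
# Added example, not the poster's export. Assumed: ether1 = WAN, the VLANxx interface
# names, the address ranges, and which VLANs belong to the INTERNET list.

# (1) Bridge. Leave vlan-filtering=no until everything below is in place.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=no

# (2) ether2-ether7 are trunks: tagged frames only. ether8 is deliberately NOT a bridge port.
/interface bridge port
add bridge=BR1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether6 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether7 ingress-filtering=yes frame-types=admit-only-vlan-tagged

# (3) Two bridge VLAN entries. VLAN 99 (management) is tagged on every trunk.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10,20,30,40,50,80,210
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=99

# Layer-3 VLAN interfaces on the bridge (names assumed).
/interface vlan
add name=VLAN10 vlan-id=10 interface=BR1
add name=VLAN20 vlan-id=20 interface=BR1
add name=VLAN30 vlan-id=30 interface=BR1
add name=VLAN40 vlan-id=40 interface=BR1
add name=VLAN50 vlan-id=50 interface=BR1
add name=VLAN80 vlan-id=80 interface=BR1
add name=VLAN99 vlan-id=99 interface=BR1 comment="management"
add name=VLAN210 vlan-id=210 interface=BR1

# Off-bridge emergency address on ether8 (from the post) plus gateway addresses (ranges assumed).
/ip address
add address=192.168.55.1/24 interface=ether8 comment="off-bridge emergency access"
add address=192.168.99.1/24 interface=VLAN99
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
add address=192.168.30.1/24 interface=VLAN30
add address=192.168.40.1/24 interface=VLAN40
add address=192.168.50.1/24 interface=VLAN50
add address=192.168.80.1/24 interface=VLAN80
add address=192.168.210.1/24 interface=VLAN210

# (4)/(5) Only the lists the rules actually reference. INTERNET membership is assumed:
# VLAN30 and VLAN40 are left out of it here and therefore get no WAN access.
/interface list
add name=WAN
add name=VLAN
add name=MGMT
add name=INTERNET
/interface list member
add list=WAN interface=ether1
add list=MGMT interface=VLAN99
add list=MGMT interface=ether8
add list=VLAN interface=VLAN10
add list=VLAN interface=VLAN20
add list=VLAN interface=VLAN30
add list=VLAN interface=VLAN40
add list=VLAN interface=VLAN50
add list=VLAN interface=VLAN80
add list=VLAN interface=VLAN99
add list=VLAN interface=VLAN210
add list=INTERNET interface=VLAN10
add list=INTERNET interface=VLAN20
add list=INTERNET interface=VLAN50
add list=INTERNET interface=VLAN80
add list=INTERNET interface=VLAN99
add list=INTERNET interface=VLAN210

# (6)-(8) Input chain: ICMP not limited to the VLANs, DNS and NTP in one rule, no port-67 rule
# (the RouterOS DHCP server uses raw sockets, so it does not depend on an input accept).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="Allow ICMP"
add chain=input action=accept in-interface-list=MGMT comment="Admin access to the router"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,123 comment="Allow VLAN DNS & NTP"
add chain=input action=drop comment="Drop everything else"
# (9)/(10) Forward chain: no connection-state=new, no per-VLAN *_ACCESS lists.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT out-interface-list=VLAN comment="MGMT-ALL routing"
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN comment="internet access"
add chain=forward action=drop comment="Drop everything else"

# Last step. Run it from a session on the ether8 address or in Safe Mode (Ctrl-X in the terminal),
# so that a wrong VLAN table does not cost you your only management path.
/interface bridge set [find name=BR1] vlan-filtering=yes
```

Two things to check after pasting: /interface bridge vlan should show no dynamic entries you did not expect (a dynamic entry means a VLAN interface exists that the static table does not cover), and you should still be able to reach 192.168.55.1 from a laptop cabled to ether8 before and after the final vlan-filtering=yes.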