Problém je, že u ETH2 mi ve Statusu pořád blikají volby: Edge port, Learning a Forwarding.
A řekl bych že to není úplně v pořádku.
# mar/09/2022 22:58:18 by RouterOS 7.1.3
# software id = LUHJ-J593
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = 92F208CA06F6
#
# Configuration export of a home router: PPPoE uplink over VLAN 848 on ether1,
# one bridge for the main LAN (10.111.111.0/24), a "host" network on VLAN 2
# (10.111.222.0/24), and VLAN 3 towards a second network on ether2.
# NOTE(review): the header above carries the device serial number and software
# id; these are normally redacted before an export is posted publicly.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=XXXXXXXX \
name="2.4 ghz"
/interface bridge
# No vlan-filtering setting is shown for the bridge, so presumably it is at its
# default (off) - confirm. In that case the bridge itself does not separate
# VLANs; separation relies on the switch chip and the wireless vlan-id tagging.
add name=bridge
/interface wireless
# Both radios: WPS is disabled. hide-ssid=yes only suppresses the SSID in
# beacons; it is not an access control.
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
country="czech republic" disabled=no frequency=auto hide-ssid=yes \
installation=indoor mode=ap-bridge name=wlan1-RDan radio-name="RDan 2,4G" \
ssid=RDan wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
country="czech republic" disabled=no frequency=auto hide-ssid=yes \
installation=indoor mode=ap-bridge name=wlan2-RDan radio-name="RDan 5G" \
ssid=RDan wireless-protocol=802.11 wps-mode=disabled
/interface vlan
# VLAN 848 on ether1 carries the PPPoE session; VLAN 2 and VLAN 3 are defined
# on top of the bridge.
add interface=ether1 name="vlan 848 - VDSL" vlan-id=848
add interface=bridge name="vlan2 - RDan host" vlan-id=2
add interface=bridge name="vlan3 - Pavsax" vlan-id=3
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
Host vlan-id=2 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
Pavsax vlan-id=3 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan 848 - VDSL" name=\
"Vodafone VDSL" user=vf
/caps-man security
# NOTE(review): all three profiles accept WPA (wpa-psk) alongside WPA2. If every
# client supports WPA2, wpa2-psk alone is the tighter setting. No passphrase
# appears in this export.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=RDan
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Host
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Pavsax
/caps-man configuration
add channel="2.4 ghz" country="czech republic" datapath=Host distance=indoors \
hide-ssid=yes keepalive-frames=enabled mode=ap multicast-helper=default \
name=Host security=Host ssid=RDanH
add channel="2.4 ghz" country="czech republic" datapath=Pavsax distance=\
indoors keepalive-frames=enabled mode=ap multicast-helper=default name=\
Pavsax security=Pavsax ssid=tst
/interface ethernet switch port
# Items are addressed by print number; 1, 2 and 5 are presumably ether2, ether3
# and switch1-cpu - confirm with "print".
# NOTE(review): vlan-mode=fallback still forwards frames whose VLAN ID is not in
# the switch VLAN table; "secure" is the strict mode. Worth checking if VLAN
# separation on the switch chip is meant to be a security boundary.
set 1 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=fallback
set 2 vlan-mode=fallback
set 5 vlan-mode=fallback
/interface list
add name=WAN
add name=LAN
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes interface-list=LAN \
local-forwarding=yes name=RDan
/caps-man configuration
add channel="2.4 ghz" country="czech republic" datapath=RDan distance=indoors \
hide-ssid=yes keepalive-frames=enabled mode=ap multicast-helper=default \
name=RDan security=RDan ssid=RDan
/interface wireless security-profiles
# NOTE(review): same WPA + WPA2 mix as the CAPsMAN security profiles.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=RDanH supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=Pavsax supplicant-identity=MikroTik
/interface wireless
# Virtual APs on the 5 GHz radio, tagged into VLAN 2 (host) and VLAN 3.
add hide-ssid=yes mac-address=CE:2D:E0:EB:8F:15 master-interface=wlan2-RDan \
name=wlan3-Host security-profile=RDanH ssid=RDanH vlan-id=2 vlan-mode=\
use-tag wps-mode=disabled
add hide-ssid=yes mac-address=CE:2D:E0:EB:8F:17 master-interface=wlan2-RDan \
name=wlan6-Pavsax security-profile=Pavsax ssid=tst vlan-id=3 vlan-mode=\
use-tag wps-mode=disabled
/ip pool
add name=dhcp-RDan ranges=10.111.111.100-10.111.111.250
add name="dhcp-RDan host" ranges=10.111.222.100-10.111.222.250
/ip dhcp-server
add address-pool=dhcp-RDan interface=bridge lease-time=1h name=dhcp-RDan
add address-pool="dhcp-RDan host" interface="vlan2 - RDan host" lease-time=1h \
name="dhcp-Host vlan2"
/port
set 0 name=serial0
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/interface bridge filter
# Layer-2 drops for frames bridged to or from wlan3-Host. The two rules on *A
# reference an interface that no longer exists (see "# no interface"), so they
# match nothing and can be removed or re-pointed.
# wlan3-Host not ready
# in/out-bridge-port matcher not possible when interface (wlan3-Host) is not slave
add action=drop chain=forward in-interface=wlan3-Host
# wlan3-Host not ready
# in/out-bridge-port matcher not possible when interface (wlan3-Host) is not slave
add action=drop chain=forward out-interface=wlan3-Host
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
/interface bridge port
# NOTE(review): ether2 is a bridge port here and also the switch port that gets
# default-vlan-id=3 above, so VLAN 3 traffic shares the main bridge with the
# LAN ports. Confirm this is intended.
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan2-RDan
add bridge=bridge interface=wlan1-RDan
add bridge=bridge interface=wlan3-Host
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan6-Pavsax
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" enables neighbor discovery on every non-dynamic
# interface, which presumably includes ether1 on the WAN side. Restricting it
# to the LAN list keeps the router from announcing itself upstream.
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=WAN
/interface ethernet switch vlan
# Switch-chip VLAN table: VLAN 2 on cpu + ether3, VLAN 3 on cpu + ether2 + ether3.
add independent-learning=no ports=switch1-cpu,ether3 switch=switch1 vlan-id=2
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
vlan-id=3
/interface list member
# LAN contains only the bridge. The "vlan2 - RDan host" and "vlan3 - Pavsax"
# interfaces are in neither list, so the input rule "drop in-interface-list=!LAN"
# below also applies to new connections from those networks to the router.
add interface=bridge list=LAN
add interface="Vodafone VDSL" list=WAN
add interface=ether1 list=WAN
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=wlan1-RDan
/ip address
add address=10.111.111.1/24 interface=bridge network=10.111.111.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=10.111.222.1/24 interface="vlan2 - RDan host" network=\
10.111.222.0
/ip dhcp-client
# add-default-route is not shown, so presumably at its default; the lease on
# VLAN 3 would then install a default route with distance 2 - confirm.
add default-route-distance=2 interface="vlan3 - Pavsax" use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server lease
xxx
/ip dhcp-server network
# The host network is handed 10.111.222.1 as its DNS server, but that interface
# is not in the LAN list, so the input chain below drops those queries.
add address=10.111.111.0/24 dns-server=10.111.111.1 domain=rdan gateway=\
10.111.111.1 netmask=24 ntp-server=217.31.202.100
add address=10.111.222.0/24 dns-server=10.111.222.1 domain=rdan gateway=\
10.111.222.1 netmask=24 ntp-server=217.31.202.100
/ip dns
# The router acts as a resolver (allow-remote-requests=yes); reachability is
# limited only by the input chain. Upstream is DoH with certificate
# verification on; the static dns.google entries below let the DoH hostname
# resolve.
set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query \
verify-doh-cert=yes
/ip dns static
xxx
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall filter
# Input chain: accept established/related/untracked, drop invalid, accept ICMP
# and loopback, then drop everything that does not arrive via the LAN list.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
# Forward chain.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
# NOTE(review): the chain value of the next rule is the pasted text of another
# rule, not "forward". The fasttrack rule therefore sits in a chain of that
# literal name, which nothing shown here jumps to, and the usual
# "accept established,related,untracked" rule is absent from the forward chain.
add action=fasttrack-connection chain="add action=accept chain=forward connect\
ion-state=established,related,untracked" connection-state=\
established,related hw-offload=yes
add action=drop chain=forward connection-state=invalid
# The only forward drop besides "invalid": new connections from WAN that are
# not dst-NATed. No rule shown restricts routing between 10.111.222.0/24,
# 10.111.111.0/24 and VLAN 3; if those networks are meant to be isolated at
# layer 3, that needs explicit forward rules.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
# telnet, ftp and ssh are disabled. The other services (www, winbox, api,
# api-ssl) are not listed, so presumably at their defaults - confirm, and limit
# them to the management network where they are not needed elsewhere.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip upnp
# NOTE(review): UPnP lets any host on the bridge request port mappings on the
# PPPoE uplink; connections through such mappings are dst-NATed and so pass the
# WAN forward drop above. Keep enabled only if needed; the upnp logging topic
# below records its activity.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface="Vodafone VDSL" type=external
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik Router"
/system logging
add topics=upnp
/system ntp client
set enabled=yes
/system ntp client servers
add address=217.31.202.100
/system routerboard settings
set cpu-frequency=auto
/tool graphing interface
add
Doplňující nepovinné otázky:
- Jsou vlany nastaveny správně v souladu s tím, že to řeší interně switch chip a ne bridge?
- Je firewall správně? Je použitej ten z Quick Set, protože tomu zatím ani za mák nerozumím.
- Jak udělám abych se dostal do sítě na ETH2(vlan3) ale aby se mi tam neroutoval provoz? V Routes se dynamicky vytvoří dst: 0.0.0.0/0 gtw: 192.168.0.1 dist: 2; dst: 192.168.0.0/24 gtw: vlan3 dist: 0.
Přijde mi že by to mělo jít ale něco to blokuje, že by Firewall? A není chyba že je ETH2 v Bridge?
Děkuji moc za rady, s pozdravem RDan...