marco243

Mikrotik VLAN Clients können nicht kommunizieren "?"

Hallo Mikrotik-Profis,

von Euch habe ich schon viele Hilfen; Tipps und Tricks bekommen, dafür schon mal vielen Dank!

Jetzt möchte ich mich noch einmal an Euch wenden.

Das Problem:

Nachdem ich drei VLANs eingerichtet habe, Privat10/Gast20/IoT30, bekomme ich meine Kameras sowie das Backup-Target nicht mehr mit der Synology (DS718+) verbunden.
Die Kameras sowie das BackUp-Target (DS112+) werden gefunden und angezeigt, sobald es um die Authentifizierung geht, komme ich nicht weiter.
Die Geräte sind im Privaten VLAN 10, können angepingt werden und sind über die IP per Browser erreichbar und funktionieren fehlerfrei.

Das VLAN-Setup wurde nach Anleitung/Anweisung von aqui und commodity erstellt.
Die Sache mit den dynamischen Zuweisungen für die Wifi-APs bekomme ich nicht hin, daher bitte nicht wundern, sieht etwas wild aus.
Soweit ich es gelesen und verstanden habe, darf bei Verwendung von VLANs die Bridge keine IP haben.
Jedes VLAN hat eine separate IP und einen eigenen DHCP-Server.
Klappt auch alles super, vom Gast- und IoT-Netz kann man nicht auf die Synos etc. zugreifen.


Das Setup:
RB5009 (FTTH), ROS 7.16:
=> Router (FTTH, DHCP, CAPsMAN, WireGuard, VLAN 10/20/30, Wifi-AP, FritzBox (DECT), Uplink zu RB5009 Syno)

# ---- Review notes (RB5009 FTTH router export) ----
# Read together with the two switch exports below. Points marked
# NOTE(review) depend on RouterOS behaviour that this export alone cannot
# prove; verify them on the device before changing anything.
/interface bridge
add admin-mac=08:xxxxxxxxE auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "Uplink => RB5009 SYNO (akt. HEXs) | VLAN 10 / 20 / 30 "  
set [ find default-name=ether4 ] comment=\
    "Uplink MT_RITA | 192.168.178.4 | VLAN 10 / 20 / 30 "  
set [ find default-name=ether5 ] comment="Uplink => FritzBox => DECT only"  
set [ find default-name=ether8 ] comment=\
    "Direkt-LAN  zum Schoppen Netztwerkdose 1.1"  
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=\
    1G-baseT-full
/interface wireguard
add comment="F\FCr BrickSpace DS718+|192.168.10.2" listen-port=13231 mtu=1420 \  
    name=wg0
# L3 VLAN interfaces on top of the bridge. These are the router's own
# foothold in each VLAN; they must NOT also be added as bridge ports
# (see /interface bridge port further down).
/interface vlan
add interface=bridge name="vlan10 Privat" vlan-id=10  
add interface=bridge name="vlan20 Gast" vlan-id=20  
add interface=bridge name="vlan30 IoT" vlan-id=30  
add interface=sfp-sfpplus1 name=vlan800 vlan-id=800
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan800 \
    name=Teutel-FTTH use-peer-dns=yes user=V000782
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-n disabled=no frequency=2300-7300 name=channel1 width=20mhz
add band=5ghz-ac disabled=no frequency=2300-7300 name=channel2 \
    skip-dfs-channels=disabled width=20/40/80mhz
# None of the datapaths carries a vlan-id, so the VLAN an SSID lands in is
# decided by the CAPs' own bridge configuration, which is not part of this
# export. NOTE(review): that is most likely the "dynamic assignment" part
# still missing - a vlan-id on the Gast/IoT datapaths would let CAPsMAN
# tag the CAP-side ports instead of each CAP being configured by hand.
/interface wifi datapath
add bridge=bridge disabled=yes name=WiFi
add bridge=bridge disabled=no name=Privat
add bridge=bridge disabled=no name=Gast
add bridge=bridge disabled=no name=IoT
# "Privat" allows only wpa-psk (WPA1) as authentication type, Gast/IoT allow
# wpa-psk,wpa2-psk. The per-interface overrides below then force wpa-psk on
# the 2.4 GHz Privat radios and wpa2-psk on 5 GHz. For the private network
# wpa2-psk (plus wpa3-psk where clients support it) is the safer choice;
# leaving WPA1 enabled only weakens it.
/interface wifi security
add authentication-types=wpa-psk disabled=no group-encryption=ccmp name=\
    Privat
add authentication-types=wpa-psk,wpa2-psk disabled=no group-encryption=ccmp \
    name=Gast
add authentication-types=wpa-psk,wpa2-psk disabled=no group-encryption=ccmp \
    name=IoT
/interface wifi configuration
add channel=channel1 channel.band=2ghz-n .skip-dfs-channels=disabled .width=\
    20mhz country="United States" datapath=WiFi datapath.bridge=bridge \  
    .interface-list=all disabled=no mode=ap name=2,4 security=Privat \
    security.authentication-types=wpa-psk .encryption="" ssid="Noxon Access"  
add channel=channel2 channel.band=5ghz-ac .skip-dfs-channels=disabled .width=\
    20/40/80mhz country="United States" datapath=WiFi disabled=no mode=ap \  
    name=5.0 security=Privat security.authentication-types=wpa2-psk ssid=\
    W-Lan
add channel=channel2 channel.band=5ghz-ac .skip-dfs-channels=disabled .width=\
    20/40/80mhz country="United States" datapath=WiFi disabled=no mode=ap \  
    name=5.1 security=Privat security.authentication-types=wpa2-psk ssid=\
    W-Lan
add channel=channel1 channel.band=2ghz-n .skip-dfs-channels=disabled .width=\
    20mhz country="United States" datapath=Gast datapath.bridge=bridge \  
    disabled=no mode=ap name="WiFi 2.4 Gast" security=Gast \  
    security.authentication-types=wpa-psk .encryption="" ssid="WiFi 2.4 Gast"  
add channel=channel2 channel.band=5ghz-n .skip-dfs-channels=disabled .width=\
    20/40/80mhz country="United States" datapath=Gast disabled=no mode=ap \  
    name="WiFi 5.0 Gast" security=Gast security.authentication-types=wpa-psk \  
    .encryption="" ssid="WiFi 5.0 Gast"  
add channel=channel1 channel.band=2ghz-n .skip-dfs-channels=disabled .width=\
    20mhz country="United States" datapath=IoT datapath.bridge=bridge \  
    .client-isolation=yes disabled=no mode=ap name=IoT security=IoT \
    security.authentication-types=wpa-psk .encryption="" ssid=IoT  
/interface wifi
add channel=channel1 channel.band=2ghz-n .frequency=2300-7300 .width=20mhz \
    configuration=2,4 configuration.mode=ap datapath=WiFi disabled=no name=\
    "cap-Audience 2,4" radio-mac=2C:C8:1B:77:D2:D5 security=Privat \  
    security.authentication-types=wpa-psk
add channel.frequency=2300-7300 configuration="WiFi 2.4 Gast" \  
    configuration.mode=ap disabled=no mac-address=2E:C8:1B:77:D2:D5 \
    master-interface="cap-Audience 2,4" name="cap-Audience 2,4 Gast"  
add channel=channel2 channel.frequency=2300-7300 configuration=5.0 \
    configuration.mode=ap datapath=WiFi disabled=no name="cap-Audience 5.0" \  
    radio-mac=2C:C8:1B:77:D2:D7 security=Privat \
    security.authentication-types=wpa-psk,wpa2-psk
add channel=channel2 channel.frequency=2300-7300 configuration=5.1 \
    configuration.mode=ap datapath=WiFi disabled=no name="cap-Audience 5.1" \  
    radio-mac=2C:C8:1B:77:D2:D6 security=Privat \
    security.authentication-types=wpa-psk,wpa2-psk
add channel.frequency=2300-7300 configuration=IoT configuration.mode=ap \
    datapath=IoT disabled=no mac-address=2E:C8:1B:77:D2:D6 master-interface=\
    "cap-Audience 2,4" name="cap-Audience IoT"  
add channel.frequency=2300-7300 configuration="WiFi 5.0 Gast" \  
    configuration.mode=ap datapath=Gast disabled=no mac-address=\
    2E:C8:1B:77:D2:D7 master-interface="cap-Audience 5.0" name=\  
    "cap-Audience Wifi 5.0 Gast"  
add channel=channel1 channel.band=2ghz-n .frequency=2300-7300 .width=20mhz \
    configuration=2,4 configuration.mode=ap datapath=WiFi disabled=no mtu=\
    1500 name="cap-Rita 2,4" radio-mac=78:9A:18:9E:63:AE security=Privat \  
    security.authentication-types=wpa-psk
add channel.frequency=2300-7300 configuration="WiFi 2.4 Gast" \  
    configuration.mode=ap disabled=no mac-address=7A:9A:18:9E:63:AE \
    master-interface="cap-Rita 2,4" name="cap-Rita 2,4 Gast"  
add channel=channel2 channel.frequency=2300-7300 configuration=5.0 \
    configuration.mode=ap datapath=WiFi disabled=no name="cap-Rita 5.0" \  
    radio-mac=78:9A:18:9E:63:AF security=Privat \
    security.authentication-types=wpa-psk,wpa2-psk
add channel.frequency=2300-7300 configuration=IoT configuration.mode=ap \
    disabled=no mac-address=7A:9A:18:9E:63:B0 master-interface="cap-Rita 2,4" \  
    name="cap-Rita IoT"  
add channel.frequency=2300-7300 configuration="WiFi 5.0 Gast" \  
    configuration.mode=ap disabled=no mac-address=7A:9A:18:9E:63:AF \
    master-interface="cap-Rita 5.0" name="cap-Rita Wifi 5.0 Gast"  
add channel.frequency=2300-7300 configuration=2,4 configuration.mode=ap \
    disabled=no name="cap-Schalfzimmer 2,4" radio-mac=78:9A:18:9E:5F:82  
add channel.frequency=2300-7300 configuration="WiFi 2.4 Gast" \  
    configuration.mode=ap datapath=Gast disabled=no mac-address=\
    7A:9A:18:9E:5F:82 master-interface="cap-Schalfzimmer 2,4" name=\  
    "cap-Schalfzimmer 2,4 Gast"  
add channel.frequency=2300-7300 configuration=5.0 configuration.mode=ap \
    disabled=no name="cap-Schlafzimmer 5.0" radio-mac=78:9A:18:9E:5F:83  
add channel.frequency=2300-7300 configuration=IoT configuration.mode=ap \
    disabled=no mac-address=7A:9A:18:9E:5F:84 master-interface=\
    "cap-Schalfzimmer 2,4" name="cap-Schlafzimmer IoT"  
add channel.frequency=2300-7300 configuration="WiFi 5.0 Gast" \  
    configuration.mode=ap disabled=no mac-address=7A:9A:18:9E:5F:83 \
    master-interface="cap-Schlafzimmer 5.0" name=\  
    "cap-Schlafzimmer Wifi 5.0 Gast"  
add channel.frequency=2300-7300 configuration=2,4 configuration.mode=ap \
    disabled=no name="cap-Schoppen 2,4" radio-mac=DC:2C:6E:1B:87:04  
add channel.frequency=2300-7300 configuration="WiFi 2.4 Gast" \  
    configuration.mode=ap disabled=no mac-address=DE:2C:6E:1B:87:04 \
    master-interface="cap-Schoppen 2,4" name="cap-Schoppen 2,4 Gast"  
add channel.frequency=2300-7300 configuration=5.0 configuration.mode=ap \
    disabled=no name="cap-Schoppen 5.0" radio-mac=DC:2C:6E:1B:87:05  
add channel.frequency=2300-7300 configuration="WiFi 5.0 Gast" \  
    configuration.mode=ap disabled=no mac-address=DE:2C:6E:1B:87:05 \
    master-interface="cap-Schoppen 5.0" name="cap-Schoppen 5.0 Gast"  
add channel.frequency=2300-7300 configuration=IoT configuration.mode=ap \
    disabled=no mac-address=DE:2C:6E:1B:87:06 master-interface=\
    "cap-Schoppen 2,4" name="cap-Schoppen IoT"  
add channel.frequency=2300-7300 configuration=2,4 configuration.mode=ap \
    disabled=no name="cap-Terrasse 2,4" radio-mac=08:55:31:3D:6E:F8  
add channel.frequency=2300-7300 configuration="WiFi 2.4 Gast" \  
    configuration.mode=ap disabled=no mac-address=0A:55:31:3D:6E:F8 \
    master-interface="cap-Terrasse 2,4" name="cap-Terrasse 2,4 Gast"  
add channel.frequency=2300-7300 configuration=5.0 configuration.mode=ap \
    disabled=no name="cap-Terrasse 5.0" radio-mac=08:55:31:3D:6E:F9  
add channel.frequency=2300-7300 configuration="WiFi 5.0 Gast" \  
    configuration.mode=ap disabled=no mac-address=0A:55:31:3D:6E:F9 \
    master-interface="cap-Terrasse 5.0" name="cap-Terrasse 5.0 Gast"  
add channel.frequency=2300-7300 configuration=IoT configuration.mode=ap \
    disabled=no mac-address=0A:55:31:3D:6E:FB master-interface=\
    "cap-Terrasse 2,4" name="cap-Terrasse IoT"  
/ip pool
add name=Pool_LAN ranges=192.168.178.100-192.168.178.199
add name=Privat ranges=192.168.10.100-192.168.10.199
add name=Gast ranges=192.168.20.99-192.168.20.199
add name=IoT ranges=192.168.30.99-192.168.30.199
/ip dhcp-server
add address-pool=Privat interface="vlan10 Privat" name=dhcp_Privat  
add address-pool=Gast interface="vlan20 Gast" name=dhcp_Gast  
add address-pool=IoT interface="vlan30 IoT" name=dhcp_IoT  
/ip smb users
set [ find default=yes ] disabled=yes
/queue type
add kind=pcq name=pcq-download-gastnetz pcq-classifier=dst-address pcq-rate=\
    5M
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing table
add disabled=no fib name=Wireguard
# Any storage inserted in the router is auto-shared via SMB on the bridge.
# The default SMB user is disabled above (/ip smb users), which is good;
# set auto-smb-sharing=no unless the router is meant to be a file server.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# ether2, ether3, ether6, ether7 have no pvid and appear in no
# /interface bridge vlan row below, so they keep the default PVID and are
# isolated from all three configured VLANs. NOTE(review): RouterOS is
# expected to add a dynamic VLAN entry for that PVID; either disable these
# ports or give them the pvid they are meant for.
# ether1 is the tagged trunk to the Syno switch, ether4/ether8 are hybrid
# ports (untagged 10, tagged 20/30), ether5 (FritzBox) is untagged 10 only.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether1
# These three rows put the bridge's own VLAN sub-interfaces (defined above
# with interface=bridge) back into the bridge as member ports. A VLAN
# interface on the bridge is the L3 endpoint of that VLAN, not a port; the
# same three rows exist on both switches. NOTE(review): check
# /interface bridge port print for how RouterOS flags these entries and
# remove them - they are not needed for the router to be reachable in the
# VLANs (the /ip address entries on the VLAN interfaces do that).
add bridge=bridge interface="vlan10 Privat" pvid=10  
add bridge=bridge interface="vlan20 Gast" pvid=20  
add bridge=bridge interface="vlan30 IoT" pvid=30  
/ip firewall connection tracking
set udp-timeout=10s
# discover-interface-list=all: MNDP/LLDP announce this router on every
# interface, including the Gast and IoT VLANs. Restrict to a list that
# holds only the management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
# VLAN table. Rows 4-6 duplicate vlan-ids 10, 20 and 30 that rows 1-3
# already define: the second VLAN-10 row only adds ether5 as untagged, the
# second 20 and 30 rows carry no ports at all. Merge ether5 into the first
# VLAN-10 row (untagged=ether8,ether4,ether5) and delete the three extra
# rows; one row per vlan-id is the intended shape.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether8,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether8,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether8,ether4 vlan-ids=30
add bridge=bridge untagged=ether5 vlan-ids=10
add bridge=bridge vlan-ids=20
add bridge=bridge vlan-ids=30
# All three VLAN interfaces are in LAN. The input-chain rule "drop all not
# coming from LAN" below therefore treats Gast and IoT exactly like Privat
# for access to the router itself (DNS, WinBox, API, ...). wg0 is in
# neither list, which matters for the forward chain (see there).
/interface list member
add interface=Teutel-FTTH list=WAN
add interface="vlan10 Privat" list=LAN  
add interface="vlan20 Gast" list=LAN  
add interface="vlan30 IoT" list=LAN  
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=bridge list=LAN
# auth=sha1,md5: md5 is obsolete. Harmless while the OVPN server is not in
# use (enabled= is not shown in this export), but drop md5 if it ever is.
/interface ovpn-server server
set auth=sha1,md5
/interface wifi access-list
add action=accept disabled=yes interface=any signal-range=-80..120
add action=reject disabled=yes interface=any signal-range=-120..-81
/interface wifi cap
set caps-man-addresses="" discovery-interfaces=""  
# require-peer-certificate=no: CAPs are accepted without a certificate, so
# any device on "vlan10 Privat" could register as a CAP and be handed the
# wifi configuration, PSKs included. Acceptable only if that VLAN is
# trusted end to end; otherwise issue certificates to the CAPs and set
# require-peer-certificate=yes.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=\
    "vlan10 Privat" package-path="" require-peer-certificate=no \  
    upgrade-policy=none
# Peer with allowed-address=0.0.0.0/0: everything the provider sends down
# the tunnel is accepted by wireguard. What then happens to it is decided
# by the firewall alone - see the forward-chain note below.
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=PRIMARY endpoint-address=\
    wg1.connect2any.net endpoint-port=xxxxx interface=wg0 name=peer1 \
    persistent-keepalive=1m public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  
/ip address
add address=192.168.178.254/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.178.0
add address=10.0.0.56 interface=wg0 network=10.0.0.0
add address=192.168.10.254/24 interface="vlan10 Privat" network=192.168.10.0  
add address=192.168.20.254/24 interface="vlan20 Gast" network=192.168.20.0  
add address=192.168.30.254/24 interface="vlan30 IoT" network=192.168.30.0  
# Static ARP entries for VLAN 10. The last two rows are the suspicious
# part: published=yes with no mac-address means the router answers ARP
# requests for 192.168.10.1 and 192.168.10.2 with its own MAC (proxy-ARP
# style). 192.168.10.2 is the DS718+ "BrickSpace" (see the wireguard
# comment above and ether5 on the Syno switch). A camera or the backup
# NAS that resolves 192.168.10.2 may therefore learn the router's MAC, send
# its packets through the router while the DS718+ replies directly, and the
# router's forward chain ("drop invalid") then sees a one-sided TCP
# session. ICMP is not affected the same way, which would match the
# symptom in the post (ping works, login hangs). NOTE(review): first thing
# to check - look at the ARP cache of a VLAN-10 host for 192.168.10.2; if
# it shows the router's MAC, delete both published entries. They should
# not be needed for the wireguard port-forward further down.
/ip arp
add address=192.168.10.201 interface="vlan10 Privat" mac-address=\  
    xxxxx
add address=192.168.10.202 interface="vlan10 Privat" mac-address=\  
    xxxxx
add address=192.168.10.203 interface="vlan10 Privat" mac-address=\  
    xxxxxx
add address=192.168.10.204 interface="vlan10 Privat" mac-address=\  
    xxxxx
add address=192.168.10.205 interface="vlan10 Privat" mac-address=\  
    xxxxx
add address=192.168.10.100 interface="vlan10 Privat" mac-address=\  
    9xxxxx
add address=192.168.10.1 interface="vlan10 Privat" published=yes  
add address=192.168.10.2 interface="vlan10 Privat" published=yes  
# Clients in all three VLANs get 1.1.1.1 directly as DNS, so their lookups
# are forwarded traffic, not answered by the router's resolver below.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.254 \
    netmask=24
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.254 \
    netmask=24
add address=192.168.30.0/24 dns-server=1.1.1.1 gateway=192.168.30.254 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
# Stale defconf entry: router.lan points to 192.168.88.1, an address this
# router no longer has.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# Input chain, top to bottom (rule order matters):
#  - the two rules with dst-address-list=192.168.10.254 reference an address
#    LIST named "192.168.10.254"; no /ip firewall address-list exists in
#    this export, so they match nothing (dst-address= was probably meant).
#    fasttrack-connection in chain=input is also unusual; fasttrack is a
#    forward-chain mechanism.
#  - "accept established,related" appears twice (own rule + defconf);
#    harmless.
#  - "LAN => Firewall" accepts in-interface=bridge. With vlan-filtering and
#    the three VLAN interfaces, traffic from the VLANs is expected to arrive
#    on "vlan10 Privat"/"vlan20 Gast"/"vlan30 IoT", not on bridge.
#    NOTE(review): check this rule's counters; if it never matches, replace
#    it with in-interface="vlan10 Privat" and decide explicitly what Gast
#    and IoT may reach on the router (the LAN list currently grants them
#    everything that Privat gets).
#  - "Allg. Verbindungen ohne Grund werden gedroppt" drops everything left
#    in input, so the two ICMP accept rules further down (sfp-sfpplus1 and
#    vlan10) can never match; move them above that drop or remove them.
# Forward chain:
#  - there is NO final drop rule. Everything not matched above - including
#    new connections from Gast/IoT into Privat, and anything arriving via
#    wg0 (in neither interface list) towards the LAN - falls through to
#    the implicit accept. The VLAN isolation described in the post is not
#    enforced by these rules as exported. Add an explicit
#    "add action=drop chain=forward" at the very end (preceded by the
#    accepts you do want, e.g. Privat->anything, Gast/IoT->WAN only) and
#    either put wg0 into the WAN list or add a drop for in-interface=wg0
#    connection-nat-state=!dstnat.
#  - "Ping von Gast zu IoT" actually matches in-interface="vlan10 Privat";
#    the comment does not describe the rule.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \  
    dst-port=53 hw-offload=yes protocol=udp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \  
    dst-address-list=192.168.10.254 dst-port=53 hw-offload=yes protocol=udp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \  
    dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=input comment="Fasttrack DNS TCP" \  
    dst-address-list=192.168.10.254 dst-port=53 hw-offload=yes protocol=tcp
add action=drop chain=input comment="WAN => Firewall => Ping blockieren" \  
    in-interface=Teutel-FTTH protocol=icmp
add action=accept chain=input comment="Aufgebaute Verbindungen erlauben" \  
    connection-state=established,related
add action=accept chain=input comment="LAN => Firewall => Zugriff erlaubt" \  
    in-interface=bridge
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\  
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\  
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1  
add action=drop chain=input comment="defconf: drop all not coming from LAN" \  
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \  
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \  
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\  
    established,related,untracked
add action=drop chain=input comment=\
    "Allg. Verbindungen ohne Grund werden gedroppt"  
add action=drop chain=forward comment="defconf: drop invalid" \  
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \  
    connection-state=new in-interface-list=WAN
add action=accept chain=input in-interface=sfp-sfpplus1 protocol=icmp
add action=accept chain=input comment="VLAN 10 zur Firewall Ping erlauben" \  
    in-interface="vlan10 Privat" protocol=icmp  
add action=accept chain=forward comment="Ping von Privat zu Gast" \  
    in-interface="vlan10 Privat" out-interface="vlan20 Gast" protocol=icmp  
add action=accept chain=forward comment="Ping von Gast zu IoT" in-interface=\  
    "vlan10 Privat" out-interface="vlan30 IoT" protocol=icmp  
# Connection marks for the policy route: replies arriving on wg0 and
# everything sourced from the DS718+ (192.168.10.2) are marked "wireguard"
# and, via /routing rule and the Wireguard routing table below, leave
# through the tunnel.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=wg0 new-connection-mark=wireguard passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=wireguard passthrough=yes src-address=192.168.10.2
# The second masquerade rule uses out-interface=bridge; with the VLAN
# interfaces doing the routing, forwarded traffic leaves on "vlan10 Privat"
# etc., so this rule is unlikely to match anything (check its counters).
# The dst-nat rule publishes ports 25,80,110,143,443,465,587,993,995,5001
# of the DS718+ through the wireguard tunnel; that looks intentional (VPN
# provider port forwarding). Keep in mind that only the forward chain
# stands between wg0 and everything else in the LAN - see the filter note.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \  
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=!192.168.10.2 out-interface=\
    bridge
add action=masquerade chain=srcnat out-interface=wg0
add action=dst-nat chain=dstnat dst-port=\
    25,80,110,143,443,465,587,993,995,5001 in-interface=wg0 protocol=tcp \
    to-addresses=192.168.10.2
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \  
    routing-table=Wireguard scope=30 suppress-hw-offload=no target-scope=10
/ipv6 dhcp-client
add disabled=yes interface=Teutel-FTTH pool-name=IPv6 request=prefix
/ipv6 dhcp-server
add address-pool="" disabled=yes interface=bridge name=IPv6  
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6  
add address=::1/128 comment="defconf: lo" list=bad_ipv6  
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6  
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6  
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6  
add address=100::/64 comment="defconf: discard only " list=bad_ipv6  
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6  
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6  
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6  
# IPv6 filter is the untouched defconf set; IPv6 itself is not in use here
# (dhcp-client and dhcp-server above are disabled).
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\  
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\  
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\  
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \  
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\  
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \  
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\  
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\  
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec  
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\  
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\  
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \  
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6  
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6  
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \  
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\  
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139  
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\  
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\  
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\  
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec  
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\  
    !LAN
# Policy routing: only 192.168.10.2 (the DS718+) is sent through the
# Wireguard table; the 192.168.178.2 rule is a disabled leftover of the old
# flat network.
/routing rule
add action=lookup disabled=no src-address=192.168.10.2/32 table=Wireguard
add action=lookup disabled=yes src-address=192.168.178.2/32 table=Wireguard
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MT_RB5009_FTTH_Router
/system note
set show-at-login=no
# MAC-server and MAC-WinBox are allowed on the whole LAN list, i.e. from
# the Gast and IoT VLAN interfaces as well. Point both at a list that
# contains only "vlan10 Privat" (or the management ports).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


RB5009 (Syno), ROS 7.16:
=> Switch, DS718+, 2x Wifi-AP und Uplink zu RB4011(Schoppen)
# ---- Review notes (RB5009 "Syno" switch export) ----
/interface bridge
add admin-mac=Cxxxxxxxxxxx9 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
# Port labels: ether1 says "Uplink > RB4011 Schoppen" and ether2 says
# "Downlink => RB5009_Schoppen", while the router's ether1 is labelled as
# the uplink to this box and the Schoppen device is an RB4011. Both ports
# are configured identically as tagged trunks, so this is a labelling
# problem only - but fix the labels, they are what you debug with.
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "Uplink > RB4011 Schoppen | VLAN 10 / 20 / 30 "  
set [ find default-name=ether2 ] comment=\
    "Downlink => RB5009_Schoppen | 192.168.10.252 | VLAN 10 / 20 / 30 "  
set [ find default-name=ether3 ] comment=\
    "MT_Audience | VLAN 10 / 20 / 30 "  
set [ find default-name=ether4 ] comment=\
    "MT_Schlafzimmer | VLAN 10 / 20 / 30 "  
set [ find default-name=ether5 ] comment=\
    "BrickSpace | 192.168.10.2 | VLAN 10 "  
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
# VLAN interfaces on the bridge (note the names differ from the router's
# "vlan10 Privat" style - local names, no functional impact).
/interface vlan
add interface=bridge name="vlan 10 Privat" vlan-id=10  
add interface=bridge name="vlan 20 Gast" vlan-id=20  
add interface=bridge name="vlan 30 IoT" vlan-id=30  
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# auto-smb-sharing=yes here as well; unlike the router export, nothing in
# this export disables the default SMB user. Set auto-smb-sharing=no on a
# switch.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# sfp-sfpplus1 is a bridge port with no pvid and is in no VLAN row below,
# so it carries none of the configured VLANs. ether6-8 are disabled above,
# so their pvid=10 rows are inert. The three "vlan NN ..." rows at the end
# add the bridge's own VLAN interfaces as ports - same issue as on the
# router; remove them.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface="vlan 10 Privat" pvid=10  
add bridge=bridge interface="vlan 20 Gast" pvid=20  
add bridge=bridge interface="vlan 30 IoT" pvid=30  
/ip neighbor discovery-settings
set discover-interface-list=all
# ether1/ether2: tagged trunks (10/20/30). ether3/ether4 (APs): untagged
# 10, tagged 20/30. ether5 (DS718+): untagged 10 only - correct for the
# NAS. One row per vlan-id, as it should be.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether3,ether4,ether5 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=30
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface="vlan 10 Privat" list=LAN  
add interface="vlan 20 Gast" list=LAN  
add interface="vlan 30 IoT" list=LAN  
add interface=bridge list=LAN
# A switch only needs a management address in the management VLAN. The
# .20.253 and .30.253 addresses give Gast and IoT clients a direct path to
# this device's services, and this export contains no /ip firewall filter
# at all. Keep 192.168.10.253 on "vlan 10 Privat" and drop the other two.
/ip address
add address=192.168.178.253/24 disabled=yes interface=bridge network=\
    192.168.178.0
add address=192.168.10.253/24 interface="vlan 10 Privat" network=192.168.10.0  
add address=192.168.20.253/24 interface="vlan 20 Gast" network=192.168.20.0  
add address=192.168.30.253/24 interface="vlan 30 IoT" network=192.168.30.0  
/ip dns
set servers=1.1.1.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.254 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MT_RB5009_SYNO
/system note
set show-at-login=no
# Unattended "/system package update install" once a week plus a daily
# reboot at 04:30 (the job is named reboot-6am). On a core switch that is
# a deliberate availability trade-off; the reboot job at least does not
# need the password/sensitive policies it is granted.
/system scheduler
add interval=1d name=reboot-6am on-event="/system reboot" policy=\  
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2017-01-17 start-time=04:30:00
add interval=1w name=Update on-event="/system package update install" policy=\  
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-05 start-time=04:10:00


RB4011 (Schoppen), ROS 7.16:
=> Switch für DS718+ (Stby-Gerät), DS112+ (BackUpTarget), Drucker, IP-Telefon, Reo-Link Cam, Uplink zum HEXs (dieser wird nicht weiter betrachtet)
# ---- Review notes (RB4011 "Schoppen" switch export) ----
/interface bridge
add admin-mac=CxxxxxxxxxB auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Downlink => RB5009 SYNO"  
set [ find default-name=ether2 ] comment="MT_Schoppen | VLAN10/20/30"  
set [ find default-name=ether3 ] comment="HEXs| VLAN 10"  
set [ find default-name=ether4 ] comment="Drucker VLAN 10"  
set [ find default-name=ether5 ] comment="DS718+ Two-Digits | VLAN 10"  
set [ find default-name=ether6 ] comment="DS118+ Vault | VLAN 10"  
set [ find default-name=ether7 ] comment="ReoLink 520 Einfahrt | VLAN 10"  
set [ find default-name=ether8 ] comment="PC-B\FCro | VLAN 10"  
set [ find default-name=ether9 ] comment=\
    "D-Link Werkstatt => MT_Terrasse | VLAN 10/20/30"  
set [ find default-name=ether10 ] comment=--ohne---
/interface vlan
add interface=bridge name="vlan 10 Privat" vlan-id=10  
add interface=bridge name="vlan 20 Gast" vlan-id=20  
add interface=bridge name="vlan 30 IoT" vlan-id=30  
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
# ingress-filtering=no is set explicitly on most ports. With VLAN filtering
# that lets a port accept tagged frames for VLANs it is not a member of, so
# a device on an access port such as ether4/5/6 (printer, NAS, backup
# target) could push frames into VLAN 20/30 simply by tagging them. Prefer
# the default ingress-filtering=yes everywhere and
# frame-types=admit-only-untagged-and-priority-tagged on the pure access
# ports (ether4-8). ether10 ("--ohne---") has pvid=10 but is in no VLAN row
# below, and sfp-sfpplus1 has neither pvid nor VLAN membership; disable
# unused ports as the Syno switch does.
# The three "vlan NN ..." rows at the end add the bridge's own VLAN
# interfaces as ports - same issue as on the router; remove them.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface="vlan 10 Privat" pvid=10  
add bridge=bridge interface="vlan 20 Gast" pvid=20  
add bridge=bridge interface="vlan 30 IoT" pvid=30  
/ip firewall connection tracking
set udp-timeout=10s
# discover-interface-list=all: announces this switch on every port,
# including the tagged Gast/IoT VLANs on the trunks; restrict to the
# management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
# ether1 (to the Syno switch) and ether3 (to the hEX, despite its "VLAN 10"
# comment) are tagged trunks; ether2 and ether9 (APs) are hybrid; the other
# listed ports are untagged VLAN 10. Consistent with the other two devices.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether3 untagged=\
    ether2,ether4,ether5,ether6,ether8,ether9,ether7 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether2,ether9,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2,ether9,ether3 vlan-ids=30
# ether1 is in WAN rather than LAN. Without any firewall on this switch
# that only changes what /tool mac-server honours on the trunk port; make
# sure that is deliberate.
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface="vlan 10 Privat" list=LAN  
add interface="vlan 20 Gast" list=LAN  
add interface="vlan 30 IoT" list=LAN  
add interface=ether1 list=WAN
# auth=sha1,md5: md5 is obsolete; drop it if the OVPN server is ever
# enabled (enabled= is not shown in this export).
/interface ovpn-server server
set auth=sha1,md5
# Same management-exposure point as on the Syno switch: .20.252 and
# .30.252 put this device's services into the Gast and IoT VLANs, with no
# /ip firewall filter in this export and the DNS resolver below answering
# remote requests. Keep only 192.168.10.252 on "vlan 10 Privat".
/ip address
add address=192.168.10.252/24 disabled=yes interface=bridge network=\
    192.168.10.0
add address=192.168.20.252/24 interface="vlan 20 Gast" network=192.168.20.0  
add address=192.168.30.252/24 interface="vlan 30 IoT" network=192.168.30.0  
add address=192.168.10.252/24 interface="vlan 10 Privat" network=192.168.10.0  
/ip cloud
set update-time=no
# Stale defconf entry for 192.168.88.0/24; no DHCP server exists on this
# device, so it is unused.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.10.252 comment=defconf name=router.lan type=A
# BFD on interfaces=all while no dynamic routing protocol appears in this
# export; disable it unless something not shown here uses it.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MT_RB4011_Schoppen
/system note
set show-at-login=no
/system ntp client
set enabled=yes
# address="server 0.de.pool.ntp.org" contains the literal word "server";
# that is not a resolvable hostname, so only 192.53.103.104 is actually
# usable. Should read address=0.de.pool.ntp.org.
/system ntp client servers
add address="server 0.de.pool.ntp.org"  
add address=192.53.103.104
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set auto-upgrade=yes
# Same unattended weekly update + daily reboot pattern as on the Syno
# switch, with the same over-broad policy list.
/system scheduler
add interval=1d name=reboot-6am on-event="/system reboot" policy=\  
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2017-01-17 start-time=04:30:00
add interval=1w name=Update on-event="/system package update install" policy=\  
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-08-20 start-time=04:00:00
# "System Package" re-implements what the weekly scheduler job above
# already does and is not referenced by any scheduler entry in this export.
# dont-require-permissions=yes plus the full policy list is more than a
# log/update/reboot script needs, and ":delay 10:" looks like a mistyped
# duration (10s?). Simplest is to remove the script.
/system script
add dont-require-permissions=yes name="System Package" owner=admin policy=\  
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\  
    if ([/system package update get status] = \"New version is available\") do\  
    ={\r\
    \n:log warning \"System package update is available\";\r\  
    \n/system package update install;\r\
    \n:delay 10:\r\
    \n:log warning \"reboot\";\r\  
    \n/system reboot} else={:log warning \"No System package update is availab\  
    le\"}\r\  
    \n:log warning \"END\"\r\  
    \n"  
# As on the router: MAC-server/MAC-WinBox allowed from the whole LAN list,
# which includes the Gast and IoT VLAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


etwas viel....ok....

Könnt Ihr erkennen, was ich da falsch eingestellt habe?


Grüße
Marco
2024-10-02 16_13_50-vm-1
2024-10-02 16_12_19-synology surveillance station - brickspace

Content-ID: 668541

Url: https://administrator.de/contentid/668541
