Connecting two Mikrotik routers: further questions
Hello @aqui,
Regarding "Mikrotik zwei Router verbinden" (connecting two Mikrotik routers):
Now that I have also been able to replace the hAP Lite with a cAP ax on the ax3, I have connected the hEX to the ax2 by cable, and the Netgear GS308ep to the ax2 as well.
A few questions about this:
1. The network:
- cAP connected by cable to the ax3
- ax2 connected by cable to the ax3
- hEX connected by cable to the ax2
- Netgear GS308ep connected by cable to the ax2
Would it be better to hang the hEX off the Netgear switch? The ax2 and the Netgear switch are in the same room.
2. Configuration
- The VLAN interfaces and the LAN/WAN interface lists are defined only on the ax3 (WAN = pppoe-out, LAN = all LAN interfaces, including 111)
- On all Mikrotiks a single bridge br_vlan with the ports for Ethernet and the virtual WiFi
- On the ax2 the Ethernet ports to the hEX and to the Netgear with PVID 111 and "admit all"
- On the ax3 only the Ethernet ports to the ax2 and to the cAP ax with PVID 111 and "admit all"
- All other Ethernet ports with "admit only untagged and priority tagged"
- All WiFi ports "admit only VLAN tagged", as described in "Mikrotik VLAN Konfiguration ab RouterOS Version 6.41" (Mikrotik VLAN configuration from RouterOS version 6.41)
- Under Bridge VLAN, all IDs other than 111 tagged on the bridge and on all trunk ports, including the WiFi ports
- On the Netgear I have kept using "Basic 802.1Q VLAN", as before the changeover. There the TRUNK port automatically always has PVID=1; that can only be changed in "Advanced 802.1Q VLAN", but I did not get along with that mode and did not want to invest more time in it for now. Do I now have to change all IDs to 1, or only the one from the ax2 to the switch? I left it at 111, and it works that way too. Strangely, the switch shows up in the leases as belonging to VLAN 40, which I have on several switch ports. But I can log in to the UI from a machine on the 111 port.
Another problem: attached to the switch is a Raspberry Pi for the heating control, which I can only reach through the UI. In the same VLAN there is also a heating gateway, which shows up in the lease as WIZNet. The Raspi is supposed to connect to the gateway automatically via an external machine, but that does not happen.
3. WLAN
"Mikrotik VLAN Konfiguration ab RouterOS Version 6.41" does not yet say anything about the WiFi "ax" band. All I have selected on the 5 GHz master is
SSID: ...
Country: Germany
Band: 5GHz AX
Channel Width: 20/40/80MHz
Skip DFS Channels: 10min CAC
Authentication Types: WPA2 PSK and WPA3 PSK
Group Update: 02:00:00
Passphrase: ...
Bridge: br_vlan
VLAN ID: 2
and on the 2.4 GHz master
SSID: ...
Country: Germany
Band: 2GHz AX
Channel Width: 20/40MHz
Authentication Types: WPA2 PSK and WPA3 PSK
Group Update: 02:00:00
Passphrase: ...
Bridge: br_vlan
VLAN ID: 2
In addition, I used the "Freq. Usage" tool to look for frequencies that are little used and entered two of them under "Frequency".
I do not use the master WiFis themselves; I have derived several virtual WiFis from the masters, which are assigned to different VLANs. I have given all WiFis that belong to the same VLAN the same SSID.
Is all of this in order?
4. Firewall
Do I understand "add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked" correctly: a connection must have been possible at least once so that later connections are forwarded? That is, would I have to add "new" once and remove it again later?
Here are the settings as well (so far I have still stored the DHCP scripts individually with each DHCP server)
ax3:
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_200
add address-pool=dhcp_pool_40 interface="vlan40 [PROXMOX]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_40
add address-pool=dhcp_pool_50 interface="vlan50 [PHONE]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_50
add address-pool=dhcp_pool_60 interface="vlan60 [MOBILE OFFICE]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_60
add address-pool=dhcp_pool_100 interface="vlan100 [HOME]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_100
add address-pool=dhcp_pool_1 interface="vlan1 [DEFAULT]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_1
add address-pool=dhcp_pool_111 interface="vlan111 [MANAGEMENT]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n}" lease-time=10m name=dhcp_111
/ppp profile
add change-tcp-mss=yes dns-server=10.10.200.1 name=vpn
/interface bridge port
add bridge=br_vlan interface="ether5 [TRUNK ax2]" internal-path-cost=10 path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether3 [MANAGEMENT]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi1 [5 GHz MASTER]" point-to-point=no pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi2 [2.4 GHz MASTER]" point-to-point=no pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi3 [HOMETEC 5] " point-to-point=no pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [PHONE]" pvid=50
add bridge=br_vlan interface="ether4 [TRUNK AP]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi4 [HOME 5]" point-to-point=no pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi5 [HOME 2.4]" point-to-point=no pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi6 [HOMETEC 2]" point-to-point=no pvid=200
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2],ether4 [TRUNK AP],wifi3 [HOMETEC 5] ,wifi6 [HOMETEC 2]" vlan-ids=200
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2],wifi1 [5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2],wifi4 [HOME 5],wifi5 [HOME 2.4],ether4 [TRUNK AP]" vlan-ids=100
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=40
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=50
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=60
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=yes
/interface list member
add interface="vlan1 [DEFAULT]" list=LAN
add interface="vlan200 [HOMETEC]" list=LAN
add interface=pppoe-out1 list=WAN
add interface="vlan2 [WLAN]" list=LAN
add interface="vlan40 [PROXMOX]" list=LAN
add interface="vlan100 [HOME]" list=LAN
add interface="vlan50 [PHONE]" list=LAN
add interface="vlan60 [MOBILE OFFICE]" list=LAN
add interface="vlan111 [MANAGEMENT]" list=LAN
/ip address
add address=10.10.200.1/24 interface="vlan200 [HOMETEC]" network=10.10.200.0
add address=10.10.40.1/24 interface="vlan40 [PROXMOX]" network=10.10.40.0
add address=10.10.50.1/24 interface="vlan50 [PHONE]" network=10.10.50.0
add address=10.10.60.1/24 interface="vlan60 [MOBILE OFFICE]" network=10.10.60.0
add address=10.10.100.1/24 interface="vlan100 [HOME]" network=10.10.100.0
add address=10.10.1.1/24 interface="vlan1 [DEFAULT]" network=10.10.1.0
add address=10.10.111.1/24 interface="vlan111 [MANAGEMENT]" network=10.10.111.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.10.111.2 client-id=1:d4:1:c3:7c:b7:b2 mac-address=D4:01:C3:7C:B7:B2 server=dhcp_111
add address=10.10.50.200 mac-address=58:9E:C6:36:4B:BB server=dhcp_50
add address=10.10.200.20 client-id=1:0:50:f4:36:f1:a7 comment="Lambda W\E4rmepumpe" mac-address=00:50:F4:36:F1:A7 server=dhcp_200
add address=10.10.111.4 client-id=1:2e:c8:1b:18:8c:4a mac-address=2E:C8:1B:18:8C:4A server=dhcp_111
add address=10.10.111.10 client-id=1:dc:2c:6e:74:d3:9b mac-address=DC:2C:6E:74:D3:9B server=dhcp_111
add address=10.10.40.117 client-id=1:2:58:8a:7c:5a:3f comment="Home Assistant" mac-address=02:58:8A:7C:5A:3F server=dhcp_40
add address=10.10.111.5 client-id=1:d4:1:c3:b8:f8:a6 mac-address=D4:01:C3:B8:F8:A6 server=dhcp_111
add address=10.10.111.23 client-id=1:dc:a6:32:2c:97:e mac-address=DC:A6:32:2C:97:0E server=dhcp_111
add address=10.10.200.193 client-id=1:dc:a6:32:f6:4a:47 mac-address=DC:A6:32:F6:4A:47 server=dhcp_200
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 domain=fasan.home.arpa gateway=10.10.1.1
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=fasan.home.arpa gateway=10.10.20.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=fasan.home.arpa gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=fasan.home.arpa gateway=10.10.50.1
add address=10.10.60.0/24 dns-server=10.10.60.1 domain=fasan.home.arpa gateway=10.10.60.1
add address=10.10.100.0/24 dns-server=10.10.100.1 domain=fasan.home.arpa gateway=10.10.100.1
add address=10.10.111.0/24 dns-server=10.10.111.1 domain=fasan.home.arpa gateway=10.10.111.1
add address=10.10.200.0/24 dns-server=10.10.200.1 domain=fasan.home.arpa gateway=10.10.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.200.20 comment=dhcp_200-00:50:F4:36:F1:A7 name=10-10-200-20.fasan.home.arpa ttl=15m
add address=10.10.200.189 comment=dhcp_200-24:4C:AB:01:5D:5C name=tibber-host.fasan.home.arpa ttl=15m
add address=10.10.111.10 comment=dhcp_111-DC:2C:6E:74:D3:9B name=mikrotik-hex.fasan.home.arpa ttl=15m
add address=10.10.40.103 comment=dhcp_40-BC:24:11:0A:1D:29 name=debian12.fasan.home.arpa ttl=15m
add address=10.10.40.102 comment=dhcp_40-BC:24:11:F1:C6:49 name=trilium.fasan.home.arpa ttl=15m
add address=10.10.40.101 comment=dhcp_40-BC:24:11:BF:3B:E2 name=seiferth-pdf.fasan.home.arpa ttl=15m
add address=10.10.40.117 comment=dhcp_40-02:58:8A:7C:5A:3F name=homeassistant.fasan.home.arpa ttl=15m
add address=10.10.40.113 comment=dhcp_40-C8:9E:43:8C:05:CA name=gs308ep.fasan.home.arpa ttl=15m
add address=10.10.111.5 comment=dhcp_111-D4:01:C3:B8:F8:A6 name=mikrotik-cap-ax.fasan.home.arpa ttl=15m
add address=10.10.100.173 comment=dhcp_100-F0:B3:EC:1E:A7:9A name=appletvafzimmer.fasan.home.arpa ttl=15m
add address=10.10.200.158 comment=dhcp_200-D4:F9:8D:02:08:74 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.200.156 comment=dhcp_200-D4:F9:8D:01:32:F0 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.100.161 comment=dhcp_100-94:EA:32:7A:16:6C name=schlafzimmer.fasan.home.arpa ttl=15m
add address=10.10.200.157 comment=dhcp_200-68:B6:B3:A2:1F:40 name=ecoflow.fasan.home.arpa ttl=15m
add address=10.10.50.200 comment=dhcp_50-58:9E:C6:36:4B:BB name=s850a-go.fasan.home.arpa ttl=15m
add address=10.10.100.102 comment=dhcp_100-3C:6A:9D:17:6E:A8 name=-y------.fasan.home.arpa ttl=15m
add address=10.10.100.110 comment=dhcp_100-EC:DA:3B:A8:7B:D8 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.111.2 comment=dhcp_111-D4:01:C3:7C:B7:B2 name=mikrotik-ax2.fasan.home.arpa ttl=15m
add address=10.10.200.193 comment=dhcp_200-DC:A6:32:F6:4A:47 name=contromeminiserver.fasan.home.arpa ttl=15m
add address=10.10.100.111 comment=dhcp_100-6C:3C:7C:78:35:92 name=10-10-100-111.fasan.home.arpa ttl=15m
add address=10.10.100.147 comment=dhcp_100-02:6C:1E:90:E3:3F name=10-10-100-147.fasan.home.arpa ttl=15m
add address=10.10.200.155 comment=dhcp_200-68:67:25:B3:0C:B8 name=hw51-1637.fasan.home.arpa ttl=15m
add address=10.10.100.163 comment=dhcp_100-F6:13:48:5A:03:10 name=10-10-100-163.fasan.home.arpa ttl=15m
add address=10.10.200.129 comment=dhcp_200-B4:8A:0A:C0:98:BB name=esp-c098bb.fasan.home.arpa ttl=15m
add address=10.10.100.168 comment=dhcp_100-C6:70:39:A2:8C:25 name=10-10-100-168.fasan.home.arpa ttl=15m
add address=10.10.111.27 comment=dhcp_111-38:C9:86:1A:EA:84 name=my-imac.fasan.home.arpa ttl=15m
add address=10.10.100.101 comment=dhcp_100-66:53:EE:71:9D:CA name=10-10-100-101.fasan.home.arpa ttl=15m
add address=10.10.100.146 comment=dhcp_100-B2:9F:00:1F:DA:0C name=10-10-100-146.fasan.home.arpa ttl=15m
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out IPSec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="accept DNS and NTP from LAN" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept DNS (TCP) from LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface="!vlan111 [MANAGEMENT]"
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward disabled=yes in-interface="vlan111 [MANAGEMENT]" out-interface="vlan200 [HOMETEC]" protocol=tcp
add action=accept chain=forward disabled=yes in-interface="vlan40 [PROXMOX]" out-interface="vlan200 [HOMETEC]" protocol=tcp
add action=accept chain=forward disabled=yes in-interface="vlan200 [HOMETEC]" out-interface="vlan111 [MANAGEMENT]"
add action=accept chain=forward disabled=yes in-interface="vlan111 [MANAGEMENT]" out-interface="vlan40 [PROXMOX]"
add action=accept chain=forward comment="accept all vlan to WAN udp" disabled=yes in-interface=all-vlan out-interface-list=WAN protocol=udp
add action=accept chain=forward comment="accept all vlan to WAN tcp" disabled=yes in-interface=all-vlan out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="accept all vlan to WAN icmp" disabled=yes in-interface=all-vlan out-interface-list=WAN protocol=icmp
add action=accept chain=forward disabled=yes dst-port=22,80,443,502 in-interface="vlan200 [HOMETEC]" protocol=tcp
add action=accept chain=forward disabled=yes in-interface="vlan200 [HOMETEC]" protocol=tcp
add action=accept chain=forward disabled=yes dst-port=22,80,443,502 in-interface="vlan100 [HOME]" protocol=tcp
add action=log chain=forward disabled=yes log=yes log-prefix=DROPPED
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=drop chain=forward out-interface="vlan111 [MANAGEMENT]"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=dst-nat chain=dstnat comment="Telefon S850A Go" dst-port=49004-49012 protocol=udp to-addresses=10.10.50.200 to-ports=49004-49012
add action=dst-nat chain=dstnat comment="Port 80 Forwarding Miniserver" disabled=yes dst-port=51820 in-interface=pppoe-out1 protocol=tcp to-addresses=10.10.200.193 to-ports=80
add action=dst-nat chain=dstnat comment="Port 80 Forwarding Floor Gateway" disabled=yes dst-port=51720 in-interface=pppoe-out1 protocol=tcp to-addresses=10.10.200.130 to-ports=80
add action=dst-nat chain=dstnat comment="Port 22 Forwarding Floor Gateway" disabled=yes dst-port=51730 in-interface=pppoe-out1 protocol=tcp to-addresses=10.10.200.130 to-ports=22
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# no interface
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface=!*C
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/ppp secret
add local-address=10.10.200.1 name=Heating profile=vpn remote-address=10.10.200.150 service=l2tp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax3"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=ntp0.fau.de
add address=ntp1.fau.de
add address=ntp2.fau.de
add address=ntp3.fau.de
add address=ntp0.ewetel.de
add address=ntp1.ewetel.de
ax2:
# 2024-08-03 09:33:53 by RouterOS 7.15.2
# software id = 5MCE-DL16
#
# model = C52iG-5HaxD2HaxD
# serial number = HGC09WRMRVQ
/interface bridge
add igmp-snooping=yes name=br_vlan port-cost-mode=short pvid=111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[TRUNK]"
set [ find default-name=ether2 ] name="ether2 [DLAN/FBG]"
set [ find default-name=ether3 ] name="ether3 [MANAGEMENT]"
set [ find default-name=ether4 ] name="ether4 [TRUNK HEX]"
set [ find default-name=ether5 ] name="ether5 [TRUNK SWITCH]"
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5805,5865,5300 .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Germany .hide-ssid=yes .mode=ap .ssid=AX2_5 \
datapath.bridge=br_vlan .vlan-id=2 disabled=no name="wifi1 [5 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2432,2442 .width=20/40mhz configuration.country=Germany .hide-ssid=yes .mode=ap .ssid=AX2_2.4 datapath.bridge=br_vlan .vlan-id=2 \
disabled=no name="wifi2 [2.4 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_5 datapath.bridge=br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 master-interface="wifi1 [5 GHz MASTER]" name="wifi3 [HOMETEC 5] "
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_2 datapath.bridge=br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 master-interface="wifi2 [2.4 GHz MASTER]" name="wifi4 [HOMETEC 2]"
add configuration.mode=ap .ssid=Neuwlanstein_Home_5 datapath.bridge=br_vlan .vlan-id=100 disabled=no mac-address=D6:01:C3:7C:B7:B8 master-interface="wifi1 [5 GHz MASTER]" name="wifi5 [HOME 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Home_2 datapath.bridge=br_vlan .vlan-id=100 disabled=no mac-address=D6:01:C3:7C:B7:B9 master-interface="wifi2 [2.4 GHz MASTER]" name="wifi6 [HOME 2]"
add configuration.mode=ap .ssid=Neuwlanstein_Homeoffice_5 datapath.bridge=br_vlan .vlan-id=60 disabled=no mac-address=D6:01:C3:7C:B7:BA master-interface="wifi1 [5 GHz MASTER]" name=\
"wifi7 [HOMEOFFICE 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Homeoffice_2 datapath.bridge=br_vlan .vlan-id=60 disabled=no mac-address=D6:01:C3:7C:B7:BB master-interface="wifi2 [2.4 GHz MASTER]" name=\
"wifi8 [HOMEOFFICE 2]"
/interface vlan
add interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111
/interface list
add comment="L2TP interfaces" name=L2TP
add comment="defconf: contains all VLAN interfaces" name=LAN
add comment="contains WAN interface" name=WAN
/interface bridge port
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi1 [5 GHz MASTER]" internal-path-cost=10 path-cost=10 pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi2 [2.4 GHz MASTER]" internal-path-cost=10 path-cost=10 pvid=2
add bridge=br_vlan fast-leave=yes frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [DLAN/FBG]" internal-path-cost=10 path-cost=10 pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi3 [HOMETEC 5] " pvid=200
add bridge=br_vlan interface="ether1[TRUNK]" pvid=111
add bridge=br_vlan interface="ether5 [TRUNK SWITCH]" pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether3 [MANAGEMENT]" pvid=111
add bridge=br_vlan interface="ether4 [TRUNK HEX]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi5 [HOME 5]" pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi4 [HOMETEC 2]" pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi7 [HOMEOFFICE 5]" pvid=60
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi8 [HOMEOFFICE 2]" pvid=60
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi6 [HOME 2]" pvid=100
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether4 [TRUNK HEX],ether5 [TRUNK SWITCH],wifi3 [HOMETEC 5] ,wifi4 [HOMETEC 2]" vlan-ids=200
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether5 [TRUNK SWITCH],wifi1 [5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether5 [TRUNK SWITCH],wifi5 [HOME 5],wifi6 [HOME 2]" vlan-ids=100
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether5 [TRUNK SWITCH]" vlan-ids=40
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether5 [TRUNK SWITCH],wifi7 [HOMEOFFICE 5],wifi8 [HOMEOFFICE 2]" vlan-ids=60
/interface detect-internet
set detect-interface-list=WAN
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="vlan111 [MANAGEMENT]"
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax2"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set manycast=yes multicast=yes
/system ntp client servers
add address=10.10.111.1
/system routerboard settings
set auto-upgrade=yes
[SEadmin@Mikrotik ax2] >
cAP ax:
[SEadmin@MikroTik cAP ax] > hide-
bad command name hide- (line 1 column 1)
[SEadmin@MikroTik cAP ax] >
[SEadmin@MikroTik cAP ax] > export hide-sensitive
# 2024-08-03 09:34:35 by RouterOS 7.15.3
# software id = 20ZI-4D5V
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGG09PJVQH1
/interface bridge
add name=br_vlan port-cost-mode=short pvid=111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [TRUNK]"
set [ find default-name=ether2 ] name="ether2 [MANAGEMENT] "
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz configuration.hide-ssid=yes .mode=ap .ssid=CAP_AX3_5 datapath.bridge=br_vlan .vlan-id=2 disabled=\
no name="wifi1 [MASTER 5]"
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz configuration.hide-ssid=yes .mode=ap .ssid=CAP_AX3_2 datapath.bridge=br_vlan .vlan-id=2 disabled=no \
name="wifi2 [MASTER 2]"
add configuration.mode=ap .ssid=Neuwlanstein_Home_5 datapath.bridge=br_vlan .vlan-id=100 disabled=no mac-address=D6:01:C3:B8:F8:A8 master-interface="wifi1 [MASTER 5]" \
name="wifi3 [HOME 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Home_2 datapath.bridge=br_vlan .vlan-id=100 disabled=no mac-address=D6:01:C3:B8:F8:AA master-interface="wifi1 [MASTER 5]" \
name="wifi4 [HOME 2]"
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_5 datapath.bridge=br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:B8:F8:AB master-interface="wifi2 [MASTER 2]" \
name="wifi5 [HOMETEC 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_2 datapath.bridge=br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:B8:F8:A9 master-interface="wifi2 [MASTER 2]" \
name="wifi6 [HOMETEC 2]"
/interface vlan
add interface=br_vlan name="vlan111 [TRUNK]" vlan-id=111
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK]" internal-path-cost=10 path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [MANAGEMENT] " internal-path-cost=10 path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi3 [HOME 5]" pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi4 [HOME 2]" pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi5 [HOMETEC 5]" pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi6 [HOMETEC 2]" pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi1 [MASTER 5]" pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi2 [MASTER 2]" pvid=2
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK],wifi3 [HOME 5],wifi4 [HOME 2]" vlan-ids=100
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK],wifi5 [HOMETEC 5],wifi6 [HOMETEC 2]" vlan-ids=200
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK],wifi1 [MASTER 5],wifi2 [MASTER 2]" vlan-ids=2
/ip dhcp-client
add interface="vlan111 [TRUNK]"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik cAP ax"
/system note
set show-at-login=no
[SEadmin@MikroTik cAP ax] >
hEX:
# 2024-08-03 09:35:07 by RouterOS 7.15.2
# software id = FL60-4C0P
#
# model = RB750Gr3
# serial number = D5030F4D57A1
/interface bridge
add igmp-snooping=yes name=br_vlan pvid=111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [TRUNK]"
set [ find default-name=ether2 ] name="ether2 [HOMETEC]"
set [ find default-name=ether3 ] name="ether3 [HOMETEC]"
set [ find default-name=ether4 ] name="ether4 [HOMETEC]"
set [ find default-name=ether5 ] name="ether5 [MANAGEMENT]"
/interface vlan
add interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK]" pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether3 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether4 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether5 [MANAGEMENT]" pvid=111
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK]" vlan-ids=200
/ip dhcp-client
add interface="vlan111 [MANAGEMENT]"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik hEX"
/system note
set show-at-login=no
[SEadmin@MikroTik hEX] >
GS308ep:
Content-ID: 3270560994
Url: https://administrator.de/contentid/3270560994
Printed on: September 11, 2024 at 22:09 o'clock
If the Netgear switch is the central distributor in the network, it would certainly be better from a design standpoint to attach the router there. Cascades are always ugly in an Ethernet that is inherently meant for a star design.
Purely functionally, though, it doesn't matter how you do it. Both variants work.
The missing PVID option on the Netgear is certainly a configuration error on your part. That such a classic basic function, which is essential for a clean VLAN setup, is supposedly not available is implausible. Netgear is, unfortunately, known not to be the best choice for a VLAN setup because of its sometimes more than cryptic syntax, even in the GUI. The VLAN tutorial on this site covers it in broad terms:
VLAN Installation und Routing mit pfSense, Mikrotik, DD-WRT oder Cisco RV Routern
Perhaps that helps you with the setup.
Otherwise you can also forward the PVID VLAN with changing IDs. It carries no VLAN tag, after all, and if it is set as PVID 111 on one side and the other side receives it with PVID 1, it is simply forwarded there in VLAN 1. Technically that is no problem, but from a management point of view it is a nightmare to manage something like that when VLAN IDs are not consistently homogeneous. So you should think carefully about whether you want such a hack!
The rest looks OK so far.
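The PVID classification discussed in the comment above (untagged frames on a trunk land in VLAN 111 on one side and VLAN 1 on the other), as an added example that is not part of the thread or of RouterOS: a small Python model that parses the `/interface bridge port` and `/interface bridge vlan` lines of an export in the format shown above, derives which VLAN untagged ingress frames get on each port, and flags a PVID mismatch across one link. The sample export is constructed from lines like those in the hEX and cAP ax exports; the function names are the example's own.

```python
import re

# Constructed sample in the style of the hEX and cAP ax exports above.
SAMPLE_EXPORT = """
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK]" pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether5 [MANAGEMENT]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi5 [HOMETEC 5]" pvid=200
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK]" vlan-ids=200
"""
ARG = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add ...' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append({k: v.strip('"') for k, v in ARG.findall(line[4:])})
    return sections

def classify_untagged(port):
    """VLAN an untagged frame gets on ingress; None means it is dropped."""
    if port.get("frame-types") == "admit-only-vlan-tagged":
        return None
    return int(port.get("pvid", 1))  # RouterOS default PVID is 1

def untagged_map(sections):
    """Interface name -> VLAN of untagged ingress frames on that port."""
    return {p["interface"]: classify_untagged(p)
            for p in sections.get("/interface bridge port", [])}

def vlan_membership(sections):
    """Per VLAN: tagged ports from the table, untagged ports derived from PVIDs."""
    members = {}
    def entry(vid):
        return members.setdefault(vid, {"tagged": set(), "untagged": set()})
    for v in sections.get("/interface bridge vlan", []):
        for vid in v["vlan-ids"].split(","):  # comma lists only, no ranges
            entry(int(vid))["tagged"].update(filter(None, v.get("tagged", "").split(",")))
    for name, vid in untagged_map(sections).items():
        if vid is not None:  # RouterOS adds these as dynamic untagged entries
            entry(vid)["untagged"].add(name)
    return members

def trunk_pvid_mismatch(pvid_a, pvid_b):
    """True when the two ends of one link put untagged frames into different VLANs."""
    return pvid_a != pvid_b  # e.g. 111 vs 1: two VLANs silently bridged
```

Running `vlan_membership(parse_export(SAMPLE_EXPORT))` shows VLAN 111 carried tagged on the bridge and untagged on the trunk and management ports, which is exactly the management-via-PVID arrangement the exports rely on; `trunk_pvid_mismatch(111, 1)` is the switch-side situation the comment warns about.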