====== Mikrotik - VLAN tests ======

CRS125-24G-1S-RM : AR9344 / MIPS-BE / routing : 700 Mbps (25 rules) / 1 core

hEX (Ethernet router) : RB750Gr3 - MT7621A / 1128 Mbps / 2 cores

For VLAN Tables, see: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction

We assume the CRS125 is the device being configured. VLAN Tables take precedence over switch groups.

CRS: see https://wiki.mikrotik.com/wiki/Manual:CRS_examples#InterVLAN_Routing

Two operating modes:

  * "InterVLAN Routing" when you want to handle firewalling in the CRS, OR to have an admin IP! Uses the VLAN tables, which take priority over switch groups (see: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Vlan_Table)
  * "Port Based VLAN" when you do not want to handle routing

**Note:** Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

We will always use "InterVLAN Routing".

**Note for RB450G/RB435G/RB850Gx2:** Switch All Ports Feature. Ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed/added to the default switch group. By default ether1 port will be included in the switch group. This configuration can be changed with:

<code>
/interface ethernet switch set switch1 switch-all-ports=no
</code>

===== Playing with VLANs =====

**Note:** Some changes may take some time to take effect due to already learned MAC addresses. In such cases flushing the Unicast Forwarding Database can help:

<code>
/interface ethernet switch unicast-fdb flush
/interface ethernet switch print
</code>

unknown-vlan-lookup-mode (ivl | svl; Default: svl): lookup and learning mode for packets with invalid VLAN.

Loop protect: http://www.stubarea51.net/2016/11/16/mikrotik-routeros-new-feature-loop-protect/

Not effective on release v6.39.2 (stable) because:

  * if enabled on a VLAN, the VLAN is disabled
  * on each port: does not work (no specific packets are sent)

==== REFERENCE CONFIGURATION - switch mode - IP on VLAN interface ====

  * ether1-8 : vlan 1 - untagged
  * ether9-16 : vlan 10 - untagged
  * ether17-23 : vlan 100 - untagged
  * ether24 + sfp1 : vlan trunk

Spanning tree OK, loop protection KO (beware of broadcast storms), VLAN port isolation OK, admin IP reachable via VLAN tag and untagged OK.

<code>
/system clock
set time-zone-name=Europe/Paris
/system routerboard settings
set boot-device=flash-boot
/interface bridge
add name=br-spanning-tree
add name=br-uplink
add name=br-vlan1
/interface ethernet
set [ find default-name=sfp1 ] loop-protect=off
/interface vlan
add interface=sfp1 name=if-vlan1 vlan-id=1
/interface ethernet
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
/interface bridge port
add bridge=br-spanning-tree interface=sfp1
add bridge=br-vlan1 interface=if-vlan1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=1
add tagged-ports=ether24,sfp1 vlan-id=10
add tagged-ports=ether24,sfp1 vlan-id=100
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=1 ports=ether1
add customer-vid=0 new-customer-vid=1 ports=ether2
add customer-vid=0 new-customer-vid=1 ports=ether3
add customer-vid=0 new-customer-vid=1 ports=ether4
add customer-vid=0 new-customer-vid=1 ports=ether5
add customer-vid=0 new-customer-vid=1 ports=ether6
add customer-vid=0 new-customer-vid=1 ports=ether7
add customer-vid=0 new-customer-vid=1 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=100 ports=ether17
add customer-vid=0 new-customer-vid=100 ports=ether18
add customer-vid=0 new-customer-vid=100 ports=ether19
add customer-vid=0 new-customer-vid=100 ports=ether20
add customer-vid=0 new-customer-vid=100 ports=ether21
add customer-vid=0 new-customer-vid=100 ports=ether22
add customer-vid=0 new-customer-vid=100 ports=ether23
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1,switch1-cpu vlan-id=1
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1 vlan-id=10
add ports=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1 vlan-id=100
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
    ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,\
    ether19,ether20,ether21,ether22,ether23,ether24,sfp1,switch1-cpu" forward-unknown-vlan=no
/ip address
add address=10.0.1.1/24 interface=br-vlan1 network=10.0.1.0
</code>

==== REFERENCE CONFIGURATION - simple router mode - IPs on bridges - internet uplink on port 23 outside the master switch ====

  * ether1-8 : vlan 1 - untagged
  * ether9-16 : vlan 10 - untagged
  * ether17-22 : vlan 100 - untagged
  * ether23 : untagged, no vlan => internet uplink
  * ether24 + sfp1 : vlan trunk

<code>
/system clock
set time-zone-name=Europe/Paris
/system routerboard settings
set boot-device=flash-boot
/interface bridge
add name=br-spanning-tree
add name=br-uplink
add name=br-vlan1
add name=br-vlan10
add name=br-vlan100
/interface vlan
add interface=sfp1 name=if-vlan1 vlan-id=1
add interface=sfp1 name=if-vlan10 vlan-id=10
add interface=sfp1 name=if-vlan100 vlan-id=100
/interface ethernet
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether23 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
/interface bridge port
add bridge=br-spanning-tree interface=sfp1
add bridge=br-uplink interface=ether23
add bridge=br-vlan1 interface=if-vlan1
add bridge=br-vlan10 interface=if-vlan10
add bridge=br-vlan100 interface=if-vlan100
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=1
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=10
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=100
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=1 ports=ether1
add customer-vid=0 new-customer-vid=1 ports=ether2
add customer-vid=0 new-customer-vid=1 ports=ether3
add customer-vid=0 new-customer-vid=1 ports=ether4
add customer-vid=0 new-customer-vid=1 ports=ether5
add customer-vid=0 new-customer-vid=1 ports=ether6
add customer-vid=0 new-customer-vid=1 ports=ether7
add customer-vid=0 new-customer-vid=1 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=100 ports=ether17
add customer-vid=0 new-customer-vid=100 ports=ether18
add customer-vid=0 new-customer-vid=100 ports=ether19
add customer-vid=0 new-customer-vid=100 ports=ether20
add customer-vid=0 new-customer-vid=100 ports=ether21
add customer-vid=0 new-customer-vid=100 ports=ether22
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1,switch1-cpu vlan-id=1
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1,switch1-cpu vlan-id=10
add ports=ether17,ether18,ether19,ether20,ether21,ether22,ether24,sfp1,switch1-cpu vlan-id=100
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
    ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,\
    ether19,ether20,ether21,ether22,ether24,sfp1,switch1-cpu" forward-unknown-vlan=no
/ip address
add address=10.0.1.1/24 interface=br-vlan1 network=10.0.1.0
add address=10.0.10.1/24 interface=br-vlan10 network=10.0.10.0
add address=10.0.100.1/24 interface=br-vlan100 network=10.0.100.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=br-uplink
</code>

==== REFERENCE CONFIGURATION - router + firewall mode - IPs on bridges ====

  * ether1-8 : vlan 1 - untagged
  * ether9-16 : vlan 10 - untagged
  * ether17-22 : vlan 101 - untagged
  * ether23 : vlan 200 - untagged => internet uplink
  * ether24 + sfp1 : vlan trunk

Change the firewall administration IP (look for 192.168.210.253 in the config). Change the variables here:

<code>
{
:local fwIp 192.168.210.253;
:local fwHostname plmagw03;
:local dnsServers 192.168.210.254,192.168.200.254,8.8.8.8
:local adminNetwork 0.0.0.0/0
:local timeZone Europe/Paris
:local NTPServerIP1 37.187.56.220
:local NTPServerIP2 5.135.3.88
:local SyslogServerIP 192.168.210.10
:local defaultGW 192.168.210.254

/system identity
set name=$fwHostname
/ip dns
set allow-remote-requests=yes servers=$dnsServers
/ip dns static
add address=$fwIp name=$fwHostname
/ip cloud
set update-time=no
set ddns-enabled=no
/ip upnp
set enabled=no
set show-dummy-rule=no
/ip settings
set rp-filter=strict
/ip neighbor discovery settings
set default=no
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ftp address=$adminNetwork
set www address=$adminNetwork
set ssh address=$adminNetwork
set winbox address=$adminNetwork
/interface bridge settings
set use-ip-firewall=yes
/system clock
set time-zone-autodetect=no
set time-zone-name=$timeZone
/system ntp client
set enabled=yes primary-ntp=$NTPServerIP1 secondary-ntp=$NTPServerIP2
/system logging action
add name=syslg remote=$SyslogServerIP target=remote
/system logging
add prefix=debug topics=wireless
add prefix=debug topics=manager
add action=syslg topics=!dns
/ip route
add distance=1 gateway=$defaultGW
/ip firewall address-list
add address=0.0.0.0/0 comment="Allowed IPs for this equipment managment " list=support
}

/port
set 0 name=serial0
/system routerboard settings
set boot-device=flash-boot protected-routerboot=disabled
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface bridge
add name=br-spanning-tree
add name=br-admin-v1
add name=br-data-v10
add name=br-services-v101
add name=br-internet-v200
/interface vlan
add interface=sfp1 name=if-vlan-1 vlan-id=1
add interface=sfp1 name=if-vlan-10 vlan-id=10
add interface=sfp1 name=if-vlan-101 vlan-id=101
add interface=sfp1 name=if-vlan-200 vlan-id=200
/interface ethernet
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether23 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
/interface bridge port
add bridge=br-spanning-tree interface=sfp1
add bridge=br-admin-v1 interface=if-vlan-1
add bridge=br-data-v10 interface=if-vlan-10
add bridge=br-services-v101 interface=if-vlan-101
add bridge=br-internet-v200 interface=if-vlan-200
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=1
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=10
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=101
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=1 ports=ether1
add customer-vid=0 new-customer-vid=1 ports=ether2
add customer-vid=0 new-customer-vid=1 ports=ether3
add customer-vid=0 new-customer-vid=1 ports=ether4
add customer-vid=0 new-customer-vid=1 ports=ether5
add customer-vid=0 new-customer-vid=1 ports=ether6
add customer-vid=0 new-customer-vid=1 ports=ether7
add customer-vid=0 new-customer-vid=1 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=101 ports=ether17
add customer-vid=0 new-customer-vid=101 ports=ether18
add customer-vid=0 new-customer-vid=101 ports=ether19
add customer-vid=0 new-customer-vid=101 ports=ether20
add customer-vid=0 new-customer-vid=101 ports=ether21
add customer-vid=0 new-customer-vid=101 ports=ether22
add customer-vid=0 new-customer-vid=200 ports=ether23
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1,switch1-cpu vlan-id=1
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1,switch1-cpu vlan-id=10
add ports=ether17,ether18,ether19,ether20,ether21,ether22,sfp1,switch1-cpu vlan-id=101
add ports=ether23,ether24,sfp1,switch1-cpu vlan-id=200
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
    ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,\
    ether19,ether20,ether21,ether22,ether23,ether24,sfp1,switch1-cpu" forward-unknown-vlan=no
/ip address
add address=10.1.255.254/16 interface=br-admin-v1 network=10.1.0.0
add address=10.10.255.254/16 interface=br-data-v10 network=10.10.0.0
add address=10.100.255.254/16 interface=br-services-v101 network=10.100.0.0
add address=192.168.210.253/24 interface=br-internet-v200 network=192.168.210.0
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=out_masq out-interface=br-internet-v200
/ip firewall address-list
remove [find]
add address=0.0.0.0/0 comment="Allowed IPs for this equipment managment " list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.250.0/24 comment="Local network admin" list=local_network
/ip firewall filter
remove [find]
add action=passthrough chain=separator comment="######## Invalid packets managment"
add action=drop chain=input comment="Drop input invalid packets" connection-state=invalid log=yes
add action=drop chain=output comment="Drop output invalid packets" connection-state=invalid log=yes
add action=drop chain=forward comment="Drop forward invalid packets" connection-state=invalid log=yes
add action=passthrough chain=separator comment="######## flood/scan/spam/enforcment"
add action=drop chain=forward comment="Drop dest. local IP routed to Internet uplink" connection-state=established,related,new dst-address-list=local_network in-interface=!br-internet-v200 log=yes out-interface=br-internet-v200
add action=drop chain=forward comment="Drop bogons from Internet uplink" connection-state=established,related,new in-interface=br-internet-v200 src-address-list=bogons
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 connection-state=new log=yes log-prefix=syn_flood protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" connection-state=established,related,new src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" connection-state=new log=yes log-prefix=port_scanner protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" connection-state=established,related,new src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 connection-state=new dst-port=25,587 limit=30/1m,0 log=yes log-prefix=spammers protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" connection-state=established,related,new dst-port=25,587 protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Block all access to the winbox - except to support list ; change support list in order to enable this feature" dst-port=8291,80,21,22 protocol=tcp src-address-list=!support
add action=passthrough chain=separator comment="######## Accept established and related packets"
add chain=input comment="Accept established/related connections/packets" connection-state=established,related
add chain=output comment="Accept established/related connections/packets" connection-state=established,related
add chain=forward comment="Accept established/related connections/packets" connection-state=established,related
add action=passthrough chain=separator comment="######## input : to this equipment OS"
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add chain=input comment=DHCP dst-port=67,68 in-interface=!br-internet-v200 protocol=udp
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="This equipement administration allowed from SUPPORT address list" dst-address=192.168.210.253 dst-port=8291,80,21,22 log=yes log-prefix=ADMIN protocol=tcp src-address-list=support
add action=passthrough chain=separator comment="######## output : from this equipment OS"
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add chain=output comment="Anti chat log (ex : DNS)" dst-port=53 protocol=udp
add chain=output comment="Firewall to Internet (updates, DNS)" log=yes log-prefix=FW-INET out-interface=br-internet-v200
add chain=output comment=DHCP dst-port=67,68 out-interface=!br-internet-v200 protocol=udp
add action=passthrough chain=separator comment="######## forward : thru this equipment OS"
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add chain=forward comment="Accept Internet outgoing" out-interface=br-internet-v200
add action=passthrough chain=separator comment="######## ICMP chain"
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add chain=input disabled=yes log=yes log-prefix=XXXXX
add chain=output disabled=yes log=yes log-prefix=XXXXX
add chain=forward disabled=yes log=yes log-prefix=XXXXX
add action=passthrough chain=separator comment="######## Final reject/DROP"
add action=reject chain=input in-interface=!br-internet-v200 log=yes log-prefix=reject_input reject-with=icmp-admin-prohibited
add action=reject chain=output out-interface=!br-internet-v200 log=yes log-prefix=reject_output reject-with=icmp-admin-prohibited
add action=reject chain=forward in-interface=!br-internet-v200 log=yes log-prefix=reject_forward reject-with=icmp-admin-prohibited
add action=drop chain=input log=yes log-prefix=drop_input
add action=drop chain=output log=yes log-prefix=drop_output
add action=drop chain=forward log=yes log-prefix=drop_forward
</code>

==== OLD - REFERENCE CONFIGURATION - switch mode - IP on VLAN interface ====

**/!\ Problem with the CPU port:** untagged packets can potentially reach the CPU. That is useless and can be dangerous.

  * ether1-8 : vlan 1 - untagged
  * ether9-16 : vlan 10 - untagged
  * ether17-23 : vlan 100 - untagged
  * ether24 + sfp1 : vlan trunk

Spanning tree OK, loop protection KO (beware of broadcast storms), VLAN port isolation OK, admin IP reachable via VLAN tag and untagged OK.

<code>
/interface ethernet
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
/port
set 0 name=serial0
/system routerboard settings
set boot-device=flash-boot protected-routerboot=disabled
/interface bridge
add name=br-spanning-tree
/interface bridge port
add bridge=br-spanning-tree interface=sfp1
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1,ether24,switch1-cpu vlan-id=1
add tagged-ports=sfp1,ether24 vlan-id=10
add tagged-ports=sfp1,ether24 vlan-id=100
/interface ethernet switch ingress-vlan-translation
add ports=ether1 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether2 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether7 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether8 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether9 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether10 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether11 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether12 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether13 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether14 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether15 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether16 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether17 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether18 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether19 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether21 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether22 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether23 customer-vid=0 new-customer-vid=100 sa-learning=yes
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1 vlan-id=1 learn=yes
add ports=switch1-cpu,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1 vlan-id=10 learn=yes
add ports=switch1-cpu,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1 vlan-id=100 learn=yes
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1
/interface ethernet switch
set forward-unknown-vlan=no
/interface vlan
add name=if-vlan1 interface=sfp1 vlan-id=1
/ip address
add address=10.0.1.1/24 interface=if-vlan1 network=10.0.1.0
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.254
</code>
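Added example, not from the page nor from MikroTik: a small Python audit that reads a CRS switch-chip VLAN configuration in the export format used above and flags the inconsistencies this page warns about: an access port whose PVID has no VLAN-table entry, a port tagged on egress without membership, the CPU port belonging to a VLAN that leaves it untagged (the "problem with the CPU port" of the old config, where switch1-cpu is in every VLAN but only tagged for VLAN 1), and member ports missing from the drop-if-invalid list. The sample export is constructed and deliberately contains each of those mistakes.

```python
"""Consistency audit for a CRS switch-chip VLAN config in RouterOS export format."""
import shlex
from collections import defaultdict

CPU_PORT = "switch1-cpu"
DROP_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

# Constructed sample modelled on the page's "OLD" switch-mode config: vlan 1 on ether1,
# vlan 10 on ether3, trunk on ether24/sfp1, plus ether5 mapped to VID 20, which has no entry.
SAMPLE_EXPORT = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1,ether24,switch1-cpu vlan-id=1
add tagged-ports=sfp1,ether24 vlan-id=10
/interface ethernet switch ingress-vlan-translation
add ports=ether1 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=20 sa-learning=yes
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether24,sfp1 vlan-id=1 learn=yes
add ports=switch1-cpu,ether3,ether24,sfp1 vlan-id=10 learn=yes
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\\
    ether3,ether24"
set forward-unknown-vlan=no
"""

def _logical_lines(text):
    """Join RouterOS backslash line continuations into single logical lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_export(text):
    """Collect egress tagging, ingress PVIDs, VLAN membership and the drop list."""
    cfg = {"egress": defaultdict(set), "ingress": {}, "vlan": defaultdict(set),
           "drop_ports": set(), "forward_unknown_vlan": None}
    section = ""
    for line in _logical_lines(text):
        if not line or line.startswith("/"):   # blank, or a menu path such as /interface ethernet switch vlan
            section = line or section
            continue
        words = shlex.split(line)              # handles the quoted port list
        kv = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if section.endswith("egress-vlan-tag"):
            cfg["egress"][int(kv["vlan-id"])].update(kv["tagged-ports"].split(","))
        elif section.endswith("ingress-vlan-translation"):
            for port in kv["ports"].split(","):   # PVID applied to untagged ingress
                cfg["ingress"][port] = int(kv["new-customer-vid"])
        elif section.endswith("switch vlan"):
            cfg["vlan"][int(kv["vlan-id"])].update(kv["ports"].split(","))
        elif section == "/interface ethernet switch":
            if DROP_KEY in kv:
                cfg["drop_ports"].update(kv[DROP_KEY].split(","))
            if "forward-unknown-vlan" in kv:
                cfg["forward_unknown_vlan"] = kv["forward-unknown-vlan"]
    return cfg

def audit(cfg):
    """Return findings as strings; an empty list means the tables are consistent."""
    findings = []
    # Untagged ingress mapped to a VID the port is not a member of: those frames never forward.
    for port, vid in sorted(cfg["ingress"].items()):
        if port not in cfg["vlan"].get(vid, set()):
            findings.append(f"{port}: PVID {vid} but not a member of that VLAN-table entry")
    # Tagged on egress for a VLAN the port does not belong to.
    for vid, ports in sorted(cfg["egress"].items()):
        for port in sorted(ports - cfg["vlan"].get(vid, set())):
            findings.append(f"{port}: tagged on egress for VID {vid} without membership")
    # The page's CPU caveat: the CPU port belongs to a VLAN whose egress leaves it untagged.
    for vid, ports in sorted(cfg["vlan"].items()):
        if CPU_PORT in ports and CPU_PORT not in cfg["egress"].get(vid, set()):
            findings.append(f"{CPU_PORT}: member of VID {vid} but untagged on egress, "
                            "frames reach the CPU without a tag")
    # Member ports that still accept frames from VLANs they are not part of.
    for port in sorted(set().union(*cfg["vlan"].values()) - {CPU_PORT} - cfg["drop_ports"]):
        findings.append(f"{port}: missing from {DROP_KEY}")
    if cfg["forward_unknown_vlan"] != "no":
        findings.append("forward-unknown-vlan is not 'no': unknown VIDs are flooded")
    return findings
```

On the sample, audit(parse_export(SAMPLE_EXPORT)) reports ether5 (PVID 20 without a table entry), switch1-cpu (VLAN 10 reaches the CPU untagged) and sfp1 (absent from the drop list).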