Mikrotik - test VLANS

CRS125-24G-1S-RM : AR9344 / MIPS-BE / routing : 700 Mbps (25 rules) / 1 core — hEX (routeur ethernet) : RB750Gr3 - MT7621A / 1128 Mbps / 2 cores

Pour VLAN Tables, voir : https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction

On considère que CRS125 est équipé. Les VLAN Tables prennent le pas sur les switch groups.

CRS : voir https://wiki.mikrotik.com/wiki/Manual:CRS_examples#InterVLAN_Routing

Deux modes de fonctionnement :

  1. “InterVLAN Routing” quand on veut gérer le firewalling dans le CRS, OU avoir une IP d'admin !

Utilise les VLAN tables, prioritaires sur les switch groups (voir : https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Vlan_Table)

  2. “Port Based VLAN” quand on ne veut pas gérer le routage

Note:

Multiple master-port configuration is designed as a fast and simple port isolation solution, but it limits part of the VLAN functionality supported by the CRS switch-chip. For advanced configurations use one master-port within the CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration. Conclusion : on utilisera tout le temps “InterVLAN Routing”.

Nota pour RB450G/RB435G/RB850Gx2 :

Switch All Ports Feature : the ether1 port on RB450G/RB435G/RB850Gx2 has a feature that allows it to be removed from / added to the default switch group. By default ether1 is included in the switch group. This can be changed with: /interface ethernet switch set switch1 switch-all-ports=no

Jouer avec les VLANS

Note : Some changes may take some time to take effect due to already learned MAC addresses. In such cases flushing the Unicast Forwarding Database can help: /interface ethernet switch unicast-fdb flush

/interface ethernet switch print — unknown-vlan-lookup-mode (ivl | svl; Default: svl) : Lookup and learning mode for packets with invalid VLAN.

http://www.stubarea51.net/2016/11/16/mikrotik-routeros-new-feature-loop-protect/ Pas efficace en révision v6.39.2 (stable) car :

CONF TYPE de REFERENCE - mode Switch - IP sur interface VLAN

ether1-8 : vlan 1 - untagged
ether9-16 : vlan 10 - untagged
ether17-23 : vlan 100 - untagged
ether24 + sfp1 : vlan trunk

Spanning tree OK, loop protection KO (attention : tempêtes de broadcast), VLAN port isolation OK, IP admin joignable via vlan tag et untagged OK


# --- Reference config 1: pure switch, management IP on a VLAN interface ---
/system clock
set time-zone-name=Europe/Paris

/system routerboard settings
set boot-device=flash-boot

/interface bridge
# br-spanning-tree only ever holds the master port (sfp1): it exists so that
# spanning tree runs on the switch group, not to bridge ports in software.
add name=br-spanning-tree
# br-uplink is created but nothing is attached to it in this config; it is only
# used by the "routeur simple" config further down.
add name=br-uplink
# br-vlan1 receives the management address (see /ip address at the end).
add name=br-vlan1

/interface ethernet
# Loop protection is deliberately off on the master port: the notes above
# report it as ineffective on v6.39.2, so broadcast-storm protection relies on
# spanning tree alone.
set [ find default-name=sfp1 ] loop-protect=off

/interface vlan
# CPU-side VLAN 1 interface on the master port. Only VLAN 1 is tagged towards
# the CPU in this config, so this is the only VLAN the OS can be reached on.
add interface=sfp1 name=if-vlan1 vlan-id=1

/interface ethernet
# Single switch group: sfp1 is cleared to master-port=none first, then every
# copper port is attached to it as a slave (one master for all ports, as the
# note at the top of the page recommends).
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1

/interface bridge port
# The master port alone goes into the STP bridge; the VLAN interface goes into
# the bridge that carries the management IP.
add bridge=br-spanning-tree interface=sfp1
add bridge=br-vlan1 interface=if-vlan1

/interface ethernet switch egress-vlan-tag
# Trunk ports ether24 and sfp1 send every VLAN tagged. switch1-cpu is tagged
# for VLAN 1 only and is listed only in the VLAN 1 membership below, so VLANs
# 10 and 100 never reach the CPU: the management IP is exposed to VLAN 1 alone.
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=1
add tagged-ports=ether24,sfp1 vlan-id=10
add tagged-ports=ether24,sfp1 vlan-id=100

/interface ethernet switch ingress-vlan-translation
# Access ports: untagged ingress (customer-vid=0) is assigned the port's VLAN.
# ether1-8 -> VLAN 1, ether9-16 -> VLAN 10, ether17-23 -> VLAN 100.
# ether24 and sfp1 have no entry (they are trunks); untagged frames arriving on
# them presumably fall under the drop rule at the end of this section — confirm
# on the device.
add customer-vid=0 new-customer-vid=1 ports=ether1
add customer-vid=0 new-customer-vid=1 ports=ether2
add customer-vid=0 new-customer-vid=1 ports=ether3
add customer-vid=0 new-customer-vid=1 ports=ether4
add customer-vid=0 new-customer-vid=1 ports=ether5
add customer-vid=0 new-customer-vid=1 ports=ether6
add customer-vid=0 new-customer-vid=1 ports=ether7
add customer-vid=0 new-customer-vid=1 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=100 ports=ether17
add customer-vid=0 new-customer-vid=100 ports=ether18
add customer-vid=0 new-customer-vid=100 ports=ether19
add customer-vid=0 new-customer-vid=100 ports=ether20
add customer-vid=0 new-customer-vid=100 ports=ether21
add customer-vid=0 new-customer-vid=100 ports=ether22
add customer-vid=0 new-customer-vid=100 ports=ether23

/interface ethernet switch vlan
# VLAN membership table (VLAN tables take precedence over switch groups, see
# the wiki link at the top). Only VLAN 1 includes switch1-cpu.
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1,switch1-cpu vlan-id=1
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1 vlan-id=10
add ports=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1 vlan-id=100

/interface ethernet switch
# Port-isolation guard: frames whose VLAN is unknown, or whose ingress port is
# not a member of that VLAN, are dropped on every port including the CPU port.
# Without this a tagged frame arriving on an access port could be forwarded
# into another VLAN.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
    ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,\
    ether19,ether20,ether21,ether22,ether23,ether24,sfp1,switch1-cpu" forward-unknown-vlan=no

/ip address
# Management address on the bridge that holds if-vlan1. No default route is
# configured in this config, so the switch is only reachable from this subnet
# unless a route is added.
add address=10.0.1.1/24 interface=br-vlan1 network=10.0.1.0

CONF TYPE de REFERENCE - mode routeur simple - IPs sur bridges - uplink internet sur port 23 hors switch master

ether1-8 : vlan 1 - untagged
ether9-16 : vlan 10 - untagged
ether17-22 : vlan 100 - untagged
ether23 : untagged, pas de vlan => uplink internet
ether24 + sfp1 : vlan trunk

# --- Reference config 2: simple router, one bridge per VLAN, ether23 as a
# routed uplink outside the switch group ---
/system clock
set time-zone-name=Europe/Paris

/system routerboard settings
set boot-device=flash-boot

/interface bridge
# One bridge per VLAN plus br-uplink for the off-switch internet port; the IP
# addresses below are placed on the bridges, not on the VLAN interfaces.
add name=br-spanning-tree
add name=br-uplink
add name=br-vlan1
add name=br-vlan10
add name=br-vlan100

/interface vlan
# CPU-side VLAN interfaces on the master port; each is bridged into its own
# br-vlanN so the router routes between the three VLANs.
add interface=sfp1 name=if-vlan1 vlan-id=1
add interface=sfp1 name=if-vlan10 vlan-id=10
add interface=sfp1 name=if-vlan100 vlan-id=100

/interface ethernet
# sfp1 is the master port. ether23 is kept out of the switch group so it is a
# plain routed port for the internet uplink (it goes into br-uplink below).
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether23 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1

/interface bridge port
add bridge=br-spanning-tree interface=sfp1
# NOTE(review): this config has no /ip firewall section at all. The router's
# own services and, through routing, all three VLANs are reachable from
# whatever is plugged into ether23. Use it only behind a trusted uplink; the
# "routeur + firewall" config further down is the one to start from otherwise.
add bridge=br-uplink interface=ether23
add bridge=br-vlan1 interface=if-vlan1
add bridge=br-vlan10 interface=if-vlan10
add bridge=br-vlan100 interface=if-vlan100

/interface ethernet switch egress-vlan-tag
# Unlike the pure-switch config, switch1-cpu is tagged in every VLAN: the CPU
# has to see all three to route between them.
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=1
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=10
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=100

/interface ethernet switch ingress-vlan-translation
# Access ports: ether1-8 -> VLAN 1, ether9-16 -> VLAN 10, ether17-22 -> VLAN 100.
# ether23 is not a switch port in this config and ether24/sfp1 are trunks, so
# none of them has an entry.
add customer-vid=0 new-customer-vid=1 ports=ether1
add customer-vid=0 new-customer-vid=1 ports=ether2
add customer-vid=0 new-customer-vid=1 ports=ether3
add customer-vid=0 new-customer-vid=1 ports=ether4
add customer-vid=0 new-customer-vid=1 ports=ether5
add customer-vid=0 new-customer-vid=1 ports=ether6
add customer-vid=0 new-customer-vid=1 ports=ether7
add customer-vid=0 new-customer-vid=1 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=100 ports=ether17
add customer-vid=0 new-customer-vid=100 ports=ether18
add customer-vid=0 new-customer-vid=100 ports=ether19
add customer-vid=0 new-customer-vid=100 ports=ether20
add customer-vid=0 new-customer-vid=100 ports=ether21
add customer-vid=0 new-customer-vid=100 ports=ether22

/interface ethernet switch vlan
# VLAN membership; switch1-cpu is a member of every VLAN (matches the egress
# tagging above).
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1,switch1-cpu vlan-id=1
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1,switch1-cpu vlan-id=10
add ports=ether17,ether18,ether19,ether20,ether21,ether22,ether24,sfp1,switch1-cpu vlan-id=100

/interface ethernet switch
# Unknown-VLAN / non-member ingress is dropped on every switch port and on the
# CPU port. ether23 is absent from the list because it is not in the switch
# group.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
    ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,\
    ether19,ether20,ether21,ether22,ether24,sfp1,switch1-cpu" forward-unknown-vlan=no

/ip address
# One gateway address per VLAN, on its bridge.
add address=10.0.1.1/24 interface=br-vlan1 network=10.0.1.0
add address=10.0.10.1/24 interface=br-vlan10 network=10.0.10.0
add address=10.0.100.1/24 interface=br-vlan100 network=10.0.100.0

/ip dhcp-client
# The uplink address comes from the upstream DHCP server; no static default
# route is configured here, so the DHCP lease is presumably expected to supply
# it (and the DNS servers) — confirm on the device. hostname and clientid are
# sent to the upstream server.
add dhcp-options=hostname,clientid disabled=no interface=br-uplink

CONF TYPE de REFERENCE - mode routeur + firewall - IPs sur bridges

ether1-8 : vlan 1 - untagged
ether9-16 : vlan 10 - untagged
ether17-22 : vlan 101 - untagged
ether23 : vlan 300 - untagged => uplink internet
ether24 + sfp1 : vlan trunk

Change firewall administration IP (look for 192.168.210.253 in the config). Change vars here :

{
  # Site-specific values. The :local variables are only visible inside this
  # brace block, which is why the exported config that follows repeats
  # 192.168.210.253 literally (see the note above).
  :local fwIp 192.168.210.253;
  :local fwHostname plmagw03;
  :local dnsServers 192.168.210.254,192.168.200.254,8.8.8.8
  # 0.0.0.0/0 = no restriction: every /ip service below is then reachable from
  # any source address. Set this to the real administration prefix before
  # deployment.
  :local adminNetwork 0.0.0.0/0
  :local timeZone Europe/Paris
  :local NTPServerIP1 37.187.56.220
  :local NTPServerIP2 5.135.3.88
  :local SyslogServerIP 192.168.210.10
  :local defaultGW 192.168.210.254

  /system identity
  set name=$fwHostname

  /ip dns
  # allow-remote-requests=yes makes the router a resolver for its clients.
  # Whether the uplink side can query it too depends entirely on the input
  # chain of the firewall (see the "Accept DNS" rules in the filter section).
  set allow-remote-requests=yes servers=$dnsServers

  /ip dns static
  add address=$fwIp name=$fwHostname

  /ip cloud
  # No MikroTik cloud time sync or DDNS.
  set update-time=no
  set ddns-enabled=no
  /ip upnp
  set enabled=no
  set show-dummy-rule=no
  /ip settings
  # Strict reverse-path filtering: a packet whose source would not be routed
  # back through its ingress interface is dropped.
  set rp-filter=strict
  /ip neighbor discovery settings
  # Neighbor discovery off by default on interfaces.
  set default=no

  /ip service
  # telnet and the API are disabled. ftp, www (plain HTTP), ssh and winbox stay
  # enabled, limited only by $adminNetwork. ftp and www are cleartext; consider
  # disabling them as well unless they are actually used.
  set telnet disabled=yes
  set api disabled=yes
  set api-ssl disabled=yes
  set ftp address=$adminNetwork
  set www address=$adminNetwork
  set ssh address=$adminNetwork
  set winbox address=$adminNetwork

  /interface bridge settings
  # Sends bridged (L2) traffic through /ip firewall. The exported config
  # further down sets this back to no, and being later it wins — decide which
  # value is wanted.
  set use-ip-firewall=yes

  /system clock
  set time-zone-autodetect=no
  set time-zone-name=$timeZone
  /system ntp client
  set enabled=yes primary-ntp=$NTPServerIP1 secondary-ntp=$NTPServerIP2

  /system logging action
  # Remote syslog is sent in clear; keep the collector on the management
  # network.
  add name=syslg remote=$SyslogServerIP target=remote
  
  /system logging
  add prefix=debug topics=wireless
  add prefix=debug topics=manager
  # Everything except dns topics goes to the remote collector.
  add action=syslg topics=!dns
  
  /ip route
  add distance=1 gateway=$defaultGW
  
  /ip firewall address-list
  # Management allow-list. With 0.0.0.0/0 the "!support" drop in the filter
  # section matches nothing. This entry is wiped by the "remove [find]" and
  # re-added in the exported config below.
  add address=0.0.0.0/0 comment="Allowed IPs for this equipment managment " list=support
}
/port
set 0 name=serial0

/system routerboard settings
# protected-routerboot=disabled leaves the bootloader unprotected: anyone with
# physical access can reset or reinstall the device. Enabling it is the usual
# hardening step once the config is final (recovery becomes harder).
set boot-device=flash-boot protected-routerboot=disabled

/interface bridge settings
# Turns the L2 firewall pass back off (the variable block above enabled it)
# and enables fast-path. Each bridge holds a single VLAN interface, so little
# is actually bridged; /ip firewall still applies to routed traffic.
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/interface bridge
# One bridge per VLAN. The IP addresses and the firewall interface matches
# refer to these bridge names, not to the if-vlan-* interfaces.
add name=br-spanning-tree
add name=br-admin-v1
add name=br-data-v10
add name=br-services-v101
add name=br-internet-v200

/interface vlan
# NOTE(review): the section heading says ether23 is VLAN 300; every line of
# this config uses 200 (if-vlan-200, br-internet-v200, the switch tables).
# 200 is taken as the intended value here — fix the heading or the config.
add interface=sfp1 name=if-vlan-1 vlan-id=1
add interface=sfp1 name=if-vlan-10 vlan-id=10
add interface=sfp1 name=if-vlan-101 vlan-id=101
add interface=sfp1 name=if-vlan-200 vlan-id=200

/interface ethernet
set [ find default-name=sfp1 ] master-port=none
# Leftover from the "routeur simple" config: ether23 is re-attached to sfp1 a
# few lines below, so this line has no lasting effect.
set [ find default-name=ether23 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
# Unlike the previous config, ether23 is a switch port here: the VLAN 200
# access port for the internet uplink.
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1

/interface bridge port
add bridge=br-spanning-tree interface=sfp1
add bridge=br-admin-v1 interface=if-vlan-1
add bridge=br-data-v10 interface=if-vlan-10
add bridge=br-services-v101 interface=if-vlan-101
add bridge=br-internet-v200 interface=if-vlan-200

/interface ethernet switch egress-vlan-tag
# All four VLANs are tagged towards the CPU (needed for the if-vlan-* routing
# interfaces) and towards the trunk ports ether24/sfp1.
# NOTE(review): VLAN 200 is the internet-side VLAN. Carrying it on the trunk
# ports means a device on the trunk can join the uplink segment directly and
# bypass the firewall. Confirm this is intended; otherwise remove ether24 from
# the vlan-id=200 entries here and in the vlan table below.
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=1
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=10
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=101
add tagged-ports=ether24,sfp1,switch1-cpu vlan-id=200

/interface ethernet switch ingress-vlan-translation
# Access ports: ether1-8 -> VLAN 1 (admin), ether9-16 -> VLAN 10 (data),
# ether17-22 -> VLAN 101 (services), ether23 -> VLAN 200 (internet uplink).
add customer-vid=0 new-customer-vid=1 ports=ether1
add customer-vid=0 new-customer-vid=1 ports=ether2
add customer-vid=0 new-customer-vid=1 ports=ether3
add customer-vid=0 new-customer-vid=1 ports=ether4
add customer-vid=0 new-customer-vid=1 ports=ether5
add customer-vid=0 new-customer-vid=1 ports=ether6
add customer-vid=0 new-customer-vid=1 ports=ether7
add customer-vid=0 new-customer-vid=1 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=101 ports=ether17
add customer-vid=0 new-customer-vid=101 ports=ether18
add customer-vid=0 new-customer-vid=101 ports=ether19
add customer-vid=0 new-customer-vid=101 ports=ether20
add customer-vid=0 new-customer-vid=101 ports=ether21
add customer-vid=0 new-customer-vid=101 ports=ether22
add customer-vid=0 new-customer-vid=200 ports=ether23

/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1,switch1-cpu vlan-id=1
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1,switch1-cpu vlan-id=10
# NOTE(review): VLAN 101 is tagged on ether24 in egress-vlan-tag above, but
# ether24 is not a member here (VLANs 1, 10 and 200 do include it). With the
# drop-if-... setting below, VLAN 101 frames on the ether24 trunk should be
# discarded, which contradicts the "ether24 + sfp1 : vlan trunk" heading.
# Confirm whether ether24 was left out on purpose.
add ports=ether17,ether18,ether19,ether20,ether21,ether22,sfp1,switch1-cpu vlan-id=101
add ports=ether23,ether24,sfp1,switch1-cpu vlan-id=200

/interface ethernet switch
# Port-isolation guard on every port including the CPU port: unknown VLANs and
# frames whose ingress port is not a member of their VLAN are dropped.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,\
        ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
        ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,\
        ether19,ether20,ether21,ether22,ether23,ether24,sfp1,switch1-cpu" forward-unknown-vlan=no

/ip address
# Gateway at the top of each /16. 192.168.210.253 is the uplink-side address;
# it is also the only destination the input chain accepts administration on
# (see the filter section).
add address=10.1.255.254/16 interface=br-admin-v1 network=10.1.0.0
add address=10.10.255.254/16 interface=br-data-v10 network=10.10.0.0
add address=10.100.255.254/16 interface=br-services-v101 network=10.100.0.0
add address=192.168.210.253/24 interface=br-internet-v200 network=192.168.210.0

/ip firewall nat
# Source NAT for everything leaving via the internet VLAN. log=yes logs each
# connection that is NATed — useful on a test bench, very noisy in production.
add action=masquerade chain=srcnat log=yes log-prefix=out_masq out-interface=br-internet-v200

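/ip firewall address-list
# Wipes whatever the variable block above added (including its "support"
# entry) and rebuilds the lists from scratch.
remove [find]
# Management allow-list, consumed by the "!support" drop and the
# administration accept in the filter section. 0.0.0.0/0 is a placeholder
# meaning "anyone": replace it with the real administration prefix.
add address=0.0.0.0/0 comment="Allowed IPs for this equipment managment " list=support
# Bogons: dropped as source address on the uplink ("Drop bogons from Internet
# uplink" in the filter section). 10.0.0.0/8 stays enabled on purpose: the
# internal VLANs are 10.x, so a 10.x source arriving from the internet VLAN is
# spoofed.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=bogons
# Loopback is 127.0.0.0/8 (RFC 3330); the previous /16 left most of the block
# unmatched.
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
# Disabled because the uplink itself is 192.168.210.0/24; enabling it would
# drop all traffic coming from the uplink subnet.
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
# Destinations that must never leave via the uplink ("Drop dest. local IP
# routed to Internet uplink"). 192.168.250.0/24 matches none of the subnets
# configured in this file — presumably a leftover from another site; set it to
# the internal ranges (10.1/16, 10.10/16, 10.100/16) for the rule to protect
# anything.
add address=192.168.250.0/24 comment="Local network admin" list=local_network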

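/ip firewall filter
# Stateful filter. Order matters: invalid/abuse drops first, then the
# established/related accepts, then per-chain accepts, then a reject for the
# internal interfaces and a silent drop for everything else. "separator" is
# not a real chain: the passthrough rules are headings only. Rules without an
# action accept.
remove [find]

add action=passthrough chain=separator comment="######## Invalid packets managment"
# log=yes on the three invalid-state drops logs every such packet; fine on a
# test bench, expect noise on a busy uplink.
add action=drop chain=input comment="Drop input invalid packets" connection-state=invalid log=yes
add action=drop chain=output comment="Drop output invalid packets" connection-state=invalid log=yes
add action=drop chain=forward comment="Drop forward invalid packets" connection-state=invalid log=yes

add action=passthrough chain=separator comment="######## flood/scan/spam/enforcment"
# Anti-leak: traffic for an address in local_network must never leave via the
# uplink. local_network (192.168.250.0/24 in the address-list section) matches
# none of the subnets configured in this file, so this rule currently protects
# nothing.
add action=drop chain=forward comment="Drop dest. local IP routed to Internet uplink" connection-state=established,related,new dst-address-list=local_network in-interface=!br-internet-v200 log=yes out-interface=br-internet-v200
# Anti-spoofing on the uplink: bogons includes 10.0.0.0/8, so internal source
# addresses arriving from the internet VLAN are dropped.
add action=drop chain=forward comment="Drop bogons from Internet uplink" connection-state=established,related,new in-interface=br-internet-v200 src-address-list=bogons
# More than 30 new TCP connections from one source (/32) -> listed for 30 min
# and dropped by the next rule.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 connection-state=new log=yes log-prefix=syn_flood protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" connection-state=established,related,new src-address-list=Syn_Flooder
# Port-scan detection (psd) -> listed for a week and dropped by the next rule.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" connection-state=new log=yes log-prefix=port_scanner protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" connection-state=established,related,new src-address-list=Port_Scanner
# Outbound SMTP rate control: sources opening too many SMTP connections are
# listed for 3 h and their SMTP is dropped.
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 connection-state=new dst-port=25,587 limit=30/1m,0 log=yes log-prefix=spammers protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" connection-state=established,related,new dst-port=25,587 protocol=tcp src-address-list=spammers
# Management lock-down. src-address-list=!support matches nothing while
# "support" is 0.0.0.0/0 (its value in this file), so the rule is inert until
# the list is narrowed, as its comment says.
add action=drop chain=input comment="Block all access to the winbox - except to support list ; change support list in order to enable this feature" dst-port=8291,80,21,22 protocol=tcp src-address-list=!support

add action=passthrough chain=separator comment="######## Accept established and related packets"
add chain=input comment="Accept established/related connections/packets" connection-state=established,related
add chain=output comment="Accept established/related connections/packets" connection-state=established,related
add chain=forward comment="Accept established/related connections/packets" connection-state=established,related

add action=passthrough chain=separator comment="######## input : to this equipment OS"
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# DHCP only from the internal VLANs (no DHCP server is configured in this
# file; the rule is harmless).
add chain=input comment=DHCP dst-port=67,68 in-interface=!br-internet-v200 protocol=udp
# DNS service for the internal VLANs only. The previous form "port=53"
# matched the source port as well as the destination port and had no
# interface restriction; with allow-remote-requests=yes that exposed the
# resolver on the uplink. Replies to the router's own queries are already
# covered by the established/related accept above, so dst-port is enough.
add chain=input comment="Accept DNS - UDP" dst-port=53 in-interface=!br-internet-v200 protocol=udp
add chain=input comment="Accept DNS - TCP" dst-port=53 in-interface=!br-internet-v200 protocol=tcp
# Management is accepted only towards the uplink-side address 192.168.210.253
# (winbox, http, ftp, ssh) and only from "support". With support = 0.0.0.0/0
# this is reachable from the whole uplink: narrow the list, or add
# in-interface=!br-internet-v200 if management from the uplink is not wanted.
# Nothing accepts management towards the 10.x.255.254 gateway addresses, so
# those fall through to the final reject; internal admins must also target
# 192.168.210.253.
add chain=input comment="This equipement administration allowed from SUPPORT address list" dst-address=192.168.210.253 dst-port=8291,80,21,22 log=yes log-prefix=ADMIN protocol=tcp src-address-list=support
add action=passthrough chain=separator comment="######## output : from this equipment OS"
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
# Router-originated DNS queries, accepted before the logged rules to keep the
# log readable.
add chain=output comment="Anti chat log (ex : DNS)" dst-port=53 protocol=udp
# Router-originated traffic towards the internet (updates, external DNS).
add chain=output comment="Firewall to Internet (updates, DNS)" log=yes log-prefix=FW-INET out-interface=br-internet-v200
add chain=output comment=DHCP dst-port=67,68 out-interface=!br-internet-v200 protocol=udp

add action=passthrough chain=separator comment="######## forward : thru this equipment OS"
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
# Any VLAN may reach the internet. Nothing accepts VLAN-to-VLAN traffic except
# the ICMP types allowed in the ICMP chain; other inter-VLAN flows hit the
# final reject. Add explicit forward rules per VLAN pair if routing between
# VLANs is wanted.
add chain=forward comment="Accept Internet outgoing" out-interface=br-internet-v200

add action=passthrough chain=separator comment="######## ICMP chain"
# Shared ICMP chain: echo request rate-limited, the replies/errors needed for
# traceroute and PMTUD accepted, everything else dropped.
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# Disabled log probes for debugging (prefix XXXXX); enable temporarily to see
# what reaches the final reject/drop.
add chain=input disabled=yes log=yes log-prefix=XXXXX
add chain=output disabled=yes log=yes log-prefix=XXXXX
add chain=forward disabled=yes log=yes log-prefix=XXXXX

add action=passthrough chain=separator comment="######## Final reject/DROP"
# Internal interfaces get an ICMP admin-prohibited reject (fast failure for
# clients); the uplink side falls through to a silent drop.
add action=reject chain=input in-interface=!br-internet-v200 log=yes log-prefix=reject_input reject-with=icmp-admin-prohibited
add action=reject chain=output out-interface=!br-internet-v200 log=yes log-prefix=reject_output reject-with=icmp-admin-prohibited
add action=reject chain=forward in-interface=!br-internet-v200 log=yes log-prefix=reject_forward reject-with=icmp-admin-prohibited
add action=drop chain=input log=yes log-prefix=drop_input
add action=drop chain=output log=yes log-prefix=drop_output
add action=drop chain=forward log=yes log-prefix=drop_forward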

OLD - CONF TYPE de REFERENCE - mode Switch - IP sur interface VLAN. /!\ connerie avec CPU : potentiellement, des paquets non taggués remontent en CPU. C'est inutile et ça peut être dangereux.

ether1-8 : vlan 1 - untagged
ether9-16 : vlan 10 - untagged
ether17-23 : vlan 100 - untagged
ether24 + sfp1 : vlan trunk

Spanning tree OK, loop protection KO (attention : tempêtes de broadcast), VLAN port isolation OK, IP admin joignable via vlan tag et untagged OK


# --- OLD pure-switch config, kept for reference; see the heading for why it
# was replaced ---
/interface ethernet
# Single switch group: sfp1 is the master port, every copper port is a slave.
set [ find default-name=sfp1 ] master-port=none
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1

/port
set 0 name=serial0

/system routerboard settings
# protected-routerboot=disabled leaves the bootloader unprotected against
# reset/reinstall by anyone with physical access.
set boot-device=flash-boot protected-routerboot=disabled

/interface bridge
# Bridge holding only the master port, so that spanning tree runs on it.
add name=br-spanning-tree

/interface bridge port
add bridge=br-spanning-tree interface=sfp1

/interface ethernet switch egress-vlan-tag
# Only VLAN 1 is tagged towards switch1-cpu, yet the vlan table below makes
# switch1-cpu a member of VLANs 10 and 100 as well: frames of those VLANs
# therefore reach the CPU untagged. This is the "paquets non taggués remontent
# en CPU" problem noted in the heading. The newer configs above avoid it by
# keeping switch1-cpu out of the VLAN 10/100 membership (switch mode) or by
# tagging it in every VLAN (router modes).
add tagged-ports=sfp1,ether24,switch1-cpu vlan-id=1
add tagged-ports=sfp1,ether24 vlan-id=10
add tagged-ports=sfp1,ether24 vlan-id=100

/interface ethernet switch ingress-vlan-translation
# Access ports: ether1-8 -> VLAN 1, ether9-16 -> VLAN 10, ether17-23 -> VLAN
# 100, with source-MAC learning explicitly on.
add ports=ether1 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether2 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether7 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether8 customer-vid=0 new-customer-vid=1 sa-learning=yes
add ports=ether9 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether10 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether11 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether12 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether13 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether14 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether15 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether16 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether17 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether18 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether19 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether21 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether22 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether23 customer-vid=0 new-customer-vid=100 sa-learning=yes

/interface ethernet switch vlan
# switch1-cpu is a member of all three VLANs here (see the note on
# egress-vlan-tag above).
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,sfp1 vlan-id=1 learn=yes
add ports=switch1-cpu,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sfp1 vlan-id=10 learn=yes
add ports=switch1-cpu,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1 vlan-id=100 learn=yes

/interface ethernet switch
# Port-isolation guard. Unlike the newer configs, switch1-cpu is not in this
# list.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1

/interface ethernet switch
set forward-unknown-vlan=no

/interface vlan
add name=if-vlan1 interface=sfp1 vlan-id=1

/ip address
# Management IP directly on the VLAN interface (the newer configs put it on a
# bridge instead).
add address=10.0.1.1/24 interface=if-vlan1 network=10.0.1.0

/ip route
# Default route via the VLAN 1 gateway: management becomes reachable from
# other networks, and there is no /ip firewall in this config to limit it.
add dst-address=0.0.0.0/0 gateway=10.0.1.254