
latestMergeIteration.rsc

# 2023-07-23 14:27:26 by RouterOS 7.10
# software id = Q8LX-3IVL
#
# model = RB760iGS
 
# Pause 30 s before applying anything below -- presumably to let the
# interfaces come up after boot/import; TODO confirm the intended reason.
:delay 30000ms
 
 
#######################################
# Naming
#######################################
 
# name the device being configured
# NOTE(review): "MikroTik" appears to be the factory-default identity, so this
# line changes nothing until a site-specific name is chosen.
/system identity set name="MikroTik"
 
 
#######################################
# VLAN Overview
#######################################
 
# 99 = MGMT_VLAN .0
# 10 = Home_VLAN .10
# 20 = Cams_VLAN .20
# 30 = IoT_VLAN .30
# 40 = Guest_VLAN .40
 
 
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
# (vlan-filtering is switched on as the very last step of this file, after
# the VLAN interfaces, addressing and firewall exist)
# protocol-mode=none disables (R)STP on this bridge.
/interface bridge add name=bridge_LAN protocol-mode=none vlan-filtering=no
 
#######################################
#
# -- Trunk Ports --
#
#######################################
# Ingress side: ether1-ether5 each join bridge_LAN as a trunk port.
# pvid is left at its default of 1 on every port; there are no access ports.
/interface bridge port add interface=ether1 bridge=bridge_LAN
/interface bridge port add interface=ether2 bridge=bridge_LAN
/interface bridge port add interface=ether3 bridge=bridge_LAN
/interface bridge port add interface=ether4 bridge=bridge_LAN
/interface bridge port add interface=ether5 bridge=bridge_LAN
 
# Renames the serial console port. Unrelated to the VLAN setup -- looks like
# a line carried over from a full export; harmless to keep.
/port
set 0 name=serial0a
 
# Egress side: every VLAN is carried tagged on all five trunk ports.
# bridge_LAN itself is a tagged member of each VLAN as well, so the router
# can terminate L3 services on them through the /interface vlan entries
# created in the IP Services section.
/interface bridge vlan add bridge=bridge_LAN vlan-ids=10 tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5
/interface bridge vlan add bridge=bridge_LAN vlan-ids=20 tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5
/interface bridge vlan add bridge=bridge_LAN vlan-ids=30 tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5
/interface bridge vlan add bridge=bridge_LAN vlan-ids=40 tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5
/interface bridge vlan add bridge=bridge_LAN vlan-ids=99 tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5
 
 
 
#######################################
# IP Services
#######################################
 
 
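# Home VLAN interface creation, IP assignment, and DHCP service.
# Clients are handed this segment's own gateway as DNS resolver (the router
# answers DNS on any of its addresses, see IP Addressing & Routing) rather
# than the MGMT_VLAN address, so the management address is not advertised to
# non-management clients and each segment stays self-contained.
/interface vlan add interface=bridge_LAN name=Home_VLAN vlan-id=10
/ip address add interface=Home_VLAN address=192.168.10.1/24
/ip pool add name=Home_POOL ranges=192.168.10.2-192.168.10.254
/ip dhcp-server add address-pool=Home_POOL interface=Home_VLAN name=Home_DHCP disabled=no
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1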
 
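# Cams VLAN interface creation, IP assignment, and DHCP service.
# dns-server is this segment's gateway, not the MGMT_VLAN address: the router
# resolves on any of its addresses, and cameras have no business learning the
# management address.
/interface vlan add interface=bridge_LAN name=Cams_VLAN vlan-id=20
/ip address add interface=Cams_VLAN address=192.168.20.1/24
/ip pool add name=Cams_POOL ranges=192.168.20.2-192.168.20.254
/ip dhcp-server add address-pool=Cams_POOL interface=Cams_VLAN name=Cams_DHCP disabled=no
/ip dhcp-server network add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1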
 
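# IoT VLAN interface creation, IP assignment, and DHCP service.
# dns-server is this segment's gateway, not the MGMT_VLAN address: the router
# resolves on any of its addresses, and IoT devices should not be told where
# the management network lives.
/interface vlan add interface=bridge_LAN name=IoT_VLAN vlan-id=30
/ip address add interface=IoT_VLAN address=192.168.30.1/24
/ip pool add name=IoT_POOL ranges=192.168.30.2-192.168.30.254
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1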
 
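# Guest VLAN interface creation, IP assignment, and DHCP service.
# dns-server is this segment's gateway, not the MGMT_VLAN address: guests
# are the least trusted segment and should only ever see their own gateway.
# NOTE(review): Guest_VLAN is not a member of the VLAN interface list in the
# Firewalling section of this file as written; without that membership the
# input/forward rules keyed on that list never match guest traffic.
/interface vlan add interface=bridge_LAN name=Guest_VLAN vlan-id=40
/ip address add interface=Guest_VLAN address=192.168.40.1/24
/ip pool add name=Guest_POOL ranges=192.168.40.2-192.168.40.254
/ip dhcp-server add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP disabled=no
/ip dhcp-server network add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1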
 
# MGMT_VLAN interface creation, IP assignment, and DHCP service.
# The dynamic pool starts at .20; the static leases in the Leases section
# (.2, .3, .5, .10) sit below it, so they cannot collide with a dynamically
# assigned address.
/interface vlan add interface=bridge_LAN name=MGMT_VLAN vlan-id=99
/ip address add interface=MGMT_VLAN address=192.168.0.1/24 
/ip pool add name=MGMT_POOL ranges=192.168.0.20-192.168.0.254
/ip dhcp-server add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
 
#######################################
# IP Addressing & Routing
#######################################
# DNS: the router caches and answers queries for the LAN, forwarding to a
# single upstream (8.8.8.8).
# allow-remote-requests=yes makes it answer any query that gets through the
# input chain -- the input chain's final drop is what keeps WAN hosts from
# using this as an open resolver, so that rule must stay.
/ip dns set allow-remote-requests=yes servers="8.8.8.8"
 
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
 
# Use MikroTik's "list" feature for easy rule matchmaking.
# WAN  - uplink interfaces (matched by the NAT and forward rules)
# VLAN - internal segments (matched by the input and forward rules)
# MGMT - the management segment (MAC server / neighbor discovery)
# LAN  - created but never populated or referenced anywhere in this file.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMT
/interface list add name=LAN
 
# PPPoE uplink over sfp1: installs the default route and takes the ISP's DNS
# servers (use-peer-dns=yes). No password appears in this listing; it has to
# be supplied separately before the session can come up.
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out2 \
    use-peer-dns=yes user=ROMANSKI_SZPITALNA
 
# Neighbor discovery on every non-dynamic interface. This is overridden in the
# MAC Server section below, which narrows it to the MGMT list; the final value
# is what counts.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
 
# Internet-detection probing enabled on all interfaces. Not used by anything
# else in this file; presumably a carried-over default -- TODO confirm it is wanted.
/interface detect-internet
set detect-interface-list=all
 
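/interface list member

# WAN: the physical uplink and the PPPoE session that runs over it.
# NOTE(review): "*8" is an unresolved internal ID left behind by an interface
# that no longer exists in this configuration; it cannot be resolved on
# import and should be removed or replaced before this file is applied.
add interface=*8 list=WAN
add interface=sfp1 list=WAN
add interface=pppoe-out2 list=WAN

# VLAN: every segment the firewall treats as internal. The firewall matches
# on this list (input accept, forward-to-WAN accept), so a VLAN missing here
# gets no Internet access and cannot reach router services such as DNS.
# Guest_VLAN was absent in the original, leaving the guest DHCP server with
# clients that could go nowhere; it is included here.
add interface=MGMT_VLAN list=VLAN
add interface=Home_VLAN list=VLAN
add interface=Cams_VLAN list=VLAN
add interface=IoT_VLAN list=VLAN
add interface=Guest_VLAN list=VLAN

# MGMT: the only segment allowed to manage the device (MAC server and
# neighbor discovery key off this list; the input chain's full-access rule
# matches the MGMT_VLAN interface directly).
add interface=MGMT_VLAN list=MGMT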
 
# Static route for the MGMT subnet via 192.168.0.1 -- that gateway is the
# router's own MGMT_VLAN address, so this duplicates the connected route the
# /ip address entry already provides. Looks like an export artefact; confirm
# before keeping it.
/ip route
add dst-address=192.168.0.0/24 gateway=192.168.0.1 routing-table=main \
    suppress-hw-offload=no

 

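# VLAN aware firewall. Rules are evaluated top-down and the first match wins,
# so order is important. Anything not explicitly accepted is dropped.
/ip firewall filter

##################
# INPUT CHAIN  (traffic addressed to the router itself)
##################

add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=input action=drop connection-state=invalid comment="Drop Invalid"

# Non-management VLANs only need the router for DHCP, DNS and basic
# reachability checks. Everything else the router offers (Winbox, SSH, www,
# API, ...) is reachable from MGMT_VLAN only -- see the rule after these.
add chain=input action=accept protocol=udp dst-port=67 in-interface-list=VLAN comment="Allow VLAN DHCP"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=VLAN comment="Allow VLAN DNS (udp)"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=VLAN comment="Allow VLAN DNS (tcp)"
add chain=input action=accept protocol=icmp in-interface-list=VLAN comment="Allow VLAN ICMP"

# MGMT_VLAN gets full access to the device for Winbox, etc.
add chain=input action=accept in-interface=MGMT_VLAN comment="Allow MGMT_VLAN Full Access"

# Implicit deny for everything else, including all new connections from WAN.
# This drop is also what stops the DNS cache (allow-remote-requests=yes) from
# acting as an open resolver towards the Internet.
add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN  (traffic routed through the router)
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=drop connection-state=invalid comment="Drop Invalid"

# Every VLAN may open connections towards the Internet only. There is no
# VLAN-to-VLAN rule, so inter-VLAN traffic falls through to the drop below.
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"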
 
##################
# NAT
##################
 
# Source-NAT everything that leaves through a WAN interface.
# log=yes writes a log entry for every new connection that gets masqueraded;
# on an RB760iGS this fills the in-memory log quickly. Presumably left over
# from debugging -- disable once the setup is verified.
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
 
#######################################
# VLAN Security
#######################################
 
# Only allow packets with tags over the Trunk Ports
 
# Every trunk port accepts tagged frames only and filters on ingress against
# the bridge VLAN table. Untagged frames are discarded at the port, so the
# default pvid of 1 on these ports is never actually used.
# NOTE(review): the bridge_LAN port itself (the router's CPU side) gets no
# frame-types setting here -- confirm that is intended.
/interface bridge port
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
 
#######################################
# MAC Server settings
#######################################
 
# Make the router discoverable and reachable over MAC-layer management
# (neighbor discovery, MAC-Winbox, MAC-telnet) from the MGMT list only.
# This supersedes the earlier !dynamic discovery setting. IP-based management
# (Winbox/SSH/www over IP) is governed by the firewall input chain, not by
# these settings.
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
 
#######################################
# Leases
#######################################
 
#MGMT leases
 
# Static MGMT leases. All four addresses lie below MGMT_POOL's first address
# (.20), so they cannot be handed out dynamically to another host.
# NOTE(review): client-id on a static lease must match the DHCP client
# identifier option the device actually sends; a plain name such as "NAS" or
# "LAPTOP" will only match if the device was configured to send exactly that,
# otherwise the lease is never assigned -- verify on each host or drop client-id
# and match on MAC alone.
# NOTE(review): MAC addresses are written in two formats here (colons for the
# NAS, dashes for the rest); normalise to one format and confirm the import
# accepts it.

#1 NAS
/ip dns static
add address=192.168.0.5 name=NAS
/ip dhcp-server lease
add address=192.168.0.5 client-id=NAS mac-address=3C:52:82:50:D6:D0 server=MGMT_DHCP 
 
#2 105 SWITCH
/ip dhcp-server lease
add address=192.168.0.2 client-id=SW105 mac-address=3C-84-6A-61-99-27 server=MGMT_DHCP 
 
#3 108 SWITCH
/ip dhcp-server lease
add address=192.168.0.3 client-id=SW108 mac-address=54-AF-97-01-99-55 server=MGMT_DHCP 
 
#4 LAPTOP
/ip dhcp-server lease
add address=192.168.0.10 client-id=LAPTOP mac-address=8C-16-45-75-52-2F server=MGMT_DHCP 

 

#######################################
# Turn on VLAN mode
#######################################
# Done last on purpose: once vlan-filtering is on, only tagged frames that
# match the bridge VLAN table pass, so the VLAN interfaces, MGMT addressing
# and firewall above must already exist or management access is lost.
/interface bridge set bridge_LAN vlan-filtering=yes