MikroTik RBD52G-5HacD2HnD-TC hAP ac²
Last Updated: Jun 21 2023 15:31, Started by sonnydellmarco, May 04 2018 13:36

#73
Posted 17 December 2018 - 23:40

@ogo

```
[admin@MikroTik] >> ip dhcp-client print
Flags: X - disabled, I - invalid, D - dynamic
 #    INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS
 0 XI ;;; defconf
      ether1     yes           yes
```

@tyby...solved with that "list"....I hadn't put the address in the correct text box....

@all....and still, why don't I have this rule: /ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade ? It seems everything works ok.....

Edited by joystick, 17 December 2018 - 23:44.
#74
Posted 18 December 2018 - 01:46

```
ip dhcp-server> print
ip dhcp-server lease> print
```

Watch the syntax of the commands.
#75
Posted 18 December 2018 - 10:08

Paste the output of this, so we don't keep guessing:

```
export compact hide-sensitive
```

Make sure you are in / when you export the configuration. To be sure, press / and Enter; then run the command above.

Edited by ogo, 18 December 2018 - 10:15.
#76
Posted 18 December 2018 - 14:58

```
[admin@MikroTik] >> export compact hide-sensitive
# dec/18/2018 14:55:16 by RouterOS 6.43.7
# software id = 4LJ9-06RT
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE0xxxxxx
/interface bridge
add admin-mac=B8:69:xxxxxxxxx auto-mac=no comment=defconf name=bridge
add comment=bridgeIoT name=bridgeIoT
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=BVxxxxxxx
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-2FA7D2 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=ReteaAcasaMK supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=ReteaAcasaIoT supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=ReteaAcasaAsus supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge name=\
    "wlan1 Master" security-profile=ReteaAcasaMK ssid=ReteaAcasaMK \
    wireless-protocol=802.11
add keepalive-frames=disabled mac-address=BA:69:xxxxxx master-interface=\
    "wlan1 Master" multicast-buffering=disabled name=ReteaAcasaAsus \
    security-profile=ReteaAcasaAsus ssid=ReteaAcasaAsus wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=BA:69:xxxxxxx \
    master-interface="wlan1 Master" multicast-buffering=disabled name=\
    ReteaAcasaIoT security-profile=ReteaAcasaIoT ssid=ReteaAcasaIoT \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface="wlan1 Master"
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ReteaAcasaAsus
add bridge=bridge interface=ReteaAcasaIoT
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.0.160 comment="Amazon Alexa" mac-address=00:71:xxxxxxx \
    server=defconf
add address=192.168.0.150 comment="Xiaomi Gateway" mac-address=\
    78:11:xxxxxxx server=defconf
add address=192.168.0.156 comment="Yeelight Strip Dulap" mac-address=\
    78:11:DC:A2:21:9A server=defconf
add address=192.168.0.157 comment="Yeelight Strip TV" mac-address=\
    78:11:xxxxxxxx server=defconf
add address=192.168.0.159 comment="Broadlink IR" mac-address=34:EA:xxxxxxxx \
    server=defconf
add address=192.168.0.151 comment="Bec Yeelight Perete" mac-address=\
    34:CE:00xxxxxxx server=defconf
add address=192.168.0.155 comment=HassIO mac-address=B8:27:xxxxxxxx server=\
    defconf
add address=192.168.0.152 comment="Bec Yeelight Geam" mac-address=\
    78:11:xxxxxxxxx server=defconf
add address=192.168.0.153 comment="Bec Yeelight Centru" mac-address=\
    78:11:xxxxxxxxx server=defconf
add address=192.168.0.161 comment="Pinell Supersound" mac-address=\
    00:22:xxxxxxxxx server=defconf
add address=192.168.0.253 client-id=1:cc:5d:xxxxxxx mac-address=\
    CC:5D:4E:CA:02:B1 server=defconf
add address=192.168.0.2 client-id=1:18:d6:xxxxxxxx mac-address=\
    18:D6:C7:D7:A9:7D server=defconf
add address=192.168.0.19 comment="Camera 720P" mac-address=00:12:xxxxxxx \
    server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=drop chain=forward comment="Blocare camera 720 Internet." \
    dst-address=!192.168.0.0/24 src-mac-address=00:12:xxxxxxxx
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Puff...that's roughly what it looks like. Even though I'm on holiday, I seem to have less time than when I go to work....
#77
Posted 18 December 2018 - 15:57

These are the configs you are looking for!

```
# dec/18/2018 14:55:16 by RouterOS 6.43.7
/interface list member
add interface=pppoe-out1 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
```

Edited by Tyby, 18 December 2018 - 15:58.
#78
Posted 18 December 2018 - 16:58

Yes, now I see... I didn't know how to export the whole configuration....
Little by little I'll add more rules...
#79
Posted 18 December 2018 - 17:16

#80
Posted 18 December 2018 - 19:45

Ha ha...
Here's a better one, since you guys are so nice and helping me: there is a HassIO server (it controls Yeelight bulbs + a Xiaomi gateway with switches...blah blah). On it I installed a plugin called MotionEye (for those interested in the reason....baby monitoring camera...wired). I connect to a PNI camera which I believe I have blocked. Questions:

1. How do I make sure a device cannot connect to the internet? I know it's a somewhat dumb question, but I want to be certain I haven't configured anything wrong.
2. I want that camera to be accessible only by HassIO....the way I see it, I did this:
   - chain: forward
   - dst address: not 192.168.0.155 (the HassIO IP)
   - src mac address: the camera's MAC address
   - action: drop
   Still, I can ping it from the PC.....what is wrong?
3. When I set a firewall rule "A cannot access B", does it also have to be set the other way round, i.e. B cannot access A either? I think it's a dumb question, but....
#81
Posted 18 December 2018 - 19:51

Note that you have a problem there with already established sessions!
#82
Posted 18 December 2018 - 20:31

....meaning?
Clearly I haven't understood something...I restarted the router...it does the same.
#83
Posted 18 December 2018 - 22:58

That camera must either:
a) be accessible only from the LAN and have no internet access, or
b) be accessible from the LAN only by HAS IO and have no internet access.
Those are 2 different statements. You need to distinguish between the different "states" of a packet: ESTABLISHED / RELATED / NEW / UNTRACKED

```
/ip firewall filter
add action=drop chain=forward comment="Blocare camera 720 Internet." \
    dst-address=!192.168.0.0/24 src-mac-address=00:12:xxxxxxxx
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
```

This is what you have in your config. You allow, "quote", the camera to be accessed by, and to reply to, anyone in your LAN (!192.168.0.0/24); established, related => it replies to pretty much anything initiated from your LAN, including ICMP, i.e. ping :) . (It's not a bad thing for it to answer ping only from your LAN; that way at least you know it is online, right?)

> state
> This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
> [!] --state state
> Where state is a comma separated list of the connection states to match. Possible states are: INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection; ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions; NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions; and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. UNTRACKED meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table.

The idea is that it is already set up okay-ish :) you could just put the HAS IO IP in place of your LAN and that's it: it will reply only to HAS IO (I understand it is some kind of controller), i.e.:

```
/ip firewall filter
add action=drop chain=forward comment="Blocare camera 720 Internet." \
    dst-address=!IP-CONTROLER/32 src-mac-address=00:12:xxxxxxxx
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
```

https://explainshell...lain/8/iptables <-- I recommend you take a look. Or at this "borrowed" image:

PS one thing that must never be forgotten: firewall rules are executed in the order you put them: i.e. if you have rule 1 ACCEPT and rule 2 DROP/REJECT (in the same chain, for the same client) then the firewall will only consider rule 1, so ACCEPT, and won't even look at the rest. (It is related to the default action, but that's for another time.)

(It is easier to explain on a cisco/juniper/edgeos model - the firewall seems more logical.) Example:

```
set firewall name IOT_IN default-action accept
set firewall name IOT_IN description 'IoT access to lan/wan'
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description 'IoT to local dns server'
set firewall name IOT_IN rule 10 destination address 192.168.0.2
set firewall name IOT_IN rule 10 destination port 53
set firewall name IOT_IN rule 10 log disable
set firewall name IOT_IN rule 10 protocol tcp_udp
set firewall name IOT_IN rule 10 source address 10.0.20.0/24
set firewall name IOT_IN rule 20 action accept
set firewall name IOT_IN rule 20 description 'IoT reply to icmp from lan'
set firewall name IOT_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name IOT_IN rule 20 log disable
set firewall name IOT_IN rule 20 protocol icmp
set firewall name IOT_IN rule 20 source address 10.0.20.0/24
set firewall name IOT_IN rule 20 state established enable
set firewall name IOT_IN rule 20 state invalid disable
set firewall name IOT_IN rule 20 state new disable
set firewall name IOT_IN rule 20 state related enable
set firewall name IOT_IN rule 30 action drop
set firewall name IOT_IN rule 30 description 'IoT network to local lan'
set firewall name IOT_IN rule 30 destination group network-group LAN_NETWORKS
set firewall name IOT_IN rule 30 log disable
set firewall name IOT_IN rule 30 protocol all
set firewall name IOT_IN rule 30 source address 10.0.20.0/24
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL description 'IoT network to router'
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 description 'IoT reply to icmp from router'
set firewall name IOT_LOCAL rule 10 destination group network-group LAN_NETWORKS
set firewall name IOT_LOCAL rule 10 log disable
set firewall name IOT_LOCAL rule 10 protocol icmp
set firewall name IOT_LOCAL rule 10 source address 10.0.20.0/24
set firewall name IOT_LOCAL rule 10 state established enable
set firewall name IOT_LOCAL rule 10 state invalid disable
set firewall name IOT_LOCAL rule 10 state new disable
set firewall name IOT_LOCAL rule 10 state related enable
```

where LOCAL = input chain = traffic towards the router from that LAN (DST = the router's address, i.e. ssh to the router or its admin page etc.) and IN = forward chain = traffic passing through the router (SRC and DST are not the router, i.e. you run a speed test from the laptop to a page on the internet, like speedtest.net).

Edited by ogo, 18 December 2018 - 23:11.
#84
Posted 19 December 2018 - 00:33

Thanks ogo for the patience...
Hmmmm...I am trying to apply rules..progressively, i.e..
T0: I try to cut the camera's access from/to the internet
T1: additionally, I restrict access from the LAN so that a single device (only hassio) can reach it
I think I'll try to dig into it more later, because right now it is over my head....
#85
Posted 19 December 2018 - 00:38

> Thanks ogo for the patience... Hmmmm...I am trying to apply rules..progressively, i.e.. T0: I try to cut the camera's access from/to the internet T1: additionally, I restrict access from the LAN so that a single device (only hassio) can reach it. I think I'll try to dig into it more later, because right now it is over my head....

Take a break and read up properly on iptables, try to understand the whole mechanism, and then you will be amazed at how much configuration flexibility this toy gives you. You already want advanced things; with time you will sort everything out and you won't regret the choice you made.
#86
Posted 19 December 2018 - 00:52

I think ogo meant that...yes....it's not like in maths...an intersection of sets...
Tonight I'll try to chew on it....I made 2 rules that contradict each other...
@johny The only thing I regret is all the ink I drank [studying]....I should have had a master's in IT, not in... (no, I didn't do ASE or human medicine or something, but still).

Edited by joystick, 19 December 2018 - 00:55.
#87
Posted 19 December 2018 - 01:05

If the LAN is 192.168.0.0/24 and the camera has an IP from the same range (say 192.168.0.188), all devices in the LAN talk to each other directly, without going through the router, so fw rules between them are pointless.
Make another sub-interface 192.168.1.1/24 on the Mikrotik, put 192.168.1.10/24 on the camera (static) with gw 192.168.1.1, and after that you can set fw rules.
#88
Posted 19 December 2018 - 01:25

> I think ogo meant that...yes....it's not like in maths...an intersection of sets... Tonight I'll try to chew on it....I made 2 rules that contradict each other... @johny The only thing I regret is all the ink I drank [studying]....I should have had a master's in IT, not in... (no, I didn't do ASE or human medicine or something, but still).

Well, I have that regret too, even though I've been working in IT for 15 years; I finished ASE and then did a master's in Computer Science (in Romania that's possible). I regret not focusing from an early age on what I like.. c'est la vie!
#89
Posted 19 December 2018 - 04:16

Yes, correct. I assumed the VLANs were implicit, but they are not. Forward will work (so no internet access), but input (local) won't, because it's the same layer 2 x.x.x.0/24, so everyone in that VLAN has access.
The solution is a new VLAN, as @Alice said, and you apply the fwd and input rules on the newly created interface.
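A worked RouterOS configuration, added here as an example and not taken from the thread, that implements what @Alice and @ogo describe above: the camera moved onto its own subnet behind the existing but unused bridgeIoT, with forward rules that let only HassIO open connections to it and that stop the camera from initiating anything. Assumptions: ether5 is repurposed as the camera port, the camera is set statically to 192.168.1.10/24 with gateway 192.168.1.1, and HassIO stays at 192.168.0.155.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.x with the defconf
# rules shown in the export above, ether5 repurposed as the camera port,
# camera configured statically as 192.168.1.10/24 gw 192.168.1.1, HassIO at
# 192.168.0.155 (all of these are assumptions for this example).

# 1. Move ether5 from the LAN bridge to bridgeIoT (already defined, unused),
#    so the camera is no longer on the same layer-2 segment as the LAN.
/interface bridge port
remove [ find interface=ether5 ]
add bridge=bridgeIoT interface=ether5 comment="camera port"

# 2. The old DHCP lease for the camera is no longer needed (static address now).
/ip dhcp-server lease
remove [ find comment="Camera 720P" ]

# 3. Router address on the new segment: traffic between 192.168.1.0/24 and
#    192.168.0.0/24 is now routed, so the forward chain actually sees it.
/ip address
add address=192.168.1.1/24 interface=bridgeIoT network=192.168.1.0

# 4. Forward-chain rules, appended after the defconf rules. The defconf
#    "accept established,related,untracked" rule earlier in the chain already
#    passes replies, so these rules only decide who may start a NEW connection
#    (rule order matters, as ogo points out).
/ip firewall filter
add chain=forward action=accept connection-state=new \
    src-address=192.168.0.155 dst-address=192.168.1.10 \
    comment="HassIO may open connections to the camera"
add chain=forward action=drop connection-state=new \
    dst-address=192.168.1.0/24 \
    comment="nobody else (LAN PC or WAN) may reach the camera segment"
add chain=forward action=drop connection-state=new \
    src-address=192.168.1.0/24 \
    comment="camera segment may not initiate anything: no internet, no LAN"

# 5. Input chain: nothing to add. bridgeIoT is not a member of interface list
#    LAN, so the defconf "drop all not coming from LAN" rule already blocks the
#    camera from the router's own services (DNS, Winbox, SSH); only ICMP to the
#    router is still answered, via the defconf "accept ICMP" rule.

# 6. Verify: the counters of the new rules move when HassIO connects and when
#    a LAN PC pings the camera (second rule) or the camera tries to go out.
/ip firewall filter print stats where chain=forward
```

With this layout a ping from a LAN PC to 192.168.1.10 is a NEW connection that matches the second rule and is dropped, which is the behaviour the original src-mac rule could not produce while the camera sat on the same /24.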
#90
Posted 19 December 2018 - 09:47

What were you saying?! The lad graduated from medicine. Human medicine. Bucharest!