MikroTik über LBS steuern | Edomi

Hallo zusammen,

benötige von euch doch nochmal ein wenig Hilfe, denn ich weiß wirklich nicht mehr weiter...

Habe für meinen RB960PGS (hEX PoE) die Scripte von saegefisch angepasst und diese durchlaufen lassen. Im großen und ganzen liefen diese auch sauber durch. Leider hat eine Sache beim Script nicht funktioniert, die musste ich in der winbox machen:

Code:

/interface ethernet switch vlan
add switch=switch01 vlan-id=1   independent-learning=yes ports=eth02,eth03,eth04,switch1-cpu
add switch=switch01 vlan-id=10  independent-learning=yes ports=eth02,eth03,eth04,eth05,switch1-cpu
add switch=switch01 vlan-id=20  independent-learning=yes ports=eth01,eth02,eth03,eth04,switch1-cpu
add switch=switch01 vlan-id=30  independent-learning=yes ports=eth02,switch1-cpu
add switch=switch01 vlan-id=40  independent-learning=yes ports=eth02,eth03,eth04,switch1-cpu
add switch=switch01 vlan-id=99  independent-learning=yes ports=eth01,eth02,switch1-cpu

Ist für mich kein wirkliches Problem, verstehe aber den Fehler in der Syntax noch nicht...

Was aber wirklich nach Tagen, und ich bins langsam Leid, nicht so funktioniert, wie ich es mir vorstelle, sind folgende Dinge:

1. Ich bekomme für den Raspberry, den ich auf eth01 angeschlossen habe, immer vom mgmt-DHCP eine Adresse zugewiesen, obwohl in allen Einstellungen die klare Zuweisung ist, dass eth01 zum Vlan 99 gehört und somit vom dmz-DHCP die Adresse kommen müsste. Erst wenn ich im Bridgemenü eth01 der Bridge "bridge-vlan99" zuweise, dann bekomme ich eine Adresse aus entsprechendem Adresspool....müsste nach meinem Verständnis anders laufen?!

2. Und das nervt mich langsam richtig...ich sehe den angeschlossenen Cap nicht, obwohl dieser sauber eine Adresse zugeordnet bekommen hat. Egal ob ich das Interface mal kurz deaktivere und wieder reaktiviere oder den wAP direkt im Capsmode starte, er wird nie sichtbar im CAPsMAN....So kann ich natürlich kein Wlan nutzen...

Anbei mal noch mein Script, vielleicht findet ja jemand den Fehler. Obige Änderung aus 1 ist im Script natürlich nicht enthalten!

Code:

/system identity
set name="Wichteldorf"

{:local delaytime 5
:delay $delaytime}

/user
add name=Oberwichtel password=xxxxxx group=full comment="Admin"
set admin comment="deaktivierter admin"
disable admin

{:local delaytime 5
:delay $delaytime}

/interface ethernet
set [ find default-name=ether1  ] rx-flow-control=auto tx-flow-control=auto loop-protect=on name=eth01 comment="Reverse Proxy"
set [ find default-name=ether2  ] rx-flow-control=auto tx-flow-control=auto loop-protect=on name=eth02 comment="wAP ac EG"
set [ find default-name=ether3  ] rx-flow-control=auto tx-flow-control=auto loop-protect=on name=eth03 comment="wAP OG"
set [ find default-name=ether4  ] rx-flow-control=auto tx-flow-control=auto loop-protect=on name=eth04 comment="crs125"
set [ find default-name=ether5  ] rx-flow-control=auto tx-flow-control=auto loop-protect=on name=eth05 comment="drucker"
set [ find default-name=sfp1   ] rx-flow-control=auto tx-flow-control=auto loop-protect=on name=sfp01 comment="wan"

{:local delaytime 5
:delay $delaytime}

/interface bridge
add name=bridge protocol-mode=rstp fast-forward=yes comment="Backbone und vlan001"
add name=bridge-WLAN protocol-mode=rstp fast-forward=yes comment="WLAN-Backbone"
add name=bridge-vlan010 protocol-mode=rstp fast-forward=yes comment="Privat"
add name=bridge-vlan020 protocol-mode=rstp fast-forward=yes comment="Haustechnik"
add name=bridge-vlan030 protocol-mode=rstp fast-forward=yes comment="Gäste"
add name=bridge-vlan040 protocol-mode=rstp fast-forward=yes comment="Alexa"
add name=bridge-vlan099 protocol-mode=rstp fast-forward=yes comment="DMZ"

{:local delaytime 5
:delay $delaytime}

/interface vlan
add interface=bridge name=eth-vlan010 vlan-id=10 loop-protect=on comment="Privat"
add interface=bridge name=eth-vlan020 vlan-id=20 loop-protect=on comment="Haustechnik"
add interface=bridge name=eth-vlan030 vlan-id=30 loop-protect=on comment="Gäste"
add interface=bridge name=eth-vlan040 vlan-id=40 loop-protect=on comment="Alexa"
add interface=bridge name=eth-vlan099 vlan-id=99 loop-protect=on comment="DMZ"
add interface=bridge-wlan name=wlan-vlan001 vlan-id=1 loop-protect=on  comment="Managment"
add interface=bridge-wlan name=wlan-vlan010 vlan-id=10 loop-protect=on comment="Privat"
add interface=bridge-wlan name=wlan-vlan020 vlan-id=20 loop-protect=on comment="Haustechnik"
add interface=bridge-wlan name=wlan-vlan030 vlan-id=30 loop-protect=on comment="Gäste"
add interface=bridge-wlan name=wlan-vlan040 vlan-id=40 loop-protect=on comment="Alexa"
add interface=bridge-wlan name=wlan-vlan099 vlan-id=99 loop-protect=on comment="DMZ"

{:local delaytime 5
:delay $delaytime}

/interface ethernet switch
set 0 name=switch01 switch-all-ports=no

/interface ethernet switch vlan
add switch=switch01 vlan-id=1   independent-learning=yes ports=eth02,eth03,eth04,switch1-cpu
add switch=switch01 vlan-id=10  independent-learning=yes ports=eth02,eth03,eth04,eth05,switch1-cpu
add switch=switch01 vlan-id=20  independent-learning=yes ports=eth01,eth02,eth03,eth04,switch1-cpu
add switch=switch01 vlan-id=30  independent-learning=yes ports=eth02,switch1-cpu
add switch=switch01 vlan-id=40  independent-learning=yes ports=eth02,eth03,eth04,switch1-cpu
add switch=switch01 vlan-id=99  independent-learning=yes ports=eth01,eth02,switch1-cpu

{:local delaytime 5
:delay $delaytime}

/interface ethernet switch port
set switch1-cpu vlan-mode=check vlan-header=leave-as-is default-vlan-id=1
set eth01 vlan-mode=check vlan-header=leave-as-is default-vlan-id=99
set eth02 vlan-mode=check vlan-header=leave-as-is default-vlan-id=1
set eth03 vlan-mode=check vlan-header=leave-as-is default-vlan-id=1
set eth04 vlan-mode=check vlan-header=leave-as-is default-vlan-id=1
set eth05 vlan-mode=check vlan-header=leave-as-is default-vlan-id=10

{:local delaytime 5
:delay $delaytime}


/interface bridge port
add interface=eth01 bridge=bridge hw=yes
add interface=eth02 bridge=bridge hw=yes
add interface=eth03 bridge=bridge hw=yes
add interface=eth04 bridge=bridge hw=yes
add interface=eth05 bridge=bridge hw=yes
add interface=wlan-vlan001 bridge=bridge hw=yes
add interface=wlan-vlan010 bridge=bridge-vlan010 hw=yes
add interface=eth-vlan010 bridge=bridge-vlan010 hw=yes
add interface=wlan-vlan020 bridge=bridge-vlan020 hw=yes
add interface=eth-vlan020 bridge=bridge-vlan020 hw=yes
add interface=wlan-vlan030 bridge=bridge-vlan030 hw=yes
add interface=eth-vlan030 bridge=bridge-vlan030 hw=yes
add interface=wlan-vlan040 bridge=bridge-vlan040 hw=yes
add interface=eth-vlan040 bridge=bridge-vlan040 hw=yes
add interface=wlan-vlan099 bridge=bridge-vlan099 hw=yes
add interface=eth-vlan099 bridge=bridge-vlan099 hw=yes

{:local delaytime 5
:delay $delaytime}

/ip address
add address=10.0.0.1/24 network=10.0.0.0 interface=bridge
add address=10.0.10.1/24 network=10.0.10.0 interface=bridge-vlan010
add address=10.0.20.1/24 network=10.0.20.0 interface=bridge-vlan020
add address=10.0.30.1/24 network=10.0.30.0 interface=bridge-vlan030
add address=10.0.40.1/24 network=10.0.40.0 interface=bridge-vlan040
add address=10.0.99.1/24 network=10.0.99.0 interface=bridge-vlan099

{:local delaytime 5
:delay $delaytime}

/ip dhcp-client
add interface=sfp01 use-peer-dns=no use-peer-ntp=no add-default-route=yes disabled=no

{:local delaytime 5
:delay $delaytime}

/ipv6 dhcp-client
add request=prefix pool-name=ipv6.glasfaser pool-prefix-length=64 interface=sfp01 add-default-route=yes

{:local delaytime 5
:delay $delaytime}

/ip dns
set allow-remote-requests=yes servers=9.9.9.9,208.67.220.220,208.67.222.222

{:local delaytime 5
:delay $delaytime}

/ip pool
add name=mgmt ranges=10.0.0.100-10.0.0.110
add name=private ranges=10.0.10.100-10.0.10.200
add name=haustechnik ranges=10.0.20.102-10.0.20.120
add name=gäste ranges=10.0.30.100-10.0.30.120
add name=alexa ranges=10.0.40.100-10.0.40.110
add name=dmz ranges=10.0.99.100-10.0.99.120

{:local delaytime 5
:delay $delaytime}

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24 dns-server=10.0.0.1 domain=mgmt
add address=10.0.10.0/24 gateway=10.0.10.1 netmask=24 dns-server=10.0.10.1 domain=private
add address=10.0.20.0/24 gateway=10.0.20.1 netmask=24 dns-server=10.0.20.1 domain=haustechnik
add address=10.0.30.0/24 gateway=10.0.30.1 netmask=24 dns-server=10.0.30.1 domain=gäste
add address=10.0.40.0/24 gateway=10.0.40.1 netmask=24 dns-server=10.0.40.1 domain=alexa
add address=10.0.99.0/24 gateway=10.0.99.1 netmask=24 dns-server=10.0.99.1 domain=dmz

{:local delaytime 5
:delay $delaytime}

/ip dhcp-server
add name=mgmt interface=bridge lease-time=1h address-pool=mgmt authoritative=yes bootp-support=none
add name=private interface=bridge-vlan010 lease-time=1h address-pool=private authoritative=yes bootp-support=none
add name=haustechnik interface=bridge-vlan020 lease-time=1h address-pool=haustechnik authoritative=yes bootp-support=none
add name=gäste interface=bridge-vlan030 lease-time=1h address-pool=gäste authoritative=yes bootp-support=none
add name=alexa interface=bridge-vlan040 lease-time=1h address-pool=alexa authoritative=yes bootp-support=none
add name=dmz interface=bridge-vlan099 lease-time=1h address-pool=dmz authoritative=yes bootp-support=none

{:local delaytime 5
:delay $delaytime}

/ip dhcp-server enable mgmt
/ip dhcp-server enable private
/ip dhcp-server enable haustechnik
/ip dhcp-server enable gäste
/ip dhcp-server enable alexa
/ip dhcp-server enable dmz

/system clock
set time-zone-name="Europe/Berlin"
/system ntp client
set server-dns="pool.ntp.org" enabled=yes

{:local delaytime 20
:delay $delaytime}

#Zertifikate erstellen
/certificate
add name=wichtelpolizei.ca common-name="Wichtelpolizei CA" key-usage=key-cert-sign,crl-sign key-size=2048 days-valid=3650
add name=wichtelpolizei.local common-name="wichtelpolizei.local" key-size=2048 days-valid=3650
sign wichtelpolizei.ca name=wichtelpolizei.ca

{:local delaytime 5
:delay $delaytime}

sign wichtelpolizei.local ca=wichtelpolizei.ca name=wichtelpolizei.local

{:local delaytime 5
:delay $delaytime}

set wichtelpolizei.ca trusted=yes

#####################################################################################################################################
# CAPsMAN

/caps-man security
add name=sec-001-mgmt  authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=
add name=sec-010-privat   authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=
add name=sec-020-haustechnik  authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=
add name=sec-030-gäste authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=
add name=sec-040-alexa  authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=
add name=sec-099-dmz authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=

/caps-man datapath
add name=datapath-001-mgmt  bridge=bridge-wlan vlan-mode=use-tag vlan-id=1
add name=datapath-010-privat   bridge=bridge-wlan vlan-mode=use-tag vlan-id=10
add name=datapath-020-haustechnik  bridge=bridge-wlan vlan-mode=use-tag vlan-id=20
add name=datapath-030-gäste bridge=bridge-wlan vlan-mode=use-tag vlan-id=30
add name=datapath-040-alexa   bridge=bridge-wlan vlan-mode=use-tag vlan-id=40
add name=datapath-099-dmz  bridge=bridge-wlan vlan-mode=use-tag vlan-id=99

/caps-man channel
add name="ch-2.4" control-channel-width=20mhz band=2ghz-b/g/n
add name="ch-5" control-channel-width=20mhz band=5ghz-a/n/ac

/caps-man configuration
add name=cfg-001-mgmt  datapath=datapath-001-mgmt security=sec-001-mgmt ssid="Wichtelmanager_01"
add name=cfg-010-privat   datapath=datapath-010-privat security=sec-010-privat ssid="Wichtelstube" mode=ap country=germany
add name=cfg-020-haustechnik  datapath=datapath-020-haustechnik security=sec-020-haustechnik ssid="Wichtelwerkstatt_20"
add name=cfg-030-gäste datapath=datapath-030-gäste security=sec-030-gäste ssid="Wichtelgast_30"
add name=cfg-040-alexa datapath=datapath-040-alexa security=sec-040-alexa ssid="Wichteldisco_40"
add name=cfg-099-dmz  datapath=datapath-099-dmz security=sec-099-dmz ssid="Wichtelsoldat_99"

/caps-man provisioning
add name-format=cap action=create-dynamic-enabled master-configuration=cfg-001-mgmt slave-configurations=cfg-010-privat,cfg-020-haustechnik,cfg-030-gäste,cfg-040-alexa,cfg-099-dmz

/caps-man manager set certificate=wichtelpolizei.local ca-certificate="Wichtelpolizei CA" enabled=yes
/caps-man manager interface
add interface=all forbid=no
add interface=sfp01 forbid=yes

######################################################################################################################################

# Bogons = nicht routbar
/ip firewall address-list add list=bogons address=0.0.0.0/8
/ip firewall address-list add list=bogons address=100.64.0.0/10
/ip firewall address-list add list=bogons address=127.0.0.0/8
/ip firewall address-list add list=bogons address=169.254.0.0/16
/ip firewall address-list add list=bogons address=172.16.0.0/12
/ip firewall address-list add list=bogons address=192.0.0.0/24
/ip firewall address-list add list=bogons address=192.0.2.0/24
/ip firewall address-list add list=bogons address=192.168.0.0/16
/ip firewall address-list add list=bogons address=198.18.0.0/15
/ip firewall address-list add list=bogons address=198.51.100.0/24
/ip firewall address-list add list=bogons address=203.0.113.0/24
/ip firewall address-list add list=bogons address=240.0.0.0/4

##### INPUT-Chain
/ip firewall filter add chain=input action=accept connection-state=established,related comment="accept established,related"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="drop invalid"
# ICMP WAN
/ip firewall filter add chain=input action=accept in-interface=sfp01 protocol=icmp icmp-options=0:0 src-address=!192.168.0.0/16 dst-address=!10.0.0.0/8 comment="accept ICMP echo reply->WAN"
/ip firewall filter add chain=input action=accept in-interface=sfp01 protocol=icmp icmp-options=3:0-1 src-address=!192.168.0.0/16 dst-address=!10.0.0.0/8 comment="accept ICMP destination unreachable->WAN"
/ip firewall filter add chain=input action=accept in-interface=sfp01 protocol=icmp icmp-options=8:0 src-address=!192.168.0.0/16 dst-address=!10.0.0.0/8 comment="accept ICMP echo request->WAN"
/ip firewall filter add chain=input action=accept in-interface=sfp01 protocol=icmp icmp-options=11:0 src-address=!192.168.0.0/16 dst-address=!10.0.0.0/8 comment="accept ICMP time exceeded->WAN"
#ICMP LAN
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=0:0 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP echo reply->LAN"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=3:0-1 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP destination unreachable->LAN"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=8:0 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP echo request->LAN"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=11:0 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP time exceeded->LAN"
# DNS
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=udp dst-port=53 comment="accept DNS-UDP->LAN"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=tcp dst-port=53 comment="accept DNS-TCP->LAN"
# WInbox, SSH, HTTPS nur aus LAN
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=tcp dst-port=22 comment="accept SSH->LAN"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=tcp dst-port=443 comment="accept HTTPS->LAN"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=tcp dst-port=8291 comment="accept WinBox->LAN"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=udp src-port="5246,5247" comment="accept CAP"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=udp src-port="5678" comment="accept RouterOS Neighbor Discovery"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=udp dst-port="5678" comment="accept RouterOS Neighbor Discovery"

/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=0:0 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP echo reply"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=3:0-1 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP destination unreachable"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=8:0 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP echo request"
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=11:0 src-address=10.0.0.0/8 dst-address=10.0.0.0/8 comment="accept ICMP time exceeded"
# ...or DROP it!
/ip firewall filter add chain=input action=drop comment="drop"


##### FOREWARD-Chain
# gültige Verbindungen
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established,related"
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="accept established,related"
# nicht gültige Verbindungen
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=forward action=drop in-interface=sfp01 src-address-list=bogons comment="drop bogons<-WAN"
/ip firewall filter add chain=forward action=drop in-interface=sfp01 connection-state=new connection-nat-state=!dstnat comment="drop ->WAN w/o DSTNAT"
/ip firewall filter add chain=forward action=reject out-interface=sfp01 protocol=tcp dst-port=25 comment="reject SMTP->WAN"
# und wiederum erlaubt
/ip firewall filter add chain=forward action=accept in-interface=bridge out-interface=sfp01 src-address=10.0.0.0/8 dst-address=!10.0.0.8 comment="accept LAN->WAN"
# ...or DROP it!
/ip firewall filter add chain=forward action=drop comment="drop"

##### OUTPUT-Chain
# erlaubt, solange gültig
/ip firewall filter add chain=output action=drop connection-state=invalid comment="drop invalid"


##### NAT-Chain
# DMZ <-> LAN natten
/ip firewall nat
add chain=srcnat action=masquerade out-interface=sfp01 src-address=10.0.0.0/8 dst-address=!10.0.0.0/8 comment="masquerade LAN->WAN"

Ankündigung

MikroTik über LBS steuern | Edomi

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben:

Einen Kommentar schreiben: