Mikrotik CRS1xx/2xx Trunk+Access Hybrid/Routed R.O. 6.41 Esempio2
Anche in questa configurazione le porte sono ibride, con l’aggiunta del layer 3: il CRS fa quindi da router e gestisce NAT, DHCP e firewall. Nell’export della config ho lasciato libere le porte 1 e 2 per gestire la parte pubblica.
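# RouterOS 6.41 export for a CRS1xx/2xx used as a routed hybrid (trunk + access) switch.
# ether3-ether24, sfp1 and sfp2 are switched ports: untagged traffic lands in VLAN 10,
# VLAN 20 and 30 are carried tagged. The CPU routes between the VLANs and provides
# DHCP, DNS, NAT and the firewall. ether1/ether2 stay outside the bridge for the WAN side.
#
# Security review notes are inline. The changes versus the original export are all in
# "/ip firewall filter": the router itself is now protected on the input chain, the
# "icmp" chain is actually referenced, and unsolicited WAN traffic is no longer forwarded.

/interface bridge
add fast-forward=no name=bridge_switch

/interface ethernet
set [ find default-name=ether1 ] comment=Wan1
set [ find default-name=ether2 ] comment=Wan2
set [ find default-name=sfp-sfpplus1 ] name=sfp1
set [ find default-name=sfpplus2 ] name=sfp2

# user/password below are sample values: replace them with the provider's credentials.
# A plain export prints PPPoE secrets in clear text; use "/export hide-sensitive" before
# publishing or archiving a real configuration.
# allow=pap,chap keeps PAP enabled, which hands the password to the access concentrator
# unprotected; drop "pap" if the provider accepts CHAP alone.
/interface pppoe-client
add add-default-route=yes allow=pap,chap comment="Wan1-PPPoe" disabled=no interface=ether1 name=pppoe-wan1 password=pluto user=pippo

/interface vlan
add interface=bridge_switch name=vlan10 vlan-id=10
add interface=bridge_switch name=vlan20 vlan-id=20
add interface=bridge_switch name=vlan30 vlan-id=30

# Ingress filtering on the switch chip: frames with an unknown VLAN id, or arriving on a
# port that is not a member of that VLAN, are discarded.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="switch1-cpu,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1,sfp2"

/ip pool
add name=pool_vlan10 ranges=192.168.10.10-192.168.10.100
add name=pool_vlan20 ranges=192.168.20.20-192.168.20.100
add name=pool_vlan30 ranges=192.168.30.20-192.168.30.100

/ip dhcp-server
add address-pool=pool_vlan10 disabled=no interface=vlan10 name=dhcp_vlan10
add address-pool=pool_vlan20 disabled=no interface=vlan20 name=dhcp_vlan20
add address-pool=pool_vlan30 disabled=no interface=vlan30 name=dhcp_vlan30

/interface bridge port
add bridge=bridge_switch interface=ether3
add bridge=bridge_switch interface=ether4
add bridge=bridge_switch interface=ether5
add bridge=bridge_switch interface=ether6
add bridge=bridge_switch interface=ether7
add bridge=bridge_switch interface=ether8
add bridge=bridge_switch interface=ether9
add bridge=bridge_switch interface=ether10
add bridge=bridge_switch interface=ether11
add bridge=bridge_switch interface=ether12
add bridge=bridge_switch interface=ether13
add bridge=bridge_switch interface=ether14
add bridge=bridge_switch interface=ether15
add bridge=bridge_switch interface=ether16
add bridge=bridge_switch interface=ether17
add bridge=bridge_switch interface=ether18
add bridge=bridge_switch interface=ether19
add bridge=bridge_switch interface=ether20
add bridge=bridge_switch interface=ether21
add bridge=bridge_switch interface=ether22
add bridge=bridge_switch interface=ether23
add bridge=bridge_switch interface=ether24
add bridge=bridge_switch interface=sfp1
add bridge=bridge_switch interface=sfp2

# VLAN 10 leaves the user ports untagged (only the CPU port is tagged); VLAN 20 and 30
# leave every port tagged.
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
add tagged-ports="ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1,sfp2,switch1-cpu" vlan-id=20
add tagged-ports="ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1,sfp2,switch1-cpu" vlan-id=30

# Untagged ingress (customer-vid=0) is placed in VLAN 10 on every switched port.
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether3
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=10 ports=ether7
add customer-vid=0 new-customer-vid=10 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether9
add customer-vid=0 new-customer-vid=10 ports=ether10
add customer-vid=0 new-customer-vid=10 ports=ether11
add customer-vid=0 new-customer-vid=10 ports=ether12
add customer-vid=0 new-customer-vid=10 ports=ether13
add customer-vid=0 new-customer-vid=10 ports=ether14
add customer-vid=0 new-customer-vid=10 ports=ether15
add customer-vid=0 new-customer-vid=10 ports=ether16
add customer-vid=0 new-customer-vid=10 ports=ether17
add customer-vid=0 new-customer-vid=10 ports=ether18
add customer-vid=0 new-customer-vid=10 ports=ether19
add customer-vid=0 new-customer-vid=10 ports=ether20
add customer-vid=0 new-customer-vid=10 ports=ether21
add customer-vid=0 new-customer-vid=10 ports=ether22
add customer-vid=0 new-customer-vid=10 ports=ether23
add customer-vid=0 new-customer-vid=10 ports=ether24
add customer-vid=0 new-customer-vid=10 ports=sfp1
add customer-vid=0 new-customer-vid=10 ports=sfp2

# VLAN membership. Every switched port is a member of all three VLANs, so any attached
# device that tags its own frames can reach VLAN 20 or 30. That is what makes the ports
# hybrid; on ports meant to be access-only, remove them from the VLAN 20/30 lists.
/interface ethernet switch vlan
add ports="ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1,sfp2,switch1-cpu" vlan-id=10
add ports="ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1,sfp2,switch1-cpu" vlan-id=20
add ports="ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp1,sfp2,switch1-cpu" vlan-id=30

/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1

# allow-remote-requests=yes turns the router into a resolver for the VLAN clients. It then
# answers on UDP and TCP 53 on every interface, so the WAN side must be closed by the
# input rules below or the router becomes an open resolver.
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.4.4,208.67.220.220

# Rule order matters: RouterOS evaluates each chain top to bottom and stops at the first
# match. Chains with no matching rule accept by default.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
# Replies to connections the router opened (upstream DNS, NTP) must be accepted before
# the WAN drop at the end of this chain.
add action=accept chain=input comment="allow established and related connections to the router" connection-state=established,related
add action=drop chain=input comment="drop invalid connections to the router" connection-state=invalid
# The original export defined the "icmp" chain but never jumped to it, so its rules were
# never evaluated. ICMP addressed to the router is now filtered by that chain.
add action=jump chain=input comment="filter icmp through the icmp chain" jump-target=icmp protocol=icmp
add action=drop chain=input dst-port=53 in-interface=pppoe-wan1 protocol=udp
# The rule above only covered UDP 53. Without a catch-all, TCP 53, SSH on 222 and winbox
# (still enabled, see /ip service) stayed reachable from the Internet.
# If Wan2 is brought up later, it needs the same rule.
add action=drop chain=input comment="drop everything else arriving from the WAN" in-interface=pppoe-wan1
# --- forward: traffic routed through the router ---
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
# Masquerade alone is not a filter: a new connection arriving on the WAN for an internal
# address would still be routed. Port forwards added later under dstnat keep working.
add action=drop chain=forward comment="drop WAN-initiated connections that were not dst-nated" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan1
# NOTE(review): nothing here separates vlan10, vlan20 and vlan30 from each other; they are
# routed freely. Add forward rules between them if the VLANs are meant to be isolated.
# --- icmp: reached through the jump in the input chain ---
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-wan1

# NAT helpers that are not needed are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

# Moving SSH to port 222 reduces log noise but is not access control, and winbox is not
# touched here, so it keeps its default (enabled). Both are shielded from the WAN by the
# input chain above. To also limit them on the LAN side, set an allowed source, for
# example (constructed from the VLAN 10 subnet): set ssh address=192.168.10.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes

# read-only-mode=yes prevents configuration changes from the front-panel LCD.
/lcd
set default-screen=informative-slideshow read-only-mode=yes

/system clock
set time-zone-name=Europe/Rome

/system ntp client
set enabled=yes primary-ntp=91.189.89.198 secondary-ntp=188.40.67.131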
Spero ti sia stato utile e se vuoi offrimi una birra 😉