See inline comments:
# Add vlan bridge
/interface bridge
add name=bridge_vlan5
# add security profile for wifi
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot supplicant-identity=""
# add virtual wifi to 2.4G and 5G APs
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-g/n country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=xxxxxxxxxxx ssid=MYSSID station-roaming=enabled wireless-protocol=802.11 wps-mode=\
disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5 security-profile=xxxxxxxxxxxxx skip-dfs-channels=all ssid=\
MYSSID station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:48:A4:69 master-interface=wlan2 multicast-buffering=disabled name=wlan_iot2 security-profile=iot ssid=IOT vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:80:CE:1D master-interface=wlan5 multicast-buffering=disabled name=wlan_iot5 security-profile=iot ssid=IOT vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
# Add vlans to virtual Wifi
/interface vlan
add interface=wlan_iot2 name=vlan5_iot-2 vlan-id=5
add interface=wlan_iot5 name=vlan5_iot-5 vlan-id=5
# add ip range for dhcp
/ip pool
add name=dhcp_pool5_iot ranges=10.5.0.2-10.5.0.200
# add dhcp server with above range
/ip dhcp-server
add address-pool=dhcp_pool5_iot interface=bridge_vlan5 name=dhcpiot
# add vlans and interfaces to vlan bridge
/interface bridge port
add bridge=bridge interface=wlan_iot2
add bridge=bridge interface=wlan_iot5
add bridge=bridge_vlan5 interface=vlan5_iot-5
add bridge=bridge_vlan5 interface=vlan5_iot-2
# add vlan to existing bridge (Not really needed) is for inter vlan traffic
/interface bridge vlan
add bridge=bridge_vlan5 vlan-ids=5
# add interfaces to LAN list (firewall needs this)
/interface list member
add interface=vlan5_iot-2 list=LAN
add interface=bridge_vlan5 list=LAN
add interface=vlan5_iot-5 list=LAN
# Add gateway/dhcpserver ip address
/ip address
add address=10.5.0.254/24 comment="IOT (vlan5)" interface=bridge_vlan5 network=10.5.0.0
# dhcp server network
/ip dhcp-server network
add address=10.5.0.0/24 dns-server=1.1.1.1 gateway=10.5.0.254 netmask=24
# generic NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
My work document for my Mikrotiks (Also for my friend Vincent, with a similar setup.) I’m going to collect information on this page for below changes.
WIFI
Access list connections only
Default forward – only certain clients
Guest network – better setup. I’ve got a folkband guest network right now and a captive portal AP on my internet router. (Outside my network) This is for colleagues of Coline.
Vlan for certain clients
Zerotier
IOT
Move all clients to own vlan New or better VLAN setup
Redo Guest network
IOT Vlan
Manage Vlan better setup
Lab – a redo because of changes in DMZ
Info
YT : https://www.youtube.com/watch?v=Hqu8JlieSq4
Switches and access-points
Today i got my RB4011 ! Wooot!
Total tally
MikroTik CRS305-1G-4S+IN – Lab MikroTik RB2011UiAS-RM – Office MikroTik hAP AC2 – Studio MikroTik CRS109-8G-1S-2HnD-IN – Attic MikroTik RB4011iGS+5HacQ2HnD-IN – Livingroom
NEW (2022-04-02) crs125-24g-1s-in (2022-04-02)
To replace .. 4 SLM2008 and a TPLink switch 🙂
How much fun is this! .. A display on a switch!
I’ll be posting something about connecting an arduino to the serial console using a tcp server later.
Mikrotiks are all you can eat .. And there is a lot of functionality. One of the main features (besides being switches and routers)
Openvpn server DIY display connect Proxy Today Vincent mentioned Mqtt plugin (2022-apr-6) https://help.mikrotik.com/docs/display/ROS/Packet+Sniffer sounds interesting also
Installing extra packages
Download correct package zip from ( https://mikrotik.com/download ) Extract and use file upload Reboot your mikrotik
I’ve got several AccessPoints in my network. Using a roaming setup, clients can connect to strongest AP.
For our Folkband i’ve setup same. With the exception of those clients only being able to connect to the Internet, and not the rest of my Network
Virtual Access Point Own subnet dhcp server only for this access point NAT and Firewall rules for access limitation
/interface bridge
add name=bridgeguest
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=MikroTikHAP wpa2-pre-shared-key=guestkey
/interface wireless
add disabled=no mac-address=MACADDRESS master-interface=wlan1 name=guest security-profile=guest ssid=guest station-roaming=enabled wds-default-bridge=bridge wps-mode=disabled
/ip pool
add name=guest ranges=10.5.0.2-10.5.0.250
/ip dhcp-server
add address-pool=guest disabled=no interface=bridgeguest name=dhcpserverguest
/interface bridge port
add bridge=bridgenb interface=guest
/ip address
add address=10.1.0.5/24 comment=defconf interface=ether2 network=10.1.0.0
add address=10.5.0.1/24 interface=bridgeguest network=10.5.0.0
/ip dhcp-client
/ip dhcp-server network
add address=10.5.0.0/24 dns-server=1.1.1.1 gateway=10.5.0.1
/ip dns static
add address=10.1.0.5 name=router.lan type=A
/ip firewall filter
add action=drop chain=input dst-address=10.1.0.5 dst-port=22,80,443,8291,21,23 protocol=tcp src-address=10.5.0.1-10.5.0.254
add action=drop chain=input dst-address=MYNETWORKSHERE/16 src-address=10.5.0.2-10.5.0.250
add action=drop chain=forward dst-address=MYNETWORKSHERE/16 src-address=10.5.0.2-10.5.0.250
add action=drop chain=forward dst-address=MYNETWORKSHERE/16 src-address=10.5.0.2-10.5.0.250
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat src-address=10.5.0.0/24
"If something is worth doing, it's worth overdoing."