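# MikroTik VLAN Setup Script
# Run this once to configure VLAN infrastructure
# NOTE: Does NOT enable VLAN filtering - see mikrotik-vlan-enable.rsc
#
# Review notes for whoever applies this:
#   * Every "add" below APPENDS to the existing /ip firewall filter forward
#     chain. If that chain already ends in a catch-all drop, none of the rules
#     added here will ever be reached - check rule order after import.
#   * Only the forward chain is touched. Access to the router itself
#     (WinBox/SSH/API/DNS on the router) from IoT/Cameras/Guest is decided by
#     the input chain, which this script does not restrict.
#   * Rules match on source IP via address lists, not on ingress interface.
#     A host that spoofs a 192.168.10.x source address would match
#     "Mgmt to All". Once VLAN filtering is enabled (and wifi/uplink ports
#     actually land on their vlanXX interfaces), add in-interface=vlanXX-...
#     to the accept rules so each one is bound to the VLAN it belongs to.
#   * There is no final "drop everything else" rule, so any inter-VLAN flow
#     not listed (e.g. Servers -> Mgmt, IoT -> Servers/Cameras/Legacy/Guest)
#     is permitted by this script unless a later rule blocks it.

# ===========================================
# VLAN Interfaces
# ===========================================
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10 comment="Management VLAN"
add interface=bridge name=vlan20-trusted vlan-id=20 comment="Trusted VLAN"
add interface=bridge name=vlan30-iot vlan-id=30 comment="IoT VLAN"
add interface=bridge name=vlan35-cameras vlan-id=35 comment="Cameras VLAN"
add interface=bridge name=vlan40-servers vlan-id=40 comment="Servers VLAN"
add interface=bridge name=vlan50-guest vlan-id=50 comment="Guest VLAN"

# ===========================================
# IP Addresses for VLANs (router is .1 in every subnet)
# ===========================================
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt comment="Management VLAN"
add address=192.168.20.1/24 interface=vlan20-trusted comment="Trusted VLAN"
add address=192.168.30.1/24 interface=vlan30-iot comment="IoT VLAN"
add address=192.168.35.1/24 interface=vlan35-cameras comment="Cameras VLAN"
add address=192.168.40.1/24 interface=vlan40-servers comment="Servers VLAN"
add address=192.168.50.1/24 interface=vlan50-guest comment="Guest VLAN"

# ===========================================
# DHCP Pools
# ===========================================
/ip pool
add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.150
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.220

# ===========================================
# DHCP Servers
# ===========================================
/ip dhcp-server
add name=dhcp-mgmt interface=vlan10-mgmt address-pool=pool-mgmt lease-time=30m
add name=dhcp-trusted interface=vlan20-trusted address-pool=pool-trusted lease-time=30m
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=30m
add name=dhcp-cameras interface=vlan35-cameras address-pool=pool-cameras lease-time=30m
add name=dhcp-servers interface=vlan40-servers address-pool=pool-servers lease-time=30m
# Guests get a longer lease; everything else recycles in 30 minutes.
add name=dhcp-guest interface=vlan50-guest address-pool=pool-guest lease-time=4h

# ===========================================
# DHCP Networks
# All VLANs are pointed at the resolver on the legacy subnet (192.168.31.1);
# the firewall section below must keep port 53 to that host reachable from
# every isolated VLAN or clients there lose name resolution.
# ===========================================
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.1 comment="Management VLAN"
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.1 comment="Trusted VLAN"
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1 comment="IoT VLAN"
add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.31.1 comment="Cameras VLAN"
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.1 comment="Servers VLAN"
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.31.1 comment="Guest VLAN"

# ===========================================
# Bridge VLAN Table
# Takes effect only after vlan-filtering is enabled (see the -enable script).
# The CSS326 uplink carries every VLAN tagged; only VLAN 1 (legacy) and
# VLAN 20 (hAP wifi) have untagged members.
# ===========================================
/interface bridge vlan
add bridge=bridge vlan-ids=1 tagged=bridge,eth3_CSS326_Uplink untagged=eth2_CAPac_Uplink,eth4_ZX-SWTGW218AS_Uplink,ether5 comment="Legacy VLAN"
add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink comment="Management VLAN"
add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2 comment="Trusted VLAN"
add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink comment="IoT VLAN"
add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink comment="Cameras VLAN"
add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink comment="Servers VLAN"
add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink comment="Guest VLAN"

# ===========================================
# Bridge Port PVIDs
# Untagged frames from the hAP wifi interfaces are placed in VLAN 20.
# Ports left at the default PVID (1) fall into the legacy VLAN.
# ===========================================
/interface bridge port
set [find interface=hap-wifi1] pvid=20
set [find interface=hap-wifi2] pvid=20

# ===========================================
# Firewall Address Lists
# ===========================================
/ip firewall address-list
add list=vlan-mgmt address=192.168.10.0/24
add list=vlan-trusted address=192.168.20.0/24
add list=vlan-iot address=192.168.30.0/24
add list=vlan-cameras address=192.168.35.0/24
add list=vlan-servers address=192.168.40.0/24
add list=vlan-guest address=192.168.50.0/24
add list=vlan-legacy address=192.168.31.0/24
add list=all-vlans address=192.168.10.0/24
add list=all-vlans address=192.168.20.0/24
add list=all-vlans address=192.168.30.0/24
add list=all-vlans address=192.168.35.0/24
add list=all-vlans address=192.168.40.0/24
add list=all-vlans address=192.168.50.0/24
add list=all-vlans address=192.168.31.0/24

# ===========================================
# Inter-VLAN Firewall Rules (forward chain, evaluated top to bottom)
# ===========================================
/ip firewall filter
# Return traffic of permitted flows must be accepted before the per-VLAN
# drops below; otherwise "Block IoT to Trusted" / "Block Cameras to VLANs"
# would drop the replies of Trusted -> IoT / Trusted -> Cameras connections.
# Harmless duplicate if the chain already has an equivalent rule earlier.
add chain=forward action=accept connection-state=established,related comment="VLAN: Accept established/related"

# Allow rules
add chain=forward action=accept src-address-list=vlan-mgmt dst-address-list=all-vlans comment="VLAN: Mgmt to All"
add chain=forward action=accept src-address-list=vlan-legacy dst-address-list=all-vlans comment="VLAN: Legacy to All"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-iot comment="VLAN: Trusted to IoT"
# Camera access from Trusted is limited to web UI and RTSP over TCP.
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-cameras dst-port=80,443,554,8080,8554 protocol=tcp comment="VLAN: Trusted to Cameras (view)"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-servers comment="VLAN: Trusted to Servers"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-legacy comment="VLAN: Trusted to Legacy"

# DNS access for isolated VLANs - UDP and TCP on both, since resolvers fall
# back to TCP for truncated responses (the original only gave IoT TCP/53).
add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: IoT to DNS"
add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: IoT to DNS TCP"
add chain=forward action=accept src-address-list=vlan-cameras dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Cameras to DNS"
add chain=forward action=accept src-address-list=vlan-cameras dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: Cameras to DNS TCP"
add chain=forward action=accept src-address-list=vlan-guest dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Guest to DNS"
add chain=forward action=accept src-address-list=vlan-guest dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: Guest to DNS TCP"

# Block rules
# Guest and Cameras are cut off from every internal subnet; Cameras are NOT
# blocked from reaching the internet here - add a separate rule if they
# should not phone home.
add chain=forward action=drop src-address-list=vlan-guest dst-address-list=all-vlans comment="VLAN: Block Guest to internal"
add chain=forward action=drop src-address-list=vlan-cameras dst-address-list=all-vlans comment="VLAN: Block Cameras to VLANs"
add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-mgmt comment="VLAN: Block IoT to Mgmt"
add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-trusted comment="VLAN: Block IoT to Trusted"
# NOTE(review): no rule restricts the Servers VLAN, and IoT can still reach
# Servers/Cameras/Legacy/Guest. Once the intended allows are complete, end
# this section with a default-deny:
#   add chain=forward action=drop src-address-list=all-vlans dst-address-list=all-vlans comment="VLAN: Drop remaining inter-VLAN"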