Hi there, i’m “upgrading” my RB’s settings, assigning vlans, ip ranges, implement port knocking and etc, just got some servers to start my homelab journey, but now i’m having some problems with DHCP servers, they’re showing up in red with an “I” for inactive, and i can’t connect to internet either (my router pings google tho)
Even asked GPT-4 if he could see something that i can’t, but it didn’t help
# 2023-11-26 04:31:27 by RouterOS 7.12.1
# software id = 73G8-DCW6
#
# model = RB3011UiAS
# serial number = HIDDEN
/interface ethernet
set [ find default-name=ether2 ] comment=\
"Link 02 | Auth: DHCP | Rx: 500 Mbps | Tx: 500 Mbps | FlyLink Telecom"
set [ find default-name=ether3 ] comment=\
"Link 03 | Auth: DHCP | Rx: 100 Mbps | Tx: 100 Mbps | Algar LTE"
set [ find default-name=ether4 ] comment="Management Port 01"
set [ find default-name=ether5 ] comment="Management Port 02"
set [ find default-name=ether6 ] comment="MikroTik CCS326-24G2S+RM"
set [ find default-name=ether7 ] comment="Disabled for port security" \
disabled=yes
set [ find default-name=ether8 ] comment="Disabled for port security" \
disabled=yes
set [ find default-name=ether9 ] comment="Disabled for port security" \
disabled=yes
set [ find default-name=ether10 ] comment="MikroTik hAP AC3" poe-out=off
set [ find default-name=sfp1 ] comment="Disabled for port security" disabled=\
yes
/interface vlan
add comment="10.0.10.0/24 - VLAN 10 - Trusted Users" interface=ether6 name=\
VLAN10 vlan-id=10
add comment="10.0.20.0/24 - VLAN 20 - Untrusted Users" interface=ether6 name=\
VLAN20 vlan-id=20
add comment="10.0.30.0/24 - VLAN 30 - Video Games" interface=ether6 name=\
VLAN30 vlan-id=30
add comment="10.0.40.0/24 - VLAN 40 - IoT Devices" interface=ether6 name=\
VLAN40 vlan-id=40
add comment="10.0.50.0/24 - VLAN 50 - Cameras" interface=ether6 name=VLAN50 \
vlan-id=50
add comment="10.0.99.0/24 - VLAN 99 - Management" interface=ether4 name=\
VLAN99 vlan-id=99
add comment="10.0.100.0/24 - VLAN 100 - Servers" interface=ether6 name=\
VLAN100 vlan-id=100
/interface pppoe-client
add add-default-route=yes comment="PPPoE Algar Telecom" disabled=no \
interface=ether1 max-mru=1492 max-mtu=1492 name=PPPoE-AlgarTelecom user=\
algar@algar
/ip pool
add name=pool-vlan10 ranges=10.0.10.2-10.0.10.254
add name=pool-vlan20 ranges=10.0.20.2-10.0.20.254
add name=pool-vlan30 ranges=10.0.30.2-10.0.30.254
add name=pool-vlan40 ranges=10.0.40.2-10.0.40.254
add name=pool-vlan50 ranges=10.0.50.2-10.0.50.254
add name=pool-vlan99 ranges=10.0.99.2-10.0.99.254
add name=pool-vlan100 ranges=10.0.100.2-10.0.100.254
/ip dhcp-server
add address-pool=pool-vlan10 interface=VLAN10 name=dhcp-vlan10 relay=\
10.0.10.1
add address-pool=pool-vlan20 interface=VLAN20 name=dhcp-vlan20 relay=\
10.0.20.1
add address-pool=pool-vlan30 interface=VLAN30 name=dhcp-vlan30 relay=\
10.0.30.1
add address-pool=pool-vlan40 interface=VLAN40 name=dhcp-vlan40 relay=\
10.0.40.1
add address-pool=pool-vlan50 interface=VLAN50 name=dhcp-vlan50 relay=\
10.0.50.1
add address-pool=pool-vlan99 interface=VLAN99 name=dhcp-vlan99 relay=\
10.0.99.1
add address-pool=pool-vlan100 interface=VLAN100 name=dhcp-vlan100 relay=\
10.0.100.1
/port
set 0 name=serial0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 \
gateway=10.0.10.1 netmask=24 ntp-server=\
200.160.7.186,201.49.148.135,200.186.125.195
add address=10.0.20.0/24 dns-server=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 \
gateway=10.0.20.1 netmask=24 ntp-server=\
200.160.7.186,201.49.148.135,200.186.125.195
add address=10.0.30.0/24 dns-server=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 \
gateway=10.0.30.1 netmask=24 ntp-server=\
200.160.7.186,201.49.148.135,200.186.125.195
add address=10.0.40.0/24 dns-server=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 \
gateway=10.0.40.1 netmask=24 ntp-server=\
200.160.7.186,201.49.148.135,200.186.125.195
add address=10.0.50.0/24 dns-server=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 \
gateway=10.0.50.1 netmask=24 ntp-server=\
200.160.7.186,201.49.148.135,200.186.125.195
add address=10.0.99.0/24 dns-server=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 \
gateway=10.0.99.1 netmask=24 ntp-server=\
200.160.7.186,201.49.148.135,200.186.125.195
add address=10.0.100.0/24 dns-server=\
94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8 gateway=10.0.100.1 netmask=24 \
ntp-server=200.160.7.186,201.49.148.135,200.186.125.195
/ip dns
set servers=94.140.14.14,94.140.15.15,1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Aceitar conexes estabelecidas" \
connection-state=established
add action=accept chain=input comment="Aceitar conexes relacionadas" \
connection-state=related
add action=drop chain=input comment="Bloquear conexes invlidas" \
connection-state=invalid
add action=accept chain=forward comment="VLAN 10 - Acesso total" src-address=\
10.0.10.0/24
add action=accept chain=forward comment="VLAN 20 - Acesso apenas Internet" \
dst-address-type=!local src-address=10.0.20.0/24
add action=accept chain=forward comment="VLAN 30 - Acesso aos servidores" \
dst-address=10.0.100.0/24 src-address=10.0.30.0/24
add action=accept chain=forward comment="VLAN 30 - Acesso Internet" \
dst-address-type=!local src-address=10.0.30.0/24
add action=accept chain=forward comment="VLAN 40 - Acesso apenas Internet" \
dst-address-type=!local src-address=10.0.40.0/24
add action=accept chain=forward comment="VLAN 50 - Acesso VLAN 10" \
dst-address=10.0.10.0/24 src-address=10.0.50.0/24
add action=accept chain=forward comment="VLAN 50 - Acesso VLAN 100" \
dst-address=10.0.100.0/24 src-address=10.0.50.0/24
add action=accept chain=input comment="VLAN 99 - Acesso ao RB3011UiAS-RM" \
in-interface=VLAN99 src-address=10.0.99.0/24
add action=accept chain=forward comment="VLAN 99 - Acesso total" src-address=\
10.0.99.0/24
add action=accept chain=forward comment="VLAN 100 - Acesso VLAN 10" \
dst-address=10.0.10.0/24 src-address=10.0.100.0/24
add action=accept chain=forward comment="VLAN 100 - Acesso Internet" \
dst-address-type=!local src-address=10.0.100.0/24
add action=add-src-to-address-list address-list=PortKnock1 \
address-list-timeout=1m chain=input dst-port=HIDDEN protocol=tcp
add action=add-src-to-address-list address-list=PortKnock2 \
address-list-timeout=1m chain=input dst-port=HIDDEN protocol=tcp \
src-address-list=PortKnock1
add action=accept chain=input src-address-list=PortKnock2
add action=fasttrack-connection chain=forward comment=\
"FastTrack established and related connections" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Accept established and related connections" connection-state=\
established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-AlgarTelecom
/ip route
add check-gateway=ping distance=1 gateway=PPPoE-AlgarTelecom
add check-gateway=ping distance=2 gateway=ether2
add check-gateway=ping distance=3 gateway=ether3
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system logging
add topics=firewall
add topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=200.160.7.186
add address=201.49.148.135
add address=200.186.125.195
No ip addresses set on the vlan interfaces
You got answered on r/mikrotik ?
Actually no, i’ve fixed some thinks like the DHCP relay, and also assigned ip addresses for the VLAN interfaces, like u/SirLagz suggested, the DHCP servers seems to be working now
I’ve bridged both management interfaces to try other approach, but i still can’t access the internet from this RouterBOARD
I’ll leave a comment with an updated configuration script, if one of you want to take a look