Good morning, yesterday Open Fiber installed the Nokia GPON and the Vodafone Station 6 for me.
Since I already have a MikroTik hAP ax2 that I was using cascaded behind the Fastweb modem, I wanted to start using it in PPPoE, connecting it directly to the GPON's Ethernet port.

I tried following the configuration from Vodafone's documentation, but the only fields I managed to set on the PPPoE client configured on eth1 are username and password; I left the rest at default, without success.

I also tried setting the indicated VLAN on the interface, but the PPPoE still fails to connect.

Could you help me? Should I ask Vodafone for other details?

Thanks

Hello.

I studied the documentation and some posts more carefully and made new attempts.
Unfortunately I cannot get the PPPoE client communication to start.
I tried configuring the VLAN, masquerading etc., but I cannot figure out what I am missing.

At the moment I have put myself in cascade behind the Vodafone Station, placing the MikroTik's address in its DMZ, but I still want to get the MikroTik working connected directly to the Open Fiber ONT.

I should mention that at the moment I have also configured a container following this guide https://xaizone.eu/post/setup-blocky-on-mikrotik-routeros/ and that I have applied the advanced firewall rules from the RouterOS documentation.

As seen in other posts, I am sharing the configuration hoping that some kind soul can guide me through this undertaking:

# 2024-06-20 01:12:37 by RouterOS 7.15
# software id = H9VE-RJNQ
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=48:A9:8A:80:C7:FE auto-mac=no comment=defconf name=bridge port-cost-mode=short
add name=containers port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Italy .hide-ssid=yes .mode=ap .ssid=ninja disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Italy .hide-ssid=yes .mode=ap .ssid=ninja disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes interface=ether1 max-mtu=1500 name=Vodafone user=vodafoneadsl
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
/interface vlan
add disabled=yes interface=ether1 name=vlan1 use-service-tag=yes vlan-id=1036
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-home ranges=10.10.10.21-10.10.10.30
/ip dhcp-server
add address-pool=dhcp-home interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/system logging action
set 1 disk-file-count=3
add disk-file-name=ERROR_log name=errorDisk target=disk
/container
add interface=veth1 logging=yes root-dir=docker/blocky start-on-boot=yes workdir=/app
/container config
set registry-url=https://registry-1.docker.io tmpdir=docker/temp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=containers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!LAN
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.10.10.1/27 comment=defconf interface=bridge network=10.10.10.0
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
add address=172.17.0.1/24 interface=containers network=172.17.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=10.10.10.30 client-id=1:12:18:8a:8f:4f:6 mac-address=12:18:8A:8F:4F:06 server=defconf
/ip dhcp-server network
add address=10.10.10.0/27 comment=defconf dns-server=10.10.10.1 gateway=10.10.10.1 netmask=27
/ip dns
set servers=10.10.10.1,1.1.1.1
/ip dns static
add address=10.10.10.1 comment=defconf name=router.lan
add address=159.148.172.226 name=upgrade.mikrotik.com
/ip firewall address-list
add address=10.10.10.2-10.10.10.30 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=172.17.0.0/24 comment="made for blocky" list=container_LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=\
    yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked \
    disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log=yes log-prefix=input_default_drop
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Allow forward to blocky" log-prefix=allowed_to_blocky out-interface=containers src-address=\
    10.10.10.0/27
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge \
    log=yes log-prefix=!public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public \
    src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN \
    src-address=!10.10.10.0/27
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" log=yes log-prefix=bad_icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 in-interface=bridge protocol=udp to-addresses=172.17.0.2 to-ports=6969
add action=dst-nat chain=dstnat dst-port=53 in-interface=bridge protocol=tcp to-addresses=172.17.0.2 to-ports=6969
add action=masquerade chain=srcnat src-address=172.17.0.0/24
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN \
    protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" log=yes log-prefix=raw_pre_bad_ip_src src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 log=yes log-prefix=raw_pre_bad_ip_dst
add action=drop chain=prerouting comment="defconf: drop bogon IP's" log=yes log-prefix=raw_pre_bad_src_ip src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4 log-prefix=raw_pre_bad_dst_ip
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=10.10.10.0/27 in-interface-list=WAN log=yes \
    log-prefix=raw_pre_drop_forw_to_lan_from_wan
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN log=yes log-prefix=\
    raw_pre_drop_local_if_not_lan src-address=!10.10.10.0/27
add action=drop chain=prerouting comment="defconf: drop bad UDP" log=yes log-prefix=raw_pre_drop_bad_udp port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=allow_dns_requests in-interface=containers
add action=drop chain=prerouting comment="defconf: drop the rest" log=yes log-prefix=raw_pre_drop_the_rest
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN log=yes log-prefix=\
    IPV6_DROP_NOT_FROM_LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Rome
/system logging
add action=errorDisk topics=error,critical,warning
add action=disk topics=account
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
/system ntp client servers
add address=0.it.pool.ntp.org iburst=no
add address=1.it.pool.ntp.org iburst=no
add address=2.it.pool.ntp.org iburst=no
add address=3.it.pool.ntp.org iburst=no
add address=ntp1.inrim.it iburst=no
add address=ntp2.inrim.it iburst=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LA
  • GioAda replied to this message

    makeg
    /interface pppoe-client
    add add-default-route=yes interface=ether1 max-mtu=1500 name=Vodafone user=vodafoneadsl

    For the PPPoE client you have to use the vlan1 you created for Vodafone, not ether1.
    You then have to add the pppoe-out1 interface to the WAN interface list, so you avoid creating additional firewall/NAT rules.
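    One way to check an export for exactly the points raised in this reply (PPPoE bound to the physical port instead of the VLAN, the PPPoE interface missing from the WAN list) and for the firewall consequence that follows from them, as an added example that is not code from the original post, from MikroTik or from any forum member: a small Python audit over the export text. The two embedded exports are constructed from the configuration posted above; the `parse_export` and `audit` functions, the finding texts and the 802.1ad service-tag check are my own assumptions about what is worth flagging, and the "fixed" sample follows the advice in this reply rather than any configuration in the thread.

```python
"""Audit a RouterOS `/export` for the PPPoE-over-VLAN mistakes discussed in this thread.

Added example: this is not code from the original post, from MikroTik or from the
forum members. It parses export text (honouring '\\' line continuations) and checks
for: a PPPoE client bound to the physical port instead of the VLAN, a disabled VLAN,
a VLAN sending an 802.1ad service tag, a PPPoE interface missing from the WAN list,
and active firewall rules matching in-interface on the physical port, which never
see packets that arrive through the PPPoE tunnel.
"""
import re

# key=value token; values may be double-quoted (comments with spaces) or bare.
TOKEN = re.compile(r'([\w.\-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: a trimmed copy of the first export posted in the thread.
BROKEN_EXPORT = """\
/interface pppoe-client
add add-default-route=yes interface=ether1 max-mtu=1500 name=Vodafone user=vodafoneadsl
/interface vlan
add disabled=yes interface=ether1 name=vlan1 use-service-tag=yes vlan-id=1036
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \\
    in-interface-list=WAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \\
    in-interface=ether1 log=yes log-prefix=!NAT
"""

# Constructed sample following the reply above: PPPoE on the enabled VLAN, pppoe-out1
# in the WAN list, and the firewall matching on the list instead of the physical port.
FIXED_EXPORT = """\
/interface vlan
add interface=ether1 name=vlan1 vlan-id=1036
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 user=vodafoneadsl
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/ip firewall filter
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \\
    in-interface-list=WAN
"""


def parse_export(text):
    """Return [(section, verb, params)] for every add/set line in an export."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = buf + (raw.strip() if buf else raw.rstrip())
        if line.endswith("\\"):            # trailing backslash: join with the next line
            buf = line[:-1]
            continue
        logical.append(line)
        buf = ""
    entries, section = [], None
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # section header such as "/interface vlan"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in TOKEN.findall(rest)}
        entries.append((section, verb, params))
    return entries


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing was detected."""
    entries = parse_export(text)
    findings = []
    vlans = {p["name"]: p for s, v, p in entries if s == "/interface vlan" and v == "add"}
    wan = {p.get("interface") for s, v, p in entries
           if s == "/interface list member" and p.get("list") == "WAN"}
    for name, p in vlans.items():
        if p.get("disabled") == "yes":
            findings.append(f"vlan {name} (vlan-id {p.get('vlan-id')}) is disabled")
        if p.get("use-service-tag") == "yes":
            findings.append(f"vlan {name} sends an 802.1ad service tag; confirm the provider "
                            "does not expect a plain 802.1Q tag")
    underlying = set()   # ports whose internet traffic actually arrives via the PPPoE interface
    for s, v, p in entries:
        if s != "/interface pppoe-client" or v != "add":
            continue
        name, iface = p.get("name", "pppoe-out1"), p.get("interface", "")
        if iface in vlans:
            underlying.update({iface, vlans[iface].get("interface")})
        else:
            underlying.add(iface)
            findings.append(f"pppoe-client {name} is bound to {iface}, not to a VLAN interface")
        if name not in wan:
            findings.append(f"pppoe-client {name} is not a member of interface list WAN")
    for s, v, p in entries:
        if s == "/ip firewall filter" and p.get("disabled") != "yes" and p.get("in-interface") in underlying:
            findings.append(f"rule '{p.get('comment', '')}' matches in-interface={p['in-interface']}; "
                            "packets arriving through the PPPoE tunnel carry the pppoe interface "
                            "name, so this rule never matches them")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        result = audit(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

    The firewall check is the reason the reply recommends the WAN list rather than new rules: once the session is up, packets from the internet arrive on pppoe-out1, so a drop rule keyed to `in-interface=ether1` (as in the active rules of the posted configuration) stops applying, while the disabled `defconf` rules already use `in-interface-list=WAN` and keep working as soon as pppoe-out1 is a member of that list.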

    Thanks @GioAda for the reply.
    I tried following your suggestion, but without success.

    I also made various attempts, not knowing what to enter in the address list and consequently what to do in the route list configuration.
    These are the various configurations I have now (to be able to use the internet).

    The PPP profile is really not clear to me

      makeg
      The vlan1 interface looks disabled. Have you tried enabling it?
      If it does not work, post the updated configuration and a screenshot of the logs.

      • makeg replied to this message

        mario152475
        Thanks for the advice.
        What you see disabled is for using the "old" configuration. When I run the tests I enable them. This evening I will send you the config from when I run the tests.

          makeg
          Keep in mind that it is important that the information you post (configuration and screenshots) reflects your tests, otherwise it is hard to help you.

          • makeg replied to this message

            mario152475
            You are absolutely right, and I apologize for wasting your time.

            I redid the test and this is the main configuration I am trying to get working.

            export hide-sensitive
            # 2024-06-21 19:39:02 by RouterOS 7.15
            # software id = H9VE-RJNQ
            #
            # model = C52iG-5HaxD2HaxD
            # serial number = 
            
            /interface bridge
            add admin-mac=45:A9:3A:90:C8:CE auto-mac=no comment=defconf name=bridge port-cost-mode=short
            add name=containers port-cost-mode=short
            
            /interface wifi
            set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Italy .hide-ssid=yes .mode=ap .ssid=ninja disabled=no \
                security.authentication-types=wpa2-psk,wpa3-psk
            set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Italy .hide-ssid=yes .mode=ap .ssid=ninja disabled=no \
                security.authentication-types=wpa2-psk,wpa3-psk
            
            /interface veth
            add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
            
            /interface vlan
            add interface=ether1 name=vlan1 use-service-tag=yes vlan-id=1036
            
            /interface pppoe-client
            add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 user=vodafoneadsl
            
            /interface list
            add comment=defconf name=WAN
            add comment=defconf name=LAN
            
            /ip pool
            add name=dhcp-home ranges=10.10.10.21-10.10.10.30
            
            /ip dhcp-server
            add address-pool=dhcp-home interface=bridge lease-time=10m name=defconf
            
            /ip smb users
            set [ find default=yes ] disabled=yes
            
            /system logging action
            set 1 disk-file-count=3
            add disk-file-name=ERROR_log name=errorDisk target=disk
            
            /container
            add interface=veth1 logging=yes root-dir=docker/blocky start-on-boot=yes workdir=/app
            
            /container config
            set registry-url=https://registry-1.docker.io tmpdir=docker/temp
            
            /interface bridge port
            add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
            add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
            add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
            add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
            add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
            add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
            add bridge=containers interface=veth1 internal-path-cost=10 path-cost=10
            
            /ip firewall connection tracking
            set udp-timeout=10s
            
            /ip neighbor discovery-settings
            set discover-interface-list=!LAN
            
            /ipv6 settings
            set disable-ipv6=yes
            
            /interface detect-internet
            set detect-interface-list=all
            
            /interface list member
            add comment=defconf interface=bridge list=LAN
            add interface=vlan1 list=WAN
            add comment=";;;defconf" interface=ether1 list=WAN
            
            /ip address
            add address=10.10.10.1/27 comment=defconf interface=bridge network=10.10.10.0
            add address=172.17.0.1/24 interface=containers network=172.17.0.0
            
            /ip cloud
            set update-time=no
            
            /ip dhcp-client
            add comment=defconf disabled=yes interface=ether1
            
            /ip dhcp-server lease
            add address=10.10.10.30 client-id=1:12:18:8a:8f:4f:6 mac-address=12:18:8A:8F:4F:06 server=defconf
            
            /ip dhcp-server network
            add address=10.10.10.0/27 comment=defconf dns-server=10.10.10.1 gateway=10.10.10.1 netmask=27
            
            /ip dns
            set servers=1.1.1.1
            
            /ip dns static
            add address=10.10.10.1 comment=defconf name=router.lan
            add address=159.148.172.226 name=upgrade.mikrotik.com
            
            /ip firewall address-list
            add address=10.10.10.2-10.10.10.30 list=allowed_to_router
            add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
            add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
            add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
            add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
            add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
            add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
            add address=224.0.0.0/4 comment=Multicast list=not_in_internet
            add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
            add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
            add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
            add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
            add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
            add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
            add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
            add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
            add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
            add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
            add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
            add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
            add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
            add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
            add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
            add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
            add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
            add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
            add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
            add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
            add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
            add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
            add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
            add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
            add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
            add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
            add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
            add address=172.17.0.0/24 comment="made for blocky" list=container_LAN
            
            /ip firewall filter
            add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=\
                yes
            add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
            add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
            add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
            add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
            add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
            add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
            add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
            add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked \
                disabled=yes
            add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
            add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
                in-interface-list=WAN
            add action=accept chain=input comment="default configuration" connection-state=established,related
            add action=accept chain=input src-address-list=allowed_to_router
            add action=accept chain=input protocol=icmp
            add action=drop chain=input log=yes log-prefix=input_default_drop
            add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
            add action=accept chain=forward comment="Established, Related" connection-state=established,related
            add action=accept chain=forward comment="Allow forward to blocky" log-prefix=allowed_to_blocky out-interface=containers src-address=\
                10.10.10.0/27
            add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
            add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge \
                log=yes log-prefix=!public_from_LAN out-interface=!bridge
            add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
                in-interface=ether1 log=yes log-prefix=!NAT
            add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
            add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public \
                src-address-list=not_in_internet
            add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN \
                src-address=!10.10.10.0/27
            add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
            add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
            add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
            add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
            add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
            add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
            add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
            add action=drop chain=icmp comment="deny all other types" log=yes log-prefix=bad_icmp
            
            /ip firewall nat
            add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
            add action=dst-nat chain=dstnat dst-port=53 in-interface=bridge protocol=udp to-addresses=172.17.0.2 to-ports=6969
            add action=dst-nat chain=dstnat dst-port=53 in-interface=bridge protocol=tcp to-addresses=172.17.0.2 to-ports=6969
            add action=masquerade chain=srcnat src-address=172.17.0.0/24
            
            /ip firewall raw
            add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
            add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN \
                protocol=udp src-address=0.0.0.0 src-port=68
            add action=drop chain=prerouting comment="defconf: drop bogon IP's" log=yes log-prefix=raw_pre_bad_ip_src src-address-list=bad_ipv4
            add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 log=yes log-prefix=raw_pre_bad_ip_dst
            add action=drop chain=prerouting comment="defconf: drop bogon IP's" log=yes log-prefix=raw_pre_bad_src_ip src-address-list=bad_src_ipv4
            add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4 log-prefix=raw_pre_bad_dst_ip
            add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
            add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=10.10.10.0/27 in-interface-list=WAN log=yes \
                log-prefix=raw_pre_drop_forw_to_lan_from_wan
            add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN log=yes log-prefix=\
                raw_pre_drop_local_if_not_lan src-address=!10.10.10.0/27
            add action=drop chain=prerouting comment="defconf: drop bad UDP" log=yes log-prefix=raw_pre_drop_bad_udp port=0 protocol=udp
            add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
            add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
            add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
            add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
            add action=accept chain=prerouting comment=allow_dns_requests in-interface=containers
            add action=drop chain=prerouting comment="defconf: drop the rest" log=yes log-prefix=raw_pre_drop_the_rest
            add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
            add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
            add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
            add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
            add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
            add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
            add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
            add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
            add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
            add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
            add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
            add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
            add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
            add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
            add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
            add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
            add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
            
            /ip firewall service-port
            set ftp disabled=yes
            
            /ip service
            set telnet disabled=yes
            set ftp disabled=yes
            set www disabled=yes
            set ssh disabled=yes
            set api disabled=yes
            set api-ssl disabled=yes
            
            /ip smb shares
            set [ find default=yes ] directory=/pub
            
            /ip ssh
            set strong-crypto=yes
            
            /ipv6 firewall address-list
            add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
            add address=::1/128 comment="defconf: lo" list=bad_ipv6
            add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
            add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
            add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
            add address=100::/64 comment="defconf: discard only " list=bad_ipv6
            add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
            add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
            add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
            
            /ipv6 firewall filter
            add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
            add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
            add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
            add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
            add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
            add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
            add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
            add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
            add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
            add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN log=yes log-prefix=\
                IPV6_DROP_NOT_FROM_LAN
            add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
            add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
            add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
            add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
            add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
            add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
            add action=accept chain=forward comment="defconf: accept HIP" protocol=139
            add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
            add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
            add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
            add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
            add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
            
            /system clock
            set time-zone-name=Europe/Rome
            
            /system logging
            add action=errorDisk topics=error,critical,warning
            add action=disk topics=account
            
            /system note
            set show-at-login=no
            
            /system ntp client
            set mode=broadcast
            
            /system ntp client servers
            add address=0.it.pool.ntp.org iburst=no
            add address=1.it.pool.ntp.org iburst=no
            add address=2.it.pool.ntp.org iburst=no
            add address=3.it.pool.ntp.org iburst=no
            add address=ntp1.inrim.it iburst=no
            add address=ntp2.inrim.it iburst=no
            
            /tool bandwidth-server
            set enabled=no
            
            /tool mac-server
            set allowed-interface-list=LAN
            
            /tool mac-server mac-winbox
            set allowed-interface-list=LAN

            And this, instead, is the specific configuration of the PPPoE client

            /interface pppoe-client print
            Flags: X - disabled, I - invalid; R - running 
             0    name="pppoe-out1" max-mtu=auto max-mru=auto mrru=disabled interface=vlan1 user="vodafoneadsl" password="vodafoneadsl" profile=default keepalive-timeout=10 service-name="" ac-name="" add-default-route=yes default-route-distance=1 dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2

            Thanks again to everyone

              makeg
              No problem. It's so I can help you better.

              I don't see any obvious problems (but I haven't checked the firewall). I would disable detect-internet, because it is known to cause subtle problems (it changes the configuration in its own way).

              Could you also post a screenshot of the log window, in particular after a reboot?

              And I would remove ether1 from the WAN list.


                mario152475
                Good news.
                I disabled detect-internet and removed ether1 from WAN, but that wasn't enough.
                I don't know whether it was something I did during the various tests, but removing "Use Service Tag" from the VLAN configuration got the PPPoE going.

                All good, but also bad, since the not-so-simple architecture I have, because of the DNS filter in the container and the many firewall rules, did not allow DNS traffic.
                I immediately noticed that the firewall rules blocking legitimate traffic were the default drops at the bottom of the raw chains, and once I disabled raw (by enabling the allow-all in raw) the traffic was then blocked by the default rule at the bottom of the normal rules.

                So I added some prerouting accepts for traffic coming in on the pppoe-out1 interface (mirroring the allow on interface-list WAN), and once the traffic managed to reach the filter rules I also added a rule to allow forwarding between the containers interface and pppoe-out1.

                I also added a srcnat rule for pppoe-out1, just like the one for WAN.

                DNS works as expected, ping too; I'll run more tests to verify that other protocols work as well, but from the logs it seems that all traffic not initiated from my network is blocked.

                Do you have any other advice for improving the filtering, considering that the MikroTik is now directly exposed?

                Finally I'll be able to unplug the Vodafone modem 🙂🎉

                  makeg
                  I'm anything but a firewall expert. However, your configuration looks different to me from a defconf one (for example the prerouting). It looks like a variation of the "advanced" one in the documentation. In my view, tinkering with the firewall without precise knowledge of the subject is a bit dangerous, so I would advise you to stick to the default (the one from a configuration reset + QuickSet). And put the container on the same network as the LAN, to simplify routing/firewall. Just my 2 cents.


                    mario152475
                    Thanks for the advice.

                    I don't claim to be a firewalling expert either, but I recently started a career that also requires this skill, so whatever I don't understand I have to learn.
                    The guide I referred to, which also details prerouting, is this one: https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall#BuildingAdvancedFirewall-RAWFiltering .
                    I was very curious about how it works, given its ability to make the normal rules more efficient, and it is explained better here: https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS.

                    Thanks a lot

                      makeg
                      In my opinion you shouldn't build the rules on interfaces, but on the WAN interface-list. And in that sense WAN should contain pppoe-out1, not the VLAN. As far as I understand, the firewall from the documentation (which I had recognised) should work AS-IS on the WAN side in your case too, so any deviation is suspicious. The container is a different matter, but in my opinion you should put it on the 10.10.10.1/27 network, which would save you a lot of problems. (By the way, why not /24?)

                      Good luck with your career, anyway.
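The point makeg makes here, and the symptom mario152475 ran into two posts up (the raw-chain and filter-chain default drops eating PPPoE traffic until extra rules were bound directly to pppoe-out1), can be checked mechanically against an export. The following Python script is an added example for this thread, not code from either poster or from MikroTik: it parses a RouterOS export (the `add key=value` lines under `/interface list member` and `/ip firewall ...`, joining the backslash-continued lines the export format uses), reports firewall rules that match on a bare `in-interface`/`out-interface` instead of an interface list, and warns when the WAN list has no pppoe-* member or still holds the VLAN carrier. The embedded export is constructed for the example: it reuses a few rules from the configuration posted above and adds a hypothetical `/interface list member` section with vlan1 in WAN, which is the state the thread started from.

```python
"""Lint a RouterOS export for firewall rules that bypass the WAN interface-list.

Added example for this thread; not code from the original posts or from MikroTik.
"""
import re
from dataclasses import dataclass

# Constructed sample export: a few rules copied from the configuration posted
# above plus a hypothetical "/interface list member" section with the VLAN
# carrier (vlan1) in WAN instead of the PPPoE interface.
SAMPLE_EXPORT = r"""
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=vlan1 list=WAN
add interface=bridge list=LAN
/ip firewall filter
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public \
    src-address-list=not_in_internet
/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=allow_dns_requests in-interface=containers
add action=drop chain=prerouting comment="defconf: drop the rest" log=yes log-prefix=raw_pre_drop_the_rest
"""

# key=value tokens; a value is either a double-quoted string or a run of non-spaces
_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warn"
    section: str    # export section the offending line lives in
    message: str


def parse_export(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (section, attributes) for every add/set line of an export.

    RouterOS wraps long lines with a trailing backslash; those are joined
    first so that each rule is parsed as a single logical line.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    section, entries = "", []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("add", "set"):
            attrs = {k: v.strip('"') for k, v in _KV.findall(rest)}
            entries.append((section, attrs))
    return entries


def lint_wan_binding(text: str) -> list[Finding]:
    """Flag WAN-list mistakes and firewall rules bound to bare interfaces."""
    entries = parse_export(text)
    members: dict[str, set[str]] = {}
    for section, a in entries:
        if section == "/interface list member" and "interface" in a and "list" in a:
            members.setdefault(a["interface"], set()).add(a["list"])
    wan = {iface for iface, lists in members.items() if "WAN" in lists}

    findings: list[Finding] = []
    if not any(iface.startswith("pppoe-") for iface in wan):
        findings.append(Finding("error", "/interface list member",
            "WAN list has no pppoe-* member: rules keyed on in-interface-list=WAN "
            "never see traffic arriving over the PPPoE session"))
    for iface in sorted(wan):
        if not iface.startswith("pppoe-"):
            findings.append(Finding("warn", "/interface list member",
                f"{iface} is in WAN; with PPPoE the carrier interface should not be a WAN member"))

    for section, a in entries:
        if not section.startswith("/ip firewall"):
            continue
        for key in ("in-interface", "out-interface"):
            iface = a.get(key)
            if iface is None:
                continue
            lists = members.get(iface.lstrip("!"), set())
            # A bare interface that belongs to no list is the dangerous case: when the
            # uplink moves (ether1 -> pppoe-out1) the rule silently stops matching.
            severity = "error" if not lists else "warn"
            findings.append(Finding(severity, section,
                f"rule '{a.get('comment', '<no comment>')}' matches {key}={iface}; "
                f"bind it to {key}-list instead"))
    return findings


if __name__ == "__main__":
    for f in lint_wan_binding(SAMPLE_EXPORT):
        print(f"[{f.severity}] {f.section}: {f.message}")
```

Run it as-is to see the findings for the constructed sample, or replace `SAMPLE_EXPORT` with the output of `/export` from your own router. The two "not NAT'ted" / "not public IP" forward rules come out as errors because ether1 is in no list at all, which is exactly why they would never fire once the WAN traffic arrives on pppoe-out1; the raw rule on the containers interface is flagged for the same reason, and goes away if the container is moved onto the LAN as makeg suggests.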


                        mario152475

                        In my opinion you shouldn't build the rules on interfaces, but on the WAN interface-list. And in that sense WAN should contain pppoe-out1, not the VLAN. As far as I understand, the firewall from the documentation (which I had recognised) should work AS-IS on the WAN side in your case too, so any deviation is suspicious.

                        You were right: with pppoe-out1 set as the only interface in the WAN list, the firewall rules I had before were enough.

                        So I'd say it is now more than fine.

                        The container is a different matter, but in my opinion you should put it on the 10.10.10.1/27 network, which would save you a lot of problems.

                        I would also have to review the interface and port configuration, since when the container is created a dedicated interface (veth1) is also assigned.

                        The guide I followed, https://xaizone.eu/post/setup-blocky-on-mikrotik-routeros/ , was adapted from the official documentation https://help.mikrotik.com/docs/display/ROS/Container#Container-Createnetwork

                        By the way, why not /24?

                        Because I hate myself 😵. Joking aside, I also took it as a subnetting exercise, since I'm doing a lot of that for work; I wanted to try building the network with a netmask just big enough for the devices I have. I had actually started with a /28, but as soon as my wife and I bought new phones I doubled it, otherwise nothing else would have fit while we were moving from the old ones to the new ones. Apart from having to look up now and then what it equals in the long dotted notation (which, with my memory, means always), I haven't had any other problem.

                        For now I think I'll keep the container with that configuration, since it is in any case aligned with the official one.

                        In the coming weeks I also want to create a VLAN to segregate work devices for when I'm working from home, so they bypass the container and don't talk to the rest of the home network, since I was also considering investing in a NAS. No rush, obviously.

                        Thanks again for everything.

                          makeg I would also have to review the interface and port configuration, since when the container is created a dedicated interface (veth1) is also assigned.

                          Exactly. Put it on the main network and you're done. I know the documentation presents it that way, but on the MikroTik forum this solution is recommended quite often. Anyway, it's up to you.

                          For the VLAN, remember to take one interface out of the bridge, otherwise you risk locking yourself out.

                          P.I. IT16712091004 - info@fibraclick.it
