Стенд собирается в VirtualBox, версия RouterOS x86 6.42.1 (Current), с последующим переносом на железо.
Пытаюсь настраивать по докам: https://wiki.mikrotik.com/wiki/Vlans_on ... nvironment и https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
На MKT_1 необходимо реализовать:
InterVLAN Routing.
Повесить DHCP на VLAN-ы.
Доступ из VLAN-ов в интернет.
Порты Режим порта
ether1 (ISP)
ether2 (Access).
ether3 + ether4 = Bonding1 (Trunk).
ether5, ether6, ether7 (Access).
ether8 (Hybrid).
#Set the router's identity (its display name) to MKT_1.
/system identity set name=MKT_1
#============================================================================================
#Label each physical port with its intended role (comment= is only a label; it configures nothing).
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=MGMT-VLAN1
#Port speed setting for the bonding1 members: ether3 and ether4 advertise 100M-full only.
set [ find default-name=ether3 ] advertise=100M-full comment=bonding1
set [ find default-name=ether4 ] advertise=100M-full comment=bonding1
set [ find default-name=ether5 ] comment=VLAN10
set [ find default-name=ether6 ] comment=VLAN20
set [ find default-name=ether7 ] comment=VLAN30
set [ find default-name=ether8 ] comment=Hybrid-VLAN1,10,20,30
#============================================================================================
#Create bonding1 from ether3 and ether4. No mode= is given, so the RouterOS default
#applies (the author's original comment names it as balance-rr).
/interface bonding add name=bonding1 slaves=ether3,ether4
#============================================================================================
#Create one bridge per VLAN (bridge1 for VLAN1, bridge10/20/30 with matching pvid),
#all with vlan-filtering off; filtering is switched on later, after the VLAN tables exist.
#NOTE(review): an interface can be a port of only one bridge, so a trunk or hybrid port
#cannot be a member of all four bridges at once. The bridge VLAN filtering examples in
#the MikroTik manual use a single VLAN-aware bridge - verify this layout against them.
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=no
add fast-forward=no name=bridge10 pvid=10 vlan-filtering=no
add fast-forward=no name=bridge20 pvid=20 vlan-filtering=no
add fast-forward=no name=bridge30 pvid=30 vlan-filtering=no
#============================================================================================
#Create one VLAN interface on top of each bridge; the VLAN id matches the bridge name.
#These interfaces later carry the gateway addresses and DHCP servers for VLAN10/20/30.
#NOTE(review): vlan1 is created here, but the VLAN1 address is assigned to bridge1 itself
#in the /ip address section, so vlan1 appears unused - confirm whether it is needed.
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge10 name=vlan10 vlan-id=10
add interface=bridge20 name=vlan20 vlan-id=20
add interface=bridge30 name=vlan30 vlan-id=30
#============================================================================================
#Address pools handed out by the DHCP servers: hosts .10-.20 in each VLAN subnet.
/ip pool
add name=VLAN10 ranges=10.0.0.10-10.0.0.20
add name=VLAN20 ranges=20.0.0.10-20.0.0.20
add name=VLAN30 ranges=30.0.0.10-30.0.0.20
#============================================================================================
#Assign the router's addresses: .1 in each VLAN subnet (the gateway announced by DHCP),
#192.168.0.1 on bridge1 for VLAN1, and 10.0.2.15 on the ISP port ether1.
#NOTE(review): 20.0.0.0/24 and 30.0.0.0/24 are outside the RFC 1918 private ranges.
#Behind NAT the lab works, but real Internet hosts in those ranges become unreachable
#from the VLANs, and the prefixes must never leak upstream; consider private ranges
#before moving to hardware.
/ip address
add address=10.0.0.1/24 comment=VLAN10 interface=vlan10 network=10.0.0.0
add address=20.0.0.1/24 comment=VLAN20 interface=vlan20 network=20.0.0.0
add address=30.0.0.1/24 comment=VLAN30 interface=vlan30 network=30.0.0.0
add address=192.168.0.1/24 comment=VLAN1 interface=bridge1 network=192.168.0.0
add address=10.0.2.15/24 comment=ISP interface=ether1 network=10.0.2.0
#============================================================================================
#Start one DHCP server per VLAN interface, each drawing from the pool of the same VLAN.
#No DHCP server is defined for VLAN1 (bridge1).
/ip dhcp-server
add address-pool=VLAN10 disabled=no interface=vlan10 name=server10
add address-pool=VLAN20 disabled=no interface=vlan20 name=server20
add address-pool=VLAN30 disabled=no interface=vlan30 name=server30
#============================================================================================
#DHCP options per subnet: clients get the router's .1 address as both gateway and DNS server.
#Handing out the router as DNS server relies on allow-remote-requests=yes in /ip dns.
/ip dhcp-server network
add address=10.0.0.0/24 comment=VLAN10 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
add address=20.0.0.0/24 comment=VLAN20 dns-server=20.0.0.1 gateway=20.0.0.1 netmask=24
add address=30.0.0.0/24 comment=VLAN30 dns-server=30.0.0.1 gateway=30.0.0.1 netmask=24
#============================================================================================
#Add ports to the bridges.
#bridge1 gets ether2 (access), ether8 (hybrid) and bonding1 (trunk) with default port settings.
#bridge10/20/30 each get their access port (ether5/6/7), which accepts only untagged or
#priority-tagged frames and places them in the bridge's VLAN through pvid.
#NOTE(review): vlan10/20/30 are created on top of bridge10/20/30 and are then added here
#as ports of those same bridges, which looks circular - verify. bonding1 and ether8 are
#members of bridge1 only, so bridge10/20/30 have no trunk or hybrid port of their own.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding1
add bridge=bridge10 frame-types=admit-only-vlan-tagged interface=vlan10 pvid=10
add bridge=bridge20 frame-types=admit-only-vlan-tagged interface=vlan20 pvid=20
add bridge=bridge30 frame-types=admit-only-vlan-tagged interface=vlan30 pvid=30
add bridge=bridge10 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge20 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20
add bridge=bridge30 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
#============================================================================================
#Interface lists used by later rules: WAN = ether1 (ISP), LAN = bridge1 (VLAN1).
#vlan10/20/30 are in neither list, so any rule written against LAN applies to bridge1 only.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
#============================================================================================
#Bridge VLAN tables (the author's open question: are ports tagged or untagged on egress?).
#For each VLAN id, tagged= lists the ports that send frames with the tag kept and
#untagged= lists the ports that send them with the tag removed.
#NOTE(review): bonding1 and ether8 are listed as tagged members here, but the bridge port
#section adds them to bridge1, not to bridge10/20/30. These entries presumably have no
#effect on those two ports, so VLAN separation on the trunk and hybrid ports should not
#be assumed - verify on the running router.
/interface bridge vlan
add bridge=bridge10 tagged=bonding1,bridge10,vlan10,ether8 untagged=ether5 vlan-ids=10
add bridge=bridge20 tagged=bonding1,bridge20,vlan20,ether8 untagged=ether6 vlan-ids=20
add bridge=bridge30 tagged=bonding1,bridge30,vlan30,ether8 untagged=ether7 vlan-ids=30
#============================================================================================
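#Block routed traffic between the VLAN subnets (the stated intent: no traffic between VLANs).
#Changes from the original list:
# - the three rules that were entered twice are listed once;
# - comments now read Deny_<source>_to_<destination>, matching src-address/dst-address
#   (the originals were labelled the other way round);
# - VLAN10/20/30 -> VLAN1 is now dropped as well; before, only VLAN1 -> VLANx was dropped,
#   so user VLANs could still send packets into the management subnet.
#NOTE(review): these rules drop every routed flow between the VLANs, which conflicts with
#the "InterVLAN Routing" goal in the task list - confirm which of the two is wanted.
#NOTE(review): route rules act on the routing lookup for forwarded packets; they are not a
#stateful firewall and presumably do not restrict access to the router's own addresses.
#/ip firewall filter (forward and input chains) is the usual place for this policy - confirm.
/ip route rule
add action=drop comment=Deny_VLAN20_to_10 disabled=no dst-address=10.0.0.0/24 src-address=20.0.0.0/24
add action=drop comment=Deny_VLAN30_to_10 disabled=no dst-address=10.0.0.0/24 src-address=30.0.0.0/24
add action=drop comment=Deny_VLAN10_to_20 disabled=no dst-address=20.0.0.0/24 src-address=10.0.0.0/24
add action=drop comment=Deny_VLAN30_to_20 disabled=no dst-address=20.0.0.0/24 src-address=30.0.0.0/24
add action=drop comment=Deny_VLAN10_to_30 disabled=no dst-address=30.0.0.0/24 src-address=10.0.0.0/24
add action=drop comment=Deny_VLAN20_to_30 disabled=no dst-address=30.0.0.0/24 src-address=20.0.0.0/24
add action=drop comment=Deny_VLAN1_to_10 disabled=no dst-address=10.0.0.0/24 src-address=192.168.0.0/24
add action=drop comment=Deny_VLAN1_to_20 disabled=no dst-address=20.0.0.0/24 src-address=192.168.0.0/24
add action=drop comment=Deny_VLAN1_to_30 disabled=no dst-address=30.0.0.0/24 src-address=192.168.0.0/24
add action=drop comment=Deny_VLAN10_to_1 disabled=no dst-address=192.168.0.0/24 src-address=10.0.0.0/24
add action=drop comment=Deny_VLAN20_to_1 disabled=no dst-address=192.168.0.0/24 src-address=20.0.0.0/24
add action=drop comment=Deny_VLAN30_to_1 disabled=no dst-address=192.168.0.0/24 src-address=30.0.0.0/24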
#============================================================================================
#Turn on VLAN filtering for bridge10, bridge20 and bridge30, now that their VLAN tables exist.
#bridge1 is not listed, so it keeps vlan-filtering=no.
#NOTE(review): ether2, ether8 and bonding1 all sit on bridge1, so presumably no VLAN
#filtering applies to frames crossing those ports - verify before relying on VLAN
#separation there.
/interface bridge set bridge10,bridge20,bridge30 vlan-filtering=yes
#============================================================================================
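#Run neighbor discovery only on the LAN list (bridge1) instead of on every interface,
#so the router does not announce its identity and version on the ISP port.
/ip neighbor discovery-settings set discover-interface-list=LAN
#allow-remote-requests=yes lets DHCP clients use the router as their resolver, but it
#also makes the router answer DNS on every interface, WAN included, unless input is filtered.
/ip dns set allow-remote-requests=yes servers=100.0.0.2,8.8.8.8
#Minimal input filter: accept replies to connections the router itself opened (for example
#its upstream DNS lookups), then drop everything else that arrives on the WAN list. This
#keeps the resolver and the management services unreachable from the ISP side.
/ip firewall filter
add action=accept chain=input connection-state=established,related comment=Accept_replies_to_router
add action=drop chain=input in-interface-list=WAN comment=Drop_new_input_from_WAN
#Source-NAT everything leaving through the WAN list, so the VLAN subnets reach the Internet.
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
#Default route.
#NOTE(review): 100.0.0.2 is not inside any subnet configured on this page (ether1 is
#10.0.2.15/24), so this route and the first DNS server presumably stay unreachable until
#the gateway matches the ISP-side network - confirm the upstream address.
/ip route add distance=1 gateway=100.0.0.2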
#============================================================================================
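#Basic hardening of the router's own services.
#telnet, ftp, api and api-ssl are switched off; www, ssh and winbox stay on but accept
#connections only from the management subnet.
#The original allowed 192.168.1.0/24, a subnet that exists nowhere in this configuration.
#The management network on bridge1 is 192.168.0.0/24, so the allow-list now uses that
#subnet; otherwise nobody on the management VLAN could reach these services over IP.
#NOTE(review): www is unencrypted HTTP; consider disabling it if winbox and ssh are enough.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
#The bandwidth-test server stays disabled; authenticate=yes so that it still requires
#credentials if someone enables it later.
/tool bandwidth-server set authenticate=yes enabled=no
#MAC-telnet and MAC-winbox bypass the IP allow-list above, so limit them to the LAN list.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no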