Понимаю, что по виланам уже далеко не первый вопрос, однако под свою ситуацию решения не нашел. Поэтому прошу помощи.
Есть работающая сеть - склад+офис (КД, файлопомойка, IP-камеры, SIP, WiFi, зоопарк из компов и оргтехники). Возникла необходимость, разделить все это хозяйство на сегменты.
Сетевое оборудование - на входе RB1100AHx2 -> Dlink DGS-1210-52MP -> еще n длинков в разных концах помещения. Сейчас все просто - все устройства в одной куче. Задача, разделить все оборудование на группы - отдельно SIP, отдельно камеры и т.д.
Схема будет такой:
С длинками разобрались быстро (все конечное оборудование разбито на группы, раскидано по портам по схеме), а вот с микротиком затык, неделю себе мозг кипячу — после включения вилана комп либо вообще не получает IP, либо получает, но не дотягивается до КД.
# apr/12/2019 15:53:04 by RouterOS 6.43.8
#
# model = 1100AHx2
# Reviewer notes (no command line was changed, only comments were added):
# - The segmentation here is L2/addressing only: /ip firewall filter contains no
#   forward rule between bridge-lan, bridge-wlan and the VLN* interfaces, so once
#   routing works every segment (WiFi included) can reach every other one.
# - The address plan overlaps: bridge-lan is 172.20.40.0/23, which already
#   contains VLN-SIP 172.20.40.128/25 and VLN-Video 172.20.41.0/24 (see /ip address
#   and /ip pool below).
# - The VLAN interfaces are created on ether3-LANmaster while that port is an
#   untagged member of bridge-lan; since RouterOS 6.41 the documented layout is
#   VLAN interfaces on the bridge plus bridge vlan-filtering (see /interface vlan).
/caps-man channel
# Four 20 MHz channels on 2.4 GHz (1/5/9/13), one per CAP.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=channel5
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=channel9
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=channel13
/interface bridge
# No bridge has vlan-filtering set (default: off), so bridge-lan floods tagged and
# untagged frames alike between ether2, ether3-LANmaster and ether4.
add name=bridge-lan
add name=bridge-mx
add name=bridge-wlan
/interface ethernet
# ether1 = WAN uplink; ether3 = uplink to the DGS-1210 (see /interface bridge port).
set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] loop-protect=on speed=100Mbps
set [ find default-name=ether3 ] loop-protect=on name=ether3-LANmaster speed=100Mbps
set [ find default-name=ether4 ] loop-protect=on speed=100Mbps
set [ find default-name=ether5 ] loop-protect=on
set [ find default-name=ether6 ] loop-protect=on name=ether6 speed=100Mbps
set [ find default-name=ether7 ] loop-protect=on name=ether7 speed=100Mbps
set [ find default-name=ether8 ] loop-protect=on speed=100Mbps
set [ find default-name=ether9 ] loop-protect=on speed=100Mbps
set [ find default-name=ether10 ] loop-protect=on speed=100Mbps
set [ find default-name=ether11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full loop-protect=on
set [ find default-name=ether12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
# All four VLAN sub-interfaces hang off ether3-LANmaster, which is at the same
# time an untagged port of bridge-lan: tagged frames arriving on ether3 are both
# handed to the VLAN interface and flooded by the bridge, so the VLANs are not
# isolated at L2. Only VLNUsers (44) is enabled; VLNMain (1), VLNSIP (22) and
# VLNVideo (33) are disabled, which also leaves their DHCP servers and /ip address
# entries below inert.
# Recommended layout (not applied here; test from Safe Mode as it touches the
# management path): interface=bridge-lan on each VLAN,
# `/interface bridge set bridge-lan vlan-filtering=yes`, and
# `/interface bridge vlan` entries that tag ether3-LANmaster and bridge-lan.
add disabled=yes interface=ether3-LANmaster name=VLNMain vlan-id=1
add disabled=yes interface=ether3-LANmaster name=VLNSIP vlan-id=22
add interface=ether3-LANmaster loop-protect=on loop-protect-disable-time=3m loop-protect-send-interval=3s name=VLNUsers vlan-id=44
add disabled=yes interface=ether3-LANmaster name=VLNVideo vlan-id=33
/caps-man datapath
# local-forwarding=no: all CAP client traffic is tunnelled to this router and
# dropped into bridge-wlan (172.31.255.0/24); client-to-client forwarding is on.
add bridge=bridge-wlan client-to-client-forwarding=yes local-forwarding=no name=datapath1
/caps-man security
# WPA1-PSK is still accepted next to WPA2-PSK; authentication-types=wpa2-psk
# (AES only) is the safer choice unless a legacy client needs WPA1.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security1 passphrase=********
/caps-man configuration
add country=russia datapath=datapath1 mode=ap name=cfg1 rx-chains=0,1,2 security=security1 ssid=******** tx-chains=0,1,2
/caps-man interface
# cap1-admin is disabled; the other three CAPs are live on channels 5/9/13.
add channel=channel1 configuration=cfg1 disabled=yes l2mtu=1600 mac-address=******** master-interface=none name=cap1-admin radio-mac=********
add channel=channel5 configuration=cfg1 disabled=no l2mtu=1600 mac-address=******** master-interface=none name=cap2-of radio-mac=********
add channel=channel9 configuration=cfg1 disabled=no l2mtu=1600 mac-address=******** master-interface=none name=cap3-in radio-mac=********
add channel=channel13 configuration=cfg1 disabled=no l2mtu=1600 mac-address=******** master-interface=none name=cap4-pv radio-mac=********
/interface ethernet switch
# Port mirror: every frame on ether3-LANmaster is copied out of ether2, and ether2
# is itself a member of bridge-lan (see /interface bridge port). Unless a capture
# host sits on ether2 this is only extra load; worth disabling while the
# DHCP/VLAN symptoms are being chased so it cannot confuse the picture.
set 0 mirror-source=ether3-LANmaster mirror-target=ether2
/interface ethernet switch port
# Switch-chip port 2 (presumably ether3-LANmaster) gets default-vlan-id=1 but no
# vlan-mode; ports 5-10 are in fallback mode with no default VLAN. Together with
# the single-member VLAN table below this switch-chip config isolates nothing on
# its own -- assumption, confirm against the hardware VLAN table.
set 2 default-vlan-id=1
set 5 default-vlan-id=0 vlan-mode=fallback
set 6 default-vlan-id=0 vlan-mode=fallback
set 7 default-vlan-id=0 vlan-mode=fallback
set 8 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 10 default-vlan-id=0 vlan-mode=fallback
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# GW-0 hands out 172.20.40.57 as default gateway, i.e. not this router (.1).
# Kerio is option 121 (classless static routes); the hex decodes roughly to
# 192.168.0.0/16 via 172.20.40.1 and 0.0.0.0/0 via 172.20.40.57 -- verify.
# A host whose default gateway is .57 sends its replies for 172.20.42.x or
# 172.20.41.x to .57 instead of this router: a likely cause of "gets an IP but
# cannot reach the DC" (check the DC's own gateway setting).
add code=3 name=GW-0 value="'172.20.40.57'"
add code=6 name=PDC-DNS value="'172.20.40.8'"
add code=121 name=Kerio value=0x10c0a8ac14280100ac142839
add code=3 name=NOGW value="' '"
add code=66 name=pxe value="'172.20.40.53'"
/ip dhcp-server option sets
# set1 is not referenced by any /ip dhcp-server or dhcp-server network entry in
# this export; wherever it is applied, clients get gateway 172.20.40.57
# regardless of their VLAN.
add name=set1 options=PDC-DNS,Kerio,GW-0
/ip firewall layer7-protocol
add name=******** regexp=********
/ip pool
# Pool overlap: LAN-Main 172.20.40.2-200 and VLN-SIP 172.20.40.130-254 share
# 172.20.40.130-200, so a SIP phone and a LAN-Main host can be leased the same
# address. VLN-Video 172.20.41.x also sits inside the LAN-Main /23.
add name=LAN-Main ranges=172.20.40.2-172.20.40.200
add name=WLAN ranges=172.31.255.2-172.31.255.100
add name=VLN-Video ranges=172.20.41.2-172.20.41.254
add name=VLN-SIP ranges=172.20.40.130-172.20.40.254
add name=VLN-Users ranges=172.20.42.2-172.20.42.254
/ip dhcp-server
# VLN-Video and VLN-SIP are bound to interfaces that are disabled above, and no
# /ip dhcp-server network entry exists for 172.20.40.128/25: once VLNSIP is
# enabled its clients would get an address but no gateway/DNS.
add address-pool=WLAN disabled=no interface=bridge-wlan lease-time=12h name=WLAN
add add-arp=yes address-pool=LAN-Main disabled=no interface=bridge-lan lease-time=1d name=LAN-Main
add address-pool=VLN-Video interface=VLNVideo lease-time=12h name=VLN-Video
add address-pool=VLN-SIP interface=VLNSIP lease-time=12h name=VLN-SIP
add add-arp=yes address-pool=VLN-Users disabled=no interface=VLNUsers lease-time=12h name=VLN-Users
/interface bridge port
# ether3-LANmaster (trunk to the DGS-1210) is an UNTAGGED member of bridge-lan
# next to ether2 and ether4 while also carrying the VLAN sub-interfaces above.
add bridge=bridge-lan interface=ether3-LANmaster
add bridge=bridge-mx disabled=yes interface=ether1-WAN
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether2
add bridge=bridge-wlan interface=cap2-of
add bridge=bridge-wlan interface=cap3-in
add bridge=bridge-wlan interface=cap4-pv
/interface ethernet switch vlan
# switch2 VLAN table: each VLAN has ether3-LANmaster as its only member port.
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=1
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=22
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=33
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=44
/interface list member
# "city" is not defined anywhere in this export (possibly a PPP or other
# interface left out of the export, or a stale entry) -- confirm before relying
# on the LAN list in firewall rules.
add interface=ether1-WAN list=WAN
add interface=bridge-mx list=WAN
add interface=bridge-lan list=LAN
add interface=city list=LAN
add interface=ether10 list=LAN
/ip address
# Overlap: 172.20.40.1/23 on bridge-lan covers 172.20.40.0-172.20.41.255, i.e.
# both VLN-SIP (172.20.40.128/25) and VLN-Video (172.20.41.0/24). Enabling the
# two disabled entries produces overlapping connected routes, and forwarding
# between those segments becomes unpredictable. Renumber first (e.g. shrink
# LAN-Main to /24, or move SIP/Video to /24s outside 172.20.40.0/23).
add address=172.31.255.1/24 comment=WLAN interface=bridge-wlan network=172.31.255.0
add address=172.20.40.1/23 comment=LAN-Main interface=bridge-lan network=172.20.40.0
add address=******** comment=WAN interface=ether1-WAN network=********
add address=172.20.41.1/24 comment=VLN-Video disabled=yes interface=VLNVideo network=172.20.41.0
add address=172.20.40.129/25 comment=VLN-SIP disabled=yes interface=VLNSIP network=172.20.40.128
add address=172.20.42.1/24 comment=VLN-Users interface=VLNUsers network=172.20.42.0
/ip dhcp-server network
# LAN-Main also serves PXE (boot.wim via next-server .58) and names the DC as
# primary DNS. There is no entry for the VLN-SIP subnet 172.20.40.128/25.
add address=172.20.40.0/23 boot-file-name=boot.wim comment=LAN-Main dns-server=172.20.40.8,172.20.40.1 domain=******** gateway=172.20.40.1 next-server=172.20.40.58
add address=172.20.41.0/24 comment=VLN-Video dns-server=172.20.41.1 gateway=172.20.41.1
add address=172.20.42.0/24 comment=VLN-Users dns-server=172.20.40.8,172.20.40.1 domain=******** gateway=172.20.42.1
add address=172.31.255.0/24 comment=WLAN dns-server=172.31.255.1 gateway=172.31.255.1
/ip firewall filter
# Rule 1 (passthrough) only counts packets.
# The input chain has NO final drop for WAN: beyond the three explicit port drops
# (53, 5060, 161) every service reachable on ether1-WAN is protected only by the
# /ip service address= restrictions further down. Add
# `add action=drop chain=input in-interface-list=WAN` as the last input rule.
# The forward chain never mentions bridge-wlan, VLNUsers, VLNSIP or VLNVideo, so
# WiFi clients (172.31.255.0/24) and VLAN 44 hosts have unrestricted access to
# LAN-Main and the DC. Minimal isolation, placed after the established/related
# accept: `add action=drop chain=forward in-interface=bridge-wlan
# out-interface=bridge-lan`, and an equivalent rule per VLAN that should not
# reach LAN-Main.
# The DM list only records ICMP sources of one packet size (logged) and is never
# acted on; `dyatli` is dropped on input but nothing in this export populates it
# (/ip firewall address-list is not included -- presumably static entries).
add action=passthrough chain=forward
add action=add-src-to-address-list address-list=DM address-list-timeout=1h chain=input log=yes packet-size=783 protocol=icmp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=5060 in-interface-list=WAN protocol=udp src-address=!********
add action=drop chain=input dst-port=161 in-interface-list=WAN protocol=udp src-address=!172.20.40.0/21
add action=drop chain=input src-address-list=dyatli
add action=drop chain=forward dst-address=********
add action=drop chain=forward dst-address=********
add action=drop chain=forward dst-address=********
add action=drop chain=forward dst-address=********
/ip firewall nat
# Masquerade on the WAN list. The connection-mark rules depend on /ip firewall
# mangle rules that are not part of this export. The last rule redirects UDP/53
# queries matching the layer7 pattern to a fixed resolver.
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment=******** connection-mark=********
add action=dst-nat chain=dstnat connection-mark=******** to-addresses=********
add action=dst-nat chain=dstnat layer7-protocol=******** port=53 protocol=udp to-addresses=********
/ip firewall service-port
# SIP conntrack helper (ALG) is enabled on 5060-5067; if registrations or audio
# break once phones move to VLAN 22, disabling the helper is the usual first check.
set sip ports=5060,5061,5062,5063,5064,5065,5066,5067
/ip route
add distance=1 gateway=********
/ip service
# Management is limited to 172.20.40.0/21 (covers LAN-Main and VLN-Users
# 172.20.42.x, excludes WLAN 172.31.255.x). telnet and plain-HTTP www are still
# enabled on that range: prefer `set telnet disabled=yes` since ssh is already
# available, and www-ssl over www. winbox additionally admits one masked
# external address.
set telnet address=172.20.40.0/21
set ftp disabled=yes
set www address=172.20.40.0/21
set ssh address=172.20.40.0/21
set api disabled=yes
set winbox address=********,172.20.40.0/21
set api-ssl disabled=yes
#
# model = 1100AHx2
# Reviewer notes (duplicate of the export above; no command line was changed,
# only comments were added):
# - Segmentation here is L2/addressing only: /ip firewall filter has no forward
#   rule between bridge-lan, bridge-wlan and the VLN* interfaces, so once routing
#   works every segment (WiFi included) can reach every other one.
# - The address plan overlaps: bridge-lan is 172.20.40.0/23, which already
#   contains VLN-SIP 172.20.40.128/25 and VLN-Video 172.20.41.0/24.
# - The VLAN interfaces are created on ether3-LANmaster while that port is an
#   untagged member of bridge-lan; since RouterOS 6.41 the documented layout is
#   VLAN interfaces on the bridge plus bridge vlan-filtering.
/caps-man channel
# Four 20 MHz channels on 2.4 GHz (1/5/9/13), one per CAP.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=channel5
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=channel9
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=channel13
/interface bridge
# No bridge has vlan-filtering set (default: off), so bridge-lan floods tagged and
# untagged frames alike between ether2, ether3-LANmaster and ether4.
add name=bridge-lan
add name=bridge-mx
add name=bridge-wlan
/interface ethernet
# ether1 = WAN uplink; ether3 = uplink to the DGS-1210 (see /interface bridge port).
set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] loop-protect=on speed=100Mbps
set [ find default-name=ether3 ] loop-protect=on name=ether3-LANmaster speed=100Mbps
set [ find default-name=ether4 ] loop-protect=on speed=100Mbps
set [ find default-name=ether5 ] loop-protect=on
set [ find default-name=ether6 ] loop-protect=on name=ether6 speed=100Mbps
set [ find default-name=ether7 ] loop-protect=on name=ether7 speed=100Mbps
set [ find default-name=ether8 ] loop-protect=on speed=100Mbps
set [ find default-name=ether9 ] loop-protect=on speed=100Mbps
set [ find default-name=ether10 ] loop-protect=on speed=100Mbps
set [ find default-name=ether11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full loop-protect=on
set [ find default-name=ether12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
# All four VLAN sub-interfaces hang off ether3-LANmaster, which is also an
# untagged port of bridge-lan: tagged frames on ether3 are handed to the VLAN
# interface and flooded by the bridge at the same time, so the VLANs are not
# isolated at L2. Only VLNUsers (44) is enabled; VLNMain (1), VLNSIP (22) and
# VLNVideo (33) are disabled, which leaves their DHCP servers and /ip address
# entries below inert.
# Recommended layout (not applied here; test from Safe Mode as it touches the
# management path): interface=bridge-lan on each VLAN,
# `/interface bridge set bridge-lan vlan-filtering=yes`, and
# `/interface bridge vlan` entries that tag ether3-LANmaster and bridge-lan.
add disabled=yes interface=ether3-LANmaster name=VLNMain vlan-id=1
add disabled=yes interface=ether3-LANmaster name=VLNSIP vlan-id=22
add interface=ether3-LANmaster loop-protect=on loop-protect-disable-time=3m loop-protect-send-interval=3s name=VLNUsers vlan-id=44
add disabled=yes interface=ether3-LANmaster name=VLNVideo vlan-id=33
/caps-man datapath
# local-forwarding=no: all CAP client traffic is tunnelled to this router and
# dropped into bridge-wlan (172.31.255.0/24); client-to-client forwarding is on.
add bridge=bridge-wlan client-to-client-forwarding=yes local-forwarding=no name=datapath1
/caps-man security
# WPA1-PSK is still accepted next to WPA2-PSK; authentication-types=wpa2-psk
# (AES only) is the safer choice unless a legacy client needs WPA1.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security1 passphrase=********
/caps-man configuration
add country=russia datapath=datapath1 mode=ap name=cfg1 rx-chains=0,1,2 security=security1 ssid=******** tx-chains=0,1,2
/caps-man interface
# cap1-admin is disabled; the other three CAPs are live on channels 5/9/13.
add channel=channel1 configuration=cfg1 disabled=yes l2mtu=1600 mac-address=******** master-interface=none name=cap1-admin radio-mac=********
add channel=channel5 configuration=cfg1 disabled=no l2mtu=1600 mac-address=******** master-interface=none name=cap2-of radio-mac=********
add channel=channel9 configuration=cfg1 disabled=no l2mtu=1600 mac-address=******** master-interface=none name=cap3-in radio-mac=********
add channel=channel13 configuration=cfg1 disabled=no l2mtu=1600 mac-address=******** master-interface=none name=cap4-pv radio-mac=********
/interface ethernet switch
# Port mirror: every frame on ether3-LANmaster is copied out of ether2, and ether2
# is itself a member of bridge-lan. Unless a capture host sits on ether2 this is
# only extra load; worth disabling while the DHCP/VLAN symptoms are being chased.
set 0 mirror-source=ether3-LANmaster mirror-target=ether2
/interface ethernet switch port
# Switch-chip port 2 (presumably ether3-LANmaster) gets default-vlan-id=1 but no
# vlan-mode; ports 5-10 are in fallback mode with no default VLAN. Together with
# the single-member VLAN table below this isolates nothing on its own --
# assumption, confirm against the hardware VLAN table.
set 2 default-vlan-id=1
set 5 default-vlan-id=0 vlan-mode=fallback
set 6 default-vlan-id=0 vlan-mode=fallback
set 7 default-vlan-id=0 vlan-mode=fallback
set 8 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 10 default-vlan-id=0 vlan-mode=fallback
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# GW-0 hands out 172.20.40.57 as default gateway, i.e. not this router (.1).
# Kerio is option 121 (classless static routes); the hex decodes roughly to
# 192.168.0.0/16 via 172.20.40.1 and 0.0.0.0/0 via 172.20.40.57 -- verify.
# A host whose default gateway is .57 sends its replies for 172.20.42.x or
# 172.20.41.x to .57 instead of this router: a likely cause of "gets an IP but
# cannot reach the DC" (check the DC's own gateway setting).
add code=3 name=GW-0 value="'172.20.40.57'"
add code=6 name=PDC-DNS value="'172.20.40.8'"
add code=121 name=Kerio value=0x10c0a8ac14280100ac142839
add code=3 name=NOGW value="' '"
add code=66 name=pxe value="'172.20.40.53'"
/ip dhcp-server option sets
# set1 is not referenced by any /ip dhcp-server or dhcp-server network entry in
# this export; wherever it is applied, clients get gateway 172.20.40.57
# regardless of their VLAN.
add name=set1 options=PDC-DNS,Kerio,GW-0
/ip firewall layer7-protocol
add name=******** regexp=********
/ip pool
# Pool overlap: LAN-Main 172.20.40.2-200 and VLN-SIP 172.20.40.130-254 share
# 172.20.40.130-200, so a SIP phone and a LAN-Main host can be leased the same
# address. VLN-Video 172.20.41.x also sits inside the LAN-Main /23.
add name=LAN-Main ranges=172.20.40.2-172.20.40.200
add name=WLAN ranges=172.31.255.2-172.31.255.100
add name=VLN-Video ranges=172.20.41.2-172.20.41.254
add name=VLN-SIP ranges=172.20.40.130-172.20.40.254
add name=VLN-Users ranges=172.20.42.2-172.20.42.254
/ip dhcp-server
# VLN-Video and VLN-SIP are bound to interfaces that are disabled above, and no
# /ip dhcp-server network entry exists for 172.20.40.128/25: once VLNSIP is
# enabled its clients would get an address but no gateway/DNS.
add address-pool=WLAN disabled=no interface=bridge-wlan lease-time=12h name=WLAN
add add-arp=yes address-pool=LAN-Main disabled=no interface=bridge-lan lease-time=1d name=LAN-Main
add address-pool=VLN-Video interface=VLNVideo lease-time=12h name=VLN-Video
add address-pool=VLN-SIP interface=VLNSIP lease-time=12h name=VLN-SIP
add add-arp=yes address-pool=VLN-Users disabled=no interface=VLNUsers lease-time=12h name=VLN-Users
/interface bridge port
# ether3-LANmaster (trunk to the DGS-1210) is an UNTAGGED member of bridge-lan
# next to ether2 and ether4 while also carrying the VLAN sub-interfaces above.
add bridge=bridge-lan interface=ether3-LANmaster
add bridge=bridge-mx disabled=yes interface=ether1-WAN
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether2
add bridge=bridge-wlan interface=cap2-of
add bridge=bridge-wlan interface=cap3-in
add bridge=bridge-wlan interface=cap4-pv
/interface ethernet switch vlan
# switch2 VLAN table: each VLAN has ether3-LANmaster as its only member port.
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=1
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=22
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=33
add independent-learning=yes ports=ether3-LANmaster switch=switch2 vlan-id=44
/interface list member
# "city" is not defined anywhere in this export (possibly a PPP or other
# interface left out of the export, or a stale entry) -- confirm before relying
# on the LAN list in firewall rules.
add interface=ether1-WAN list=WAN
add interface=bridge-mx list=WAN
add interface=bridge-lan list=LAN
add interface=city list=LAN
add interface=ether10 list=LAN
/ip address
# Overlap: 172.20.40.1/23 on bridge-lan covers 172.20.40.0-172.20.41.255, i.e.
# both VLN-SIP (172.20.40.128/25) and VLN-Video (172.20.41.0/24). Enabling the
# two disabled entries produces overlapping connected routes, and forwarding
# between those segments becomes unpredictable. Renumber first (e.g. shrink
# LAN-Main to /24, or move SIP/Video to /24s outside 172.20.40.0/23).
add address=172.31.255.1/24 comment=WLAN interface=bridge-wlan network=172.31.255.0
add address=172.20.40.1/23 comment=LAN-Main interface=bridge-lan network=172.20.40.0
add address=******** comment=WAN interface=ether1-WAN network=********
add address=172.20.41.1/24 comment=VLN-Video disabled=yes interface=VLNVideo network=172.20.41.0
add address=172.20.40.129/25 comment=VLN-SIP disabled=yes interface=VLNSIP network=172.20.40.128
add address=172.20.42.1/24 comment=VLN-Users interface=VLNUsers network=172.20.42.0
/ip dhcp-server network
# LAN-Main also serves PXE (boot.wim via next-server .58) and names the DC as
# primary DNS. There is no entry for the VLN-SIP subnet 172.20.40.128/25.
add address=172.20.40.0/23 boot-file-name=boot.wim comment=LAN-Main dns-server=172.20.40.8,172.20.40.1 domain=******** gateway=172.20.40.1 next-server=172.20.40.58
add address=172.20.41.0/24 comment=VLN-Video dns-server=172.20.41.1 gateway=172.20.41.1
add address=172.20.42.0/24 comment=VLN-Users dns-server=172.20.40.8,172.20.40.1 domain=******** gateway=172.20.42.1
add address=172.31.255.0/24 comment=WLAN dns-server=172.31.255.1 gateway=172.31.255.1
/ip firewall filter
# Rule 1 (passthrough) only counts packets.
# The input chain has NO final drop for WAN: beyond the three explicit port drops
# (53, 5060, 161) every service reachable on ether1-WAN is protected only by the
# /ip service address= restrictions further down. Add
# `add action=drop chain=input in-interface-list=WAN` as the last input rule.
# The forward chain never mentions bridge-wlan, VLNUsers, VLNSIP or VLNVideo, so
# WiFi clients (172.31.255.0/24) and VLAN 44 hosts have unrestricted access to
# LAN-Main and the DC. Minimal isolation, placed after the established/related
# accept: `add action=drop chain=forward in-interface=bridge-wlan
# out-interface=bridge-lan`, and an equivalent rule per VLAN that should not
# reach LAN-Main.
# The DM list only records ICMP sources of one packet size (logged) and is never
# acted on; `dyatli` is dropped on input but nothing in this export populates it
# (/ip firewall address-list is not included -- presumably static entries).
add action=passthrough chain=forward
add action=add-src-to-address-list address-list=DM address-list-timeout=1h chain=input log=yes packet-size=783 protocol=icmp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=5060 in-interface-list=WAN protocol=udp src-address=!********
add action=drop chain=input dst-port=161 in-interface-list=WAN protocol=udp src-address=!172.20.40.0/21
add action=drop chain=input src-address-list=dyatli
add action=drop chain=forward dst-address=********
add action=drop chain=forward dst-address=********
add action=drop chain=forward dst-address=********
add action=drop chain=forward dst-address=********
/ip firewall nat
# Masquerade on the WAN list. The connection-mark rules depend on /ip firewall
# mangle rules that are not part of this export. The last rule redirects UDP/53
# queries matching the layer7 pattern to a fixed resolver.
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment=******** connection-mark=********
add action=dst-nat chain=dstnat connection-mark=******** to-addresses=********
add action=dst-nat chain=dstnat layer7-protocol=******** port=53 protocol=udp to-addresses=********
/ip firewall service-port
# SIP conntrack helper (ALG) is enabled on 5060-5067; if registrations or audio
# break once phones move to VLAN 22, disabling the helper is the usual first check.
set sip ports=5060,5061,5062,5063,5064,5065,5066,5067
/ip route
add distance=1 gateway=********
/ip service
# Management is limited to 172.20.40.0/21 (covers LAN-Main and VLN-Users
# 172.20.42.x, excludes WLAN 172.31.255.x). telnet and plain-HTTP www are still
# enabled on that range: prefer `set telnet disabled=yes` since ssh is already
# available, and www-ssl over www. winbox additionally admits one masked
# external address.
set telnet address=172.20.40.0/21
set ftp disabled=yes
set www address=172.20.40.0/21
set ssh address=172.20.40.0/21
set api disabled=yes
set winbox address=********,172.20.40.0/21
set api-ssl disabled=yes
В теме виланов я новичок-самоучка, поэтому особо прошу не ругаться
Заранее благодарю за любую помощь.