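# Mikrotik has internet via PPPoE tagged on VLAN10
# LAN A 192.168.3.0/24 is primary LAN
# LAN B 192.168.2.0/24 is another LAN with a printer at IP 192.168.2.152
# LAN B's switch is connected with a patch cable to ethernet port 3 on Mikrotik
# The goal is to allow workstations on LAN A to use the printer on LAN B
#
# Physical ports. ether2 is renamed LAN first because ether4/ether5 reference it
# via master-port (legacy switch-group syntax); ether3 keeps its name and is LAN B.
/interface ethernet
set [ find default-name=ether2 ] comment="ether2 LAN" name=LAN
set [ find default-name=ether1 ] comment="ether1 WAN port" name=WAN
set [ find default-name=ether3 ] comment="printer on LAN B"
set [ find default-name=ether4 ] arp=disabled comment=spare master-port=LAN
set [ find default-name=ether5 ] arp=disabled comment=spare master-port=LAN
# Neighbor discovery (MNDP/CDP) announces the router's identity and addresses to
# whatever is on the link. The later "settings set default=no" only affects
# interfaces created afterwards, so the WAN-facing ones are switched off here.
/ip neighbor discovery
set LAN comment="ether2 LAN A"
set WAN comment="ether1 WAN port internet" discover=no
set ether3 comment="printer LAN B"
set ether4 comment=spare
set ether5 comment=spare
/interface vlan
add interface=WAN name=VLAN10 vlan-id=10
# ISP session rides on VLAN10 over the WAN port. Credentials are redacted in
# this export (xxxxxxxxxx / yyy@zzz are placeholders).
/interface pppoe-client
add add-default-route=yes comment="ISP PPPoE client WAN" disabled=no interface=VLAN10 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 password=xxxxxxxxxx use-peer-dns=yes user=yyy@zzz
# The PPPoE interface exists only after the block above, hence the second
# neighbor-discovery section; it faces the ISP, so discovery is off as on WAN.
/ip neighbor discovery
set pppoe-out1 comment="ISP PPPoE client WAN" discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik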
# Addressing and DHCP. Only LAN A (192.168.3.0/24) gets a DHCP scope; LAN B is
# reached through ether3 with a static address on the router.
/ip pool
add comment="DHCP pool for LAN A" name=dhcp ranges=192.168.3.50-192.168.3.150
/ip dhcp-server
add name=dhcp1 interface=LAN address-pool=dhcp lease-time=1d disabled=no
# Interfaces created from here on do not get neighbor discovery by default.
/ip neighbor discovery settings
set default=no
/ip address
add interface=LAN address=192.168.3.254/24 network=192.168.3.0 comment="LAN A"
add interface=ether3 address=192.168.2.250/24 network=192.168.2.0 comment="Mikrotik's ethernet#3 port has 192.168.2.250 IP on LAN B"
# NOTE(review): a DHCP client on the untagged WAN port installs its own default
# route unless add-default-route=no is set; confirm this is intended next to the
# PPPoE default route, or that the ISP never answers untagged DHCP.
/ip dhcp-client
add interface=WAN dhcp-options=hostname,clientid disabled=no
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.254 comment="DHCP to LAN"
# The router answers DNS queries for whoever can reach its input chain; the
# firewall filter rules decide which sources that is.
/ip dns
set allow-remote-requests=yes
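# Management sources. Members of this list may open connections to the router
# itself (input chain); all other sources are dropped at the end of that chain.
# (xx.xx.xx.xx are redacted placeholders; the second entry had a stray space
# after "address=" which is a syntax error on import.)
/ip firewall address-list
add address=xx.xx.xx.xx comment="management IP" list="Allowed IPs"
add address=192.168.3.0/24 comment="allow management from LAN A" list="Allowed IPs"
add address=xx.xx.xx.xx comment="management IP" list="Allowed IPs"
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Rules are evaluated top-down, first match wins, so state handling comes first.
# "Drop invalid packets TO router" was originally chain=forward and sat after
# the input drop-all, so it never matched anything; it belongs here.
add action=drop chain=input comment="Drop invalid packets TO router" connection-state=invalid
add action=accept chain=input comment="Allow etablished connections to the router" connection-state=established
add action=accept chain=input comment="Allow related connections to the router" connection-state=related
add action=accept chain=input comment="allow ping from LAN B" disabled=yes dst-address=192.168.2.250 protocol=icmp src-address=192.168.2.0/24
add action=accept chain=input comment="Accept connections TO router from allowed IPs" src-address-list="Allowed IPs"
# Winbox (8291/tcp) is limited to the management list. The original rule had no
# source match at all, which exposed the service on every interface, WAN included.
add action=accept chain=input comment="winbox admin from WAN" dst-port=8291 protocol=tcp src-address-list="Allowed IPs"
add action=drop chain=input comment="Drop all other traffic TO the router"
# --- forward chain: traffic routed through the router ---
add action=drop chain=forward comment="Drop invalid packets THROUGH router" connection-state=invalid
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
# Printer path: LAN A <-> the single printer IP on LAN B, nothing else between the LANs.
add action=accept chain=forward comment="allow traffic from LAN A 192.168.3.0 to printer IP 192.168.2.152 on LAN B" dst-address=192.168.2.152 src-address=192.168.3.0/24
add action=accept chain=forward comment="allow traffic from LAN B printer IP 192.168.2.152 to LAN A" dst-address=192.168.3.0/24 src-address=192.168.2.152
add action=drop chain=forward comment="drop all other traffic from LAN B 192.168.2.0/24" dst-address=192.168.3.0/24 src-address=192.168.2.0/24
# New sessions may only originate on internal ports. The original rule matched
# in-interface=pppoe-out1 (the WAN), the inverse of what its comment says.
add action=accept chain=forward comment="Accept new connections from LAN" connection-state=new in-interface=LAN
# NOTE(review): while the final drop below was disabled, LAN B could also reach
# the internet through the masquerade; this rule keeps that path open. Remove it
# if LAN B should only ever be reachable via the printer rules above.
add action=accept chain=forward comment="Accept new connections from LAN B" connection-state=new in-interface=ether3
# Default deny for routed traffic. This rule was exported with disabled=yes,
# which made the forward chain accept-by-default; it is now active.
add action=drop chain=forward comment="Drop all other traffic THROUGH the router"
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow outgoing traffic" dst-address=0.0.0.0/0 out-interface=pppoe-out1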
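# Management services. The export only switched off telnet and the APIs and
# left the plain-text FTP and HTTP services at their defaults (enabled); those
# carry credentials unencrypted, so they are disabled here and HTTPS stays on.
# Which sources may reach the remaining services is decided by the input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name="MikroTik"
# Login banner shown to administrators.
/system note
set note="Authorised administrators only. Access to this device is monitored."
# Accurate time matters for log correlation and certificate validity.
/system ntp client
set enabled=yes server-dns-names=us.pool.ntp.org,pool.ntp.org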