# Router R1 — MikroTik CCR2004 / hAP ax³

- Model: E62iUGS-2axD5axT
- RouterOS: 7.22.1
- Serial: HKD0ARBX2SG
- Role: Edge router / main gateway
- WAN: Claro GPON (PPPoE)
- Location: Santo Domingo, DR
## Port Mapping

| Port | Role | VLAN | Notes |
|---|---|---|---|
| SFP1 | WAN uplink | 100 (Claro Internet) | ONT access on native VLAN 1 (192.168.1.0/24) |
| Ether1 | CCTV | 50 (pvid 50) | Untagged, camera network |
| Ether2 | MGMT | 99 (pvid 99) | Untagged, management access |
| Ether3 | MGMT | 99 (pvid 99) | Untagged secondary MGMT |
| Ether4 | HOME | 10 (pvid 10) | Untagged, main home LAN |
| Ether5 | Trunk | Tagged (10,20,40,50,99,300) | Inter-switch trunk to rest of network |
## VLAN Layout

| VLAN | Name | Subnet | DHCP | Purpose |
|---|---|---|---|---|
| 1 | Native | — | — | ONT / default bridge native |
| 10 | HOME | 10.0.10.0/24 | Router (pool: .100-.250) | Main home devices |
| 20 | LAB | 10.0.20.0/24 | External (disabled on R1) | Servers, homelab |
| 40 | IoT | 10.0.40.0/24 | Router (pool: .100-.250) | IoT devices, rate-limited 1Mbps |
| 50 | CCTV | 10.0.50.0/24 | Router (pool: .100-.250) | Cameras |
| 60 | DEV | 10.0.60.0/24 | Not active | Reserved for development |
| 99 | MGMT | 10.0.99.0/24 | Router (pool: .100-.250) | Management interfaces |
| 100 | WAN | — | — | Claro Internet (PPPoE on vlan100) |
| 300 | VoIP | — | — | Claro VoIP → Proxmox via trunk |
## Bridge

- `bridge-trunk` — main switch bridge with VLAN filtering enabled
- `containers` — separate bridge for container veth interfaces

### VLAN assignment on bridge

- VLAN 10 → ether4 (untagged), bridge-trunk + ether5 (tagged)
- VLAN 20 → bridge-trunk + ether5 + ether3 (tagged)
- VLAN 40 → bridge-trunk + ether5 (tagged)
- VLAN 50 → bridge-trunk + ether5 (tagged)
- VLAN 99 → ether2 (untagged), bridge-trunk + ether5 (tagged)
- VLAN 300 → bridge-trunk + sfp1 + ether5 (tagged)
- VLAN 1 → sfp1 + bridge-trunk (untagged)
## Wi-Fi

Hardware radios: wifi1 (2.4GHz), wifi2 (5GHz)

### Virtual APs

| Interface | SSID | VLAN | Security | Band |
|---|---|---|---|---|
| wifi1-home | CAROLAM.- | 10 | WPA2-PSK | 2.4GHz |
| wifi2-home | CAROLAM.- | 10 | WPA2-PSK | 5GHz |
| wifi1-iot | IoT | 40 | WPA2-PSK | 2.4GHz |
| wifi1-cctv | GS | 50 | WPA2-PSK | 2.4GHz (hidden) |
| wifi1-mgmt | GNTECH-MGMT-2G | 99 | WPA2-PSK | 2.4GHz (hidden) |
| wifi2-mgmt | GNTECH-MGMT | 99 | WPA2-PSK | 5GHz |
A master SSID R1-MASTER-2G / R1-MASTER-5G exists but is hidden — it serves as the configuration template origin.
## Internet Connection

- ISP: Claro (Claro República Dominicana)
- Type: GPON FTTH
- Encapsulation: PPPoE on VLAN 100
- Interface: `pppoe-out1` on `vlan100-wan` (SFP1)
- IPv6: DHCPv6-PD via `pppoe-out1` → delegated to all VLANs
- DDNS: MikroTik Cloud DDNS via `back-to-home-vpn`
## IPv6

- DHCPv6 client on `pppoe-out1` requests a prefix
- Prefix pool: `ipv6-pd`
- Each VLAN gets a `/64` subnet via `from-pool=ipv6-pd`
- ND enabled on all VLAN interfaces
## Firewall Summary

### IPv4 Forward Rules (ordered)

| # | Action | Match | Purpose |
|---|---|---|---|
| 1 | accept | established/related | Allow return traffic |
| 2 | drop | invalid | Drop invalid states |
| 3 | accept | in=LAN out=WAN | Each VLAN → Internet |
| 4 | accept | in=vlan-mgmt out=LAN | MGMT → all VLANs |
| 5 | accept | dst=10.0.20.10,10.0.20.30 | All VLANs → servers |
| 6 | accept | src=10.0.20.15,10.0.20.30 dst=10.0.50.0/24 | Frigate hosts → CCTV |
| 7 | accept | in=back-to-home-vpn | VPN → Internet + LAN |
| 8 | accept | dport=53 out=WAN | Allow DNS outgoing |
| 9 | accept | src=LAN dst=172.31.255.0/24 | LAN → containers |
| 10 | accept | MGMT→Asterisk SIP/RTP | VoIP rules |
| 11 | reject | dport=853 from LAN | Block DNS-over-TLS |
| 12 | drop | * | Default drop inter-VLAN |
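The forward chain above is first-match: the first rule whose matcher fits the packet decides, and nothing below it is consulted. The summary lists the port 853 reject (rule 11) below the general LAN → WAN accept (rule 3), and the Notes section states the intent that DNS-over-TLS is blocked from LAN, so rule position is worth checking. The simulator below is an added example, not RouterOS code or anything from this router's configuration: it encodes the twelve summarised rules as Python matchers, runs a set of constructed sample flows through them, reports where the outcome differs from the documented intent, and shows the effect of moving a rule. VLAN interface names (`vlan10-home` etc.) and the rule 10 approximation (SIP on 5060 from MGMT, since the page gives no Asterisk host or RTP range) are assumptions.

```python
"""First-match simulator for the R1 IPv4 forward chain summarised above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Interface-list membership. Interface names are assumed; the page gives only
# the VLAN numbers and the list names LAN / WAN.
LAN_IFS = {"vlan10-home", "vlan20-lab", "vlan40-iot", "vlan50-cctv", "vlan99-mgmt"}
WAN_IFS = {"pppoe-out1"}
MGMT_IF = "vlan99-mgmt"
VPN_IF = "back-to-home-vpn"


@dataclass
class Flow:
    in_if: str
    out_if: str
    src: str
    dst: str
    dport: int = 0
    state: str = "new"  # new | established | related | invalid


def in_net(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr)


@dataclass
class Rule:
    number: int
    action: str
    match: Callable[[Flow], bool]
    purpose: str


# The ordered chain exactly as tabulated on the page.
RULES: List[Rule] = [
    Rule(1, "accept", lambda f: f.state in ("established", "related"), "return traffic"),
    Rule(2, "drop", lambda f: f.state == "invalid", "invalid states"),
    Rule(3, "accept", lambda f: f.in_if in LAN_IFS and f.out_if in WAN_IFS, "each VLAN -> Internet"),
    Rule(4, "accept", lambda f: f.in_if == MGMT_IF and f.out_if in LAN_IFS, "MGMT -> all VLANs"),
    Rule(5, "accept", lambda f: f.dst in ("10.0.20.10", "10.0.20.30"), "all VLANs -> servers"),
    Rule(6, "accept", lambda f: f.src in ("10.0.20.15", "10.0.20.30") and in_net(f.dst, "10.0.50.0/24"), "Frigate -> CCTV"),
    Rule(7, "accept", lambda f: f.in_if == VPN_IF, "VPN -> Internet + LAN"),
    Rule(8, "accept", lambda f: f.dport == 53 and f.out_if in WAN_IFS, "DNS outgoing"),
    Rule(9, "accept", lambda f: f.in_if in LAN_IFS and in_net(f.dst, "172.31.255.0/24"), "LAN -> containers"),
    # Assumed approximation: the page names no Asterisk host or RTP port range.
    Rule(10, "accept", lambda f: f.in_if == MGMT_IF and f.dport == 5060, "MGMT -> Asterisk SIP/RTP"),
    Rule(11, "reject", lambda f: f.in_if in LAN_IFS and f.dport == 853, "block DNS-over-TLS"),
    Rule(12, "drop", lambda f: True, "default drop inter-VLAN"),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches the flow."""
    for r in rules:
        if r.match(flow):
            return r.action, r.number
    raise RuntimeError("chain has no terminal rule")


# Constructed sample flows paired with the outcome the page documents for them.
INTENTS: List[Tuple[str, Flow, str]] = [
    ("HOME -> Internet HTTPS", Flow("vlan10-home", "pppoe-out1", "10.0.10.120", "203.0.113.10", 443), "accept"),
    ("IoT -> HOME lateral", Flow("vlan40-iot", "vlan10-home", "10.0.40.105", "10.0.10.120", 445), "drop"),
    ("MGMT -> CCTV", Flow("vlan99-mgmt", "vlan50-cctv", "10.0.99.5", "10.0.50.20", 80), "accept"),
    ("HOME -> LAB server", Flow("vlan10-home", "vlan20-lab", "10.0.10.120", "10.0.20.10", 8443), "accept"),
    ("Frigate -> camera", Flow("vlan20-lab", "vlan50-cctv", "10.0.20.15", "10.0.50.20", 554), "accept"),
    ("HOME -> Internet DoT (853)", Flow("vlan10-home", "pppoe-out1", "10.0.10.120", "1.1.1.1", 853), "reject"),
]


def audit(rules: List[Rule] = RULES) -> List[Tuple[str, str, str, int]]:
    """List (name, expected, got, rule) for every intent the chain does not honour."""
    mismatches = []
    for name, flow, expected in INTENTS:
        action, number = evaluate(flow, rules)
        if action != expected:
            mismatches.append((name, expected, action, number))
    return mismatches


def move_rule(rules: List[Rule], number: int, before: int) -> List[Rule]:
    """Copy of the chain with rule `number` placed directly above rule `before`."""
    moving = next(r for r in rules if r.number == number)
    rest = [r for r in rules if r.number != number]
    idx = next(i for i, r in enumerate(rest) if r.number == before)
    return rest[:idx] + [moving] + rest[idx:]


if __name__ == "__main__":
    for m in audit(RULES):
        print("documented order:", m)
    print("after moving 11 above 3:", audit(move_rule(RULES, 11, before=3)))
```

With the chain in the documented order, `audit()` reports only the DoT flow: it is accepted by rule 3 before rule 11 is reached. Moving the reject above the general LAN → WAN accept clears the mismatch without changing any other sample outcome, which is the property to verify on the live ruleset (`/ip firewall filter print` shows the actual order) rather than on the summary.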
### IPv6 Forward Rules

Mirrors IPv4 logic with ICMPv6 allowed.
## Containers

Router hosts containers via veth pairs on bridge `containers` (172.31.255.0/24):

| Container | IP | Image | Purpose |
|---|---|---|---|
| docker-cloudflared | 172.31.255.2 | ghcr.io/shmick/docker-cloudflared | Cloudflare Tunnel |
| veth1 | 172.31.255.2 | — | Cloudflared interface |
| veth2 | 172.31.255.3 | — | Reserved |
Containers have Internet access and can reach:
- LAB VLAN (10.0.20.0/24) — full access
- MGMT VLAN (10.0.99.2-10.0.99.10) — limited hosts via cloudflared-mgmt-allowed list
Registry: registry-1.docker.io (no auth), tmpdir: /usb1/tmp
## Services

| Service | Status | Allowed Sources |
|---|---|---|
| SSH | Enabled | 10.0.99.0/24 |
| WinBox | Enabled | 10.0.99.0/24 |
| WebFig (HTTP) | Enabled (port 8080) | 10.0.99.0/24, 172.31.255.2 |
| WebFig (HTTPS) | Enabled | 10.0.99.0/24, 172.31.255.2 |
| FTP | Disabled | — |
| Telnet | Disabled | — |
| API | Disabled | — |
| API-SSL | Disabled | — |
| DNS | Enabled (recursive) | All LAN (ad-block upstream: 1.1.1.1, 8.8.8.8) |
| DHCP | Enabled (HOME, IoT, CCTV, MGMT) | Per-VLAN pools |
| LEDs | All disabled (dark) | — |
## Rate Limiting

- IoT VLAN (10.0.40.0/24) → 1Mbps limit via `limit-iot-1m` simple queue

## VPN

- WireGuard: `back-to-home-vpn` on port 46209, MTU 1420
- DDNS: MikroTik Cloud enables `back-to-home-vpn` DDNS (updates every 10 min)
- Allowed: VPN → Internet + all LAN VLANs
## Notes

- All LED indicators disabled for silent/dark operation
- ONT accessible at 192.168.1.x from MGMT VLAN (SNAT'd)
- DNS-over-TLS (port 853) blocked from LAN to prevent DHCP DNS bypass
- VoIP VLAN 300 passed transparently to Proxmox via trunk
- hAP ac² (R2) has a reserved MGMT lease at 10.0.99.2