Advanced networking with MikroTik: VLANs, firewall and Cloudflare Tunnel
2026-02-17T10:00:00.000Z
My network setup
Internet
   │
   ▼
MikroTik RB5009 (Router/Firewall)
   │
   ├── VLAN 10 (Servers) ── 192.168.10.0/24
   │   ├── Proxmox (192.168.10.10)
   │   ├── Synology NAS (192.168.10.20)
   │   └── Ollama GPU (192.168.10.30)
   │
   ├── VLAN 20 (Clients) ── 192.168.20.0/24
   │   ├── Windows PC
   │   └── MacBook
   │
   ├── VLAN 30 (IoT) ── 192.168.30.0/24
   │   ├── Smart TV
   │   └── IP cameras
   │
   └── VLAN 99 (Management) ── 192.168.99.0/24
       └── Switch/AP access
VLAN configuration on MikroTik
Create the bridge and the VLANs
# RouterOS - base configuration
# Order matters: if vlan-filtering is enabled before the VLAN table and the
# management address exist, you can lock yourself out of the router.
/interface bridge
add name=bridge1 vlan-filtering=no comment="Main Bridge"
/interface bridge port
# pvid assigns untagged ingress frames to the right VLAN; without it,
# untagged traffic on these ports lands in VLAN 1 instead of 10/20/30
add bridge=bridge1 interface=ether2 pvid=10 comment="Server port"
add bridge=bridge1 interface=ether3 pvid=20 comment="Client port"
add bridge=bridge1 interface=ether4 pvid=30 comment="IoT port"
# Define the VLANs (bridge1 is tagged so the router's own vlanX interfaces see them)
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3
add bridge=bridge1 vlan-ids=30 tagged=bridge1 untagged=ether4
# VLAN 99 is carried tagged only: the trunk port towards the switches/APs
# must be added both to "/interface bridge port" and to this tagged= list
add bridge=bridge1 vlan-ids=99 tagged=bridge1
# L3 interface and IP for each VLAN, including management (192.168.99.0/24 in the diagram)
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan99 vlan-id=99
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.99.1/24 interface=vlan99
# Enable VLAN filtering last, once the table above is complete
/interface bridge set bridge1 vlan-filtering=yes
DHCP for each VLAN
# DHCP pools
/ip pool
add name=pool-server ranges=192.168.10.100-192.168.10.200
add name=pool-client ranges=192.168.20.100-192.168.20.200
add name=pool-iot ranges=192.168.30.100-192.168.30.200
# DHCP servers
/ip dhcp-server
add address-pool=pool-server interface=vlan10 name=dhcp-server
add address-pool=pool-client interface=vlan20 name=dhcp-client
add address-pool=pool-iot interface=vlan30 name=dhcp-iot
# Every VLAN gets the router's own address as resolver, so the DoH forwarding
# and the "force DNS through router" firewall rules apply to IoT devices as well
# (handing IoT 1.1.1.1 directly would make those rules drop its DNS queries)
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
Firewall rules
Block IoT → LAN
# Stateful rules first: replies to connections that clients open towards
# cameras or servers travel IoT -> Client and Server -> Client, and would
# be dropped by the interface-pair rules if those came first
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="Allow established connections"
add chain=forward connection-state=invalid action=drop \
    comment="Drop invalid"
# IoT may not open connections towards the other VLANs
add chain=forward connection-state=new in-interface=vlan30 out-interface=vlan10 action=drop \
    comment="IoT cannot access Server VLAN"
add chain=forward connection-state=new in-interface=vlan30 out-interface=vlan20 action=drop \
    comment="IoT cannot access Client VLAN"
# Servers can reach the internet but may not open connections to clients
add chain=forward connection-state=new in-interface=vlan10 out-interface=vlan20 action=drop \
    comment="Servers cannot initiate to Client VLAN"
# Note: the forward chain still accepts by default, so nothing above stops
# IoT -> vlan99 (management); add a drop for it or end the chain with a default drop
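Why the position of the established/related rule matters, shown with an added example that is not part of the original article and is not RouterOS code: the Python below models first-match evaluation of a forward chain with a minimal connection tracker and pushes three constructed flows through it (a client viewing an IoT camera over RTSP, a client opening the Proxmox web UI, a camera trying SMB on the NAS; the host addresses and ports are made up to fit the diagram). It runs the three drop rules with the stateful accept listed after them, and the same rules with the stateful accept listed first.

```python
# Added example for this article, not RouterOS code: a toy model of
# first-match evaluation in the forward chain with a minimal connection
# tracker, used to compare rule orders on constructed flows.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    in_iface: str = ""                # "" matches any interface
    out_iface: str = ""
    states: frozenset = frozenset()   # empty matches any connection-state
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    out_iface: str


def _iface(addr: str) -> str:
    """Routing lookup for the diagram's three subnets (assumed /24s)."""
    return {"192.168.10": "vlan10", "192.168.20": "vlan20", "192.168.30": "vlan30"}[addr.rsplit(".", 1)[0]]


class ForwardChain:
    """Rules are evaluated top-down and the first match decides; with no final
    drop rule the chain accepts everything else, as in the article."""

    def __init__(self, rules: list[Rule], default: str = "accept"):
        self.rules = rules
        self.default = default
        self.conntrack: set[frozenset] = set()   # accepted flows, direction-agnostic

    def evaluate(self, pkt: Packet) -> str:
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        state = "established" if key in self.conntrack else "new"
        verdict = self.default
        for r in self.rules:
            if r.in_iface and r.in_iface != pkt.in_iface:
                continue
            if r.out_iface and r.out_iface != pkt.out_iface:
                continue
            if r.states and state not in r.states:
                continue
            verdict = r.action
            break
        if verdict == "accept":
            self.conntrack.add(key)   # real conntrack also records dropped packets; omitted here
        return verdict


def flow(src: str, sport: int, dst: str, dport: int) -> tuple[Packet, Packet]:
    """First packet of a connection and the reply coming back the other way."""
    return (Packet(src, sport, dst, dport, _iface(src), _iface(dst)),
            Packet(dst, dport, src, sport, _iface(dst), _iface(src)))


DROPS = [
    Rule("drop", "vlan30", "vlan10", comment="IoT cannot access Server VLAN"),
    Rule("drop", "vlan30", "vlan20", comment="IoT cannot access Client VLAN"),
    Rule("drop", "vlan10", "vlan20", comment="Servers cannot initiate to Client VLAN"),
]
ESTABLISHED = Rule("accept", states=frozenset({"established", "related"}),
                   comment="Allow established connections")
DROPS_FIRST = DROPS + [ESTABLISHED]      # drop rules listed before the stateful accept
STATEFUL_FIRST = [ESTABLISHED] + DROPS   # stateful accept first


def run_scenarios(rules: list[Rule]) -> dict[str, tuple[str, str]]:
    """(request verdict, reply verdict) for three constructed flows."""
    chain = ForwardChain(rules)
    scenarios = {
        "client->camera rtsp": flow("192.168.20.50", 51000, "192.168.30.40", 554),
        "client->proxmox web": flow("192.168.20.50", 51001, "192.168.10.10", 8006),
        "camera->nas smb": flow("192.168.30.40", 51002, "192.168.10.20", 445),
    }
    results = {}
    for name, (req, rep) in scenarios.items():
        req_v = chain.evaluate(req)
        rep_v = chain.evaluate(rep) if req_v == "accept" else "not sent"
        results[name] = (req_v, rep_v)
    return results


if __name__ == "__main__":
    for label, rules in (("drops first", DROPS_FIRST), ("stateful first", STATEFUL_FIRST)):
        print(label, run_scenarios(rules))
```

With the drops listed first, both client-initiated flows have their request accepted and their reply dropped by the interface-pair rules, so viewing a camera or opening Proxmox from the client VLAN silently breaks; with the stateful accept first, the replies pass and the camera's SMB attempt on the NAS is still dropped. The model deliberately leaves out what real conntrack does with dropped packets and with timeouts.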
Rate limiting against connection floods and brute force
These rules protect the router's own services (input chain). They do not stop a volumetric DDoS, which saturates the uplink before any filter runs.
# Limit concurrent TCP connections from a single source address (/32)
/ip firewall filter
add chain=input protocol=tcp connection-limit=100,32 action=drop \
    comment="Block too many connections per IP"
# SSH brute-force protection. connection-rate= matches a connection's bytes per
# second, not the rate of new connections, so "connection-rate=5/1m" does not do
# what its name suggests. Staged address lists instead: each new SSH connection
# moves the source up one stage; a fourth attempt within a minute is blacklisted for 10 days.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute-forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
DNS over HTTPS (DoH)
Encrypts the leg between the router and the upstream resolver, so the ISP or anyone on that path cannot read or tamper with the queries. The LAN-to-router leg stays plain DNS on your own network:
# Configure DoH on MikroTik
# verify-doh-cert=yes requires the CA that issued the DoH server's certificate
# to be present in /certificate (fetch it with /tool fetch, then /certificate import),
# otherwise every query fails with a TLS error. The plain servers= entries stay:
# the router needs a regular resolver (or a static entry) to look up the DoH
# hostname itself; client queries are then forwarded over DoH.
/ip dns
set use-doh-server=https://cloudflare-dns.com/dns-query \
    verify-doh-cert=yes \
    allow-remote-requests=yes \
    servers=1.1.1.1,1.0.0.1
# allow-remote-requests=yes answers anyone who reaches the input chain: drop
# DNS arriving from the WAN (ether1 is assumed to be the uplink here) so the
# router cannot be abused as an open resolver
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="No DNS from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="No DNS-TCP from WAN"
# Block external DNS so that clients must use the router. Queries addressed to
# the router itself (192.168.x.1) go through the input chain, never forward, so
# any port 53 traffic seen in forward is headed elsewhere and can be dropped as is
add chain=forward protocol=udp dst-port=53 action=drop \
    comment="Force DNS through router"
add chain=forward protocol=tcp dst-port=53 action=drop \
    comment="Force DNS-TCP through router"
This only catches plain DNS on port 53. A browser or device with its own DoH resolver configured talks to it over 443 and is not affected by these rules.
Cloudflare Tunnel for remote access
Publishes internal services without opening inbound ports or running a VPN: cloudflared makes an outbound connection to Cloudflare's edge, which proxies the hostnames to it. On its own, though, it puts the login pages of Proxmox, the NAS and Ollama (which has no authentication of its own) in front of the whole Internet, so protect each hostname with a Cloudflare Access policy before treating this as a replacement for the VPN:
# On the server to expose (Proxmox or a dedicated VM)
# Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
# Log in (prints a URL to authorise the domain in the browser)
cloudflared tunnel login
# Create the tunnel; the ID it prints goes into config.yml
cloudflared tunnel create homelab-tunnel
# Configure /etc/cloudflared/config.yml
tunnel: <TUNNEL-ID>
credentials-file: /root/.cloudflared/<TUNNEL-ID>.json
ingress:
  - hostname: proxmox.yourdomain.com
    service: https://192.168.10.10:8006
    originRequest:
      noTLSVerify: true   # Proxmox ships a self-signed certificate
  - hostname: nas.yourdomain.com
    service: http://192.168.10.20:5000
  - hostname: ollama.yourdomain.com
    service: http://192.168.10.30:11434
  - service: http_status:404   # catch-all rule, must be last
# Check the ingress rules and see which rule a given URL would hit
cloudflared tunnel ingress validate
cloudflared tunnel ingress rule https://proxmox.yourdomain.com
# Create the DNS records that point the hostnames at the tunnel
cloudflared tunnel route dns homelab-tunnel proxmox.yourdomain.com
cloudflared tunnel route dns homelab-tunnel nas.yourdomain.com
cloudflared tunnel route dns homelab-tunnel ollama.yourdomain.com
# Install as a service
cloudflared service install
systemctl start cloudflared
WireGuard VPN (alternative for trusted clients)
# WireGuard server on MikroTik. Leaving private-key unset makes RouterOS
# generate the key pair; read the public key with /interface wireguard print
/interface wireguard
add listen-port=51820 name=wg0
/ip address
add address=10.10.0.1/24 interface=wg0
# Let handshakes reach the router (required as soon as the input chain ends
# with a default drop; ether1 is assumed to be the uplink)
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=51820 action=accept \
    comment="WireGuard"
# Add a peer (e.g. a smartphone). Generate the client's pair on the client:
#   wg genkey | tee client.key | wg pubkey > client.pub
/interface wireguard peers
add interface=wg0 \
    public-key="<CLIENT PUBLIC KEY>" \
    allowed-address=10.10.0.2/32 \
    comment="smartphone"
# Client configuration (.conf file for the WireGuard app)
[Interface]
PrivateKey = <CLIENT PRIVATE KEY>
Address = 10.10.0.2/24
DNS = 192.168.10.1
[Peer]
PublicKey = <SERVER PUBLIC KEY>
Endpoint = your-public-ip:51820
# Split tunnel: only the server and client VLANs are routed through the VPN
AllowedIPs = 192.168.10.0/24, 192.168.20.0/24
PersistentKeepalive = 25
Monitoring with SNMP
# Enable SNMP on MikroTik: replace the default "public" community with an
# SNMPv3 user (authentication + encryption) reachable only from the monitoring network
/snmp community
set [ find default=yes ] name=homelab-v3 addresses=192.168.10.0/24 \
    security=private authentication-protocol=SHA1 authentication-password="<AUTH PASSWORD>" \
    encryption-protocol=AES encryption-password="<PRIV PASSWORD>" \
    read-access=yes write-access=no
/snmp
set enabled=yes
# Integrate with Grafana + Prometheus. The exporter below logs in with a RouterOS
# user, i.e. it polls the RouterOS API rather than SNMP, so it needs a read-only
# API user and api-ssl left reachable from the monitoring host (see the hardening
# section); for SNMP-only collection use prometheus/snmp_exporter instead.
/user group add name=monitoring policy=api,read
/user add name=prometheus group=monitoring password="<MONITORING PASSWORD>"
# Flag names as on the original page; check the image's documentation for its exact options
docker run -d \
  -p 9436:9436 \
  ghcr.io/akpw/mikrotik-prometheus-exporter:latest \
  -address 192.168.10.1 \
  -username prometheus \
  -password "<MONITORING PASSWORD>"
MikroTik security best practices
# Disable services that are not needed; plain api stays off, api-ssl is kept
# only for an API-based exporter and only from the networks that need it
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl address=192.168.99.0/24,192.168.10.0/24
# Restrict SSH and Winbox to the management VLAN only
set ssh address=192.168.99.0/24 port=22
set winbox address=192.168.99.0/24
# Replace the default admin account with a named one
/user add name=<YOUR-ADMIN> group=full password="<STRONG PASSWORD>"
/user remove admin
# No MAC-level access or neighbor discovery outside the management VLAN
# (vlan99 is the interface for 192.168.99.0/24 in the diagram)
/interface list add name=MGMT
/interface list member add list=MGMT interface=vlan99
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool bandwidth-server set enabled=no
# Update RouterOS regularly
/system package update check-for-updates
/system package update install