jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

VLAN question

Sun Jan 28, 2024 1:13 am

Hello,

I am trying to set up the router according to this example:

https://help.mikrotik.com/docs/display/ ... rewall/NAT

On one of the untagged ports (ether1) I have a switch (just a bridge over all ports, nothing else). Do I need to set up VLANs on this switch too, or will it work, since the port is untagged? It does not work in my case (I am not able to ping the gateway, 192.168.88.1), but I want to understand the theory first, to be better able to find the cause (wrong router configuration or switch configuration).

This is the bridge/VLAN configuration I am trying. I have two bridges on my router and I want to merge them into one, so first I want to prototype the setup on one bridge and, once it is working, move the ports of the second one there and add the other VLAN (production router, can't afford longer downtime):



/interface list member
add interface=ether1 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=sfp-sfpplus1-LAN list=LAN

/interface bridge
add name=bridge-home-88 vlan-filtering=yes

/interface bridge port
add bridge=bridge-home-88 interface=ether1 pvid=88
add bridge=bridge-home-88 interface=ether11 pvid=88
add bridge=bridge-home-88 interface=ether12 pvid=88
add bridge=bridge-home-88 interface=sfp-sfpplus1-LAN pvid=88

/interface bridge vlan
add bridge=bridge-home-88 tagged=bridge-home-88 untagged=ether1,ether11,ether12,sfp-sfpplus1-LAN vlan-ids=88

/interface vlan
add interface=bridge-home-88 name=vlan-home-88 vlan-id=88

/ip address
add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0

there is also DHCP on interface=vlan-home-88

and 

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
 
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

If I do this:

/ip address
add address=192.168.88.1/24 interface=bridge-home-88 network=192.168.88.0

and do the same with DHCP, it starts working, but this is not the result I want.


I am also curious why they use 17 in the last octet in the example, is there any specific reason? add address=192.168.30.17/24 interface=vlan30 network=192.168.30.0

Thanks.
Last edited by jwa on Sun Jan 28, 2024 1:49 am, edited 3 times in total.
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN question

Sun Jan 28, 2024 1:41 am

On one of the untagged ports I have a switch (just a bridge over all ports, nothing else). Do I need to set up VLANs on this switch too, or will it work, since the port is untagged? It does not work in my case, but I want to understand the theory first, to be better able to find the cause (wrong router configuration or switch configuration).

If you mean that you are putting a downstream switch on an untagged port of the router: no, that switch does not need to be programmed for VLANs, or even be capable of VLAN operation.

I am also curious why they use 17 in the last octet, is there any specific reason? add address=192.168.30.17/24 interface=vlan30 network=192.168.30.0

Not sure I understand why the question - it's a perfectly valid IP address. Although x.y.z.1 is certainly common for a router, it is not required. Personally, my primary router is .251, the second router is .252 and the third is .253.
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: VLAN question

Sun Jan 28, 2024 1:51 am

If you mean that you are putting a downstream switch on an untagged port of the router: no, that switch does not need to be programmed for VLANs, or even be capable of VLAN operation.
Ok, I thought so. So I am doing something wrong on the router side.
Not sure I understand why the question - it's a perfectly valid IP address. Although x.y.z.1 is certainly common for a router, it is not required. Personally, my primary router is .251, the second router is .252 and the third is .253.
Ok, so no reason. Thanks.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN question

Sun Jan 28, 2024 11:33 am

You have interface lists in the setup part you posted (LAN with several members, configured wrongly, and WAN with no apparent member). What's the story about them? The posted config doesn't seem to be complete, and the reason for the setup not working as you want can be anywhere.
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: VLAN question

Sun Jan 28, 2024 1:57 pm

You have interface lists in the setup part you posted (LAN with several members, configured wrongly, and WAN with no apparent member). What's the story about them? The posted config doesn't seem to be complete, and the reason for the setup not working as you want can be anywhere.
In WAN there is the PPPoE connection and the physical port with PPPoE. What is wrong with the configuration of the LAN members? It is similar to the example on the web:

/interface list member
add interface=sfp-sfpplus1 list=LAN

There is nothing else except the list and the interface. It should be a copy of the example on the website. Well, maybe I am missing something.

Yes, there is another bridge (bridge-servers-78) configured with the "production" network, where the interface in the addresses is the bridge itself, not a VLAN (add address=192.168.78.1/24 interface=bridge-servers-78 network=192.168.78.0). I am configuring this second bridge, where the main difference is that the interface in the addresses is a VLAN (as in the example on the web: add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0). Once this works, I will move the production network (ports...) to this bridge and separation will be done by VLANs, not by bridges, to have only one bridge, which is my goal. This is unfortunately not working; I am not able to even ping the gateway (192.168.88.1). I was checking the filtering settings, but there is nothing related to the bridge; I am filtering based on the LAN/WAN groups and the ports from this second bridge are members of LAN, so filtering shouldn't be the cause. I want to avoid resetting the configuration and starting from zero, unless there is no other reasonable way.

Thanks.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN question

Sun Jan 28, 2024 4:07 pm

What is wrong with the configuration of the LAN members?
Interface is an L2 entity (ethernet port, pppoe interface, etc.) with an IP address.
In your (partial) example there are ether1, ether11, ether12, sfp-sfpplus1-LAN and bridge (yes, this one as well) ports and the bridge interface. The IP firewall sees the bridge interface as in-interface (or out-interface); the other ports are hidden because they are L2 entities (unless you use the IP firewall for bridge traffic, but AFAIK that's not the case here). So instead of all those ports you should add the bridge interface to the LAN interface list.

I was asking about the rest of the config because every single line of config can affect how the router behaves for the traffic you're looking into in this exercise. And it might not be obvious. If you don't show all of it, we can only guess what might be wrong (the config you showed seems fine to me BTW).

Sometimes, when configuration may touch L2 hardware, it's necessary to reboot the device before the changed config is properly applied. Yup, it smells like a bug, but very hard to diagnose and hence hard to fix. And yes, rebooting a production switch doesn't sound like an attractive option.
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: VLAN question

Sun Jan 28, 2024 7:23 pm

This is my current configuration, which works (the VLANs probably not, there is no traffic on them, but I have two networks, each with its own bridge and DHCP). The code above is my attempt to merge the bridges into one according to that example on the MikroTik site (https://help.mikrotik.com/docs/display/ ... rewall/NAT). It is not applied in this config:
# model = CCR2116-12G-4S+
# serial number = censored
/interface bridge
add fast-forward=no name=bridge-home-88
add arp=proxy-arp fast-forward=no name=bridge-servers-78
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-LAN
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus2-WAN max-mru=1492 \
    max-mtu=1492 mrru=1500 name=pppoe-out1 user=\
    censored_user
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-home-88 name=vlan-home-88 vlan-id=88
add interface=bridge-servers-78 name=vlan-servers-78 vlan-id=78
/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.78.2-192.168.78.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-home-88 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=bridge-servers-78 lease-time=1d name=\
    dhcp2
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.78.1 name=L2TP remote-address=\
    dhcp_pool1
/system logging action
add name=remotekiwi remote=192.168.78.27 target=remote
/interface bridge port
add bridge=bridge-servers-78 interface=ether2 pvid=78
add bridge=bridge-servers-78 interface=ether3 pvid=78
add bridge=bridge-servers-78 interface=ether4 pvid=78
add bridge=bridge-servers-78 interface=ether5 pvid=78
add bridge=bridge-servers-78 interface=ether6 pvid=78
add bridge=bridge-servers-78 interface=ether7 pvid=78
add bridge=bridge-servers-78 interface=ether8 pvid=78
add bridge=bridge-servers-78 interface=ether9 pvid=78
add bridge=bridge-servers-78 interface=ether10 pvid=78
add bridge=bridge-home-88 interface=ether11 pvid=88
add bridge=bridge-home-88 interface=ether12 pvid=88
add bridge=bridge-home-88 interface=sfp-sfpplus1-LAN pvid=88
add bridge=bridge-home-88 interface=ether1 pvid=88
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-unacked-timeout=1m udp-stream-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=loose tcp-syncookies=yes
/interface l2tp-server server
set allow-fast-path=yes use-ipsec=required
/interface list member
add interface=bridge-home-88 list=LAN
add interface=bridge-servers-78 list=LAN
add interface=sfp-sfpplus2-WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=192.168.68.150/32 disabled=yes interface=wireguard1 \
    public-key="aaaaaaaaaaaaaaaaa"
/ip address
add address=192.168.88.1/24 interface=bridge-home-88 network=192.168.88.0
add address=192.168.78.1/24 interface=bridge-servers-78 network=192.168.78.0
add address=192.168.68.1/24 disabled=yes interface=wireguard1 network=\
    192.168.68.0
/ip dhcp-server lease
add address=192.168.88.19 client-id=1:9c:6b:0:b:95:15 comment=aaaa \
    mac-address=9C:6B:00:0B:95:15 server=dhcp1
add address=192.168.78.253 client-id=1:9c:6b:0:b:92:1e comment=aaa \
    mac-address=9C:6B:00:0B:92:1E server=dhcp2
add address=192.168.78.21 client-id=1:0:c:29:77:75:cb comment=aaaa \
    mac-address=00:0C:29:77:75:CB server=dhcp2
add address=192.168.78.15 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:f3:d9:d1:53:f4:c6:2b:ed comment=\
    aaaaaaa mac-address=00:0C:29:81:4A:91 server=dhcp2
add address=192.168.78.250 client-id=1:0:c:29:13:ef:cf comment=aaa \
    mac-address=00:0C:29:13:EF:CF server=dhcp2
add address=192.168.78.249 client-id=\
    ff:29:c9:f5:c7:0:1:0:1:2c:bd:10:cf:0:c:29:c9:f5:c7 comment=aaaaa \
    mac-address=00:0C:29:C9:F5:C7 server=dhcp2
add address=192.168.78.27 client-id=1:0:c:29:dd:fa:e6 comment=aaaa \
    mac-address=00:0C:29:DD:FA:E6 server=dhcp2
add address=192.168.78.31 client-id=1:0:c:29:75:c9:1d comment=\
    Cermi_workstation mac-address=00:0C:29:75:C9:1D server=dhcp2
add address=192.168.88.5 client-id=1:8:d1:f9:2d:4e:ef comment=\
    "Tasmota bridge" mac-address=08:D1:F9:2D:4E:EF server=dhcp1
add address=192.168.88.16 client-id=1:20:f8:3b:0:2e:fe comment=\
    "home assistant" mac-address=20:F8:3B:00:2E:FE server=dhcp1
/ip dhcp-server network
add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=185.227.171.225 comment=aaaae list=allowed_people
add address=90.180.18.73 comment=aaaa list=allowed_people
add address=109.81.170.106 comment=aaaa list=allowed_people
add address=46.16.123.71 comment=aaaa list=allowed_people
add address=217.75.215.155 comment=aaaa list=allowed_people
add address=46.13.165.115 comment=aaaa list=allowed_people
add address=86.49.230.14 comment=aaa list=allowed_people
add address=89.187.144.87 comment=aaaa list=allowed_people
add address=89.103.155.29 comment=aaaa list=allowed_people
add address=109.81.91.239 comment=aaaa list=allowed_people
add address=46.23.60.179 comment=aaa list=allowed_people
add address=178.143.69.99 comment=aaaa list=allowed_people
add address=86.49.112.197 comment=aaaa list=allowed_people
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=144.217.157.4 comment="aaaaa" list=secure
add address=70.32.23.81 comment="aaaaaa" list=secure
add address=88.212.6.0/24 comment=aaaaa list=allowed_people
add address=1.1.1.1 list=secure_dns
add address=8.8.8.8 list=secure_dns
add address=212.111.4.206 comment=aaaaa list=allowed_people
add address=94.228.83.136 comment=aaaaa list=allowed_people
add list=bad_attempts
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
add action=accept chain=input comment=\
    "Accepting established, related, untracked connections" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=L2TP disabled=yes dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="accept local" in-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=jump chain=forward comment="All new jump to detect-ddos" \
    connection-state=new jump-target=detect-ddos src-address=!192.168.0.0/16
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=25m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=25m chain=detect-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new jump-target=SYN-Protect protocol=tcp src-address=!192.168.0.0/16 \
    tcp-flags=syn
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" disabled=yes \
    dst-address-list=not_in_internet in-interface=bridge-home-88 \
    out-interface=!bridge-home-88
add action=add-src-to-address-list address-list=port:aaaa \
    address-list-timeout=1m chain=input comment="Start of port knocking" \
    dst-port=aaaa log=yes log-prefix=_endor_knock protocol=tcp
add action=add-src-to-address-list address-list=port:bbbb \
    address-list-timeout=1m chain=input dst-port=bbbb log=yes log-prefix=\
    _endor_knock protocol=tcp src-address-list=port:aaaa
add action=add-src-to-address-list address-list=bad_attempts \
    address-list-timeout=none-dynamic chain=input dst-port=bbbb log=yes \
    log-prefix=_endor_bad_knock protocol=tcp src-address-list=!port:aaaa
add action=add-src-to-address-list address-list=bad_attempts \
    address-list-timeout=none-dynamic chain=input dst-port=eeee log=yes \
    log-prefix=_endor_bad_knock protocol=tcp src-address-list=!port:bbbb
add action=add-src-to-address-list address-list=port:eeee \
    address-list-timeout=1m chain=input dst-port=eeee log=yes log-prefix=\
    _endor_knock protocol=tcp src-address-list=port:bbbb
add action=add-src-to-address-list address-list=bad_attempts \
    address-list-timeout=none-dynamic chain=input dst-port=dddd log=yes \
    log-prefix=_endor_bad_knock_last protocol=tcp src-address-list=!port:eeee
add action=add-src-to-address-list address-list=secure address-list-timeout=\
    1m chain=input dst-port=dddd log=yes log-prefix=_endor_knock_last \
    protocol=tcp src-address-list=port:eeee
add action=accept chain=forward comment="Accepting POL just to be sure" \
    dst-port=cccc protocol=tcp
add action=accept chain=input dst-port=cccc protocol=tcp
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward in-interface-list=!LAN
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=SYN-Protect connection-state=new limit=150,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
    tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment=censored dst-port=cccc \
    in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
    to-addresses=192.168.78.21 to-ports=cccc
add action=dst-nat chain=dstnat comment=censored dst-port=ffff \
    in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
    to-addresses=192.168.78.21 to-ports=cccc
add action=dst-nat chain=dstnat comment=censored dst-port=kkkk \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.21 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=13003 \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.21 to-ports=3306
add action=dst-nat chain=dstnat comment="when something is needed" disabled=yes \
    dst-port=13004 in-interface=pppoe-out1 protocol=tcp src-address-list=\
    allowed_people to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=censored dst-port=jjjj \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.21 to-ports=2597
add action=dst-nat chain=dstnat comment=censored_shadow dst-port=\
    kkkk in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.21 to-ports=2598
add action=dst-nat chain=dstnat comment=censored dst-port=mmmm \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=censored dst-port=nnnn \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.27 to-ports=24
add action=dst-nat chain=dstnat comment=censored dst-port=gggg \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.27 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=hhhh \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.27 to-ports=8080
add action=dst-nat chain=dstnat comment=censored dst-port=hhhh \
    in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
    to-addresses=192.168.78.31 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=iiii \
    in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
    to-addresses=192.168.78.31 to-ports=5010
add action=dst-nat chain=dstnat comment=censored dst-address=\
    mypublicip dst-port=80 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.78.15 to-ports=80
/ip firewall raw
add action=drop chain=prerouting src-address-list=ddos-attackers
add action=drop chain=prerouting dst-port=65372 protocol=tcp
add action=accept chain=prerouting comment=\
    "accept only google and cloudfare DNS" protocol=udp src-address-list=\
    secure_dns src-port=53
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
    LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=wireguard dst-port=13231 protocol=\
    udp
add action=accept chain=prerouting comment=L2TP disabled=yes dst-port=\
    500,1701,4500 protocol=udp
add action=drop chain=prerouting comment="drop DNS (UDP) except from inside" \
    in-interface-list=!LAN protocol=udp
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface=pppoe-out1 src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.0.0/16 src-address-list=""
add action=jump chain=prerouting comment="jump to TCP chain" disabled=yes \
    jump-target=tcp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to bad TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=tcp protocol=tcp src-address-list=allowed_people
add action=accept chain=tcp dst-port=80 protocol=tcp
add action=accept chain=tcp dst-port=443 protocol=tcp
add action=accept chain=tcp dst-port=aaaa protocol=tcp
add action=accept chain=tcp dst-port=eeee protocol=tcp
add action=accept chain=tcp dst-port=dddd protocol=tcp
add action=accept chain=tcp dst-port=bbbb protocol=tcp
add action=accept chain=tcp dst-port=ffff protocol=tcp
add action=accept chain=tcp dst-port=iiii protocol=tcp
add action=accept chain=tcp dst-port=cccc protocol=tcp
add action=accept chain=tcp dst-address=192.168.0.0/16 in-interface=\
    pppoe-out1
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=demostenes profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Prague
/system logging
add action=remotekiwi topics=info
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing
set store-every=24hours
/tool graphing interface
add allow-address=192.168.0.0/16 interface=pppoe-out1
add allow-address=192.168.0.0/16 interface=bridge-servers-78
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16

The goal is to have one bridge and 2 VLANs, each with its own DHCP, to have only one bridge on the switch chip and be able to properly use L2 and L3 HW offloading. I started with bridge 88:
adding interfaces to the LAN list:

/interface list member
add interface=ether1 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=sfp-sfpplus1-LAN list=LAN

adding tagged/untagged ports:
/interface bridge vlan
add bridge=bridge-home-88 tagged=bridge-home-88 untagged=ether1,ether11,ether12,sfp-sfpplus1-LAN vlan-ids=88

changing the interface from bridge-home-88 to vlan-home-88 (now network 88 stops working):

/ip address
add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0

turning on VLAN filtering:
/interface bridge
add name=bridge-home-88 vlan-filtering=yes 

There is also the change of DHCP from bridge-home-88 to interface=vlan-home-88 and removing bridge-home-88 from the LAN interfaces, to be on par with that example on the web.

Once I put the VLAN as the interface (add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0), it stops working. But according to that MikroTik example it should work. Does it mean that the example is not complete? Why does the example not have the bridge in the LAN interface list? The idea is to make one VLAN work, then add the second one and move the production ports to it with minimal downtime.

Thanks for your help.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN question

Mon Jan 29, 2024 8:55 am

The full config you posted shows that VLAN filtering is not enabled on bridge-home-88 ... without it, pvid settings don't work and hence ingress traffic via ether1, ether11, ether12 and sfp-sfpplus-1 doesn't get tagged.
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: VLAN question

Mon Jan 29, 2024 9:52 pm

The full config you posted shows that VLAN filtering is not enabled on bridge-home-88 ... without it, pvid settings don't work and hence ingress traffic via ether1, ether11, ether12 and sfp-sfpplus-1 doesn't get tagged.
Yes, the modifications, including turning VLAN filtering on, are in that second part.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN question

Mon Jan 29, 2024 10:00 pm

As I already wrote: I'm afraid that your "lab test" on "production" hardware won't succeed without disturbance to your "production" networks. Because, like I wrote, you may have to reboot your device to get the config actually applied.
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: VLAN question

Tue Jan 30, 2024 1:31 am

As I already wrote: I'm afraid that your "lab test" on "production" hardware won't succeed without disturbance to your "production" networks. Because, like I wrote, you may have to reboot your device to get the config actually applied.
That's what I was afraid of. Thanks.
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: VLAN question

Sun Feb 04, 2024 3:15 am

So I've done a complete wipe and restart. I made just a simple configuration, but it still didn't work. Traffic is going through both VLANs, but I am not able to ping the gateway (or anything else). It should be exactly according to the example on the web:
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-home-88 vlan-id=88
add interface=bridge name=vlan-servers-78 vlan-id=78
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1-88 ranges=192.168.88.2-192.168.88.254
add name=pool2-78 ranges=192.168.78.2-192.168.78.254
/ip dhcp-server
add address-pool=pool1-88 interface=vlan-home-88 name=dhcp1
add address-pool=pool2-78 interface=vlan-servers-78 name=dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=ether1 pvid=88
add bridge=bridge interface=ether2 pvid=78
add bridge=bridge interface=ether3 pvid=78
add bridge=bridge interface=ether4 pvid=78
add bridge=bridge interface=ether5 pvid=78
add bridge=bridge interface=ether6 pvid=78
add bridge=bridge interface=ether7 pvid=78
add bridge=bridge interface=ether8 pvid=78
add bridge=bridge interface=ether9 pvid=78
add bridge=bridge interface=ether10 pvid=78
add bridge=bridge interface=ether11 pvid=88
add bridge=bridge interface=ether12 pvid=88
add bridge=bridge interface=sfp-sfpplus1 pvid=78
add bridge=bridge interface=sfp-sfpplus3 pvid=88
add bridge=bridge interface=sfp-sfpplus4 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge untagged="ether2,ether3,ether4,ether5,ether6,e\
    ther7,ether8,ether9,ether10,ether11,ether12,sfp-sfpplus1" vlan-ids=78
add bridge=bridge tagged=bridge untagged=ether1,sfp-sfpplus3,sfp-sfpplus4 \
    vlan-ids=88
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=MGMT
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=WAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN

/ip address
add address=192.168.78.17/24 interface=vlan-servers-78 network=192.168.78.0
add address=192.168.88.17/24 interface=vlan-home-88 network=192.168.88.0
add address=192.168.58.1/24 interface=ether13 network=192.168.58.0
/ip dhcp-server network
add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Thanks for any insights!
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLAN question

Sun Feb 04, 2024 4:42 am

The interface list members for the LAN are only the two VLANs you have. You decide if it should also include ether13.
/interface list member
add interface=sfp-sfpplus2 list=WAN
add interface=vlan-home-88 list=LAN
add interface=vlan-servers-78 list=LAN
add interface=vlan-home-88 list=MGMT { only if you access router from home network as well }
add interface=ether13 list=MGMT
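Added example, not from this thread and not MikroTik code: a small Python checker that parses a RouterOS export and flags the points raised above. It implements mkx's two remarks (pvid has no effect unless the bridge has vlan-filtering=yes; interface lists should hold the L3 interface, not bridge member ports, because the IP firewall never sees the ports) and Mesquite's answer (the LAN list should be the VLAN interfaces). It also checks two things visible in the last posted config that a practitioner would want caught: the gateway handed out by /ip dhcp-server network must be an address the router holds (the posted addresses end in .17 while the DHCP gateways end in .1), and the bridge itself must be in the tagged list of any VLAN that has a /interface vlan on it. The sample export is a constructed excerpt of the last posted config using its names (bridge, ether1, ether11, vlan-home-88); the "corrected" variant applies Mesquite's suggestion and aligns the router address with the DHCP gateway.

```python
"""Lint a RouterOS export for the bridge-VLAN mistakes raised in this thread.
Added example, not MikroTik code; the sample exports below are constructed."""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_interface


def parse_export(text: str) -> list[tuple[str, dict[str, str]]]:
    """Turn a RouterOS export into (section, {key: value}) entries.

    Joins backslash line continuations first, then keeps the add/set lines
    under each '/section' header. Quoted values lose their quotes."""
    joined = re.sub(r"\\\n\s*", "", text)  # 'name=\<nl>    dhcp2' -> 'name=dhcp2'
    entries, section = [], ""
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if re.match(r"(add|set)\b", line):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            entries.append((section, {k: v.strip('"') for k, v in pairs}))
    return entries


def lint(text: str) -> list[str]:
    """Return findings as strings; an empty list means the export passed."""
    cfg = parse_export(text)

    def section(name: str) -> list[dict[str, str]]:
        return [params for sec, params in cfg if sec == name]

    findings: list[str] = []
    bridges = {b["name"]: b for b in section("/interface bridge")}
    ports = section("/interface bridge port")

    # 1. pvid does nothing unless the bridge has vlan-filtering=yes.
    for p in ports:
        if "pvid" in p and bridges.get(p["bridge"], {}).get("vlan-filtering") != "yes":
            findings.append(f"{p['interface']}: pvid={p['pvid']} is ignored, bridge "
                            f"{p['bridge']} has vlan-filtering disabled")

    # 2. Interface lists should hold L3 interfaces (bridge or VLAN interface);
    #    bridge member ports are L2 and the IP firewall never matches them.
    member_ports = {p["interface"] for p in ports}
    for m in section("/interface list member"):
        if m["interface"] in member_ports:
            findings.append(f"list {m['list']}: {m['interface']} is a bridge port (L2); "
                            "add the bridge or VLAN interface instead")

    # 3. A VLAN interface on the bridge needs the bridge itself tagged for that VLAN.
    for e in section("/interface bridge vlan"):
        tagged = set(e.get("tagged", "").split(","))
        for v in section("/interface vlan"):
            if (v["interface"] == e["bridge"] and v["vlan-id"] in e["vlan-ids"].split(",")
                    and e["bridge"] not in tagged):
                findings.append(f"{v['name']}: {e['bridge']} is not tagged for vlan {v['vlan-id']}")

    # 4. The gateway handed out by DHCP must be an address the router holds.
    held = {ip_interface(a["address"]).ip
            for a in section("/ip address") if a.get("disabled") != "yes"}
    for n in section("/ip dhcp-server network"):
        if ip_address(n["gateway"]) not in held:
            findings.append(f"dhcp network {n['address']}: gateway {n['gateway']} "
                            "is not configured on the router")
    return findings


# Constructed excerpt of the last posted config: member ports in the LAN list,
# router at .17 while DHCP hands out .1 as the gateway.
AS_POSTED = r"""
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-home-88 vlan-id=88
/interface bridge port
add bridge=bridge interface=ether1 pvid=88
add bridge=bridge interface=ether11 pvid=88
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1,ether11 \
    vlan-ids=88
/interface list member
add interface=ether1 list=LAN
add interface=ether11 list=LAN
/ip address
add address=192.168.88.17/24 interface=vlan-home-88 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
"""

# Same design with the LAN list pointing at the VLAN interface (Mesquite's
# suggestion) and the router address matching the DHCP gateway.
CORRECTED = AS_POSTED.replace(
    "add interface=ether1 list=LAN\nadd interface=ether11 list=LAN",
    "add interface=vlan-home-88 list=LAN",
).replace("192.168.88.17/24", "192.168.88.1/24")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"--- {label}")
        for finding in lint(text) or ["ok"]:
            print("  ", finding)
```

Run as a script it prints both reports: the as-posted excerpt yields three findings (two LAN list members that are bridge ports, plus the DHCP gateway the router does not hold), the corrected one yields none. Feeding it a full `/export` is the same call; the parser only looks at the sections the checks need.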
