1 WAN + 2 LANs isolated from each other

Hi,

I am new to RoS and networking but not to computers. I own an RB4011 and uploaded a script to have the following services at home: IPTV, VoIP and Internet. All of them are working but I need to customize my network.

I get a public dynamic address from the telecom company. I have 1 LAN. I have 1 bridge (includes ether2 through ether10). On ether10 I connect my AP, an ACLite.

I want to isolate ether10 (ACLite) from my LAN. What is the best approach to do it?

Rgds

After further research I found this post: http://forum.mikrotik.com/t/how-to-isolate-networks/112409/1

I will try to set it up in this way, apart from the fact that I do not have a second router. Will report back.

Ok, I reached my knowledge limit.
I attach a pic with some data of the firewall, LAN, … and the desired LAN setup.
I have been reading here:
http://forum.mikrotik.com/t/how-to-isolate-networks/112409/1
http://forum.mikrotik.com/t/isolating-physical-lan-interfaces/117712/1
But since I start from a config (including firewall) made to get IPTV working, I guess there are some rules that don't work with all I tried.
Maybe you can have a look at it and help me out with which direction I should follow.
Rgds

Post your full configuration as shown by running the command /export hide-sensitive from a terminal window … when posting config, put it into a [code] .. [/code] environment. Combine that with the network schematics and we might have an idea or two.

/interface bridge
add comment=ISP igmp-snooping=yes name=bridge1
add comment=lan2 name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether10 ] comment=LAN2
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether1-WAN name=vlan2 vlan-id=2
add interface=ether1-WAN name=vlan3 vlan-id=3
add interface=ether1-WAN name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=xxxxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=clientes
/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp_pool_LAN1 ranges=192.168.1.220-192.168.1.230
add name=dhcp_pool_LAN2 ranges=172.16.24.100-172.16.24.110
/ip dhcp-server
add address-pool=dhcp_pool_LAN1 bootp-support=dynamic disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool_LAN2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
add bridge=bridge1 disabled=yes interface=ether9
add bridge=bridge2 interface=ether10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge2 list=clientes
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1 network=192.168.1.0
add address=192.168.100.10/24 interface=ether1-WAN network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=ether10 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=decozyxel dhcp-option=option_para_deco server=dhcp1
add address=192.168.1.40 client-id=1:40:16:7e:20:90:4a server=dhcp1
add address=192.168.1.50 client-id=1:0:e:c6:fa:6e:b4 server=dhcp1
/ip dhcp-server network
add address=172.16.24.0/24 gateway=172.16.24.1 netmask=24
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
set servers=80.58.61.250,80.58.61.254
/ip firewall address-list
add address=172.16.24.100-172.16.24.110 list=client
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward in-interface-list=clientes out-interface-list=clientes
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-WAN
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=192.168.1.200
/ip route
add distance=255 gateway=255.255.255.255
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge1
/routing rip interface
add interface=vlan3 passive=yes receive=v2
add interface=vlan2 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
add network=172.26.0.0/16
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=193.145.15.15 secondary-ntp=147.156.7.26
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I did some tests, here are the results attached.

update of diagram..

Nothing much stands out to me as wrong in your configuration. One thing that might affect how things behave: the LAN2 IP address should be bound to interface bridge2 - now it's bound to its slave interface ether10.

I'm not sure you really need these set to yes:

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

They only work if intra-LAN traffic passes the bridge … which in your layout it might, if the ACLite sends traffic between wireless clients to the main router instead of forwarding it locally. You don't need those settings if traffic between different subnets has to pass the router's IP interface … The way things are configured now, you don't need

use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

enabled; none of those should really pass any bridge from one port to another.

If you want to block traffic between LAN and LAN2, you need a pair of firewall rules similar to this:

/ip firewall filter
add action=drop chain=forward in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward in-interface=bridge1 out-interface=bridge2

added to the end of your current firewall rules.

As they say, there are many ways to skin the sheep … many forum users will argue that the firewall filter rules as configured now are sub-optimal (myself included). The example rules I wrote above supplement what is currently configured …
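The two changes mkx suggests, applied to the exported config above, as an added example that is not part of the thread. Interface names, subnets and the static lease 192.168.1.40 are taken from the export; the input-chain rules and the bridge-settings change go a step beyond what was asked and are the editor's additions, explained in the comments:

```routeros
# Added example, not from the thread: mkx's suggestions applied to the
# exported config above. Interface names and subnets are the OP's own.

# 1. The 172.16.24.1/24 address sits on ether10, which is a slave of bridge2.
#    Move it to the bridge itself so the router's L3 interface for LAN2 is the
#    one the traffic actually arrives on (ARP, DHCP and routing all use bridge2).
/ip address
set [ find comment=LAN2 ] interface=bridge2

# 2. Block routed traffic between the two bridges, in both directions. These
#    are appended after the existing rules, so established/related (and
#    fasttracked) packets are still accepted first; only state=new packets
#    reach them, which is enough because every flow starts with one.
/ip firewall filter
add action=drop chain=forward comment="LAN2 -> LAN1" in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward comment="LAN1 -> LAN2" in-interface=bridge1 out-interface=bridge2

# 3. Editor's addition: the input chain in the export has no final drop, so a
#    LAN2 host can still reach the router's own services (SSH, Winbox) on
#    172.16.24.1. Allow only DHCP (and DNS, should the router ever be handed
#    out as resolver) from LAN2 and drop the rest. ICMP is still accepted by
#    the existing first input rule, so ping to the gateway keeps working.
add action=accept chain=input comment="LAN2: DHCP/DNS only" in-interface=bridge2 protocol=udp dst-port=53,67
add action=drop chain=input comment="LAN2: nothing else to the router" in-interface=bridge2

# 4. The bridge IP-firewall switches are not needed in this layout: bridge2 has
#    a single port, so nothing is bridged port-to-port there, and inter-subnet
#    traffic goes through the router's IP interfaces and the forward chain anyway.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

# Check: ping 192.168.1.40 (a LAN1 host with a static lease in the export) from
# a LAN2 client. The ping must fail and the "LAN2 -> LAN1" counter must rise.
/ip firewall filter print stats where comment~"LAN"
```

If a one-port bridge feels odd, the same works with ether10 removed from bridge1 and the address and DHCP server placed directly on ether10; the drop rules then use in-interface=ether10 / out-interface=ether10 instead of bridge2.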

Hi,

Thanks for the help. I did both:

LAN2 IP address should be bound to interface bridge2 - now it's bound to its slave interface ether10.

and

If you want to block traffic between LAN and LAN2, you need a pair of firewall rules similar to this:

I rechecked and the rule was working as intended.

But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning IPs in the range 172.16.24.xx to the connected devices BUT the AP itself was connected to 192.168.1.1. When I tried to modify that in the Ubiquiti software I was not allowed to, and the AP immediately lost connection.

So I am now back to the original setup: 1 WAN, 1 bridge (ether2 through ether10), 1 LAN (192.168.1.0/24), 1 IP pool (192.168.1.210-250), AP connected to ether10.

Now that I can start from scratch, how would you recommend designing it in the optimal way? I want to isolate:
1) all the devices connected to the AP from a) each other and b) the rest of the LAN
2) some devices of the LAN from the rest of the devices of the LAN

Then I would like to create a VPN to connect to some devices in my LAN from Windows/Android devices.

Basically that's what I am looking for.

Rgds.

I use VLANs for all subnets.
By their nature VLANs do not talk to each other on layer 2.
Thus all I do in the forward chain is state what I wish to allow, i.e. LAN to WAN for whatever VLANs,
then drop ALL as the last rule, which kills any L3 routing between the VLANs.
Done!

Looks like a clean way to do it. Will read about VLANs and come back if I have any doubts. Thanks.

Well, I was starting to read about VLANs and found this post: http://forum.mikrotik.com/t/two-seperate-lan-networks-behind-one-rb750/103426/1

Forget VLANs. They are great when you want to have multiple separate networks on one cable, but you also need either a managed switch or an end device (server) specifically configured for VLANs.
In your case, simply split the router's switch into separate ports and assign a subnet to each one. Then use the firewall to allow traffic from each LAN to the internet and block the rest, i.e. communication between LANs.

After looking further into the options of RoS and the RB4011, I found "switch". In the case of the RB4011 it has 2 switches, each with 5 ports assigned. There is an option called "port isolation" which allows forwarding a port to any of the other ports or switches (not bridges).

How can I "split the router's switch into separate ports and assign a subnet to each one"? Reading further in this post, he mentions:

Thank you so much for your reply. Today I have been working with different subnets and for now it seems to work somehow.
ETH1=WAN (Address: Public Static IP)
ETH2=LAN (Address: 192.168.1.1/24 Network: 192.168.1.0 Subnet: 255.255.255.0)
ETH3=DISABLED
ETH4=DISABLED
ETH5=SERVER (Address 192.168.5.1/30 Network: 192.168.5.0 Subnet: 255.255.255.252)
All ETH ports are not linked and only acting as stand-alone ports.

Since I have bridge1 configured (includes ether2-ether10), should I create a new bridge2 and assign ether10 for my AP, or just take ether10 out of bridge1? How can I make ether10 a stand-alone port?

Still a bit confused which way to go.

EDIT1: also, can I run VLANs using only my RB4011, without using a switch?

Hi anav!
Do I need a switch + my RB4011 for setting up the VLANs? I read the Realtek chip does not support VLAN tables.
Rgds.

No, you don't need anything special to set up VLANs on the RB4011; they are dealt with by the router's CPU. The price for that functionality is a performance hit for traffic between different ethernet ports carrying the same VLAN, which would be carried by the switch chip if the switch chip was at least half-decent. In your case, with a single ether port dedicated to the second LAN, performance won't degrade (all traffic will have to pass the CPU anyway), but it makes the use of VLANs just for subnet separation meaningless.

N.b.: using VLANs seems to be the answer to all questions for my buddy @anav :wink:

My guess is that you actually were on the right track; I just don't understand the details of the problem you described in the following paragraph:

But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning to the connected devices IPs in the range 172.16.24.xx BUT the AP itself was connected to 192.168.1.1. Once I tried to modify that in the Ubiquiti software I was not allowed and the AP immediately lost connection.

(especially the highlighted part, "BUT the AP itself was connected to 192.168.1.1")?

I have been playing with vlans and I like them. I will keep an eye on them but before I want to finish what we were trying to setup.

I reverted to the last step I showed you. The problem is the AP is not working on bridge2. I attach a pic.


Also, where is this in Winbox?

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

Let me know if you need a print.

Rgds

I don't know where in Winbox that is; in Webfig it's in Bridge -> Settings.



I can’t see any picture.

Haha MKX, you know VLANs are like catheters: you may not think you need them now, but just wait a bit longer!!

I must be misunderstanding some basics. I have everything up and running except isolating the traffic of the clients connected to the Access Point from the rest of the LAN. Basically (and not taking VLANs into account) I want to learn how to isolate some clients from others. I know there are several ways of doing it but I need to understand the basics. Let me explain what I tried so far:

I created bridge-ISP (includes all ether ports).

I connected the access point to ether10. I configured the AP to have a static IP (192.168.1.45).

I created 1 DHCP server on bridge-ISP:
"dhcp1_LAN", and it uses "pool1_LAN (192.168.1.70-192.168.1.80)".

I created another pool for guests using wifi (dhcp_pool2_guests) using 192.168.1.229-192.168.1.249.

When I tried to create a 2nd DHCP server to assign "dhcp_pool2_guests" it tells me I can't create it on bridge-ISP nor on ether10 (since it is a slave of bridge-ISP).

How can I do it?

I wanted then to create in Firewall > Address List a "guests list" (with users only using the IP pool of the access point).

Rgds.

Sigh… one can lead a horse to water… A 'sob' story for sure!! :stuck_out_tongue_winking_eye:
I started off using bridges and quickly discovered that one was limited, in that a bridge could only be assigned one subnet.
In addition, one starts loading the bridge to do everything and it just gets in the way in the long run.

Assign your VLANs to the bridge, assign subnets to the VLANs (with the required DHCP pools etc.) and then all you need is firewall rules that are appropriate.
{forward chain}

  • the default rules (established/related, IPsec if you need it, drop invalid traffic)
  • then add L3 rules where you want traffic to flow; examples are VLAN to WAN traffic, admin PC to VLANs so that you can administer the access points, etc.
  • the last rule should be drop all other traffic, to curtail any L3 connectivity between VLANs etc…

Anav, I tried to configure the VLANs. I did not post it before because I realised today that they did not work due to the lack of proper firewall rules. I even tested yesterday a TP-SG108PE I had around.


I had to ask … but I thought that would be the answer.


I already have 3 VLANs running on ether1 (WAN): one each for IPTV, VoIP and Internet (PPPoE on vlan6).
Can I still create the new VLANs on the bridge (instead of ether1)?

Rgds

I have my internet coming in on vlanxx on my ether1 (Bell fiber). IT HAS NOTHING TO DO WITH MY BRIDGES OR VLANS ON MY NETWORK.
You may have a more complicated setup?
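The VLAN-on-the-bridge layout anav describes (VLANs on the bridge with one subnet and DHCP server each, a forward chain of explicit allows ending in drop-all), applied to the OP's RB4011, as an added example that is not part of the thread. It also shows anav's last point: the ISP VLANs (vlan2/vlan3/vlan6) are children of ether1-WAN and stay as they are, while the new VLANs are children of bridge1, so the two sets never meet. The VLAN IDs, names and subnets (vlan10-lan, vlan20-guest, 192.168.10.0/24, 192.168.20.0/24) are assumptions; the DNS servers are the ones from the OP's export. The rest of the export (PPPoE, NAT, IGMP proxy) is assumed to stay in place; this replaces the bridge, DHCP and filter sections only:

```routeros
# Added example, not from the thread: anav's VLAN layout on the OP's RB4011.
# VLAN IDs, interface names and subnets are assumptions. The ISP VLANs on
# ether1-WAN are untouched; these VLANs live on bridge1 instead.

/interface bridge
# vlan-filtering is switched on as the very last step (see bottom), because
# enabling it before the VLAN table and the management address exist locks
# you out of the router.
add name=bridge1 igmp-snooping=yes vlan-filtering=no

# Access ports: untagged frames are placed in the port's pvid; tagged frames
# from a client are refused, so a device cannot hop VLANs by tagging.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table. bridge1 itself (the CPU) is a tagged member of every VLAN so
# the router can own an IP address in each.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether10
# If the AP tags its guest SSID itself, make ether10 a trunk for VLAN 20
# instead: tagged=bridge1,ether10 and no untagged member.

# One L3 interface, address, pool and DHCP server per VLAN. This is what a
# plain bridge could not do: a second DHCP server on the same interface.
/interface vlan
add interface=bridge1 name=vlan10-lan vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-lan comment=LAN
add address=192.168.20.1/24 interface=vlan20-guest comment=GUEST
/ip pool
add name=pool-lan ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-lan interface=vlan10-lan address-pool=pool-lan disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=80.58.61.250,80.58.61.254
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=80.58.61.250,80.58.61.254

# Interface lists keep the rules readable; a third VLAN is one more member.
/interface list
add name=WAN
add name=LAN
add name=GUEST
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=vlan10-lan
add list=GUEST interface=vlan20-guest

# Forward chain exactly as anav lays it out: defaults, explicit allows, drop.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="default: established/related"
add chain=forward action=drop connection-state=invalid comment="default: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN -> internet"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN comment="guest -> internet"
add chain=forward action=drop comment="drop all else: no VLAN-to-VLAN routing"
# Input chain: guests may only talk DHCP to the router; the LAN keeps access.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67 comment="guest: DHCP only"
add chain=input action=drop in-interface-list=GUEST comment="guest: nothing else to the router"

# Last step: turn filtering on. Do this from a console or a port in VLAN 10.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two things this does not cover. Isolating the wireless clients from each other (point 1a in the question earlier in the thread) has to be done on the AP: that traffic is switched inside the ACLite and never reaches the router. And the IPTV pieces in the export that reference bridge1 (the igmp-proxy downstream interface, the UPnP internal interface) would need to point at vlan10-lan instead; that is an assumption about the OP's IPTV setup, not something the thread confirms.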