2 Ports on each VLAN

DMartin · March 27, 2020, 6:26pm

Hi guys !,

I buy recently an hEX s to pull apart my home traffic on 2 VLANs (VLAN10 and VLAN20).
I want to setup this configuration:

ether1 (WAN port), not special configuration needed i think, my ISP use a PPPoE session.
ether2 & ether3 (VLAN10), with independent DHCP server and pool address
ether4 & ether5 (VLAN20), with independent DHCP server and pool address
To avoid InterVLAN routing on VLANs i will use 2 firewalls rules, (forward,drop, all from XX to XX…)

In other words, something like this image, but with 2 port on each VLAN:

So, i try a configuration with bridges:

BridgeVLAN10 - Port members ether2 & ether3
BridgeVLAN20 - Port members ether4 & ether5
Then i create VLANs and assign interface to respective bridge.

But with this configuration VLANs don´t move traffic on stats, only bridges work at all.
I´m lost now, this configuration is ok?, any tip?, this is possible without a switch?.

Thanks, and sorry about the grammar mistakes

anav · March 27, 2020, 6:45pm

One bridge only is needed and there is no gain in your setup to add an extra bridge.
If you add a last rule at the end, all other traffic not allowed will be dropped… So this covers your requirement to drop across vlan traffic at L3 (routing by router) AND any other traffic will also be stopped cold.

forward chain
{default rules - fasttrack, established related, drop invalid}

{user rules}
vlan10 and vlan20 probably need to access the internet.
AdminPC if on vlan10 may wish to be able to access vlan20
Do you have a shared device like a printer for both vlans to access

{default rules - comment=“defconf: drop all from WAN not DSTNATed”}

ADD last rule
add chain=forward action=drop comment=“Drop all else”

DMartin · March 27, 2020, 7:21pm

Hi anav thanks for your reply,

I dont understand, how can i attach ether2&3 to VLAN10 and 4&5 to VLAN20 with one single bridge?
Sorry but i´m very rookie with this devices.

anav · March 28, 2020, 1:23am

Something like this…

/interface ethernet
set [ find default-name=ether1 ] comment=Port1 name=ISP provider_eth1 speed=\
    100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=HomeBridge \
    vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=Home-LAN_V10 vlan-id=10
add interface=HomeBridge name=Home-LAN_V20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=HomeBridge list=LAN
/ip pool
add name=dhcp-vlan10 ranges=192.168.10.2-192.168.10.150
add name=dhcp-vlan20 ranges=192.168.20.2-192.168.20.150
/ip dhcp-server
add address-pool=dhcp-vlan10 disabled=no interface=Home-LAN_V10
add address-pool=dhcp-vlan20 disabled=no interface=Home-LAN_V20
/interface bridge port
add bridge=HomeBridge comment=defconf   frame-types=admit-only-untagged-and-priority-tagged  interface=ether2 pvid=10
add bridge=HomeBridge comment=defconf  frame-types=admit-only-untagged-and-priority-tagged  interface=ether3 pvid=10
add bridge=HomeBridge comment=defconf   frame-types=admit-only-untagged-and-priority-tagged  interface=ether4 pvid=20
add bridge=HomeBridge comment=defconf   frame-types=admit-only-untagged-and-priority-tagged  interface=ether5 pvid=20 
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge untagged=eth2,eth3  vlan-ids=10
add bridge=HomeBridge tagged=HomeBridge untagged=eth4,eth5  vlan-ids=20
/ip address
add address=192.168.10.1/24 interface=Home-LAN_V10 network=192.168.10.0
add address=192.168.20.1/24 interface=Home-LAN_V20 network=192.168.20.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1

DMartin · March 28, 2020, 10:34am

Ok, i try this configuration and now VLANs 10 & 20 move traffic at stats on interface menu, fine.
I have two more questions anav, both VLANs don´t have access to internet, it´s intended?

And about the configuration you give me:
/interface ethernet
set [ find default-name=ether1 ] - What means this? search ether1?

/interface bridge
add admin-mac= auto-mac=no - And this?

Thanks !

anav · March 28, 2020, 1:12pm

Dont worry about those things they are defaults that show up regardless, the rest were the important bits.

If you noticed I put the internet access into the user rules, it was up to you to implement if needed for example,
Three options to add internet and put before the last rule.

(1) Easy and fast. (2 rules) - my third choice
add action=accept chain=forward in-interface=vlan10 out-interface=WAN
add action=accept chain=forward in-interface=vlan20 out-interface=WAN

(2) Learning about firewall addresses and how to use them (single rule) THIS WORKS BEST FOR WHEN using single IPs or a mix of subnets and Single IPs. - my second choice
add action=accept chain=forward source-address-list=Internet out-interface=WAN

Under IP firewall you can create firewall address lists whose entries can consist of individual IP addresses, range of IPs, or a Subnet.
for example
userpcIP=LISTTEST
192.168.2.5-192.168.2.10=LISTEST
192.168.0.0./24=LISTTEST (where 192.168.0.0/24 describes a Lan or Vlan subnet)

So in your case you would create a firewall address list, call it Internet and thus the rule above.
192.168.10.0/24=Internet
192.168.20.0/24=Internet

(3) Use Interface LIST members to idenfity a GROUP of interfaces into a single interface list. This is best for just subnets - my first choice!!
We know we have the defaults interface list entries of WAN and LAN, lets create one called INTernet, for example.
add action=accept chain=forward in-interface-list=INTernet out-interface=WAN

In winbox, at the left hand menu select “interfaces” and then from the pop-up menu, select the top menu selection on interfaces called - “Interface List”
Here you will add the new interface list and identify the members of that list.
The tricky part is that you can ONLY add members to an existing list using the PLUS + button. See that box to the right of the + symbol, the last box with the word Lists in it!
Click on that to create a new LiST (in our case INTernet), ensure the exclude include boxes are blank. Once done you can go back to the + symbol and and add members to that list and in our case, vlan10 and vlan20 to the name.

DMartin · March 28, 2020, 1:57pm

Thanks again anav, a lot.
Im going to try all the config now and tell here results.
About the firewall, i think to keep the default settings of Mikrotik Team + the rules you say me, it’s ok?

One more time, THANKS!

anav · March 28, 2020, 2:03pm

Yes the defaults for the basic setup you have are excellent.
What we added is the ability for the vlans to get to the internet.
The last rule ensures that the vlans cannot talk to each other as well as stopping any other forward traffic that we may not know about.

DMartin · March 28, 2020, 4:11pm

Ok, i tested all configuration (with only default firewall rules)
Now, both VLANs have access to internet, maybe this morning i make an error on configuration…
But… the connectivity between VLANs keeps up, i check with it with simple ping.

anav · March 28, 2020, 5:05pm

Yes with the default firewall rules you will have connectivity.
You will also be able to reach one vlan with the other.

Add the vlan to internet rule of your choice in the forward chain.
THEN add the last rule in the forward chain to block all other traffic (including vlan to vlan traffic)

DMartin · March 28, 2020, 8:24pm

Solved,
I use interface list policy + drop all policy and it works
Thanks for your aid anav !

anav · March 28, 2020, 9:40pm

Awesome. I am going to drink a beer in your honour