Access Port VLAN Setup Post 6.41

Newbie here wanting to set up a RouterBOARD 3011UiAS with 6.42.6 firmware for two WANs and two LANs and I'm getting stuck on the seemingly simplest thing - LAN and VLAN setup.

ISP 1 is on ether1 getting IP via DHCP client
ISP 2 is on ether2 getting IP via DHCP client
LAN 1 with DHCP 192.168.10.0/24, GW 192.168.10.1, (vlan10) is ethernets 9 and 10
LAN 2 with static hosts, GW 192.168.11.1, (vlan11) is ether6, ether7 and ether8.

The devices on LAN 2 are AoIP devices that are supposed to be set up on VLANs to reduce traffic and that's why I'm trying this. No other devices should be on this VLAN however I was thinking about setting up a firewall rule to allow HTTP access from LAN 1 to control the devices...

I've set up two bridges and assigned respective ports to those bridges, set up a few firewall & NAT rules but when I connect a host to ether10 on LAN 1 at 192.168.10.100 (DHCP) and another to ether6 on LAN 2 at 192.168.11.100 (DHCP), I can ping and RDC each from the other.

I thought that a.) if I set up a host on a different subnet, I shouldn't be able to ping it, let alone RDC to it and b.) I shouldn't be able to connect from one VLAN to another. What am I missing?

Please understand that I'm working on this so the config is incomplete but here's the config:

# aug/16/2018 11:19:18 by RouterOS 6.42.6
# software id = F6UV-R15J
#
# model = RouterBOARD 3011UiAS
/interface bridge
add fast-forward=no name="LAN 1"
add fast-forward=no name="LAN 2"
/interface ethernet
set [ find default-name=ether1 ] name="1 - WAN - 1"
set [ find default-name=ether3 ] name="3 - WAN - 2"
set [ find default-name=ether6 ] name="6 - LAN 2"
set [ find default-name=ether7 ] name="7 - LAN 2"
set [ find default-name=ether8 ] name="8 - LAN 2"
set [ find default-name=ether9 ] name="9 - LAN 1"
set [ find default-name=ether10 ] name="10 - LAN 1"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="LAN 1" name=dhcp1
/interface bridge port
add bridge="LAN 2" interface="6 - LAN 2"
add bridge="LAN 2" interface="7 - LAN 2"
add bridge="LAN 2" interface="8 - LAN 2"
add bridge="LAN 1" interface="9 - LAN 1"
add bridge="LAN 1" interface="10 - LAN 1"
/interface ethernet switch vlan
add independent-learning=no ports="9 - LAN 1,10 - LAN 1" switch=switch2 vlan-id=10
add independent-learning=no ports="6 - LAN 2,7 - LAN 2,8 - LAN 2" switch=switch2 vlan-id=11
/ip address
add address=192.168.10.1/24 interface="LAN 1" network=192.168.10.0
add address=192.168.11.1/24 interface="LAN 2" network=192.168.11.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface="1 - WAN - 1"
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface="3 - WAN - 2"
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.1.1,192.168.2.1 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="Drop !Established !Related" connection-state=!established,related
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add action=accept chain=input comment="Allow LAN access to router and Internet (LAN 1)" connection-state=new in-interface="LAN 1"
add action=accept chain=input comment="Allow LAN access to router and Internet (LAN 2)" connection-state=new in-interface="LAN 2"
add action=accept chain=input comment="Allow connections that originated from LAN" connection-state=established
add action=accept chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add action=accept chain=forward comment="Allow LAN access to router and Internet LAN 1" connection-state=new in-interface="LAN 1"
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=no

Thank you for any guidance.

You should use one bridge and then use VLANs to separate the LANs/subnets.
These subnets will then not be able to talk to each other via layer 2, but will via layer 3.
Then add firewall rules to block comms between the IP subnets on layer 3.

Sorry to hijack this post, CZfan, but can you also point me to any tutorial on creating 2 VLANs on 1 bridge?

I want to put ether2 on one VLAN, into which a dumb switch will be plugged, and the rest of the MikroTik ports on the second VLAN. Thanks.

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

Thanks for your reply CZFan.

I’ve attempted to follow your instructions but am still having trouble with the firewall. I created only one bridge and added ether6-10 to it, created two ip subnets (192.168.10.0/24-VLAN10 & 192.168.11.0/24-VLAN11) and assigned both to the bridge. (Not sure whether this is correct as I wanted to assign one subnet per each VLAN but saw no way to do so. I am creating the VLANs in /interface ethernet switch vlan.) There is one DHCP server (192.168.10.100-200) on the bridge as well and I was also not sure about this setting since I would prefer to assign it to a VLAN instead of bridge.

As you said, with no firewall rules set yet, hosts on one subnet are open via Layer 3 to others so I can RDC and load webpages from/to each other. I set about creating firewall rules to prohibit, then successively open ports between them. The blocking part works but opening TCP ports between them is not working. It seems that no rule I create can overcome the blocking rule. When I disable the blocking rule, traffic between 192.168.10.X and 192.168.11.X is completely open; when I enable the blocking rule, all traffic between 192.168.10.X and 192.168.11.X is completely down and when I create a rule to open port 80 (or anything else) from 192.168.10.X and 192.168.11.X, it has no effect.

Here is the present config:

# model = RouterBOARD 3011UiAS
/interface bridge
add fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] name="1 - WAN - 1"
set [ find default-name=ether3 ] name="3 - WAN - 2"
set [ find default-name=ether6 ] name="6 - VLAN 11"
set [ find default-name=ether7 ] name="7 - VLAN 11"
set [ find default-name=ether8 ] name="8 - VLAN 11"
set [ find default-name=ether9 ] name="9 - VLAN 10"
set [ find default-name=ether10 ] name="10 - VLAN 10"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN interface="6 - VLAN 11" pvid=11
add bridge=LAN interface="7 - VLAN 11" pvid=11
add bridge=LAN interface="8 - VLAN 11" pvid=11
add bridge=LAN interface="9 - VLAN 10" pvid=10
add bridge=LAN interface="10 - VLAN 10" pvid=10
/interface ethernet switch vlan
add independent-learning=no ports="9 - VLAN 10,10 - VLAN 10" switch=switch2 vlan-id=10
add independent-learning=no ports="6 - VLAN 11,7 - VLAN 11,8 - VLAN 11" switch=switch2 vlan-id=11
/ip address
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=192.168.11.1/24 interface=LAN network=192.168.11.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface="1 - WAN - 1"
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface="3 - WAN - 2"
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.1.1,192.168.2.1 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward dst-address=192.168.11.0/24 protocol=tcp src-address=192.168.10.0/24 src-port=80
add action=accept chain=forward dst-address=192.168.10.0/24 protocol=tcp src-address=192.168.11.0/24 src-port=80
add action=drop chain=forward dst-address=192.168.11.0/24 src-address=192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=no

Any further direction would be appreciated.
Alan

Hi Alan,

As far as the firewall rules go, you need to change from src-port to dst-port, and that should resolve it. That is how a web server can talk to many clients behind the same IP, i.e. the source port from the clients will change all the time.

As far as VLANs go, I don't see where the VLANs are created in the last config post. You need to create the VLAN interfaces, assign them to the bridge, then assign IPs and DHCP to these VLANs, and configure VLANs either on the bridge (software) or on the switch (hardware), which the 3011 is capable of doing.

Have a read through the link below and come back if you struggle.

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
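Putting the two replies together (one bridge with VLAN filtering, IPs and DHCP on the VLAN interfaces, and dst-port instead of src-port), as an added example that is not from the thread or from MikroTik's documentation. The bridge name bridge1, the vlan10/vlan11 names and the default etherN port names are assumptions; the ports, subnets and the port-80 rule follow Alan's description, and the filtering is done on the bridge (the software path in the first linked manual page), not in /interface ethernet switch vlan.

```routeros
# Added example (not from the thread). Names bridge1, vlan10, vlan11 and the
# default etherN port names are assumed. Run from a console session with
# Safe Mode on, so a mistake in the VLAN table reverts instead of locking you out.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# Access ports: untagged frames are placed in the port's pvid; tagged frames
# arriving from a host are dropped rather than let it pick its own VLAN.
add bridge=bridge1 interface=ether9 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# The bridge itself is a tagged member so the router's VLAN interfaces receive traffic.
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether9,ether10
add bridge=bridge1 vlan-ids=11 tagged=bridge1 untagged=ether6,ether7,ether8
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan11 interface=bridge1 vlan-id=11
/ip address
# One subnet per VLAN interface instead of two subnets on the bridge.
add address=192.168.10.1/24 interface=vlan10
add address=192.168.11.1/24 interface=vlan11
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
# DHCP only on VLAN 10; the AoIP hosts on VLAN 11 are static.
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to flows already allowed"
add chain=forward action=drop connection-state=invalid
# Match the server port (dst-port): the client's src-port is ephemeral and never 80.
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.11.0/24 protocol=tcp dst-port=80 comment="LAN 1 -> AoIP web UI"
add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.11.0/24 comment="block everything else LAN 1 -> LAN 2"
add chain=forward action=drop src-address=192.168.11.0/24 dst-address=192.168.10.0/24 comment="block LAN 2 -> LAN 1"
# Turn filtering on last, once ports, VLAN table and VLAN interfaces exist.
/interface bridge
set bridge1 vlan-filtering=yes
```

Rule order matters: the established/related accept and the dst-port=80 accept must sit above the two drops, otherwise the drops win exactly as described in the thread.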