Assign ethernet port to VLAN

I have an RB4011, and have set up 3 working VLANs on my network. I want to assign one of the free ethernet ports to one of these VLANs (30). Currently I use an old RB941 set up as a simple switch, and have successfully assigned Eth1 to VLAN30. The 941 is connected to a free port on my main 4011 router, and I can connect successfully to the device on Eth1 on the 941 (VLAN30). I’d like to do the same thing on my 4011, i.e. assign a free ethernet port to VLAN 30. I’ve tried duplicating the 941 steps on the 4011, without success. I realize the 4011 cannot assign VLANs at the switch level. I have CPU cycles to spare, so VLAN assignment at the bridge level is fine. I’ve tried many approaches to this, looked at YouTube help videos and other online resources, all without success.

Let me restate, the VLANs are setup on the 4011, and are working perfectly. I just want to assign a free ethernet port to one of them. Both my 941 and 4011 configs are attached.

Any help is appreciated. Thanks to all in advance.

Best Regards,
Dave
RB941_Working_Eth1VLAN30.rsc (1.3 KB)
RB4011_Want_Eth2VLAN30.rsc (18.9 KB)

on rb941 I see no definition of this vlan…
Is dhcp handled elsewhere…
Without a network diagram too many possibilities to ask about.

Where is pvid on ether2 on RB4011?
Where is /interface bridge vlan on RB4011?

@ANAV: Please excuse the lack of clarity in my original post.

All the VLANs are defined and managed on the RB4011. All the VLAN networks are defined there, as well as all the DHCP servers and address pools for each VLAN. The 4011 is also the CAPsMAN manager, provisioning these VLANs to 2 Mikrotik APs. The 941 is simply a switch with all ethernet ports on the bridge, no DHCP. I assigned an IP address from my main network address space to the bridge for access to the 941. The 941 (acting as a switch) is plugged into the 4011. I have a machine, with a static IP address in the VLAN30 address space, which I need to access from my main network. Currently this machine is plugged into port 1 on the 941, and I used the Bridge configuration commands to assign Eth1 to VLAN 30. The 941 (acting as a switch) is plugged into my 4011. This works well, and I can access the machine with the VLAN IP address from my main network. I have several empty ethernet ports on my 4011 (currently PVID = 1) which I’d like to use and plug the VLAN 30 machine into directly. This will simplify my layout, save a bit of room in my server space, and free up an electrical outlet. I tried using the same bridge commands to assign an empty 4011 ethernet port to VLAN 30, but without success.

The relevant config on the 941 is:
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface ethernet switch
set 0 cpu-flow-control=no

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether4 pvid=30
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=30

/ip address
add address=192.168.60.9/24 interface=bridge1 network=192.168.60.0
add address=10.10.1.0/24 interface=ether4 network=10.10.1.0

Duplicating this on the 4011 does not work for me. I’m missing something, maybe something’s backwards, maybe something basic, but I can’t see it.

Thanks for any help,
Dave

Currently your 4011 has a non-VLAN-aware bridge so all tagged and untagged traffic appears on every port.

You should be able to create /interface bridge vlan entries with appropriate membership for the ports, and if done correctly everything should still work when you set vlan-filtering=yes on the bridge (using safe mode is a good plan).

Then change the PVID of whichever port you wish to become the new access port.

Okay, one thing you do is mix bridge and vlans. Once I implement vlans, I don't use the bridge for anything but bridging; all DHCP etc. is consistently done via vlans.
SO replacing bridge traffic with vlanEATON LOL.

Why are you using capsman? It's like half your config and not required. Why make life so complex??

It's not clear what the heck you are doing with vlans in the RB4011; as has been noted, none are assigned…
NO /interface bridge vlan settings AND vlan filtering not even turned on as part of the bridge configuration.
SO personally I don't see how your config is working at all.

It looks like most ports are connected to smart devices (switches and AP) so all trunk ports!
The only ports not being used looks like ether2,3??

You can get rid of this default dns setting that hides well.
/ip dns static
add address=192.168.60.1 comment=defconf name=router.lan

Firewall rules are not organized as chains are split apart and the order of rules is WHACK.

I also dont understand why you want the IOT network to have full ACCESS to the eaton/home/trusted subnet??
The IOT devices security wise should not be able to initiate connections to trusted users ???
I can see wanting the home users having access to IOT device but not the reverse…
If you still do, then ask yourself the question, why have two separate subnets then??

Then you have a bunch of rules equally confusing, that are disabled.

Followed by two more rules that have the same ridonkulous pattern: have one set of addresses have full access to another set of addresses, followed by the reverse.
In other words, there is no point in having separate addresses; they should be all one subnet LOL.

Also have a bunch of firewall address lists defined and not used???
Below find that I have made an assumption.
That the trusted network should have access to all other networks
That all networks need WAN access.
DONE.
If you have other requirements you should articulate them prior to config time, vice the spaghetti mess you were concocting. :)
Think of firewalls as a one way street. If users on subnet A, require access to subnet B, then all you need is one direction rule.
(return traffic will be allowed as its return traffic not traffic originated by users on subnet B)

So get rid of all your firewall address lists for now, much tidier…
In general, use interface lists for whole subnets, and firewall address lists for groups of users: less than a subnet, or from various subnets, or any combination that includes those PLUS a whole subnet.

As far as masquerade rules, not sure about hotspot so left that there as is, plus the default rule; what you were doing with vlanEaton (old bridge) partial subnet, I don't know?

KEY POINT: all smart devices (other end of trunk port) get an IP from the trusted vlan vlanEaton, 192.168.60.0/24 subnet!

(noise left out, just major changes indicated)

# model = RB4011iGS+
/interface bridge
# turn vlan-filtering on only as your last step, after the bridge vlan table below exists
add admin-mac=B8:69:F4:88:0E:03 arp=proxy-arp auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connection to AT&T"
set [ find default-name=ether2 ] comment="to machine"
set [ find default-name=ether3 ] comment=spare
set [ find default-name=ether4 ] comment="Master Bedroom Switch"
set [ find default-name=ether5 ] comment="Basement Switch"
set [ find default-name=ether6 ] comment=NAS
set [ find default-name=ether7 ] comment="Dave Office Switch"
set [ find default-name=ether8 ] comment="Dining Room AP (POE)"
set [ find default-name=ether9 ] comment="hAP Switch w/ VLAN to Home Assistant"
set [ find default-name=ether10 ] comment="Family Room Switch (POE)"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment="T-Mobile HotSpot" speed=1Gbps
/interface vlan
add interface=bridge name="VLAN Guest" vlan-id=10
add interface=bridge name="VLAN HotSpot" vlan-id=20
add interface=bridge name="VLAN IOT" vlan-id=30
add interface=bridge name=vlanEaton vlan-id=60

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/ip dhcp-server
add address-pool="dhcp Eaton" interface=vlanEaton lease-time=3d name="DHCP Eaton"
add address-pool="pool Guest" interface="VLAN Guest" lease-time=1d10m name="DHCP Guest"
add address-pool="pool HotSpot" interface="VLAN HotSpot" lease-time=1h10m name="DHCP Hotspot"
add address-pool="pool IOT" interface="VLAN IOT" lease-time=3d name="DHCP IOT"

/interface bridge port
# access ports: pvid is the VLAN the untagged device sits in; trunk ports accept tagged frames only
add bridge=bridge comment="to machine" ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=30
add bridge=bridge comment="spare home port" ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=60
add bridge=bridge comment=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge comment=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment=NAS ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=60
add bridge=bridge comment=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge comment=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge comment=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9
add bridge=bridge comment=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus1 pvid=20

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5,ether7,ether8,ether9,ether10 untagged=ether3,ether6 vlan-ids=60
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether4,ether5,ether7,ether8,ether9,ether10 untagged=sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,ether4,ether5,ether7,ether8,ether9,ether10 vlan-ids=10

/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlanEaton list=LAN
add interface="VLAN Guest" list=LAN
add interface="VLAN IOT" list=LAN
add interface="VLAN HotSpot" list=LAN
add interface=vlanEaton list=MANAGE
add interface=wireguard1 list=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ip address
add address=192.168.60.1/24 comment=defconf interface=vlanEaton network=192.168.60.0
add address=172.16.0.1/24 interface="VLAN Guest" network=172.16.0.0
add address=10.10.1.1/24 interface="VLAN IOT" network=10.10.1.0
add address=10.10.0.1/24 interface="VLAN HotSpot" network=10.10.0.0
add address=172.22.0.1/24 comment=WireGuard interface=wireguard1 network=172.22.0.0
/ip firewall address-list
add address=192.168.60.XX comment="admin desktop" list=AdminAccess
add address=192.168.60.RT comment="admin laptop" list=AdminAccess
add address=192.168.60.XX comment="admin iphone/ipad" list=AdminAccess
add address=172.22.0.3 comment="admin laptop remote" list=AdminAccess
add address=172.22.0.Y comment="admin iphone/ipad remote" list=AdminAccess

/ip firewall filter
# INPUT chain: default rules
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# INPUT chain: admin rules
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=MANAGE src-address-list=AdminAccess
add action=accept chain=input comment="dns and ntp services" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="dns services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# FORWARD chain: default rules
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# FORWARD chain: admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Trusted to all subnets" in-interface=vlanEaton out-interface-list=LAN
add action=accept chain=forward comment="port forwarding (disable or remove if not required)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.0.0/24

/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
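
An added example (not from the thread, not MikroTik code): a small Python checker that applies the three conditions tdw's steps and ANAV's diagnosis turn on to a RouterOS export, namely vlan-filtering enabled, every access port's PVID present as an untagged member in the bridge vlan table, and the bridge itself tagged for every VLAN the router terminates with an /interface vlan. The two sample exports are constructed: Dave's working RB941 layout from above, and a cut-down 4011 that only sets the PVID, which is the state ANAV describes.

```python
import shlex
from collections import defaultdict


def parse_export(text):
    """Map each '/path' section of a .rsc export to its 'add'/'set' items as dicts."""
    # Assumes one item per line (no backslash continuations) and comma lists, not ranges.
    sections, current = defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.split(" ", 1)[0] in ("add", "set"):
            item = {}
            for tok in shlex.split(line)[1:]:
                key, _, value = tok.partition("=")
                item[key] = value
            sections[current].append(item)
    return sections


def check_vlan_bridge(text):
    """Return the problems that make a port-to-VLAN assignment silently not work."""
    cfg = parse_export(text)
    members = lambda csv: set(filter(None, csv.split(",")))
    bridges = {b["name"]: b for b in cfg["/interface bridge"] if "name" in b}
    problems = [f"{n}: vlan-filtering is off, so the bridge vlan table is ignored"
                for n, b in bridges.items() if b.get("vlan-filtering") != "yes"]
    table, none = {}, (set(), set())  # vlan-id -> (tagged members, untagged members)
    for v in cfg["/interface bridge vlan"]:
        for vid in v.get("vlan-ids", "").split(","):
            table[vid] = (members(v.get("tagged", "")), members(v.get("untagged", "")))
    for p in cfg["/interface bridge port"]:  # an access port needs an untagged entry for its pvid
        pvid, port = p.get("pvid", "1"), p.get("interface")
        if pvid != "1" and port not in table.get(pvid, none)[1]:
            problems.append(f"{port}: pvid={pvid} but no untagged membership in vlan {pvid}")
    for v in cfg["/interface vlan"]:  # the router's L3 interface needs the VLAN tagged on the bridge
        parent, vid = v.get("interface"), v.get("vlan-id")
        if parent in bridges and parent not in table.get(vid, none)[0]:
            problems.append(f"{v.get('name')}: bridge {parent} is not a tagged member of vlan {vid}")
    return problems


# Constructed samples: the working RB941 layout from the thread, and a 4011-style
# config with the port PVID set but no bridge vlan table and filtering left off.
RB941_OK = """
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether4 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=30
"""
RB4011_BROKEN = """
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether2 pvid=30
/interface vlan
add interface=bridge name="VLAN IOT" vlan-id=30
"""
```

Running check_vlan_bridge on a real /export output works the same way as long as the export is produced without line wrapping; the broken sample reports all three findings, the 941 sample reports none.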

Thank you @tdw for your reply, and thanks to @ANAV for taking the time for your extensive reply. I’ve been helped many times on this forum and appreciate any help. Let me give some more background that may be relevant. Not as excuses for what I have done, but to inform you about my Mikrotik journey.

7 years ago, my church upgraded our IT infrastructure to Mikrotik, based on the recommendation of the IT consultant we’ve used for many years. He set up our primary network, and 2 VLANs for members and visitors. These VLANs are exclusively accessed over WiFi. I pulled the cables to the 3 APs we started with, and set up the VLANs / Virtual APs on the AP devices. They work well, and obtain IP addresses from the correct IP address space. At the same time, I bought an RB2011 and 2 RB951 APs for use in my home, so I could learn about Mikrotik hardware and RouterOS. Our church wireless network has expanded to 14 APs in 3 buildings, so I decided to learn CAPsMAN, learning, provisioning and testing the APs at home, before rolling it out at Church. The Mikrotik hardware and software has proven to be extremely reliable. One question I’ve always had pertains to isolation of the VLANs from each other and from the main network. Are they isolated by their fundamental nature, or do I need firewall rules to isolate them? I hope this explains why I’m using CAPsMAN for only 2 APs, and why I have a bunch of abandoned firewall rules and unused firewall address lists. I want to isolate all these networks from each other. I’ve accessed this forum and plenty of YouTube videos for help, and have appreciated all the responses and what I’ve learned.

Now back to my home situation. I have a separate wireless VLAN for my IOT devices (TP-Link Kasa, if that is important). All these devices are set up and controlled over WiFi. I set up a Home Assistant server on a Raspberry Pi to access and control these devices. I assigned a static IP to this RPi so it could see and control the IOT devices. I plug a monitor and keyboard into the RPi to access the Home Assistant server, and it works well. I want to be able to access this single, static IP address from my home network. This is where I used an old RB941, which I set up as a switch. I assigned a port on the 941 the IOT VLAN ID, plugged the switch into my RB4011 router, added firewall rules to allow access from the 192.168.60.XX main network to the IOT server static 10.10.1.201 IP address, and I CAN access the RPi server, and control the IOT devices.

This is a ‘kludge’ and obviously can be done more simply and elegantly. Possibly the main VLAN configuration done 7 years ago is not best practice, but it does work, and it’s what I based my home configuration on. I guess my 3 main things I’d like to learn are:

  1. How to isolate all networks and VLANs from each other in a simple, non ‘kludge’ fashion
  2. Allow traffic from my main 60.XX network to a single wired, static IP address on my RPi which is directly connected by ethernet to my RB4011 router.
  3. What is ‘assigning’ a VLAN? Mine are all wireless. Now I want to assign one ethernet port to a VLAN. Is this what’s being referred to?

Thanks and Best Regards,
Dave

The easy way to isolate vlans is already half done. The subnets are isolated from each other at layer 2 (MAC addresses) by virtue of being in vlans.
The other half is to prevent the router from routing between them, because the router knows they exist (aka at layer 3, by IP address).
SO
In the forward chain of firewall rules we ensure ONLY traffic flows that is desired; we don't worry about what shouldn't flow because it's too numerous, with many possibilities.
The easy approach is to ensure that the router DROPS all traffic! DONE!!!
We just ensure what's before the DROP rule is traffic we want, besides the usual default rules…

Default rules
( )
Admin rules
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat
add chain=forward action=drop comment="drop all else"

DONE!!!

As for the other concerns, draw a diagram to show what you want to accomplish for easy understanding…then config to the diagram.
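
An added example (not from the thread, not MikroTik code) of the "one way street" reasoning above: a first-match model of the forward chain ANAV proposes, using the LAN/WAN interface lists from the suggested config. The packet's connection-state is what connection tracking would assign (new for the first packet of a flow, established for the replies); the flows are constructed, not captured.

```python
# Interface lists as in the proposed config (assumed membership, taken from the thread).
LISTS = {"LAN": {"vlanEaton", "VLAN Guest", "VLAN IOT", "VLAN HotSpot"}, "WAN": {"ether1"}}

# The forward chain in rule order: first match wins, exactly as the router evaluates it.
FORWARD = [
    {"connection-state": {"established", "related"}, "action": "accept"},           # defconf
    {"connection-state": {"invalid"}, "action": "drop"},                             # defconf
    {"in-interface-list": "LAN", "out-interface-list": "WAN", "action": "accept"},   # internet traffic
    {"in-interface": "vlanEaton", "out-interface-list": "LAN", "action": "accept"},  # trusted to all subnets
    {"action": "drop"},                                                              # drop all else
]

# How each matcher in a rule is evaluated against a packet {in, out, state}.
MATCHERS = {
    "connection-state": lambda want, pkt: pkt["state"] in want,
    "in-interface": lambda want, pkt: pkt["in"] == want,
    "out-interface": lambda want, pkt: pkt["out"] == want,
    "in-interface-list": lambda want, pkt: pkt["in"] in LISTS[want],
    "out-interface-list": lambda want, pkt: pkt["out"] in LISTS[want],
}


def verdict(pkt, chain=FORWARD):
    """Walk the chain and return the action of the first rule whose matchers all hold."""
    for rule in chain:
        if all(MATCHERS[k](v, pkt) for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "accept"  # a chain with no matching rule accepts (RouterOS default)


def flow(src, dst, state="new"):
    """Verdict for one packet entering on src and leaving on dst with the given conntrack state."""
    return verdict({"in": src, "out": dst, "state": state})


def isolation_report():
    """Trusted may open connections into IOT; IOT may only answer, never initiate toward trusted."""
    return {
        "eaton->iot new": flow("vlanEaton", "VLAN IOT"),
        "iot->eaton reply": flow("VLAN IOT", "vlanEaton", "established"),
        "iot->eaton new": flow("VLAN IOT", "vlanEaton"),
        "guest->iot new": flow("VLAN Guest", "VLAN IOT"),
        "guest->internet": flow("VLAN Guest", "ether1"),
    }
```

Removing the "drop all else" rule is the instructive failure case: with nothing matching, the chain's default accept lets the IOT-to-trusted new connection through.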