Attempting to Setup VLANs on Bridge

It’s been a while since I last posted here…

I’ve been using a bridge as my network setup for a while. But now I have certain services that I want to isolate from others, for security and/or performance reasons. vSphere vMotion, vSAN, Replication, etc. all benefit greatly from having dedicated networks setup for them. In addition to this, I’ve also red stories like these recently:

• http://forum.mikrotik.com/t/rb2011-how-do-i-strip-tagged-vlan-0/94770/1
• https://www.reddit.com/r/frontierfios/comments/w4xwtr/vlan_0_why_your_router_might_not_work_out_of_the/

Where the ISP has their own priority/VLAN tag, and it needs to be stripped for successful DHCP lease. The tag can be stripped by a bridge (or at the interface). In preparation for when I move out (and inevitably get Internet service for my own house), I would like to have something ready for this scenario, among other possible hurdles. I would like to setup VLANs, on a Bridge with VLAN Filtering.

However, I’m extremely new to VLAN setup/configuration. I have an existing network bridge, but am not sure how I should change its configuration to support these changes. The last time I attempted it, I nearly got myself kicked out of my current bridge setup while trying to setup IP address(es) for the VLANs I created. I hadn’t even gotten to enabling or configuring VLAN filtering yet. I’m pretty sure I made a beginner’s mistake in that attempt. I’ve been reviewing these pages for pointers:

• http://forum.mikrotik.com/t/struggling-with-bridge-vlan-configuration/154446/1
• https://miro.co.za/module/ph_simpleblog/module-ph_simpleblog-single?sb_category=technical-tips-guides&rewrite=how-to-set-up-mikrotik-routeros-bridge-vlan-filtering-
• https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table

Are these changes all possible via the GUI in WinBox, or will I need to use the commandline? Should I wipe out everything and start from scratch?

If more information is needed, please let me know. I will do my best to provide it.

Haven’t red all you wrote, any VLAN topic should have at least one link to this great topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I have red through that a few times. While a few of the entries in that thread look similar to what I want to setup, the device(s) used don’t appear to be an exact match. Here are the closest matches I found:

• Router-Switch-AP (all in one): I’m using a MikroTik Audience as router. The wireless interfaces are being used to connect to another network. The Ethernet interface is being used to link it to the rest of the current bridge.
• Access Point: While I am using a MikroTik Audience as my router, it won’t be broadcasting usable SSIDs to end user devices.
• Switch with a separate router (RoaS): This is probably the closest match. But, it’s using a base/management VLAN instead of a bridge from what I’ve red.

In order to use the closest match, I may have to wipe out my current network and start fresh. I’m guessing I could have a base/management VLAN span a router and two switches, and then go from there. I’m not sure how I’d setup VLAN filtering on a base/management VLAN though.

I’ve also never worked with .rsc files before. Are those scripts?

RSC files are just a text format of the config.
They are easy to read.
Also one can actually add them to ones config by entering them at the terminal window on winbox so quick!

What you need to do is three fold.
a. provide a network diagram - provides context to internet and devices on LAN and what vlans you want over what ports to what devices etc…
b. user requirements

• identify all users/device, or groups of users/device including admin as a special user
• identify all the traffic flows they need.
  c. provide configs of all MT devices.
  /export file=anynameyouwish ( minus router serial number, any public WANIP information etc. )

Sorry that it took me so long to reply. Still working on part of that request:

1. I’m making the diagram now. But I suck at making them, so it’s gonna take a while
2. I’ll have to provide that that outside of this list. *
3. Device summaries listed below. ** RSC files attached for your review. Please let me know if I need to remove anything (first time using that command)

** The RBD25G-5HPacQD2HPnD currently acts as my router. The only reason it does is because I can’t run an Ethernet cable down to my family’s ISP router. So I had to resort to double-NAT over WiFi. If I could do it now, this thing would go first - in a heartbeat.

• https://mikrotik.com/product/audience

The RB4011iGS+ is part of my current bridge, and provides ten extra RJ45 ports. It’s been overshadowed by another appliance, but the presence of more RJ45 ports isn’t a curse by any means. It’d probably still go, but only because of sits right underneath it…

• https://mikrotik.com/product/rb4011igs_rm

The CRS326-24G-2S+RM smart switch could very easily remove the need for the RB4011iGS+ that sits above it. The only reason I haven’t acted on it is because it hasn’t hurt me to keep around 10 extra RJ45 ports. Also part of the current bridge.

• https://mikrotik.com/product/CRS326-24G-2SplusRM

The CCR2004-1G-12S+2XS is part of the bridge. While laptops and other client devices may have a port on the RB4011iGS+ or CRS326-24G-2S+RM, servers and heavier appliances are to connect to this thing.

• https://mikrotik.com/product/ccr2004_1g_12s_2xs

I’m looking into getting a RB4011iGS+5HacQ2HnD-IN, to replace the RBD25G-5HPacQD2HPnD and RB4011iGS+. My config may end up changing if it comes through.

\

• The current setup is for seven ESXi VMs that provide services to a small group of end users (less than 50), over VPN tunnel. The hypervisor tends to stay online for ~15 hours/day. Current services include (but aren’t limited to):

• e-mail

• VoIP/PBX

• favourites/bookmarks sync

• cloud storage (Nextcloud)

• office/collaboration (OnlyOffice)

• maps navigation/routing (OSRM)

• multimedia streaming (PleX, Nextcloud)

In addition to this, there are backend vSphere services that need to be on their own network - vMotion, vSAN, Provisioning, Replication.

Most end user devices are expected to be smartphones/tablets, laptops, or desktop computers. They are expected to connect via SoftEther VPN client or their OS’s built-in VPN client. There are currently two types of users:

• regular users (just use services)
• admins (administrate and configure backend)

Regular users only need access to services listed above. Admins have access to those, and then tools such as:

• vCenter/ESXi web UI
• LibreNMS
• Wazuh
• Cronicle

I’m not sure if I’ve answered everything for the 2nd bullet point. Please let me know if more info is needed.

EDIT: Removed attachments, due to potentially sensitive info. May replace in the future…

After further review, I’ve decided to make my current setup more-closely resemble one of the basic setups in the tutorial you linked. I purchased a MikroTik RB4011iGS+5HacQ2HnD-IN-US, so that I can try a variation of the guide for the Router-Switch-AP (all in one) scenario. Perhaps that will help to simplify things. But there is still the issue of what to do on server side, since vNICs in vSphere usually get handled by either a vSwitch or Distributed vSwitch before getting sent over one or more physical NICs that act as the vSwitch’s trunk. Might need to have the VM or vSwitch start tagging VM traffic for all I know. But I’m new to this, and probably have it all wrong.

The MT device as a router is not all that different from MT devices acting as AP/switches.
The main difference is that only the router really needs firewall rules and only the router has full dhcp responsibilities.

Here are some of the network diagrams you requested. The current network setup is attached below. Desired network setup coming in a few hours.

The 192.168.1.2/24 is the result of the scenario discussed in a previous thread. I have to hop across one more (unmanaged) network to reach the Internet.

Here are the diagrams (draft) for the desired VLAN setup. Ran out of free shapes near the end, with the online tool I was using.

In the new setup, two of the physical appliances in the previous bridge get replaced by a router/WAP combo.

I dont use capsman thus cannot assist with vlans.
Also I would refrain from using the word bridge unless it pertains to a particular bridge used within a config on the device, your general use of the word is very confusing.
Finally would not do this. vlan-id=1 (anything but 1 )

Thanks for the tips. I’ll see what I can do from here, and document as I go.

So far, I’ve managed to:

• Enable/configure CPE mode
• Create a bridge
• Create VLANs on said bridge
• Configure DNS, DHCP, etc. for each VLAN

ToDo:

• Disable DHCP on bridge and setup static lease (w/ static ARP entries)
• Configure inter-VLAN routing (for services like LibreNMS and Wazuh)
• Test Internet connectivity in all VLANs (except vSphere services)
• SoftEther VPN server testing, create new Virtual Hub for restricted users

All IPv4 addresses below should be local addresses only, and unreachable from the Internet. If anything below looks as though it should be removed, please let me know. I removed the Date/Time, Software ID, and S/N from the very top. RouterOS version is 6.48.6. This config will need more work, and is not finalised.


Also removed the following from RSC below:

• line 3: 'admin-mac=… (MAC address)
• line 7: 'nv2-preshared-key=“…” ' (WiFi PSK),
• and 'nv2-security=enabled ssid=… wireless-protocol=' (WiFi SSID)
• line 41: '“…” wpa2-pre-shared-key=' (WiFi PSK),
• and ‘“…”’ (WiFi PSK again)
  
  
  

# model = RB4011iGS+5HacQ2HnD
/interface bridge
add auto-mac=no comment=defconf name=vbridge0
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac country="united states" \
    disabled=no distance=indoors frequency=auto mode=station-pseudobridge \
    nv2-nstreme-802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" distance=indoors frequency=auto installation=\
    indoor mode=station-pseudobridge ssid=MikroTik-80B221 wireless-protocol=\
    802.11
/interface vlan
add interface=vbridge0 name=IDM vlan-id=51
add interface=vbridge0 name=IVM vlan-id=2
add interface=vbridge0 name=IVP vlan-id=3
add interface=vbridge0 name=IVR vlan-id=4
add interface=vbridge0 name=IVS vlan-id=5
add interface=vbridge0 name=SPM vlan-id=6
add interface=vbridge0 name=SQN vlan-id=7
add interface=vbridge0 name=XAN vlan-id=8
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vbridgePool ranges=12.0.0.17-12.0.0.254
add name=IDMpool ranges=10.0.0.17-10.0.0.127,10.0.0.129-10.0.0.254
add name=IVMpool ranges=10.0.1.2-10.0.1.254
add name=IVPpool ranges=10.0.2.2-10.0.2.254
add name=IVRpool ranges=10.0.3.2-10.0.3.254
add name=IVSpool ranges=10.0.4.2-10.0.4.254
add name=SPMpool ranges=10.12.8.17-10.12.8.254
add name=SQNpool ranges=10.12.7.17-10.12.7.254
add name=XANpool ranges=10.12.6.17-10.12.6.254
/ip dhcp-server
add address-pool=vbridgePool disabled=no interface=vbridge0 name=vbridge-dhcp
add address-pool=IDMpool disabled=no interface=IDM name=IDMdhcp
add address-pool=IVMpool disabled=no interface=IVM name=IVMdhcp
add address-pool=IVPpool disabled=no interface=IVP name=IVPdhcp
add address-pool=IVRpool disabled=no interface=IVR name=IVRdhcp
add address-pool=IVSpool disabled=no interface=IVS name=IVSdhcp
add address-pool=SPMpool disabled=no interface=SPM name=SPMdhcp
add address-pool=SQNpool disabled=no interface=SQN name=SQNdhcp
add address-pool=XANpool disabled=no interface=XAN name=XANdhcp
/interface bridge port
add bridge=vbridge0 comment=defconf interface=ether2
add bridge=vbridge0 comment=defconf interface=ether3
add bridge=vbridge0 comment=defconf interface=ether4
add bridge=vbridge0 comment=defconf interface=ether5
add bridge=vbridge0 comment=defconf interface=ether6
add bridge=vbridge0 comment=defconf interface=ether7
add bridge=vbridge0 comment=defconf interface=ether8
add bridge=vbridge0 comment=defconf interface=ether9
add bridge=vbridge0 comment=defconf interface=ether10
add bridge=vbridge0 comment=defconf interface=sfp-sfpplus1
add bridge=vbridge0 comment=defconf disabled=yes interface=wlan1
add bridge=vbridge0 comment=defconf interface=wlan2
add bridge=vbridge0 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=vbridge0 list=LAN
add interface=wlan1 list=WAN
/ip address
add address=192.168.1.3/24 comment=defconf interface=wlan1 network=\
    192.168.1.0
add address=12.0.0.1/8 interface=vbridge0 network=12.0.0.0
add address=10.0.0.128/24 interface=IDM network=10.0.0.0
add address=10.0.1.1/24 interface=IVM network=10.0.1.0
add address=10.0.2.1/24 interface=IVP network=10.0.2.0
add address=10.0.3.1/24 interface=IVR network=10.0.3.0
add address=10.0.4.1/24 interface=IVS network=10.0.4.0
add address=10.12.8.1/24 interface=SPM network=10.12.8.0
add address=10.12.7.1/24 interface=SQN network=10.12.7.0
add address=10.12.6.1/24 interface=XAN network=10.12.6.0
/ip dhcp-client
add interface=wlan1
/ip dhcp-server lease
add address=12.0.0.7 client-id=1:a0:1d:48:f5:10:c0 mac-address=\
    A0:1D:48:F5:10:C0 server=vbridge-dhcp
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.12.8.2 gateway=\
    10.0.0.128 ntp-server=10.12.8.2
add address=10.0.1.0/24 dns-server=10.12.8.2 gateway=\
    10.0.1.1 ntp-server=10.12.8.2
add address=10.0.2.0/24 dns-server=10.12.8.2 gateway=\
    10.0.2.1 ntp-server=10.12.8.2
add address=10.0.3.0/24 dns-server=10.12.8.2 gateway=\
    10.0.3.1 ntp-server=10.12.8.2
add address=10.0.4.0/24 dns-server=10.12.8.2 gateway=\
    10.0.4.1 ntp-server=10.12.8.2
add address=10.12.6.0/24 dns-server=1.1.1.1 gateway=\
    10.12.6.1
add address=10.12.7.0/24 dns-server=10.12.8.2 gateway=\
    10.12.7.1 ntp-server=10.12.8.2
add address=10.12.8.0/24 dns-server=10.12.8.2 gateway=\
    10.12.8.1 ntp-server=10.12.8.2
add address=12.0.0.0/8 dns-server=10.12.8.2 gateway=\
    12.0.0.1 ntp-server=10.12.8.2
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=12.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=DC-wGateway
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=10.12.8.2 server-dns-names=""
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

More changes coming this weekend, when I have time to work on this a bit more. Sorry if this looks underwhelming

All discussion of upcoming changes to my setup are moving to a new thread. Thank you for all of those who contributed to this learning experience thus far…