Bind Webfig and ssh to a vlan

Hi there,
with a lot of help from two users here I got my wifi connected to my vlans.
Now I want to bring the management-services of my MikroTik in a VLAN.

Background:

  • Mikrotik is only wifi-AP (DNS, DHCP, etc are served by a separate opnsense-installation)
  • Mikrotik is connected via one ethernet-port (ether2) to a Trunk.
  • vlan90 should be the management-vlan.
  • PVID is defaulted to 1 (and should not be used after migration)

I can’t figure out how to bind webfig and ssh where I want…
What I tried:

  • Adding a vlan-interface to the bridge with vlan-tag 90
  • adding ether2 as tagged device for vlan90 to the bridge
  • setting a corresponding ip on the vlan (10.10.90.99)

But I can’t even ping the ip set.

I could not find a way to set the listening interface/ip for the services www, ssh…

Searching the web and especially the Manual brought no help.

Here is my /export:

# sep/19/2021 22:20:41 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
# NOTE(review): the export header carries the software id and the device serial
# number, and the config below carries MAC addresses; redact these before posting.
/interface bridge
# vlan-filtering=yes makes the /interface bridge vlan table below authoritative for
# which VIDs may pass each port, including the bridge's own CPU-facing port.
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no fast-forward=no name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
# ether2 (the trunk towards the upstream switch) is renamed ether2-master here.
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# wlan1 tags client frames with VID 10 (vlan-mode=use-tag) before they enter the bridge.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
# NOTE(review): wlan2 sets no vlan-id/vlan-mode, so its clients land untagged on the
# bridge port's PVID (1) -- the VLAN the post above says should be retired. Confirm.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan60 vlan-id=60
# vlan90 is the intended management interface, but no /ip address is bound to it
# below (10.10.90.99 is placed on "bridge" instead).
add interface=bridge name=vlan90 vlan-id=90
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# LAN is the only list the input chain trusts (see the last /ip firewall filter rule).
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
# Guest SSID: frames tagged VID 60, client-to-client forwarding disabled.
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8F \
    master-interface=wlan1 name=GuestWLAN security-profile=Profil_Gast ssid=\
    Forrest vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=\
    disabled
/ip pool
# Leftover default-config pool; the post says DHCP is served by opnsense.
add name=dhcp ranges=192.168.88.10-192.168.88.254
/snmp community
# NOTE(review): the default community accepts queries from any source address.
# SNMP itself is not enabled in this export (no "/snmp set enabled=yes"), so this
# only matters once it is turned on -- then restrict addresses= to the management subnet.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# NOTE(review): ether2-master is a bridge port AND carries an IP address directly
# (/ip address below); a bridge member port is not expected to terminate IP itself --
# likely why the address is unreachable. Confirm against the replies.
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
# NOTE(review): vlan10 is defined on top of "bridge" and is here added back as a port
# of that same bridge -- this looks like a loop rather than a VLAN mapping. Confirm.
add bridge=bridge interface=vlan10
add bridge=bridge interface=GuestWLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge tagged=GuestWLAN,ether2-master vlan-ids=60
# VID 90 is tagged only towards ether2-master; "bridge" (the CPU-facing port) is not
# listed, so tagged-90 frames never reach the router's own vlan90 interface.
add bridge=bridge tagged=ether2-master vlan-ids=90
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
# The next three entries name no interface= and do nothing; safe to delete.
add list=discover
add list=discover
add list=discover
# MAC-WinBox is permitted from every bridge port (see /tool mac-server mac-winbox).
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
# This entry names no list= and is inert (ether1 is treated as WAN in the filter).
add interface=ether1
# "bridge" in LAN means untagged (PVID 1) traffic from any bridge port reaches the
# input chain as trusted -- the management VLAN is not yet the only way in.
add interface=bridge list=LAN
/ip address
# NOTE(review): a /16 on a bridge member port; the reply below flags both points.
add address=192.168.2.99/16 interface=ether2-master network=192.168.0.0
# No prefix length given, so this is a /32 host address (network == address): nothing
# on 10.10.90.0/24 can reach it, and it sits on "bridge", not on vlan90.
add address=10.10.90.99 interface=bridge network=10.10.90.99
/ip dhcp-server network
# Leftover default-config entry; no DHCP server instance is defined in this export.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for anything that
# passes the input chain; with DNS served by opnsense this could be "no".
set allow-remote-requests=yes servers=192.168.2.26
/ip dns static
add address=192.168.2.99 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Input chain: ICMP is accepted from every interface (ether1 included), there is no
# "drop invalid" for input, and after the last rule every management service is
# reachable from any address arriving on a LAN-list interface. "/ip service set <svc>
# address=<mgmt-subnet>" can narrow each service independently of the firewall.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip route
add distance=1 gateway=192.168.2.1
/ip service
# NOTE(review): only www-ssl is touched; www (80), telnet, ftp and api are not listed
# and so keep their RouterOS defaults -- check "/ip service print" and disable what is
# unused. No certificate= is assigned to www-ssl, so confirm it actually serves.
set www-ssl disabled=no
/ip smb shares
# Default /pub share; whether SMB itself is enabled is not visible in this export.
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): allow-none-crypto=yes lets a client negotiate the "none" cipher, i.e.
# an unencrypted SSH session; forwarding-enabled=remote lets sessions open remote port
# forwards through the router. Prefer allow-none-crypto=no, forwarding-enabled=no and
# strong-crypto=yes unless one of these is deliberately needed.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# NOTE(review): the scheduler runs with policy, password, sensitive, reboot and sniff
# while the scripts it triggers declare only read,write -- trim the scheduler policy.
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
# Nightly radio off/on for wlan1 only (the wlan2 lines inside the scripts are commented out).
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
# MAC-telnet is reachable on wlan2 (list mactel) and MAC-WinBox on every bridge port
# (list mac-winbox = bridge). MAC-level access is not filtered by /ip firewall filter,
# so limit these lists to the management path or set them to "none".
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

The services bind to 0.0.0.0 - meaning any IP address locally on the device (sans IP’s in different VRF - which is annoying but totally separate issue)

Your problem here appears to be two-fold - in the current export you’ve provided, you only have 2 IP addresses:

/ip address
add address=192.168.2.99/16 interface=ether2-master network=192.168.0.0
add address=10.10.90.99 interface=bridge network=10.10.90.99

So all services will be listening on those IPs (and yikes, a /16 broadcast domain is not good)

then you have:

/ip firewall filter
add action=drop chain=input in-interface-list=!LAN

This says drop any packets to the input chain (which would cover management services) if the interface is not in the interface-list LAN

/interface list member
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=bridge list=LAN

So to access management on a new interface (VLAN on a bridge for instance)

  • Create VLAN interface


  • Add VLAN interface to LAN list


  • Add IP to VLAN interface


  • Connect a client to VLAN


  • Access Mikrotik Router

There are multiple other ways to do it, such as reconfiguring the firewall rules or your interface hierarchy but the steps above are probably the quickest solution to what you already have configured.

  • vlan90 is not a member of interface list LAN, so chain input of /ip firewall filter drops incoming traffic from it
  • on the row of /interface bridge vlan for vlan-ids=90, bridge is not on the tagged list, so frames tagged with VID 90 are not allowed to egress through the virtual port of the virtual switch (have a look here for details).

Yeah! It’s working :slight_smile:
What was missing at last was the vlan-Interface in the lan-list (so the firewall blocked it).
Thanks a lot!

I just did it without connecting the vlan90-interface to the bridge. It is working, but is it the right way? As there is no other interface connected to the vlan I thought a bridge would not be necessary, but it might be the “wrong way”. If that’s the way I’d try to change it like @sindy said.

Thanks!

# sep/20/2021 07:48:57 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
# NOTE(review): software id, serial number and MAC addresses are still in this export;
# redact before posting.
/interface bridge
# vlan-filtering=yes keeps the /interface bridge vlan table authoritative for every port.
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no fast-forward=no name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# wlan1 client frames are tagged VID 10 on entry to the bridge.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
# NOTE(review): wlan2 is still untagged, so its clients land on PVID 1 -- the VLAN
# the original post says should be retired. Confirm this is intended.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan60 vlan-id=60
# NOTE(review): vlan90 now hangs directly off ether2-master, which is also a bridge
# port (see /interface bridge port). RouterOS accepts this, but the reply below notes
# the documentation prohibits it; the supported form is interface=bridge with "bridge"
# in the tagged list for VID 90.
add interface=ether2-master name=vlan90 vlan-id=90
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# LAN is the only list the input chain trusts (see the last /ip firewall filter rule).
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
# Guest SSID: frames tagged VID 60, client-to-client forwarding disabled.
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8F \
    master-interface=wlan1 name=GuestWLAN security-profile=Profil_Gast ssid=\
    Forrest vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=\
    disabled
/snmp community
# NOTE(review): default community reachable from any source address; SNMP is not
# enabled in this export, but restrict addresses= to the management subnet before it is.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# ether2-master is a bridge port; the vlan90 interface above is stacked directly on it.
add bridge=bridge interface=ether2-master
add bridge=bridge hw=no interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=GuestWLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge tagged=GuestWLAN,ether2-master vlan-ids=60
# vlan90 is not a bridge port, so listing it as a tagged member has no effect; "bridge"
# is still not tagged for VID 90, so management only works because vlan90 bypasses
# the bridge via ether2-master.
add bridge=bridge tagged=ether2-master,vlan90 vlan-ids=90
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
# MAC-WinBox is permitted from every bridge port (see /tool mac-server mac-winbox).
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
# This entry names no list= and is inert.
add interface=ether1
# "bridge" in LAN still trusts untagged (PVID 1) traffic from every bridge port.
add interface=bridge list=LAN
# vlan90 in LAN is what lets the input chain accept management traffic (fix from the replies).
add interface=vlan90 list=LAN
/ip address
# Proper /24 on the management interface (the earlier /32 on "bridge" is gone).
add address=10.10.90.99/24 interface=vlan90 network=10.10.90.0
/ip dns
# NOTE(review): allow-remote-requests=yes -- the router still answers DNS for any
# LAN-list source; 192.168.2.26 is now reached via the 10.10.90.1 default route.
set allow-remote-requests=yes servers=192.168.2.26
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Input chain: ICMP accepted from every interface, no "drop invalid" for input, and
# every management service reachable from any LAN-list address after the last rule.
# "/ip service set <svc> address=<mgmt-subnet>" narrows each service independently.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip route
# Default route via the management VLAN gateway.
add distance=1 gateway=10.10.90.1
/ip service
# telnet and ftp are now off. www (80) and api are not listed and keep their defaults --
# verify with "/ip service print". www-ssl still has no certificate= assigned.
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip smb shares
# Default /pub share; whether SMB itself is enabled is not visible in this export.
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): allow-none-crypto=yes permits an unencrypted ("none" cipher) SSH
# session; forwarding-enabled=remote permits remote port forwards through the router.
# Prefer allow-none-crypto=no, forwarding-enabled=no and strong-crypto=yes.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# NOTE(review): scheduler policy includes password, sensitive, policy, reboot and sniff
# while the triggered scripts declare only read,write -- trim to match.
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
# Nightly radio off/on for wlan1 only (wlan2 lines are commented out inside the scripts).
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
# MAC-telnet on wlan2 (mactel) and MAC-WinBox on every bridge port (mac-winbox = bridge);
# MAC-level access is not filtered by /ip firewall filter -- limit to the management
# path or set the lists to "none".
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

edit: cleaned the config a little

The documentation explicitly prohibits attaching an /interface vlan to an underlying interface which is also a member port of a bridge. There are a few other similar cases where RouterOS accepts such an incorrect setting and it even works most of the time, but some weird effects occur in some packet flow scenarios.

As mentioned in your other thread, your L2 (bridge and VLAN) setup is wrong. While it might work for you, it’s bound to create problems sooner or later. So it’s up to you to either invest some time to study ROS (yes, learning curve is very steep from beginning) and do it right (we’ll help you learning it) or you can leave things as they are and pray nothing goes wrong.

This is a really good guide to vlans
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hey, I hope i got it now :slight_smile:

I used the examples of the linked thread. I did not understand that the bridge itself can be part of the vlan-tagging. I really hope this is it :slight_smile:

# sep/20/2021 20:12:35 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
# NOTE(review): software id, serial number and MAC addresses are still in this export;
# redact before posting.
/interface bridge
# NOTE(review): vlan-filtering=yes, present in both earlier exports, is missing here.
# Without it the /interface bridge vlan table below is not enforced: tagged and untagged
# frames pass every port, so the VLAN separation this thread is building is not active.
# Re-add vlan-filtering=yes (after the tagged rows below are in place) unless dropping
# it was deliberate.
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# wlan1 client frames are tagged VID 10 on entry to the bridge.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
# NOTE(review): wlan2 is still untagged and lands on PVID 1 -- the VLAN the original
# post says should be retired. Confirm this is intended.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan60 vlan-id=60
# vlan90 now sits on the bridge (the supported form suggested in the replies).
add interface=bridge name=vlan90 vlan-id=90
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# LAN is the only list the input chain trusts (see the last /ip firewall filter rule).
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
# Guest SSID: frames tagged VID 60, client-to-client forwarding disabled.
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8F \
    master-interface=wlan1 name=GuestWLAN security-profile=Profil_Gast ssid=\
    Forrest vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=\
    disabled
/snmp community
# NOTE(review): default community reachable from any source address; SNMP is not
# enabled in this export, but restrict addresses= to the management subnet before it is.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# NOTE(review): ether2-master is the trunk but still admits untagged frames (default
# frame-types). Once vlan-filtering is on, frame-types=admit-only-vlan-tagged and
# ingress-filtering=yes on this port enforce the "PVID 1 not used" goal from the post.
add bridge=bridge interface=ether2-master
add bridge=bridge hw=no interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=GuestWLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge tagged=GuestWLAN,ether2-master vlan-ids=60
# "bridge" (the CPU-facing port) is now tagged for VID 90, so the router's own vlan90
# interface receives tagged-90 frames -- this row only takes effect with vlan-filtering=yes.
add bridge=bridge tagged=bridge,ether2-master vlan-ids=90
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
# MAC-WinBox is permitted from every bridge port (see /tool mac-server mac-winbox).
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
# This entry names no list= and is inert.
add interface=ether1
# "bridge" in LAN still trusts untagged (PVID 1) traffic from every bridge port.
add interface=bridge list=LAN
# vlan90 in LAN lets the input chain accept management traffic from the management VLAN.
add interface=vlan90 list=LAN
/ip address
# Management address on the vlan90 interface with a proper /24.
add address=10.10.90.99/24 interface=vlan90 network=10.10.90.0
/ip dns
# NOTE(review): allow-remote-requests=yes -- the router still answers DNS for any
# LAN-list source; with DNS served by opnsense this could be "no".
set allow-remote-requests=yes servers=192.168.2.26
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Input chain: ICMP accepted from every interface, no "drop invalid" for input, and
# every management service reachable from any LAN-list address after the last rule.
# "/ip service set <svc> address=<mgmt-subnet>" narrows each service independently.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip route
# Default route via the management VLAN gateway.
add distance=1 gateway=10.10.90.1
/ip service
# telnet and ftp are off. www (80) and api are not listed and keep their defaults --
# verify with "/ip service print". www-ssl still has no certificate= assigned.
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip smb shares
# Default /pub share; whether SMB itself is enabled is not visible in this export.
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): allow-none-crypto=yes permits an unencrypted ("none" cipher) SSH
# session; forwarding-enabled=remote permits remote port forwards through the router.
# Prefer allow-none-crypto=no, forwarding-enabled=no and strong-crypto=yes.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# NOTE(review): scheduler policy includes password, sensitive, policy, reboot and sniff
# while the triggered scripts declare only read,write -- trim to match.
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
# Nightly radio off/on for wlan1 only (wlan2 lines are commented out inside the scripts).
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
# MAC-telnet on wlan2 (mactel) and MAC-WinBox on every bridge port (mac-winbox = bridge);
# MAC-level access is not filtered by /ip firewall filter -- limit to the management
# path or set the lists to "none".
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

The “bridge” object in RouterOS actually consists of three distinct components, as I’ve explained in the topic I’ve linked in my previous post. So here, the “bridge itself” you mention is actually the virtual port of the virtual switch.

Don’t use the ethernet interface, but the Bridge instead

add interface=BRIDGE name=vlan90 vlan-id=90

Set as tagged member the Bridge as well NOT the vlan90

add bridge=bridge tagged=BRIDGE,ether2-master vlan-ids=90

I provided the full config on this thread to manage your hapac…
http://forum.mikrotik.com/t/accesspoint-only-with-vlans/151974/1

It also addresses the mess you made on your config post above and simplifies it down to what is required.
That gets you winbox access very easily.

If you want to access the hapac from an external WANIP, then I suggest you vpn into the main router
and then use winbox to access the hapac ( also can come in from smartphone via vpn and MT app).
wireguard works well here…

Not clear what ssh or winconfig are for??

Oh wow… thanks a lot! That is great. I’ll try to implement it this evening.