Can't find VLAN device

A few days ago I bought a MikroTik hAP ac3 router (RBD53IG-5HACD2HND). https://mikrotik.com/product/hap_ac3

I want to have 2 separate networks:

  1. main wifi (PC, phone)
  2. IoT wifi (wifi speaker etc)

I followed this tutorial and created a vlan for IoT:
https://youtu.be/1ZJ-pM89N7o?t=421

The problem:
I want to play Spotify from my phone (main wifi) and select the wifi speaker in the phone app, but… the speaker is on the IoT wifi so I can't find it :smiley:
If I connect the phone to the IoT wifi, then I can find and select the speaker.

Is it possible to find the speaker from the main wifi with this router?

I would be grateful for any advice.

/export hide-sensitive file=anynameyouwish

Post it here and we can have a look.
The best guide for VLANs is here:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I think the best possible scenario is to have 3 separate wifis (please correct me if I'm wrong):

  1. main wifi - PC, phone
     • should be possible to "find" speakers or chromecast or raspberry from "IoT wifi"
  2. IoT wifi - speakers, chromecast, raspberry:
     • allowed connection to the internet
     • shouldn't be able to see devices from main wifi (one directional)
     • should be able to find devices from "untrusted IoT devices"
  3. untrusted IoT devices - bulbs, kettle, fridge etc:
     • disabled connection to the internet
     • only local network (disable outgoing traffic)

The main goal is to be secure in the world of IoT :slight_smile:
Can I do this with my router?

If you are worried about security, why do you not have any firewall rules?
Read the link please.
(hint: only one bridge required)

Ok so I used this RouterSwitchAP.rsc from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I'm very happy to see that I can select the speaker from another network. :sunglasses: :sunglasses: :sunglasses: :sunglasses: :sunglasses: :sunglasses: :sunglasses: :sunglasses: :sunglasses:

I used the original names from RouterSwitchAP.rsc, so in my case:

  • main wifi (pc, phone) - BLUE [can find a wifi speaker from another wifi - it's ok] - DONE (btw I disabled 2 firewall rules from the original post to make it work, maybe I shouldn't have?)
  • IoT wifi - GREEN [shouldn't see main wifi devices] - TODO
  • untrusted IoT - RED [disable connection with the internet - work only on the local network, shouldn't see devices from GREEN and BLUE] - TODO
  • personal stuff (laptop) - BLACK [totally isolated, doesn't see other devices, invisible to other devices] - TODO

Could you help me set the firewall rules? And check my .rsc to see if there are some insecure settings?

Sure, read below, but don't make changes until you read this part ************ first.

(1) ONE BRIDGE
(2) ALL 5 VLANS should have their interface as the bridge (not a WLAN)
(3) DHCP: the first entry should have BASE VLAN, not the bridge, as the interface…
(4) Same for the IP address entry: not the bridge but BASE VLAN
NOTE: BaseVLAN is your most trusted subnet; in my case at home it is my HOMELAN (I don't have a separate base vlan)
NOTE: ALL smart devices attached to the router are trunked over the ports and will carry at least the base vlan, and the device will get an IP on the base vlan subnet.

(5) Very confusing…
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
(this one needs to be removed eventually, unless you need a sixth vlan ???)
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0

Made confusing because, check out your IP pools: you have one for the bridge but not for BASE.

What the heck is the purpose of this bridge address? Bridges don't need addresses and they don't need to be giving out DHCP.
Suggesting, as per the link example, that their purpose is strictly as a bridge ***********

(6) Change your interface list member called VLAN back to LAN. Only create interface lists (two or more interfaces) for a purpose, the exception being the base or management list member for control purposes. For example, if you had 10 vlans, 8 with internet and 2 without, I would create an interface list called VLANwINT.
ONE vlan can always be described by a subnet address, and thus interface lists are, in general, for groups of subnets.
The reason to change back to LAN is that many of the associated router rules use LAN as a default; it's easier to keep it all the same.

(7) Set IP neighbor discovery only to the BASE (trusted) interface list.
/ip neighbor discovery-settings
set discover-interface-list=LAN          (change LAN to BASE)

(8) Ensure the mac server is set to none, and the mac winbox server is set to BASE.
/tool mac-server
set allowed-interface-list=LAN           (change LAN to none)
/tool mac-server mac-winbox
set allowed-interface-list=LAN           (change LAN to BASE)

(9) Interface list members:
remove the bridge,
change all vlans back to LAN (and keep the extra one for BASE).

(10) Only one masquerade (source NAT) rule is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
Remove the second one.

(11) Bridge ports
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2          (MISSING PVID ???)
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3          (MISSING PVID ???)
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4          (MISSING PVID ???)
add bridge=bridge comment=defconf interface=ether5  (to be removed temporarily, see below ***********)
add bridge=bridge comment=defconf interface=wlan1   (missing PVID)
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge interface=wlan3_base pvid=99
add bridge=bridge interface=wlan4_green pvid=20
add bridge=bridge interface=wlan5_red pvid=30
add bridge=bridge interface=wlan6_black pvid=40

(12) Bridge vlans
I note you have none, but not to worry. The router creates bridge vlan entries automatically/dynamically when traffic flows through them for all ACCESS PORTS (bridge port settings with a pvid), i.e. all ports going to dumb devices.
Thus if none of the ports are connected to a smart managed switch or a separate AP that can read vlans, none is necessary.

I would put one in manually so the bridge vlan settings show all the time, but it is not required; a config export won't show them if they are not in use at the moment, and I like to double check my settings between the two.

(13) The firewall rules you have are OKAY for now (but not long term), and we won't touch them until the rest of the config is peachy. Otherwise one could easily step on oneself trying to do too much.



************ BEFORE making any changes, I recommend you configure the router outside of the bridge, as if there are hiccups you are less likely to get locked out.

Take, let's say, ether5 and rename it to ether5-access.
Remove ether5 from the bridge.
Give it an IP address of 192.168.5.2, network 192.168.5.0.
Add it to the interface list member of BASE.

Now plug your desktop/laptop into ethernet port 5 and set an IPv4 address on the PC of, let's say, 192.168.5.5, gateway 192.168.5.1, netmask 255.255.255.0,
and then you should be able to access winbox, but not from on the bridge.

THEN start to make the other changes above.
The last thing you need to do is enable vlan-filtering=yes on the bridge itself!
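The thirteen-point checklist and the out-of-band management step above, written out as one RouterOS script. This is an added example for this thread, not the poster's export and not the forum guide's RouterSwitchAP.rsc. It assumes a router reset without default configuration, ether1 as the WAN uplink, the virtual AP names from the poster's export (wlan3_base, wlan4_green, wlan5_red, wlan6_black), VLAN IDs 99/20/30/40 and the 192.168.x.0/24 subnets chosen for illustration. The management port is configured first, and the router takes 192.168.5.1 on it so that the PC gateway given in the post (192.168.5.1) actually points at the router. The bridge itself gets no address and no DHCP server, and vlan-filtering is switched on as the very last command. Firewall filter rules are deliberately left out, as the post says they come after the VLAN plumbing works.

```routeros
# Added example script for the hAP ac3 thread; all names, VLAN IDs and subnets are assumptions.

# --- out-of-band management port: NOT a bridge port, its own subnet, reachable before anything else ---
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/ip address
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
# PC on ether5: fixed 192.168.5.5/24, gateway 192.168.5.1 -> winbox to 192.168.5.1

# --- (1) one bridge; vlan-filtering stays off until the very end ---
/interface bridge
add name=bridge vlan-filtering=no

# --- (2) every VLAN interface sits on the bridge, never on a wlan or ether port ---
/interface vlan
add interface=bridge name=BASE_VLAN  vlan-id=99
add interface=bridge name=GREEN_VLAN vlan-id=20
add interface=bridge name=RED_VLAN   vlan-id=30
add interface=bridge name=BLACK_VLAN vlan-id=40

# --- (6)(9) interface lists: LAN = all VLANs (what the default rules match), BASE = management only ---
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=LAN
add interface=GREEN_VLAN list=LAN
add interface=RED_VLAN list=LAN
add interface=BLACK_VLAN list=LAN
add interface=BASE_VLAN list=BASE
add interface=ether5-access list=BASE

# --- (3)(4)(5) addresses and DHCP live on the VLAN interfaces; the bridge gets neither ---
/ip address
add address=192.168.99.1/24 interface=BASE_VLAN  network=192.168.99.0
add address=192.168.20.1/24 interface=GREEN_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=RED_VLAN   network=192.168.30.0
add address=192.168.40.1/24 interface=BLACK_VLAN network=192.168.40.0
/ip pool
add name=pool-base  ranges=192.168.99.10-192.168.99.200
add name=pool-green ranges=192.168.20.10-192.168.20.200
add name=pool-red   ranges=192.168.30.10-192.168.30.200
add name=pool-black ranges=192.168.40.10-192.168.40.200
/ip dhcp-server
add address-pool=pool-base  interface=BASE_VLAN  name=dhcp-base
add address-pool=pool-green interface=GREEN_VLAN name=dhcp-green
add address-pool=pool-red   interface=RED_VLAN   name=dhcp-red
add address-pool=pool-black interface=BLACK_VLAN name=dhcp-black
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1

# --- (11) access ports: pvid tags untagged frames on ingress, ingress-filtering drops frames carrying a foreign tag ---
/interface bridge port
add bridge=bridge interface=ether2      pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether3      pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4      pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan3_base  pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan4_green pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan5_red   pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan6_black pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# --- (12) bridge vlan table written out explicitly so the export always shows it; tagged=bridge is the CPU uplink ---
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,wlan3_base  vlan-ids=99
add bridge=bridge tagged=bridge untagged=ether3,wlan4_green vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4,wlan5_red   vlan-ids=30
add bridge=bridge tagged=bridge untagged=wlan6_black        vlan-ids=40

# --- (7)(8) layer-2 management exposure limited to the trusted list ---
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

# --- (10) a single source NAT rule ---
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

# --- last step: enable filtering only after the vlan table above exists ---
/interface bridge
set bridge vlan-filtering=yes
```

With this layout a client on wlan4_green is tagged 20 at the port, reaches the CPU via the tagged bridge uplink and lands on GREEN_VLAN's subnet; a frame arriving on ether2 with someone else's 802.1Q tag is dropped by ingress-filtering before it can hop VLANs. Because ether5-access is outside the bridge, a mistake in the bridge vlan table cannot lock you out of winbox.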

I probably missed something here. I plugged ether5 into the desktop but can't log in via winbox.
Just to be sure - should I type 192.168.5.2 in winbox?



What should I type in these MISSING PVIDs?

The steps are: enter winbox,
change the name of ether5 to ether5-access,
then go to IP > Addresses and assign the IP address 192.168.5.2 with network 192.168.5.0 to ether5-access,
ensure ether5-access is an interface list member of BASE,
then plug your desktop/laptop into ether5 on the router and in the PC's IPv4 settings set a fixed IP of 192.168.5.5 with gateway 192.168.5.1, netmask 255.255.255.0.
Then start winbox and log in as you do normally. (By the way, I never use the IP address, just the MAC address, to identify the device for logging in; it is easier for me as I always change the default winbox port, and when identifying by MAC I don't have to remember it or enter it.)

Looks like I did the steps, however I can connect to winbox only over wifi by MAC address. The connection via ethernet5 doesn't work. :mrgreen:

Who told you to assign vlan 99 to ether5 ???
/interface vlan
add interface=ether5-access name=BASE_VLAN vlan-id=99

All vlans should be assigned to the bridge…

Why is the BASE VLAN not also a member of the interface list BASE ??

It's like you dropped the idea of a base vlan 99???
If that is the case, whatever your trusted VLAN is… red, blue, black etc… should also be a BASE interface list member.

Your firewall rules have turned into a mess…

Lots of duplicate crap, more easily seen when one KEEPS CHAINS TOGETHER; order within a chain is also important.
Just remove the stuff in orange below and keep the rest.
Once we have a working config with vlans we will focus on adjusting the firewall rules further.


/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop disabled=yes

add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop disabled=yes
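The requirement list from earlier in the thread (main may find the IoT devices, IoT must not be able to initiate toward main, untrusted IoT gets no internet, the laptop VLAN is isolated) and the firewall cleanup above, as one ruleset. This is an added example, not the poster's rules and not the guide's script. It assumes the interface names used in the thread (BASE_VLAN for the trusted PC/phone network, GREEN_VLAN for IoT, RED_VLAN for untrusted IoT, BLACK_VLAN for the laptop) and interface lists LAN (all four VLANs), BASE (BASE_VLAN plus ether5-access) and WAN; that the laptop VLAN still wants internet is an assumption. Each chain is kept together, in order, with an explicit final drop, so nothing relies on a disabled rule or on a catch-all like the "Allow VLAN" input rule above, which accepts every packet from every VLAN to the router itself.

```routeros
# Added example ruleset for the hAP ac3 thread; interface and list names are assumptions.
/ip firewall filter

# ---- input chain: what may talk to the router itself ----
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop   connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=BASE comment="trusted list only: winbox, ssh, web"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for every vlan"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS for every vlan"
add chain=input action=drop comment="everything else: WAN, and management from GREEN/RED/BLACK"

# ---- forward chain: what may cross between subnets ----
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop   connection-state=invalid comment="drop invalid"
# one-directional: main opens connections to IoT; IoT only ever answers (matched above as established/related)
add chain=forward action=accept in-interface=BASE_VLAN  out-interface=GREEN_VLAN comment="main -> IoT (spotify / cast control)"
add chain=forward action=accept in-interface=GREEN_VLAN out-interface=RED_VLAN   comment="IoT -> untrusted IoT"
# internet: RED deliberately has no rule to WAN, so bulbs/kettle/fridge stay local only
add chain=forward action=accept in-interface=BASE_VLAN  out-interface-list=WAN comment="internet: main"
add chain=forward action=accept in-interface=GREEN_VLAN out-interface-list=WAN comment="internet: IoT"
add chain=forward action=accept in-interface=BLACK_VLAN out-interface-list=WAN comment="internet: laptop (assumed wanted)"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="only dst-nat'ed traffic from WAN"
add chain=forward action=drop comment="default deny: IoT->main, RED->WAN, BLACK<->any vlan, WAN->inside"
```

Two checks worth doing after loading this: from the phone on BASE_VLAN, `/tool fetch` or a browser to the speaker's address on GREEN_VLAN should work, while a device on GREEN_VLAN must fail to reach anything on the BASE subnet and a device on RED_VLAN must fail to reach 8.8.8.8. Note that discovery itself (Spotify Connect, Chromecast) is mDNS multicast, which is link-local and is not routed between VLANs; these rules permit the unicast session once the phone knows the speaker's address, not the discovery. RouterOS 7.16 and later include an mDNS repeater under /ip dns (mdns-repeat-ifaces); check the release notes for the version on your router before relying on it.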

It wasn't intentional :smiley:

Good news! I can connect via ethernet5 by IP (MAC not working yet, but I'm happy to be able to log in) :slight_smile:
To make this work I had to disable one more firewall rule:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

It's not a big deal, but I don't have an internet connection now on eth5 or on any wifi :mrgreen: :mrgreen: :mrgreen:

From my perspective, access to winbox could even be offline only, through eth5. Is that a good idea?
If yes, should I do the 3 steps below from your previous reply, or aren't they needed?

(3) DHCP first entry should be BASE VLAN not the bridge for interface…
(4) Same same for IP Address entry not the bridge but BASE VLAN
(5) add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0

And one more question:

(11) Bridge ports

What should I type in these MISSING PVIDs?

Router configuration in my hands is like letting a child steering a spaceship but I really really appreciate your help!

Hey JF,
No worries, lets get the config working and then lets work on your understanding of the config…

I am confused: why are you using the ethernet address for ethernet5 in a VLAN?
Again, never requested.

Send me an email at the address attached to my signature, as I would prefer to skype chat or talk this out, in order to save time.
You keep doing things that are not asked for, which means you are not quite sure of what you need for your own network.
If you are not clear on requirements, it's not the time to even put down a config.