Could someone check this RB750Gr3 VLAN config

Could someone cast a critical eye over this config and point out any omission or unnecessary inclusions.
The config works as is (wan ether1, ether2 Vlan50, ether3 Vlan100, ether3 and ether4 vlans 150, 200 and 250), but I would like to know if there are errors in my first attempt.

It is based primarily on

https://github.com/hallzhallz/hallzhallz.github.io/tree/master/2020-04-25%20Mikrotik%20hEX%20S
and numerous other posts and websites I've looked at.

Thanks jcbhnz

MikroTik RouterOS 6.49.2 (c) 1999-2021
[admin@MikroTik] > export

feb/11/2022 15:31:40 by RouterOS 6.49.2

software id = UUUR-B38X

model = RB750Gr3

serial number = xxxxxxxxx

/interface bridge
add admin-mac=2C:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=100vlan vlan-id=100
add interface=bridge name=150vlan vlan-id=150
add interface=bridge name=200vlan vlan-id=200
add interface=bridge name=250vlan vlan-id=250
add interface=bridge name=MGNTvlan vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGNTpool ranges=192.168.50.20-192.168.50.29
add name=150pool ranges=192.168.150.20-192.168.150.54
add name=100pool ranges=192.168.100.20-192.168.100.49
add name=200pool ranges=192.168.200.10-192.168.200.34
add name=250pool ranges=192.168.250.20-192.168.250.29
/ip dhcp-server
add address-pool=MGNTpool disabled=no interface=MGNTvlan name=MGNTdhcp
add address-pool=100pool disabled=no interface=100vlan name=100dhcp
add address-pool=200pool disabled=no interface=200vlan name=200dhcp
add address-pool=150pool disabled=no interface=150vlan name=150dhcp
add address-pool=250pool disabled=no interface=250vlan name=250dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=50
add bridge=bridge comment=defconf interface=ether3 pvid=100
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=100
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=150
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=200
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=250
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=MGNTvlan list=LAN
add interface=200vlan list=LAN
add interface=100vlan list=LAN
add interface=100vlan list=VLAN
add interface=150vlan list=LAN
add interface=200vlan list=VLAN
add interface=150vlan list=VLAN
add interface=MGNTvlan list=VLAN
add interface=MGNTvlan list=MGMT
add interface=250vlan list=VLAN
add interface=ether1 list=LAN
/ip address
add address=192.168.50.1/24 interface=MGNTvlan network=192.168.50.0
add address=192.168.100.1/24 interface=100vlan network=192.168.100.0
add address=192.168.200.1/24 interface=200vlan network=192.168.200.0
add address=192.168.150.1/24 interface=150vlan network=192.168.150.0
add address=192.168.250.1/24 interface=250vlan network=192.168.250.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.150.0/24 gateway=192.168.150.1
add address=192.168.200.0/24 gateway=192.168.200.1
add address=192.168.250.0/24 gateway=192.168.250.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.50.1 comment=defconf name=router.lan
add address=192.168.100.1 comment=defconf name=router.lan
add address=192.168.150.1 comment=defconf name=router.lan
add address=192.168.200.1 comment=defconf name=router.lan
add address=192.168.250.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Australia/Sydney
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

I only see two real errors… See points (3+4)

(1) Would modify your bridge ports, assuming no hybrid ports to:
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=50 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether3 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes

(2) You don't need the bridge to be a member of the LAN; you have it covered properly with all the vlans on the bridge.
/interface list member
add comment=defconf interface=bridge list=LAN (can remove this).

(3) Why duplicate your interface lists LAN and VLAN? Pick one! The only reason to make a separate list is if there are two or more VLANs identified on a firewall rule, and thus it's more efficient to identify them. This also leads to errors; here it became clear that you totally missed assigning vlan 250 to the LAN interface list! Attention to detail, like keeping an interface list in order, would have made it easier to spot the missing vlan, but when you jumble numbers out of order it is harder to make sense of it.

(4) The ether1 has already been associated with the WAN correctly, the last entry needs to be deleted.
add interface=ether1 list=LAN

FROM (combining 3+4)
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=MGNTvlan list=LAN
add interface=200vlan list=LAN
add interface=100vlan list=LAN
add interface=100vlan list=VLAN
add interface=150vlan list=LAN
add interface=200vlan list=VLAN
add interface=150vlan list=VLAN
add interface=MGNTvlan list=VLAN
add interface=MGNTvlan list=MGMT
add interface=250vlan list=VLAN
add interface=ether1 list=LAN

TO
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=MGNTvlan list=LAN
add interface=100vlan list=LAN
add interface=150vlan list=LAN
add interface=200vlan list=LAN
add interface=250vlan list=LAN
add interface=MGNTvlan list=MGMT

(5) Why the DNS static settings as you have them? Simply delete all of them; they are not required.

Just ensure your IP DHCP-SERVER NETWORK looks like
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
add address=192.168.150.0/24 gateway=192.168.150.1 dns-server=192.168.150.1
add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1
add address=192.168.250.0/24 gateway=192.168.250.1 dns-server=192.168.250.1

(6) The purpose of neighbour discovery, and even more so of the mac-winbox tool, is to associate with the managed devices.
Thus modify the two rules to reflect MGNTvlan:
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

As for the plain mac-server tool (the preceding rule), that should be set to NONE and not LAN!
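As an added example (not from anyone in this thread), a small Python audit that parses a RouterOS export and flags the three issues anav found above: a VLAN interface missing from the LAN list, an interface in both WAN and LAN, and access ports without ingress filtering and frame-type restriction. The parser and the trimmed sample export are constructed here; run it against `/export` output to check a config before it goes live.

```python
import re

# Constructed sample: a trimmed RouterOS 6.x export with the same mistakes the thread discusses.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=100vlan vlan-id=100
add interface=bridge name=250vlan vlan-id=250
/interface bridge port
add bridge=bridge interface=ether2 pvid=50
add bridge=bridge interface=ether4 ingress-filtering=yes
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=100vlan list=LAN
add interface=250vlan list=VLAN
add interface=ether1 list=LAN
"""

# key=value tokens; quoted values (comments with spaces) are kept whole
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for each add/set line of an export."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def audit(text):
    """Return one finding string per problem; an empty list means the checks pass."""
    cfg, findings = parse_export(text), []
    lists = {}
    for m in cfg.get("/interface list member", []):
        lists.setdefault(m["interface"], set()).add(m["list"])
    # (3) every VLAN interface must be in LAN, or 'drop all not coming from LAN' blocks it
    for v in cfg.get("/interface vlan", []):
        if "LAN" not in lists.get(v["name"], set()):
            findings.append(f"{v['name']} is not a member of LAN")
    # (4) an interface in both WAN and LAN defeats the input-chain LAN-only rule
    for iface, ls in lists.items():
        if {"WAN", "LAN"} <= ls:
            findings.append(f"{iface} is in both WAN and LAN")
    # (1) access ports (pvid set) should refuse tagged frames and filter ingress
    for p in cfg.get("/interface bridge port", []):
        if "pvid" in p and (p.get("ingress-filtering") != "yes"
                            or p.get("frame-types") != "admit-only-untagged-and-priority-tagged"):
            findings.append(f"{p['interface']} access port lacks ingress-filtering/frame-types")
    return findings
```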

Thanks for your reply anav,

Will make the changes you suggest. I didn't even notice the "totally missed assigning vlan 250 to the LAN interface" error, despite reading over it numerous times.

The other mistakes I, being a complete novice, would have never picked up on, hence my post asking for a “critical eye”.

Thanks again
jcbhnz

Other helpful links.
https://forum.mikrotik.com/viewtopic.php?t=182373

Anav,
Made changes as you outlined but couldn't get the internet connection working if I included

/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
etc.

so just used

/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
and so on.

Does that matter?
Thanks
jcbhnz

Please post latest config after your changes.

Here's the config I'm currently using.

MikroTik RouterOS 6.49.2 (c) 1999-2021 http://www.mikrotik.com/

[admin@MikroTik] > export

jan/02/1970 10:08:09 by RouterOS 6.49.2

software id = Uxxxxxx

model = RB750Gr3

serial number = Cxxxxxxxxxx

/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=100vlan vlan-id=100
add interface=bridge name=150vlan vlan-id=150
add interface=bridge name=200vlan vlan-id=200
add interface=bridge name=250vlan vlan-id=250
add interface=bridge name=MGNTvlan vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGNTpool ranges=192.168.50.20-192.168.50.29
add name=150pool ranges=192.168.150.20-192.168.150.54
add name=100pool ranges=192.168.100.20-192.168.100.49
add name=200pool ranges=192.168.200.10-192.168.200.34
add name=250pool ranges=192.168.250.20-192.168.250.29
/ip dhcp-server
add address-pool=MGNTpool disabled=no interface=MGNTvlan name=MGNTdhcp
add address-pool=100pool disabled=no interface=100vlan name=100dhcp
add address-pool=200pool disabled=no interface=200vlan name=200dhcp
add address-pool=150pool disabled=no interface=150vlan name=150dhcp
add address-pool=250pool disabled=no interface=250vlan name=250dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=50
add bridge=bridge comment=defconf interface=ether3 pvid=100
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=100
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=150
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=200
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=250
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=MGNTvlan list=LAN
add interface=100vlan list=LAN
add interface=150vlan list=LAN
add interface=200vlan list=LAN
add interface=250vlan list=LAN
add interface=MGNTvlan list=MGMT
/ip address
add address=192.168.50.1/24 interface=MGNTvlan network=192.168.50.0
add address=192.168.100.1/24 interface=100vlan network=192.168.100.0
add address=192.168.200.1/24 interface=200vlan network=192.168.200.0
add address=192.168.150.1/24 interface=150vlan network=192.168.150.0
add address=192.168.250.1/24 interface=250vlan network=192.168.250.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.150.0/24 gateway=192.168.150.1
add address=192.168.200.0/24 gateway=192.168.200.1
add address=192.168.250.0/24 gateway=192.168.250.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Australia/Sydney
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

Can you confirm you have a public IP address (dynamic) and not a static public IP or a private IP?
Also confirm what you have selected in IP DHCP client for ADD DEFAULT ROUTE: Yes or No?

Also, what are ether4 and ether5 connected to (make, model etc.)?

At present a private IP, but when I get all the equipment configured properly it will have a public IP address (dynamic).

IP DHCP client FOR ADD DEFAULT ROUTE is set to “Yes”

Eventually ethers 4 and 5 will be connected to SXTsq5ac units, sending the vlans to a couple of SXTsq5ac.

One SXTsq5ac will connect straight into a mANTBox with 3 SSIDs, each using either 200vlan or 250vlan.

A second SXTsq5ac will connect to another RB750Gr3, which in turn will connect to another mANTBox (3 SSIDs, each using either 200vlan or 250vlan).
The third vlan (150vlan) will connect to a router/switch inside for plug in connections.

My eventual aim is to have control on the first RB750Gr3 of all the DHCP servers and more importantly bandwidth control on the vlans at varying levels.
If you have any suggestions about how to achieve this differently (better) please let me know.

Thanks
jcbhnz