First-time setup (almost) complete — sanity check please?

Hi all,

I have just ‘migrated’ to Mikrotik from my Edgerouter. I am really enjoying the Mikrotik so far after spending my weekend learning how to essentially ‘mirror’ my configuration, but I do have some questions as I did run into a couple of issues, specifically with VLANs and firewall rules.

Setup is/should be as follows:
main LAN - 192.168.1.1/24 - default VLAN / VLAN ID 1
Secondary LAN - 192.168.3.1/24 - VLAN ID 3
Guest/home LAN - 192.168.110.1/24 - VLAN ID 100

eth2-4 are bridged; eth5 has a PVID of 3 because I want the device connected to this port to be part of VLAN 3.

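# RouterOS export posted by the OP. admin-mac and the PPPoE user were redacted by the poster.
# Layout: one VLAN-filtering bridge (bridge-1-5); the main LAN uses the bridge's own untagged side
# (PVID 1), while VLAN 3 and VLAN 100 are routed through /interface vlan sub-interfaces on the bridge.
# Forum bold markers ([b]/[/b]) that were pasted into the listing are replaced by comments.
/interface bridge
add admin-mac=48:A9:8A* auto-mac=no comment=defconf name=bridge-1-5 vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MikroTik-662BC5 \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MikroTik-662BC6 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=\
    ***
/interface vlan
add comment=pi interface=bridge-1-5 name=vlan-3 vlan-id=3
add comment=home interface=bridge-1-5 name=vlan-100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.110.2-192.168.110.254
/ip dhcp-server
# The main-LAN DHCP server is bound to the bridge itself; the replies in this thread recommend
# moving the main LAN (DHCP server and IP address) to its own VLAN interface instead.
add address-pool=dhcp interface=bridge-1-5 lease-time=10m name=dhcp-.1.
add address-pool=dhcp_pool1 interface=vlan-3 name=dhcp-.3.
add address-pool=dhcp_pool2 interface=vlan-100 name=dhcp-.110.
/interface bridge port
add bridge=bridge-1-5 comment=defconf interface=ether2
add bridge=bridge-1-5 comment=defconf interface=ether3
add bridge=bridge-1-5 comment=defconf interface=ether4
# ether5 is an access port for VLAN 3 (untagged frames get VLAN 3). No frame-types/ingress-filtering
# is set on any port here, so tagged frames are still admitted on the access ports.
add bridge=bridge-1-5 comment=defconf interface=ether5 pvid=3
add bridge=bridge-1-5 comment=defconf disabled=yes interface=wifi1
add bridge=bridge-1-5 comment=defconf disabled=yes interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled globally, so the /ipv6 firewall sections further down are currently inert.
set disable-ipv6=yes
/interface bridge vlan
# (the two entries below were highlighted in bold by the poster)
# VLAN 100 is tagged on ether2 (trunk to the switch) and on the bridge (CPU side); VLAN 3 is tagged
# on the bridge and untagged on ether5 to match that port's pvid.
add bridge=bridge-1-5 tagged=ether2,bridge-1-5 vlan-ids=100
add bridge=bridge-1-5 tagged=bridge-1-5 untagged=ether5 vlan-ids=3
/interface list member
# Only the bridge is a LAN member; vlan-3 and vlan-100 are not, so the input-chain "!LAN" drop
# below also keeps those VLANs away from the router's own services (the poster's rule comment says so).
add comment=defconf interface=bridge-1-5 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=my-net interface=bridge-1-5 network=192.168.1.0
add address=192.168.3.1/24 comment=pi-net interface=vlan-3 network=192.168.3.0
add address=192.168.110.1/24 comment=home-net interface=vlan-100 network=192.168.110.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
# Main-LAN clients are told to use 192.168.3.11 (a host on VLAN 3) for DNS, which relies on
# LAN -> VLAN 3 forwarding staying open. The VLANs get public resolvers because the input chain
# does not let them query the router.
add address=192.168.1.0/24 comment=defconf dns-server=192.168.3.11 gateway=192.168.1.1 netmask=24
add address=192.168.3.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.110.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.110.1
/ip dns
# The resolver answers remote requests; only the input-chain "!LAN" drop below keeps it from
# being an open resolver towards WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# --- input chain (traffic to the router itself): stock defconf ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment=\
    "defconf: drop all not coming from LAN (interface list). this drops VLANS automatically from accessing router" \
    in-interface-list=!LAN
# --- forward chain (traffic routed between interfaces) ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
# (the two drop rules below were highlighted in bold by the poster)
# They sit ABOVE the "accept established,related,untracked" rule and match any connection state
# (connection-state=""), so reply packets from VLAN 100 hosts to connections opened from
# 192.168.1.0/24 are dropped as well - hence "blocks all traffic from both sides". The thread
# later fixes this by moving the established/related accept above these drops.
add action=drop chain=forward comment="Drop Internal - VLAN100 to LAN" connection-state="" dst-address=192.168.1.0/24 \
    src-address=192.168.110.0/24
add action=drop chain=forward comment="Drop Internal - VLAN100 to VLAN3" connection-state="" dst-address=\
    192.168.3.0/24 src-address=192.168.110.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Last rule: the forward chain has no final drop, so anything not matched above (including every
# other VLAN-to-VLAN direction, e.g. VLAN 3 -> LAN) is accepted by default.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Port forwards to the WireGuard host. WireGuard itself only speaks UDP, so unless something on
# 192.168.1.96 really listens on TCP/51822 the TCP forward just exposes an extra port - confirm,
# and remove it if unused.
add action=dst-nat chain=dstnat comment="port fwd to WG server tcp" dst-port=51822 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.96 to-ports=51822
add action=dst-nat chain=dstnat comment="port fwd to WG server udp" dst-port=51822 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.96 to-ports=51822
/ip service
# Only telnet and ftp are disabled here; the other services are not shown in this export and
# presumably keep their defaults, reachable from LAN-list interfaces only thanks to the input chain.
set telnet disabled=yes
set ftp disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet is disabled on every interface; MAC-Winbox is limited to LAN-list interfaces.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN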

So, I have hopefully made it so that anything plugged into eth5 will be assigned to VLAN 3, and eth2 is looking for tagged packets and assigning devices to VLAN 100 accordingly. From my testing this is working fine; hopefully the configuration is a correct/acceptable method of achieving what I require.

What I am stuck on is firewall rules. I want to make it so that the default LAN/VLAN 1 can access VLAN 100, but VLAN 100 should not be able to access VLAN 1.

As an example, VLAN 100 has an IP phone with the IP address 192.168.110.100. I would like to access the web UI of 192.168.110.100 from VLAN 1, but I don't want a device on VLAN 100 to be able to see or communicate with my server on VLAN 1. You can see that I have a firewall rule in place blocking src 192.168.110.1/24 to dst 192.168.1.1/24, but this blocks all traffic from both sides.

Is anyone able to help with a firewall rule that would make this possible?

Thank you!

While you have the chance: use VLAN IDs above 1 (also for the home/corporate/whatever network).

In regards to your question:
On the forward chain, make all allowed traffic explicit (by adding accept filter rules) and end the forward chain with a drop-all rule. Do the same for the input chain (making sure that access to the MikroTik itself is still handled correctly).

Have you seen this topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

(1) Don't use VLAN ID 1 for data VLANs, and once you start using VLANs use the bridge only for bridging — not for DHCP etc.

# Reply's suggestion: give the main LAN its own tagged VLAN (11) instead of riding the bridge's
# PVID 1, and bind the DHCP server and the IP address to that VLAN interface rather than to the
# bridge itself. Pool "dhcp" and the 192.168.1.0/24 addressing are kept from the OP's config.
/interface vlan
add interface=bridge-1-5 name=vlan-11 vlan-id=11
/ip dhcp-server
add address-pool=dhcp interface=vlan-11 lease-time=10m name=dhcp-.1.
/ip address
add address=192.168.1.1/24 comment=my-net interface=vlan-11 network=192.168.1.0

(2) Interface list members should be:
/interface list member
# All three VLAN interfaces become LAN members; the bridge itself is no longer listed. Because the
# input chain proposed in the same reply only grants full router access to Admin-list hosts and
# DNS to everyone else, putting the guest VLAN (vlan-100) in LAN does not by itself expose the
# router's management services to guest devices.
add interface=vlan-11 list=LAN
add interface=vlan-3 list=LAN
add interface=vlan-100 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

(3) Firewall rules in the forward chain…

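# Reply's proposed firewall. admin1-IP / admin2-IP / admin3-IP are the poster's placeholders for the
# real admin host addresses. The forum had converted the quotes to curly quotes and split two rules
# across lines; straight quotes and single-line rules are restored so the block imports as-is.
/ip firewall address-list
# Admin list entries are matched by SOURCE IP in the input chain, so those hosts need fixed
# addresses (static DHCP leases or static IPs) or the match silently stops applying.
add address=admin1-IP list=Admin comment="admin desktop"
add address=admin2-IP list=Admin comment="admin laptop"
add address=admin3-IP list=Admin comment="admin smartphone"
/ip firewall filter
# --- Input chain (traffic to the router itself) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Only Admin-list hosts on LAN-list interfaces get full access to the router's services.
add action=accept chain=input in-interface-list=LAN src-address-list=Admin
# Every other LAN host may only use the router as DNS resolver; everything else is dropped.
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# --- Forward chain (traffic routed through the router) ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
# established/related are accepted BEFORE any VLAN-specific rule, so the return traffic of a
# connection admitted by "V11 to V100" is not caught by the final drop.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# Explicit one-way allow: new connections from vlan-11 towards vlan-100 only; nothing from vlan-100
# back into vlan-11 is accepted here.
add action=accept chain=forward comment="V11 to V100" in-interface=vlan-11 out-interface=vlan-100
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# Default deny: anything not explicitly accepted above, including all other inter-VLAN traffic, is dropped.
add action=drop chain=forward comment="drop all else"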

(4) Bridge ports
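# Bridge ports with ingress filtering enabled. The original listing used "admit-untagged-and-priority",
# which is not a valid frame-types value; the actual option (also used later in this thread) is
# admit-only-untagged-and-priority-tagged, so it is corrected here.
/interface bridge port
# ether2: trunk to the switch - only VLAN-tagged frames are admitted.
add bridge=bridge-1-5 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
# ether3/ether4 and the (disabled) wifi ports: access ports for VLAN 11. Untagged frames are
# admitted and get VLAN 11 via pvid; tagged frames are rejected at ingress.
add bridge=bridge-1-5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=11
add bridge=bridge-1-5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
# ether5: access port for VLAN 3.
add bridge=bridge-1-5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=3
add bridge=bridge-1-5 disabled=yes ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=11
add bridge=bridge-1-5 disabled=yes ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=11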

(5) Bridge vlans
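# Bridge VLAN table. The original entry for VLAN 100 had the typo "brodge-1-5", which is not an
# interface that exists in this config; it is corrected to bridge-1-5 here.
/interface bridge vlan
# The bridge itself (CPU side) is tagged on every VLAN so the /interface vlan sub-interfaces can route them.
add bridge=bridge-1-5 tagged=bridge-1-5,ether2 vlan-ids=100
add bridge=bridge-1-5 tagged=bridge-1-5 untagged=ether5 vlan-ids=3
# Untagged members here must match the pvid set on the same ports in /interface bridge port.
add bridge=bridge-1-5 tagged=bridge-1-5 untagged=ether3,ether4,wifi1,wifi2 vlan-ids=11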

Hi, thank you for your reply. Do you mean that instead of VLAN ID 1/default I should be using a VLAN tag for my main LAN too? I will have a good read of the VLAN topic, thanks.

I'm not sure I understood what you mean regarding the firewall rule. I have tried adding an accept rule before the drop rule, and I can see that there are bytes and packets flowing through the accept rule, but the connection is still being dropped. This is what I added.

 9    ;;; Allow LAN to VLAN100
      chain=forward action=accept connection-state="" src-address=192.168.1.0/24 dst-address=192.168.110.0/24 log=no log-prefix=""
# Rule 9 only matches packets travelling LAN -> VLAN100 (src 192.168.1.0/24). connection-state=""
# means the matcher is unset, i.e. any state.

10    ;;; Drop VLAN100 to LAN
      chain=forward action=drop connection-state="" src-address=192.168.110.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
# Rule 10 also matches any state, and the reply packets of a connection accepted by rule 9 travel
# VLAN100 -> LAN (src 192.168.110.x, dst 192.168.1.x), so they hit this drop unless an
# "accept established,related" rule sits above it - which is what the thread later confirms.

Thank you for this, I will have a go at this later today.

once you start using vlans just use the bridge for bridging not dhcp etc

I'm not sure I understand. I do need the VLANs to be on different subnets. I will have a look through the config to see if I can figure out what you mean by this exactly.

Edit: ah, so you are recommending I get rid of

add address-pool=dhcp interface=bridge-1-5

and add the address to the new VLAN/VLAN 11 instead. Got it, thanks!

Ah, so moving the default accept rule (below) to before my ‘drop VLAN to LAN’ rule allows one-way traffic. But I don't quite understand why my ‘allow LAN to VLAN’ rule didn't achieve the same, even after applying the same connection-state matchers as the default rule.

# This defconf rule accepts packets of already-tracked connections regardless of source or
# destination. Placed above the "drop VLAN100 to LAN" rule it lets the replies of a LAN -> VLAN100
# connection back through, while a brand-new connection from VLAN100 (state "new") still reaches
# the drop - that is the one-way behaviour described above.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked

I think I have some reading/learning to do on firewalls.

https://forum.mikrotik.com/viewtopic.php?t=180838
https://www.youtube.com/watch?v=6boYA7xdjZY&t=1376s
https://forum.mikrotik.com/viewtopic.php?t=191442

This is great, thank you. The first link has helped me understand the firewall much better. Now that I have a better understanding, I'm going to start from scratch using VLAN IDs 3, 11 and 100, and using “(2A) NOVICE+ MODIFIED SETUP” as a guide for the firewall, though I think I get it now. I am glad to see the information on the connection states too and will have a good read of that in the future.

Thanks for your help!

A long time ago, for me, the DHCP server would not work reliably if it was assigned to a subordinate port in a bridge (there was unreliable broadcast packet forwarding), so I had to assign the DHCP server to the root of the bridge. Since then I have mostly been using VLAN sub-interfaces on the Ethernet interfaces and putting them in separate bridges when needed, then operating on those bridges. Also, RouterOS didn't like IPs assigned to sub-interfaces in a bridge rather than to the root of the bridge (if you are only switching traffic and not running DHCP it was not an issue). This is supposedly fixed now.
This is not the proper way to do it; it has many drawbacks if you need to switch traffic on the VLAN between two Ethernet ports, but where I use this the traffic is just limited to and from the router and off the VLANs, so the performance loss and added overhead are not that much. You can try to set it up like this, just to make sure there isn't something else conceptually wrong with the config, but it's not really the best config around. It does have the advantage that those packets pass through the IP firewall, but you can tell the bridge to do that anyway now.
Adding bridge filters and IP filters with explicit accept and drop (explicit drop first, then accept what makes sense, then a default drop for anything that wasn't matched in the prior two categories), adding extra logging from the filter with a unique log prefix, and then looking at the router log can help identify which packets are not making it through. Torch is usually harder to read.

So I have tried moving to all VLANs instead of using the default PVID 1 for my main LAN, but I am not having any success. This is made harder by the fact that my switch is a Unifi switch managed via a cloud controller, so if I lose access, I can't simply plug in and SSH into the switch. Also, whenever I do try to make changes and fail, I take the whole home network down, which is starting to annoy others :smiley:

I don't know if my Unifi switch is playing up, but my cloud controller is definitely behaving differently to others that I have access to. For example, I create a new VLAN network, add it to a switch port profile, add tagged networks and save. After 30 seconds or so, the tagged networks disappear. I think I have a lack of understanding with regard to how VLANs work on Unifi and in general, but what I have tried is:

Port 1 on the Unifi is the link port. There is no default network/PVID, and the tagged networks are 10 and 110 (10 is my LAN, 110 is the guest LAN); these VLANs are assigned to switch ports accordingly. This doesn't seem to work: I lose access to the switch when I apply my MikroTik config below.
I have also tried setting the default network/PVID to 10 on the Unifi, which also didn't work.

/interface bridge port
# ether2 (trunk to the Unifi switch) gets pvid=10 here, yet the VLAN table below lists ether2 as
# TAGGED for VLAN 10. A port carries a given VLAN either untagged (pvid + untagged=) or tagged,
# not both - this is the mismatch a later reply in the thread points at.
add bridge=bridge.2-5 comment=defconf interface=ether2 pvid=10
# ether3 has no pvid and appears in no VLAN-table entry, so it sits on the bridge-port default PVID (1).
add bridge=bridge.2-5 comment=defconf interface=ether3
add bridge=bridge.2-5 comment=defconf interface=ether4 pvid=10
add bridge=bridge.2-5 comment=defconf interface=ether5 pvid=3

/interface/bridge/vlan
# VLAN 10: tagged on the bridge and ether2, untagged on ether4 (matches ether4's pvid).
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=110
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=200
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether5 vlan-ids=3

Full config:

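# Full RouterOS export for the "all VLANs" attempt. The PPPoE user and part of admin-mac were
# redacted by the poster; wifi2's SSID appears empty in this paste. Two free-text remarks the poster
# typed inside command lines ("to be removed once i get the config working...") are moved into
# comments so the listing imports cleanly.
/interface bridge
add admin-mac=48:A9 auto-mac=no comment=defconf name=bridge.2-5 vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MikroTik-662BC5 \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid="" \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=\
    
/interface vlan
add comment=pi interface=bridge.2-5 name=vlan-3 vlan-id=3
add comment=myLAN interface=bridge.2-5 name=vlan-10 vlan-id=10
add comment=homeLAN interface=bridge.2-5 name=vlan-110 vlan-id=110
add comment=iOT interface=bridge.2-5 name=vlan-200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# (poster: to be removed once the config is working)
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp1 ranges=192.168.1.10-192.168.1.254
add name=dhcp3 ranges=192.168.3.2-192.168.3.254
add name=dhcp110 ranges=192.168.110.2-192.168.110.254
add name=dhcp200 ranges=192.168.200.2-192.168.200.20
/ip dhcp-server
# (poster: to be removed once the config is working) - leftover defconf server bound to the bridge itself
add address-pool=default-dhcp interface=bridge.2-5 lease-time=10m name=defconf
add address-pool=dhcp1 interface=vlan-10 name=dhcp1
add address-pool=dhcp3 interface=vlan-3 name=dhcp3
add address-pool=dhcp110 interface=vlan-110 name=dhcp110
add address-pool=dhcp200 interface=vlan-200 name=dhcp200
/interface bridge port
# ether2 (trunk to the Unifi switch) gets pvid=10, yet the VLAN table below lists ether2 as TAGGED
# for VLAN 10. A port carries a given VLAN either untagged (pvid + untagged=) or tagged, not both;
# a later reply in the thread points at exactly this mismatch.
add bridge=bridge.2-5 comment=defconf interface=ether2 pvid=10
# ether3 has no pvid and is in no VLAN-table entry, so it sits on the bridge-port default PVID (1).
add bridge=bridge.2-5 comment=defconf interface=ether3
add bridge=bridge.2-5 comment=defconf interface=ether4 pvid=10
add bridge=bridge.2-5 comment=defconf interface=ether5 pvid=3
# wifi1/wifi2 are now ENABLED bridge ports with no pvid and no VLAN-table membership. Presumably
# wireless clients end up on the bridge's own untagged side (the leftover 192.168.88.0/24) rather
# than on a VLAN - confirm before relying on the wireless networks being isolated.
add bridge=bridge.2-5 comment=defconf interface=wifi1
add bridge=bridge.2-5 comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=110
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=200
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether5 vlan-ids=3
/interface list member
# Every VLAN - including the guest (vlan-110) and IoT (vlan-200) networks - is a LAN member, and the
# input chain below only drops traffic from outside LAN. Guest and IoT hosts can therefore reach all
# of the router's services (winbox, ssh, www, dns, mac-winbox, mac-telnet). A tighter input chain,
# such as the Admin-list / DNS-only one proposed earlier in the thread, would close that.
add comment=defconf interface=bridge.2-5 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan-10 list=LAN
add interface=vlan-3 list=LAN
add interface=vlan-110 list=LAN
add interface=vlan-200 list=LAN
/ip address
# 192.168.88.1 on the bridge itself is the defconf leftover the poster intends to remove.
add address=192.168.88.1/24 comment=defconf interface=bridge.2-5 network=192.168.88.0
add address=192.168.1.1/24 comment=myLAN interface=vlan-10 network=192.168.1.0
add address=192.168.3.1/24 comment=piLAN interface=vlan-3 network=192.168.3.0
add address=192.168.110.1/24 comment=homeLAN interface=vlan-110 network=192.168.110.0
add address=192.168.200.1/24 comment=IOT interface=vlan-200 network=192.168.200.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.110.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.110.1
add address=192.168.200.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Input chain: stock defconf. It trusts the whole LAN list (see the member list above).
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: stock defconf with NO inter-VLAN rules and no final drop. The OP's earlier
# "Drop Internal - VLAN100 ..." rules are gone, so guest (vlan-110) and IoT (vlan-200) hosts can open
# connections into myLAN (192.168.1.0/24) and every other VLAN until explicit accept/drop rules are added.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet is now allowed on every LAN-list interface (the OP's first export had it set to none),
# which includes the guest and IoT VLANs.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN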

My switch is plugged into port 2, and VLAN-10, VLAN-110 and VLAN-200 should flow through it. The Unifi switch has some ports set as access ports, and one port has an access point with a VLAN-tagged SSID. Other router ports are access ports and have PVIDs assigned accordingly.

I know my config in the OP isn't ideal because I am using VLANs and the bridge to handle DHCP, and I am using VLAN 1, but I think it's going to have to stay like this for a while until VLAN configuration really ‘clicks’ for me… I still don't truly understand when and why tagged or untagged should be used. I guess I got lucky to have my current config work haha

All your config changes should be done off-bridge.
For this, take one port off the bridge and give it an IP address only; then you can access the router via that port and change the bridge without losing any sleep.
https://forum.mikrotik.com/viewtopic.php?t=181718


As far as Unifi goes, I detest their default setup, which requires the trusted LAN to be untagged towards them while all the data VLANs are tagged. Thus a hybrid port is required.

So, for whatever port is going to the switch:
add bridge=bridge interface=etherX pvid=trustedvlan#

add bridge=bridge tagged=bridge,********* untagged=etherX vlan-ids=trustedvlan#

where ******* is any other Ethernet ports on which the trusted VLAN is tagged (trunk-type ports).

It looks like you're close… the problem may be your Unifi, but your VLAN setting below is WRONG…
/interface bridge port
# The contradiction being called out: ether2 is given pvid=10 (VLAN 10 untagged on ingress) ...
add bridge=bridge.2-5 comment=defconf interface=ether2 pvid=10
add bridge=bridge.2-5 comment=defconf interface=ether3
add bridge=bridge.2-5 comment=defconf interface=ether4 pvid=10
add bridge=bridge.2-5 comment=defconf interface=ether5 pvid=3

/interface/bridge/vlan
# ... while the VLAN-10 entry lists ether2 as TAGGED. The two options that follow resolve it one way
# or the other (hybrid: ether2 untagged for 10; trunk: ether2 tagged for 10 and no pvid).
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=110
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=200
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether5 vlan-ids=3

If the Unifi is expecting the trusted subnet untagged, then you need:

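# Option A - hybrid trunk on ether2: VLAN 10 untagged (via pvid=10), VLANs 110 and 200 tagged.
# A stray "[/color]" forum-markup token in the first VLAN entry has been removed.
/interface bridge port
add bridge=bridge.2-5 comment=defconf interface=ether2 pvid=10

/interface/bridge/vlan
# ether2 carries VLAN 10 untagged here, so it must NOT also appear in the tagged list for vlan-ids=10.
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether2,ether4 vlan-ids=10
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=110,200
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether5 vlan-ids=3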

If the Unifi has been modified to accept all VLANs on the trunk port, then you need:

# Option B - pure trunk on ether2: no pvid, every VLAN (10, 110, 200) tagged towards the switch.
/interface bridge port
add bridge=bridge.2-5 comment=defconf interface=ether2

/interface/bridge/vlan
# ether2 is tagged for VLAN 10 here; only ether4 keeps it untagged (matching ether4's pvid=10).
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=110,200
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether5 vlan-ids=3



So there are two possibilities that can exist; you have jumbled them into one config and it doesn't compute!
++++++++++++++++++++++++++++++++++++++++

In concert, you need the Unifi side (its associated incoming port) to match the scenario.
If it's a hybrid port, it needs to accept 10 untagged and the VLANs 110,200 tagged.
If it's a trunk port, it needs to accept 10,110,200 as tagged VLANs.

I appreciate your help, anav.

I finally got round to having another go. I think the Ubiquiti switch is making it harder than it needs to be… I'm sure there is a bug on my controller because my switch port settings just keep disappearing.

I discovered a different setting for ‘management VLAN’ on the Unifi controller, which from what I understand sets the default PVID (which will always be 1 with this not set). What I don't understand is why it wouldn't just let me do this on the port profile, where you should be able to set a default (untagged/PVID) network and tagged networks where required. It appears to give the option to do that, but I just couldn't get it working.

From what I understand, if the switch link port has a PVID of 11, the VLAN tag sent from switch to router (on the link port) will be 11, so the MikroTik needs to accept tagged 11 on the link port of the router (eth2). Any untagged devices connected to the switch would be tagged 11. Whether or not that is correct, that is how I have built the network, and it appears to be working…

So, I have set the management VLAN to 11. My Ubiquiti AP switch ports are set to default VLAN 11 and tagged 10 and 110. My primary SSID is set to VLAN 10 and guest/home to 110. Access ports on the switch are tagged where required.

For reference, ‘Guest’ = anyone in the house who is not technical and whose devices I don't want to be able to communicate with my devices or the network.

So I think I have set up what I needed. VLAN 110 cannot see or talk to VLAN 10, which is the main goal. Now I can start locking down further. The management LAN, for example, can probably be heavily restricted.

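# RouterOS export, tidied: the author's inline "[b]...[/b]" to-do notes have been
# applied (ether3 frame-types, ether3 untagged in VLAN 10, 192.168.88.0/24 leftovers
# removed), the VLAN 3 access-port mismatch is fixed, and review notes are added as
# "#" comments. Review notes are marked NOTE(review) and need the owner's decision.
/interface bridge
add admin-mac=48:A9:8A auto-mac=no comment=defconf name=bridge.2-5 vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MikroTik-662BC5 \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=MikroTik-662BC6 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=
/interface vlan
add interface=bridge.2-5 name=3-pilan vlan-id=3
add interface=bridge.2-5 name=10-mylan vlan-id=10
add interface=bridge.2-5 name=11-mngt vlan-id=11
add interface=bridge.2-5 name=110-guestlan vlan-id=110
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# default-dhcp (192.168.88.10-254) removed: no DHCP server references it any more.
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool3 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool4 ranges=192.168.110.2-192.168.110.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=3-pilan name=dhcp1
add address-pool=dhcp_pool2 interface=10-mylan name=dhcp2
add address-pool=dhcp_pool3 interface=11-mngt name=dhcp3
add address-pool=dhcp_pool4 interface=110-guestlan name=dhcp4
/interface bridge port
# ether2: trunk to the switch, tagged frames only (VLANs 10, 11, 110 below).
add bridge=bridge.2-5 comment=defconf frame-types=admit-only-vlan-tagged interface=ether2
# ether3/ether4: VLAN 10 access ports; untagged-only ingress so a tagged frame from a
# connected device cannot hop into another VLAN (ether3 was missing this).
add bridge=bridge.2-5 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge.2-5 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
# ether5: VLAN 3 access port.
add bridge=bridge.2-5 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=3
# NOTE(review): wifi1/wifi2 carry no pvid or frame-types, so with vlan-filtering=yes
# they sit in the bridge's native VLAN (the bridge's own pvid) with admit-all ingress.
# Nothing in this config assigns that VLAN an address or DHCP server, and the bridge
# itself is in the LAN list used by the input chain, so decide which VLAN these radios
# belong to and set pvid= and frame-types= accordingly, or remove them from the
# bridge if the Ubiquiti APs are the only wireless in use.
add bridge=bridge.2-5 comment=defconf interface=wifi1
add bridge=bridge.2-5 comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 untagged=ether3,ether4 vlan-ids=10
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=11
# VLAN 3's untagged member is ether5 (pvid=3). The previous entry listed ether3, which
# is a VLAN 10 access port (pvid=10); keeping it there would send VLAN 3 frames out of
# ether3 untagged alongside VLAN 10.
add bridge=bridge.2-5 tagged=bridge.2-5 untagged=ether5 vlan-ids=3
add bridge=bridge.2-5 tagged=bridge.2-5,ether2 vlan-ids=110
/interface list member
add comment=defconf interface=bridge.2-5 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=10-mylan list=LAN
# NOTE(review): only 10-mylan and bridge.2-5 are in LAN. The input chain's
# "drop all not coming from LAN" therefore blocks everything except ICMP from
# 11-mngt and 3-pilan, so VLAN 11 cannot currently manage the router; add
# "add interface=11-mngt list=LAN" if that is where management is meant to live.
# 110-guestlan is correctly left out of LAN.
/ip address
# 192.168.88.1/24 on bridge.2-5 removed: the defconf network is no longer used.
add address=192.168.1.1/24 interface=10-mylan network=192.168.1.0
add address=192.168.11.1/24 interface=11-mngt network=192.168.11.0
add address=192.168.3.1/24 interface=3-pilan network=192.168.3.0
add address=192.168.110.1/24 interface=110-guestlan network=192.168.110.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.11.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.11.1
add address=192.168.110.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.110.1
/ip dns
set allow-remote-requests=yes
# /ip dns static entry router.lan -> 192.168.88.1 removed with the 192.168.88.0/24 network.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Guest isolation. The forward chain has no final drop, so anything not listed here is
# forwarded; the original pair only separated VLAN 10 and VLAN 110, leaving the guest
# network free to reach 192.168.3.0/24 and 192.168.11.0/24. The two extra rules close
# that; a default-deny forward rule with explicit allows would be the stricter design.
add action=drop chain=forward comment="guest -> main LAN" dst-address=192.168.1.0/24 src-address=192.168.110.0/24
add action=drop chain=forward comment="main LAN -> guest" dst-address=192.168.110.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="guest -> management VLAN" dst-address=192.168.11.0/24 src-address=192.168.110.0/24
add action=drop chain=forward comment="guest -> pi VLAN" dst-address=192.168.3.0/24 src-address=192.168.110.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="port fwd to WG server udp" dst-port=51822 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.96 to-ports=51822
# NOTE(review): WireGuard only uses UDP; the TCP forward below exposes 192.168.1.96:51822/tcp
# from the internet for no WireGuard benefit. Remove it unless another service listens there.
add action=dst-nat chain=dstnat comment="port fwd to WG server tcp" dst-port=51822 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.96 to-ports=51822
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN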

It needs a bit of tidying, but hopefully it should be stable for now. Next on my list is to learn Queues.