guest network

Hello,
I’m trying to configure a guest network on my home router (RB4011iGS+), but after struggling for a few hours trying to figure out how to do that I finally gave up and am searching for help here.
First I’ll explain what I am trying to do:
192.168.1.1 is my default network for all the devices
192.168.2.1 is the guest network, which cannot access 192.168.1.1 but can access the internet

List interface:
eth 1 - WAN
eth 2 - default network
eth 3 - default network and guest network
eth 4 - default network
eth 5 - default network
eth 6 - default network
eth 7 - only guest network
eth 8 - default network

What I have done until now:
/interface bridge
add name=br-vlan10
add name=br-vlan20
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=I*****03
/interface vlan
add interface=br-vlan10 name=vlan10 vlan-id=10
add interface=br-vlan20 name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp10 ranges=192.168.1.10-192.168.1.254
add name=dhcp20 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=br-vlan10 name=defconf
add address-pool=dhcp20 disabled=no interface=br-vlan20 name=dhcp20
/interface bridge port
add bridge=br-vlan10 comment=defconf interface=ether2
add bridge=br-vlan10 comment=defconf interface=ether3
add bridge=br-vlan10 comment=defconf interface=ether4
add bridge=br-vlan10 comment=defconf interface=ether5
add bridge=br-vlan10 comment=defconf interface=ether6
add bridge=br-vlan20 comment=defconf interface=ether7
add bridge=br-vlan10 comment=defconf interface=ether8
add bridge=br-vlan10 comment=defconf interface=ether9
add bridge=br-vlan10 comment=defconf interface=ether10
add bridge=br-vlan10 comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=br-vlan10 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=br-vlan20 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.2.1/24 interface=br-vlan20 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1

Can you tell me what I’m missing?

Firewall rules.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Open VPN" dst-port=1194 \
    in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.106 to-ports=\
    1194

Also some description of what exactly does and doesn’t work wouldn’t hurt. Do you just need to block access from the guest LAN to the main LAN, or is there more?

On eth 3 I want to have the default network and the guest network. Right now I can only add one network; I don’t know how to give access to both.

(1) Yes, conflict in your setup.
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

Should be
/ip address
add address=192.168.1.1/24 interface=br-vlan10 network=192.168.1.0

(2) Missing Items.

  • bridge interface vlan rules
    (the bridge ports handle ingress vlan traffic, the bridge interface vlans handle egress of traffic)
    See 3 for more info*****!!

(3) Yes, two potential conflicts in your setup that I cannot come to grips with. You wish to have a VLAN running on two different bridges? I am not sure if that is legal?
The conflict I see arising is that you have associated a VLAN to a particular bridge, which is correct. However, if you do so then I am not sure how the heck the VLAN will also get on another bridge?
Furthermore I am bamboozled by the fact that in bridge ports we assign ethernet interfaces to bridges. I have no clue if an ethernet interface can belong to two bridges, which would be the way to have a VLAN on more than one bridge.

Recommendation, unless some smart wizard has cooler ideas, is the following.
Merge br-vlan10 and br-vlan20 and just call it bridge_vlans
Changes
-Basic vlan interface settings would all point to the same bridge
-Bridge port settings would all be on the same bridge
-Interface list member would only have one bridge in list=LAN
***** We can now construct bridge interface vlan rules, something like
/interface bridge vlan
add bridge=bridge_vlans tagged=bridge_vlans,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,sfp-sfpplus1 vlan-ids=10
add bridge=bridge_vlans tagged=bridge_vlans,ether3,ether7 vlan-ids=20

(4) In terms of firewall rules.
a. Typically I add drop-all rules at the end of my input chain and forward chain. Up to you if you wish to do the same, but not required.
b. In your case you wish to allow, at layer 3, the following:

add chain=forward action=accept in-interface-list=LAN out-interface=pppoe-out1
{last rule of forward chain}
add chain=forward action=drop comment="drop all else"

That’s it; unless you specifically allow LAN to guest or guest to LAN (VLAN10 to VLAN20 or vice versa) traffic, it will be blocked already.
For example, let’s say the guest network needs access to a shared printer on the home LAN:
add chain=forward action=accept dst-address=192.168.1.50 in-interface=vlan20
(where 192.168.1.50 is the printer’s LAN IP, for example)
… you could narrow it down to protocol and port if need be!

For example, let’s say you wanted, as admin, to be able to access vlan20 (your PC is LAN IP 192.168.1.36):
add chain=forward action=accept src-address=192.168.1.36 out-interface=vlan20

You can use in-interface, out-interface or dst-address or src-address or source address lists or destination address lists etc…
Heck, you can identify a whole subnet in a source or destination address. I generally avoid using bridge interfaces in rules, but that is possible too.
What I don’t have is a guide that says in this scenario use one or the other - basically because I have no clue what I am doing. :slight_smile:

A few notes… The official manual has some nice and relatively easy to understand examples for bridges and VLANs (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering). Decide how exactly you want it, what should be tagged and what not. Once you configure it, you’ll have separate L2 subnets, but the router will be happy to route between them. In order to prevent that, if you don’t want to make too many changes, you can start with just one additional rule at the end of your current firewall:

/ip firewall filter
add action=reject chain=forward connection-state=new in-interface=<guest vlan> out-interface-list=!WAN reject-with=icmp-admin-prohibited

Thank you for the clarification. Please take a look at the new export code and confirm whether I understood what you told me correctly.
I will add the firewall rules at the end, once it is working.

If it is not too much to ask, please tell me what I should choose as the interface for address-pool=dhcp20. For vlan10 I want to use address-pool=dhcp10 and for vlan20 I want to use address-pool=dhcp20.

add address-pool=dhcp10 disabled=no interface=bridge_def name=dhcp10
add address-pool=dhcp20 disabled=no interface=vlan20 name=dhcp20

/interface bridge
add auto-mac=no name=bridge_def
/interface vlan
add interface=bridge_def name=vlan10 vlan-id=10
add interface=bridge_def name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp10 ranges=192.168.1.10-192.168.1.254
add name=dhcp20 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=bridge_def name=dhcp10
add address-pool=dhcp20 disabled=no interface=vlan20 name=dhcp20
/interface bridge port
add bridge=bridge_def comment=defconf interface=ether2
add bridge=bridge_def comment=defconf interface=ether3
add bridge=bridge_def comment=defconf interface=ether4
add bridge=bridge_def comment=defconf interface=ether5
add bridge=bridge_def comment=defconf interface=ether6
add bridge=bridge_def comment=defconf interface=ether7
add bridge=bridge_def comment=defconf interface=ether8
add bridge=bridge_def comment=defconf interface=ether9
add bridge=bridge_def comment=defconf interface=ether10
add bridge=bridge_def comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge_def tagged="bridge_def,ether2,ether3,ether4,ether5,ether6,et\
    her7,ether8,ether9,ether10,sfp-sfpplus1,vlan10" vlan-ids=10
add bridge=bridge_def tagged=bridge_def,ether3,ether7 vlan-ids=20 
/interface list member
add comment=defconf interface=bridge_def list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge_def network=\
    192.168.1.0
add address=192.168.2.1/24 interface=bridge_def network=192.168.2.0

The dhcp-pool interface should match the IP address interface setting…

add address-pool=dhcp10 disabled=no interface=bridge_def name=dhcp10
add address-pool=dhcp20 disabled=no interface=vlan20 name=dhcp20
It should be…
add address-pool=dhcp10 disabled=no interface=vlan10 name=dhcp10
add address-pool=dhcp20 disabled=no interface=vlan20 name=dhcp20

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge_def network=192.168.1.0
add address=192.168.2.1/24 interface=bridge_def network=192.168.2.0

Should be
/ip address
add address=192.168.1.1/24 comment=defconf interface=vlan10 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0

/interface bridge vlan
add bridge=bridge_def tagged="bridge_def,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,sfp-sfpplus1,vlan10" vlan-ids=10
Get rid of vlan10 in the above rule, it’s already properly identified under vlan-ids!!

Highly suggest you read this excellent link!!
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

First of all I want to thank you for your patience and your time allocated to help me. I really appreciate, thank you!

I am sure that I am really close to solving the problem, but until then I have an issue.

After I changed the interface from bridge_vlans to vlan10 and vlan20 I was left without internet on my station.

I change
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge_vlans network=192.168.1.0
add address=192.168.2.1/24 interface=bridge_vlans network=192.168.2.0

to:
/ip address
add address=192.168.1.1/24 comment=defconf interface=vlan10 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0

After that the internet was gone! And I thought that I needed to add vlan10 and vlan20 to bridge_vlans, but unfortunately it was the same result:

/interface bridge port
add bridge=bridge_vlans comment=defconf interface=ether2
add bridge=bridge_vlans comment=defconf interface=ether3
add bridge=bridge_vlans comment=defconf interface=ether4
add bridge=bridge_vlans comment=defconf interface=ether5
add bridge=bridge_vlans comment=defconf interface=ether6
add bridge=bridge_vlans comment=defconf interface=ether7
add bridge=bridge_vlans comment=defconf interface=ether8
add bridge=bridge_vlans comment=defconf interface=ether9
add bridge=bridge_vlans comment=defconf interface=ether10
add bridge=bridge_vlans comment=defconf interface=sfp-sfpplus1
add bridge=bridge_vlans interface=vlan10
add bridge=bridge_vlans interface=vlan20

Nope, one does not add VLANs to the bridge port settings. :slight_smile:
Don’t forget to read that link I gave you, it’s all in there!!

By the way, you should not have a connection to the internet from the VLANs unless you allow it in the forward chain.

{forward chain}
accept established, related
++++++++++
drop all else

So the ++++++ is where you put what you want to allow.
For example:
add action=accept chain=forward in-interface=vlan10 out-interface=pppoe-out1

Related to what I wrote in the above post, this is the default configuration:

And this is when I try to change the interface:

If you are relying on Quickset to configure your router, you are beyond help LOL.
Get back into the normal section of winbox and use the link provided.
If you wish to post your latest complete config, that would be fine.
/export hide-sensitive file=yourconfigtoday

I used “Router-Switch-AP (all in one)” as an example from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
But when I change interface from “/ip address add address=192.168.1.1/24 interface=BR1 network=192.168.1.0” to “/ip address add address=192.168.1.1/24 interface=BASE_VLAN network=192.168.1.0” my network goes down :frowning:

If I add up all the hours I have spent so far, it comes to a full day by now. That is pretty much for a configuration which, in my opinion, is a basic home config. I understood from the beginning that these devices are advanced and not so easy to customize, but at this moment I am very close to the point of giving up.

# mar/25/2019 22:03:17 by RouterOS 6.44.1
# software id = 3W7Z-NAK7
#
# model = RB4011iGS+
# serial number = 968A09B555B7
/interface bridge
add admin-mac=B8:69:F4:99:B1:62 auto-mac=no name=BR1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=IF229319803
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=VLAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp20 ranges=192.168.2.2-192.168.2.254
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=BR1 name=DEF_DHCP
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
/interface bridge port
add bridge=BR1 comment=defconf interface=ether2 pvid=10
add bridge=BR1 comment=defconf interface=ether3 pvid=10
add bridge=BR1 comment=defconf interface=ether4 pvid=10
add bridge=BR1 comment=defconf interface=ether5 pvid=10
add bridge=BR1 comment=defconf interface=ether6 pvid=20
add bridge=BR1 comment=defconf interface=ether7 pvid=10
add bridge=BR1 comment=defconf interface=ether8 pvid=10
add bridge=BR1 comment=defconf interface=ether9 pvid=10
add bridge=BR1 comment=defconf interface=ether10 pvid=10
add bridge=BR1 comment=defconf interface=sfp-sfpplus1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether8 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7,ether9 vlan-ids=10
/interface list member
add disabled=yes interface=BR1 list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
/ip address
add address=192.168.1.1/24 interface=BR1 network=192.168.1.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.1.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.1.1 gateway=10.0.20.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Open VPN" dst-port=1194 \
    in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.106 to-ports=\
    1194
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Bucharest
/system leds
set 0 disabled=yes
/system logging
add action=email topics=critical,error,warning
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

No time to give up LOL.
There are several issues with the config.
Overall your DNS settings are all over the map.
Suggest you don’t make peer DNS enabled on the client, at least for now, so disable that checkbox.
Also get rid of the static IP DNS setting that is a leftover from Quickset (this one: /ip dns static
add address=192.168.1.1 name=router.lan).
You can find it at the IP DNS winbox setting by clicking on the right hand tab called static (just above the cache tab and below the apply tab).

Okay, with that cleaned up let’s go to the meat of the issues.
There is a lack of consistent subnet construction (a bit of a mess).
Once we have cleaned that up, remember your last step is to enable VLAN filtering on the /interface bridge rule!

If I take your /interface vlan setup as truth, then you have three subnets, base (99), blue (10) and green (20).
The first thing I notice is four IP pools…
My recommendation is to remove the dhcp20 pool as it seems out of place and confuses the issue.

/ip dhcp-server
add address-pool=dhcp disabled=no interface=BR1 name=DEF_DHCP has to change to:
add address-pool=dhcp disabled=no interface=BASE_VLAN name=DEF_DHCP
Similarly
/ip address
add address=192.168.1.1/24 interface=BR1 network=192.168.1.0
should be
/ip address
add address=192.168.1.1/24 interface=BASE_VLAN network=192.168.1.0

Now the reason you probably lose connectivity is that you have all access ports set up and thus don’t use your Base VLAN on your network???
Let’s say you don’t; then you should add a rule for the vlan anyway.
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=99

You have your ether ports 6 and 8 reversed in your config…
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether8 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether9 vlan-ids=10
should be
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether6 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,ether5,ether7,ether8,ether9 vlan-ids=10

Get rid of this, not used..
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1

This rule seems to be entered twice…
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related

I would add drop rules as the last rule in the input chain and also the forward chain.

I am assuming you want both vlans to be able to reach the internet??
add action=accept chain=forward in-interface-list=VLAN out-interface=pppoe-out1

Finally, before anything else, let’s discuss where you are going to use the 192.168.1.0 network (VLAN 99)?
It’s not used for any ports on your router. I thought you had a normal LAN (which could be vlan10) and a guest VLAN (which could be your vlan20).
In other words you may only need two vlans.
If this is the case you have two of everything (two IP pools, two vlans, two addresses, two servers, two networks etc…)

I thought about it some more as I was confused as to BASE-VLAN or Management VLAN etc…
For me the BASE VLAN is my core home vlan and all my IT devices that get IPs (APs, managed switches) get IPs from this vlan.
If I wanted to have all my devices on a management LAN, that’s perhaps when I would use a VLAN99.
That way no one is on the same vlan as the devices themselves (non-used vlan for traffic) but as an admin
I would make firewall rules such that my PC or laptops would have access to the devices for config purposes.
Thus in your case, keeping it to two vlans would be clean and simple, but if you wanted to add vlan99, it can be done.
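A consolidated version of the advice in this post together with the forward-chain suggestions earlier in the thread, added here as an example (it is not any poster's own config). It reuses the thread's names and subnets and assumes the port roles from the first post; the last line is the one that actually turns on VLAN filtering.

```routeros
# Added example, not from any post in this thread: one consistent RouterOS config
# for the scenario above, reusing the thread's names (BR1, pppoe-out1, vlan 10 =
# main 192.168.1.0/24, vlan 20 = guest 192.168.2.0/24). Assumed port roles from
# the first post: ether3 = both VLANs (main untagged, guest tagged, for a
# VLAN-aware AP/switch), ether7 = guest-only, all other LAN ports = main-only.

# 1. One bridge. Keep vlan-filtering=no while building; switch it on last.
/interface bridge
add name=BR1 vlan-filtering=no

# 2. Bridge ports. pvid = the VLAN that untagged frames arriving on the port join.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=ether6 pvid=10
add bridge=BR1 interface=ether7 pvid=20
add bridge=BR1 interface=ether8 pvid=10
add bridge=BR1 interface=ether9 pvid=10
add bridge=BR1 interface=ether10 pvid=10
add bridge=BR1 interface=sfp-sfpplus1 pvid=10

# 3. Bridge VLAN table (egress side). BR1 itself is tagged in both VLANs so
#    the router's own vlan10/vlan20 interfaces (step 4) receive the traffic.
/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1 \
    untagged=ether2,ether3,ether4,ether5,ether6,ether8,ether9,ether10,sfp-sfpplus1
add bridge=BR1 vlan-ids=20 tagged=BR1,ether3 untagged=ether7

# 4. Router-side VLAN interfaces sit on the bridge, never in the port list.
/interface vlan
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20

# 5. Layer 3 (address, DHCP) lives on the VLAN interfaces, not on BR1.
/ip address
add address=192.168.1.1/24 interface=vlan10
add address=192.168.2.1/24 interface=vlan20
/ip pool
add name=dhcp10 ranges=192.168.1.10-192.168.1.254
add name=dhcp20 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=vlan10 name=dhcp10
add address-pool=dhcp20 disabled=no interface=vlan20 name=dhcp20
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN

# 6. Firewall, appended after the defconf rules shown earlier in the thread.
#    Forward: each VLAN reaches the WAN, port-forwarded (dst-nat) traffic
#    still reaches its host, everything else (guest <-> main) is dropped.
/ip firewall filter
add action=accept chain=forward comment="main -> internet" \
    in-interface=vlan10 out-interface-list=WAN
add action=accept chain=forward comment="guest -> internet" \
    in-interface=vlan20 out-interface-list=WAN
add action=accept chain=forward comment="dst-nat'ed from WAN (OpenVPN)" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop all else, incl. guest <-> main"
#    Input: guests may get DHCP/DNS from the router and nothing else.
add action=accept chain=input comment="guest: dhcp+dns only" \
    in-interface=vlan20 protocol=udp dst-port=53,67
add action=drop chain=input comment="guest: no router management" \
    in-interface=vlan20

# 7. Last step, done from a main-VLAN port: enable filtering.
/interface bridge set BR1 vlan-filtering=yes
```

Apply it from a port in VLAN 10, since turning on filtering from a port whose VLAN membership is wrong cuts your own management session.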

Hello,

Today, after a system reset, I noticed that eth2 has stopped working. I checked the cable on another port and it is ok, but when I plug it into eth2 it is not working.

Bad port?

It has no link, but the cable is plugged in and I am sure that it is working; if I plug it into another port it is working. I’ll take the router to the warranty, I have no other idea. Unfortunately I have suffered this after the system reset:

“1) unplug the device from power
2) press and hold the button right after applying power
3) release the button to clear configuration.”

After that:

[admin@MikroTik] > interface ethernet cable-test ether2
name: ether2
status: no-link
cable-pairs: shorted:0,open:0,open:0,open:0
-- [Q quit|D dump|C-z pause]

Same cable ;

[admin@MikroTik] > interface ethernet cable-test ether3
name: ether3
status: link-ok
-- [Q quit|D dump|C-z pause]