Guest VLAN help required

Hi,

I’m hoping someone here will be able to help me set up my new router. Just before Christmas, I bought a RouterBOARD 3011UiAS-RM and two TP-Link EAP225 wireless access points to replace my struggling Airport-based setup. Since then, I’ve been looking through the many examples of how to set up a guest network using a VLAN. I’ve failed to find enough consistency between some of the examples to feel confident about how to go about this, though I have learnt a few things along the way.

My setup and requirements are fairly simple:

• I have a Virgin cable router running in ‘dumb’ modem mode, which will connect to the RouterBoard’s ether1. External IP address comes from DHCP.
• My Home (wired) network will all connect via a 3rd party switch plugged into any of ether6-10 using the 192.168.111.0 network.
• Guest (wired) ethernet will connect to ether2 using the 192.168.222.0 network (this is VLAN ID 99).
• Access points will both connect (via a separate 3rd party PoE switch) to ether3. The access points have two SSIDs (one for Home, one for Guest). The Guest SSID is assigned to VLAN ID 99.

I realise I’m a bit weird, but I’m using 192.168.xxx.2 for the gateway.

Amongst many other threads, I read through this one: http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1 which was somewhat mind-blowing for a beginner such as myself! It seems there has recently been a software change that means my guest vlan requirement can be satisfied within a single bridge. If I understand correctly, this is simpler but not necessarily better in all cases due to hardware limitations. However, as far as I can tell my router has hardware that is capable of handling ‘bridge VLAN filtering’ (QCA8337). If so, I would like to take this approach. I suspect one of the reasons I have found some inconsistency between examples is because some take the single bridge approach but many others show the older multi-bridge approach. Another factor I’ve struggled with is that most examples utilise on-board radio, which is not this case for me.

I have worked out some of the simple bits:

/ip pool
add name=default-dhcp ranges=192.168.111.120-192.168.111.179
add name=Guest-dhcp ranges=192.168.222.10-192.168.222.254

/ip dhcp-server network
add address=192.168.111.0/24 comment=Home dns-server=194.168.4.100,194.168.8.100 gateway=192.168.111.2 netmask=24
add address=192.168.222.0/24 comment=Guest dns-server=194.168.4.100,194.168.8.100 gateway=192.168.222.2 netmask=24

/ip route rule
add src-address=192.168.222.0/24 dst-address=192.168.111.0/24 action=drop

I don’t think I can fill in the interface field here until the bridge/vlan/interfaces have been defined:

/ip address
add address=192.168.111.2/24 comment="Home gateway" interface=[PLEASE HELP] network=192.168.111.0
add address=192.168.222.2/24 comment="Guest gateway" interface=[PLEASE HELP] network=192.168.222.0

I’m pretty sure I accepted the default setup when I first setup the router, so I’m left with things like this which may need changing?:

/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10

Any help would be gratefully received!

Thank you.

A diagram will help of course.
The router should have no problem handling the input from the cable “modem”/
There should be no issues with using the default (transparent ) vlan1 for the home network and the explicity vlan99 for the guest network.
Where I cannot help is what happens at the TP link units.

Suffice to say your setup is out of whack for many reasons.
What i dont understand is the dumb modem when its giving you a private iP address??
It should be assigning you a public IP ???

What I would do…

/interface vlan
add interface=homeBridge name=Guest_Access99 vlan-id=99

/ip pool
add name=default-dhcp ranges=192.168.111.120-192.168.111.179
add name=Guest-dhcp ranges=192.168.222.10-192.168.222.254

/ip dhcp-server network
add address=192.168.111.0/24 comment=Home dns-server=192.168.111.1 gateway=192.168.111.1
add address=192.168.222.0/24 comment=Guest dns-server=192.168.222.1 gateway=192.168.222.1

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=homeBridge lease-time=1d
name=HoMeLAN
add address-pool=Guest-dhcp disabled=no interface=Guest_Access99
lease-time=1d name=“Guests_Server”

/IP addresses for DHCP client are filled in by the router upon being bounded, getting a connection.

/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid
disabled=no interface=Virgin_eth1 use-peer-dns=no use-peer-ntp=no

/ip dns
set allow-remote-requests=yes servers=
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222

/ip route rule
add distance=2 destination IP= 0.0.0.0/0 gateway IP=gatewayIP of Provider

(dont forget to define bridgename, lets say homebridge
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=homebridge
protocol-mode=none vlan-filtering=yes

/interface bridge port (dont add ports if not used in general)
add bridge=homebridge comment=defconf interface=ether6
add bridge=homebridge comment=defconf interface=ether7
add bridge=homebridge comment=defconf interface=ether8
add bridge=homebridge comment=defconf interface=ether9
add bridge=homebridge comment=defconf interface=ether10
add bridge=homebridge comment=defconf interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=homebridge comment=defconf interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=homebridge tagged=homebridge, eth2,eth3 vlan-ids=99

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=virgin_eth1 list=WAN
add comment=defconf interface=homebridge list=LAN
add interface=Guest_Access99 list=LAN

Hi,

Thanks very much for taking the time to help me - I really do appreciate it. Apologies for the delay in respoding - there were a few things I needed to get my head around!

A lot of your suggestions are making sense, but I do have a few little queries…

In several setup commands, you have referred to ‘homebridge’ and in others ‘homeBridge’. I had been assuming that names were case sensitive. So either they aren’t, or you intended these to be different things, or it’s a typo?

I had a couple of (incomplete) setup lines that I intended would define the IP address of the router from within the home LAN and the guest LAN:

/ip address
add address=192.168.111.2/24 comment="LAN gateway" network=192.168.111.0
add address=192.168.222.2/24 comment="Guest gateway" network=192.168.222.0

If I do not need these, then I’d like to understand how the router gets its IP address that clients would use as their gateway?
If I do need them, to which interface do I assign them? The ‘homebridge’?

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222

Presumably I could add my provider’s DNS to this list?

/ip route rule
add distance=2 destination IP= 0.0.0.0/0 gateway IP=gatewayIP of Provider

Is this a better way of blocking traffic between the home and guest network, or something else?
Also, wouldn’t the router be getting my provider’s ‘gatewayIP’ via DHCP?

I do like that you’ve put the DNS caching service of the RouterBoard to use.

Suffice to say your setup is out of whack for many reasons.

This statement concerns me. Though everyone’s setup is at least a little different, I didn’t suspect I was doing anything particularly unconventional. I would prefer to have a setup that would be seen as (mostly) sensible by those who know their stuff. I am very open to any suggestions that you have for changes.

What i dont understand is the dumb modem when its giving you a private iP address??
It should be assigning you a public IP ???

I’ll check this again when I get home. I also think it should give me a public IP address using DHCP.

Thanks again for helping me out!

My tone is not always the best and my sense of humour whacky.

1. Typos to the first question they should all be spelled and with the same case (me just lazy or paying attention to detail on that one).

2. Entries corrected:

/ip address
add address=192.168.111.2/24 comment=“LAN gateway” interface=homebridge network=192.168.111.0
add address=192.168.222.2/24 comment=“Guest gateway” interface=Guest_Access99 network=192.168.222.0

3. Yes, they can be added. If you want even tighter control over DNS requests by users, then in your IP Firewall NAT rules, do the following…
   /ip firewall nat
   add action=redirect chain=dstnat comment=
   “Force Users to Router for DNS - TCP” disabled=yes dst-port=53 protocol=
   tcp src-address-list=LAN
   add action=redirect chain=dstnat comment=
   “Force Users to Router for DNS - UDP” disabled=yes dst-port=53 protocol=
   udp src-address-list=LAN

A nuance to this is that you might not care to control DNS to that extent for guest users, who only have access to the internet, but are more concerned with authorized home users (assuming with access to all home devices on the home lan) to ensure they don’t stray to other DNS sources… then simply change the above rules for this bit:
src-address-list=LAN to src-address=homebridge (for TCP, UDP).

4. Nope, everything is done separately on the mikrotik. A default route is created on your IP DHCP Client entry. If you want to accept the default route which works well in the simple case of a single WAN connection you don’t need to create a rule (already done). I fell its better to start learning about routes as early as possible.

/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid
disabled=no interface=Eastlink_eth1 use-peer-dns=no use-peer-ntp=no

By the way IP Routes as nothing to do with blocking traffic between the guest lan and home lan. That is accomplished by firewall rules.
In our case, we only allow vlan to WAN traffic and everything else is dropped including vlan to homelan and homelan to vlan traffic!!!

Yes, the router gets the DHCP client info but that does not tell the router where to route the information, you have to connect the dots LOL.
Also NAT rules dont route the information they simply tell the router which public IP for example to give to private IPs when going outbound to the internet…

Hi,

Thanks for all your clarifications. I might take this a step at a time and not jump straight into the firewall suggestions until I have things up and running!

I presume the default firewall rules will also give both the home network and the guest network some basic protection from the outside world?

BTW, I checked the IP address that my existing router has acquired from my ISP (over DHCP) and it seems to be sensible (82.9.x.x).

I remain confused about this line:

/ip route rule
add distance=2 destination IP= 0.0.0.0/0 gateway IP=gatewayIP of Provider

I realise I’m supposed to fill in last field, but ‘destination IP’ is not listed in the docs as a property of /ip route. Is this meant to be ‘dst-address IP’ ?
Mostly, though, that “gatewayIP of Provider” is still concerning me. I guess I could determine that address from the info received over DHCP from my ISP, but what if it changed tomorrow? How would I know?

You don’t have to configure routing towards WAN, it’s done automatically by DHCP client. Or it should be …

You can select default route (checkbox) in the IP DHCP client setup and it will create the ip route rule for you and you dont have to make one.

By the way when the DHCP client connects, shows as BOUND.
Double click on the entry and then to go the STATUS TAB, it will tell you the gatewayIP.

I don’t think mixing static (gw IP address) and dynamic (own IP address) setup is a wise thing to do. Specially so if there isn’t a good reason for doing it.

I dont have a clue about what your talking about mkx.
I have two connections, one straight cable ethernet that always pulls an IP automatically and a vlan fiber connection that I normally have to bind and then find the gateway IP and stick it in my recursive rules.

When posting advice in other users’ topics, think about their needs (and ROS fluency). Majority of users have single WAN line and there’s no need to complicate things.

In particular: if WAN config is dynamic (either DHCP client or PPPoE client), it’s not wise to accept dynamic IP address but set static IP of default GW. It might change as well. Further more: even if you do have static IP address, GW might change due to ISP changing subnet mask (it did happen on one of locations I’m in charge of and ISP instructed me to staticly set things hence ISP should have informed me about the change but did not).
Unless, of course, it is necessary because of certain use case and router’s administrator knows what he’s doing …

True enough, but there is merit in understanding that the default route exists for a reason (checkbox) and what the route means and that its separate but required from NAT either way etc…
I was trying to find a post I think you had made in another thread but couldnt find it, showing different ways of making routes using route table or other commands I had not encountered before.
On the posts above (with config), you will note I made some changed to the ports from my usual config…
add bridge=homebridge comment=defconf interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
(a. admit only and b ingress filtering)

I just wanted to confirm that is was NOT wrong. In the general case what if ether 2 is a trunk port carrying vlan1 (by default) amongst other vlans which are explicitly identified. There is no issue with the above bridge port config then?? The reason I ask is I started to doubt myself in that normal lan traffic coming in from PCs which dont tag traffic I am assuming would be allowed through but I forget if they are automatically assumed to have vlan1 tags… Its terrible when doubt creeps in LOL.

This weekend, I have gone live with the suggested setup. Initially, this did not work until I realised that the dhcp-client had the default route turned off, and I had not applied the slightly contentious /ip route rule line. Once I activate the default route in the dhcp-client, things mostly worked. Which is fantastic! Here’s my current setup:

# jan/14/2019 07:40:14 by RouterOS 6.43.8
# software id = C1ZE-CKFX
#
# model = RouterBOARD 3011UiAS
# serial number = xxxx
/interface bridge
add admin-mac=B8:69:F4:8E:7F:61 auto-mac=no comment=defconf name=HomeBridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Virgin speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Guest speed=100Mbps
set [ find default-name=ether3 ] name=ether3-WAP speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] name=ether6-Home speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=HomeBridge name=GuestAccess vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=HomePool ranges=192.168.111.120-192.168.111.179
add name=GuestPool ranges=192.168.222.10-192.168.222.254
/ip dhcp-server
add address-pool=HomePool disabled=no interface=HomeBridge lease-time=1d name=HomeDhcp
add address-pool=GuestPool disabled=no interface=GuestAccess lease-time=1d name=GuestDhcp
/dude
set enabled=yes
/interface bridge port
add bridge=HomeBridge comment="Guest, wired" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2-Guest
add bridge=HomeBridge comment="Home LAN" interface=ether6-Home
add bridge=HomeBridge comment="Home and Guest, WAPs" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-WAP
add bridge=HomeBridge interface=ether7
add bridge=HomeBridge interface=ether8
add bridge=HomeBridge interface=ether9
add bridge=HomeBridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether2-Guest,ether3-WAP vlan-ids=99
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add comment=defconf interface=ether1-Virgin list=WAN
add interface=ether2-Guest list=discover
add interface=ether3-WAP list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-Home list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=HomeBridge list=discover
add interface=HomeBridge list=mactel
add interface=HomeBridge list=mac-winbox
add interface=GuestAccess list=LAN
/ip address
add address=192.168.111.2/24 comment="Home gateway" interface=HomeBridge network=192.168.111.0
add address=192.168.222.2/24 comment="Guest gateway" interface=GuestAccess network=192.168.222.0
/ip dhcp-client
add comment=defconf default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=ether1-Virgin use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.111.0/24 comment=Home dns-server=192.168.111.2 gateway=192.168.111.2
add address=192.168.222.0/24 comment=Guest dns-server=192.168.222.2 gateway=192.168.222.2
/ip dns
set allow-remote-requests=yes servers=194.168.4.100,194.168.8.100,8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip dns static
add address=192.168.111.2 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Unfortunately, not everything is working. As planned, I plugged the WAPs into ether3, but I could not access them on either 192.168.111.5 or 192.168.111.6. I moved the connection to ether7 and both became available. I was wondering if this line was the culprit:

add bridge=HomeBridge comment="Home and Guest, WAPs" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-WAP

The WAP connection (ether3) was expected to provide access to Home and Guest users (Guest via vlan 99, presented as a separate SSID), but I read this line as an instruction to filter out non-vlan traffic, thus filtering out everything on the 192.168.111.0 (Home) network? Is this line the problem?

Thanks again for your continued help in this!

This line assumes everything comming down the UTP cable from WAPs will be already tagged. Did you configure WAPs to tag everything (the rest of RB3011 config and your own words indicate that that’s not intended)? Please post config from one of APs.

The WAPs are both TP-Link EAP225. They have a GUI-based config, and I’m not sure I can export something I can paste here, but will have a look tonight.
I can tell you that how I’ve set them up. They have two SSIDs, one for Home and one for Guest.
The configuration interface is on the Home network range of 192.168.111.x.
The home SSID has the VLAN set to 0 (which means no VLAN on the AP).
The guest SSID has the VLAN set to 99.
I expected both untagged (VLAN=0) and tagged traffic (VLAN=99) to move back and forth to the access points from the router for this setup to work, and for the AP to route each to the appropriate SSID.
Probably I’ve just misunderstood VLANs, and I’m trying to do this in the wrong way! If that’s the case, please say so!
Hope this helps.

For the reported issue: Try setting VLAN=1 for the home regular users (not vlan=0) and see what happens.


I just noticed something else. In that your ether2 interface may allow non vlan99 traffic

++++++++++++++++++++++++++
add bridge=homebridge comment=defconf interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=homebridge comment=defconf interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=homebridge tagged=homebridge, eth2,eth3 vlan-ids=99
+++++++++++++++++++++++++

Upon review I think I may have erred on the first rule, and omitted an important part and it should be this…
add bridge=homebridge comment=defconf interface=ether2 pvid=99 frame-types=admit-only-vlan-tagged ingress-filtering=yes
This assumes there are no smart switches or devices that are tagging the traffic, just users on their computers etc…
If there is tagging already done then the pvid is not required?

This may leads to a modification of the following rule
/Interface bridge vlan but I cannot figure it out…

Setting for ether3-WAP is not right. It should be like this:

/interface bridge port
# frame-types should be admit-all: port will admit both untagged (i.e. HomeLAN) and tagged (i.e. GuestAccess) frames
# setting pvid=1 means untagged but we need it for ingress-filtering to work
add bridge=HomeBridge comment="Home and Guest, WAPs" frame-types=admit-all ingress-filtering=yes pvid=1 interface=ether3-WAP

And leave VID on Home SSID set to whatever TP-Link uses to express untagged (0 is fine) frames.

So MKX…

/interface bridge port (dont add ports if not used in general)
add bridge=homebridge comment=defconf interface=ether6
add bridge=homebridge comment=defconf interface=ether7
add bridge=homebridge comment=defconf interface=ether8
add bridge=homebridge comment=defconf interface=ether9
add bridge=homebridge comment=defconf interface=ether10
add bridge=homebridge comment=defconf interface=ether2 pvid=99 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=homebridge comment=defconf interface=ether3 frame-types=admit-all ingress-filtering=yes {pvid=1 is the default}

/interface bridge vlan
add bridge=homebridge tagged=homebridge, eth2,eth3 vlan-ids=99 ??

Are you saying also that no change to the VLAN number on the TP link is okay or are you saying to create a VLAN of 0 on the mikrotik??

What’s intended purpose of ether2? Wired access port to GuestAccess? In that case it should be

/interface bridge port
add bridge=HomeBridge comment="Guest, wired" frame-types=admit-only-untagged-and-priority-tagged pvid=99 ingress-filtering=yes interface=ether2-Guest

/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether3-WAP untagged=ether2-Guest vlan-ids=99

Why not just admit untagged, why include priority?

I suggest you to have a look at documentation to see which settings to frame-types are possible. One has to choose the most sensible one according to needs.