HAP AX S first config - vlan issues

I just bought my first Mikrotik for home use and after reading multiple guides I’m still struggling with the vlan setup.

The design is pretty simple, all the ports and the main wifi on vlan10(10.0.10.0/24), then a guest ssid on vlan20(10.0.20.0/24), both with access to internet but isolated from one another.

This is my current configuration: https://pastebin.com/AV9PPszT

With this configuration as soon as I enable the vlans with
/interface bridge set BR1 vlan-filtering=yes
the router correctly reboots but I can't connect again via WinBox (via MAC, as the IP remains 0.0.0.0) and I can't understand why.

This is not the only issue as I also have issues with getting a dhcp address via wifi for example but I’d like to have the vlans configuration sorted first.

Thanks to anyone that can help :)

No need to put your main wifi on a vlan. Yes, every document you see does this, but basically you only put something on a vlan when you can articulate a need. At this stage, the only need we can articulate is to put the guest wifi on a vlan to keep guests separate from the main lan. So just do that. Leave your main wifi on the native lan. As you are new at this, only ever do one vlan at a time.

And then, hopefully, you will never again commit all your interfaces to a vlan. It is generally recommended to leave 1 ethernet port alone and not involved in vlans for precisely the situation you are in, so that you can get back into your config. You now have the more immediate problem of how to get back in. You might prefer to do a factory reset - or if you have a linux box, you can use Network Manager to set up a network connection on vlan10. Perhaps you can do the same from Windows too, but I don't know.
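As an added example of the layout this reply recommends (it is not a config from any post in this thread): only the guest SSID goes on VLAN 20, while the main LAN, main WiFi and management stay untagged on the bridge's native VLAN, so enabling vlan-filtering cannot cut off the management path. The interface names BR1, "main wifi" and "guest wifi", the 10.0.10.0/24 and 10.0.20.0/24 subnets, the pool range and the resolver addresses are assumptions taken from the original poster's design, not from this reply.

```routeros
# Added example, not the thread's own config. Guest SSID alone on VLAN 20;
# main LAN, main WiFi and management stay untagged on BR1's native VLAN 1.
# Assumed names/addresses: BR1, "main wifi", "guest wifi", 10.0.10.0/24 (LAN),
# 10.0.20.0/24 (guest). Run from Safe Mode.

/interface bridge
add name=BR1 vlan-filtering=no

# Access ports: untagged on the native VLAN (pvid 1 is the default) and told to
# refuse tagged frames, so a client cannot tag itself into another VLAN.
/interface bridge port
add bridge=BR1 interface=ether1 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether3 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether4 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether5 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface="main wifi" frame-types=admit-only-untagged-and-priority-tagged
# The only port with a non-default PVID: guest frames are tagged 20 inside the bridge.
add bridge=BR1 interface="guest wifi" pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# VLAN 20 exists on the guest port (untagged) and towards the CPU (BR1, tagged).
# VLAN 1 needs no entry: BR1 and every pvid-1 port are dynamic untagged members.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged="guest wifi" vlan-ids=20

# Router-side interface for the guest VLAN. The main LAN address stays on BR1.
/interface vlan
add interface=BR1 name=vlan20 vlan-id=20
/ip address
add address=10.0.10.1/24 interface=BR1
add address=10.0.20.1/24 interface=vlan20

# Guest DHCP hands out public resolvers so guests never need to talk to the
# router itself; the input chain can then stay "LAN only".
/ip pool
add name=guest-pool ranges=10.0.20.100-10.0.20.254
/ip dhcp-server
add address-pool=guest-pool interface=vlan20 name=dhcp-guest
/ip dhcp-server network
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=1.1.1.1,8.8.8.8

# BR1 (native VLAN) is the trusted side; vlan20 is deliberately in no list,
# so the defconf "drop all not coming from LAN" input rule already covers it.
/interface list member
add interface=BR1 list=LAN

# Last: with management untagged, enabling filtering cannot cut you off.
/interface bridge set BR1 vlan-filtering=yes
```

Enter this from WinBox Safe Mode (or Ctrl-X in a terminal session) so a lost connection rolls everything back. The forward-chain rules that stop vlan20 from reaching the main LAN are a separate step in /ip firewall filter; this block only builds the VLAN and keeps management reachable while doing it.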

you should have it like this

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/interface wifi
set [ find default-name=wifi1 ] configuration.. .ssid=main_wifi datapath.bridge=bridge1 .vlan-id=10
add name=wifi1_guest master-interface=wifi1 configuration.mode=ap .ssid=guest_wifi datapath.bridge=bridge1 .vlan-id=20

/ip address
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0

/ip dhcp-server
add address-pool=pool1 interface=vlan10 name=server1
add address-pool=pool2 interface=vlan20 name=server2
..

further firewall configuration is carried out in /ip/firewall/..

And - only as a side note - for a simple home use you don't actually need a VLAN, JFYI:
https://tangentsoft.com/mikrotik/wiki?name=Isolated%20Guest%20WiFi%20Sans%20VLANs

Thanks a lot for the replies, especially the tip about keeping an eth on vlan1; with that I was able to keep access and test further. To my surprise everything works as it should (for some reason it wasn't the case before, and the only change was "/interface bridge port add bridge=BR1 interface=ether1"), so I can start adding things with a working base config.

I’m left with the question on how to keep winbox access with the eth1 untagged on vlan10 as well, I would expect to connect via the gw (10.0.10.1) but that’s not the case, do you have any hint?

To the two commenters above,

Firstly, the author wrote a diagram and asked how it should work, and the answer was given. What he wants to do and whether he needs any more advice—we don't know, and we're not interested. I hope he's doing well.

Secondly, there shouldn't be any MGMT, VLAN isolation across horizons, or bridge filtering. This is all nonsense. Because the web interface is inconvenient, and the author will have to configure everything in WinBox, which a) securely encrypts the connection, and b) requires a password of 16 or more characters, which we a priori consider impossible to crack.

What's worth mentioning is:
a) for WiFi, we usually use dynamically adding bridge ports and a VLAN table, because the WiFi settings have a life of their own and are still full of errors. For example, /interface/wifi/reset wifi1 doesn't delete all the settings. Why Mikrotik?
b) a regular firewall is sufficient to isolate access and will be redundant for us; no rules for bridges, etc. are needed since they have their own specifics.

You lose access because all ports and WiFi are put into VLANs without a safe untagged management path, so when vlan-filtering is enabled Winbox traffic is dropped. Leave at least one Ethernet port untagged for management or keep the main LAN and main WiFi on the native bridge, and only place the guest WiFi on VLAN20. If you are already locked out, factory reset or connect using a VLAN-aware interface to regain access, then rebuild the VLANs step by step.

Thanks @gardlaerk for the extensive review, I’ve implemented some of the things you listed, but still haven’t found a solution there in order to keep eth1 untagged on vlan10 like the others and be able to access mgmt.

@fierce87x what makes a “safe management path”?

I just need in-band management access as I don't want to deviate from the design above and don't want to waste a port for mgmt only (although I recognize it's another security layer); there should be a knob to turn to enable that..

We don't know what the current config is. And you are trying to combine multiple recommendations, and we don't know which recommendations you have used.

Please post in a </> (preformatted text) block, e.g. before pasting, press Ctrl-E or click the </> icon at the top. Then where it says "type or paste code here" paste in the output of your sanitized config (remove your serial number)

You should be able to connect to winbox when vlan-filtering is on. There must be something in your config that is preventing it.

I can't comment on the wifi config, because I don't have any MikroTik routers with wifi built in.

Here is the updated configuration: https://pastebin.com/b0S2tTHc
I'm able to access WinBox via eth1 (via MAC address) as I kept eth1 on BR1 on the native VLAN; I still have no way to access it from vlan10.
As a temporary solution, I found out I can use webfig (the tmp rule is for that) from vlan10 by pointing at the gw address, I would like to be able to do the same for winbox but I keep seeing 0.0.0.0 ip address there.

Note: before making any changes you get from the forum, back up your config using both backup (under Files) and export, and save them off the router. This gives you a way back in case the advice was not correct.

If vlan10 is your trusted vlan and where you want to be able to access the router via winbox, then you need to add vlan10 as a member of the LAN list.

This is controlled here:

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here's what you currently have:

/interface list member
add comment=defconf interface=BR1 list=LAN
add interface=sfp1 list=WAN

you need to add vlan10 so your config would look like this:

/interface list member
add comment=defconf interface=BR1 list=LAN
add interface=vlan10 list=LAN
add interface=sfp1 list=WAN

Then connect to ether2 and verify you can connect to the router with winbox.

After you verify you have access from ether2, you can then change the pvid on ether1 to 10.

After that, then all your RJ45 ethernet ports will be on vlan10.

I think it should still allow access to winbox if you remove BR1 from the LAN list, since you won't have access to it anyway. But I am not sure if that's the case, so if you do remove it, then you should remove it when using safe mode. I would also remove the disabled entry for sfp1 in the /interface bridge port stanza

When done:

/interface bridge port
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 comment="Remove this line" disabled=yes interface=sfp1  
add bridge=BR1 comment=defconf interface=wifi1-2.4
add bridge=BR1 comment=defconf interface="main wifi" pvid=10
add bridge=BR1 interface="guest wifi" pvid=20
add bridge=BR1 interface=wifi4

/interface list member
add interface=vlan10 list=LAN
add interface=sfp1 list=WAN
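An added example (not from the reply above or from the original poster's config) that wraps this fix in the rest of the in-band management hardening a practitioner would apply with it. It assumes the posted names (BR1, vlan10 = 10.0.10.0/24, the defconf LAN list and the defconf input chain) and that WinBox over IP is the only management tool; the choice of which services to disable and the subnet restrictions are mine.

```routeros
# Added example, not the thread's own config. Trusted VLAN (vlan10) becomes
# the one in-band management path. Assumed: BR1, vlan10 = 10.0.10.0/24,
# defconf LAN/WAN lists and the defconf input chain. Run from Safe Mode.

# 1. The knob: the defconf input rule "drop all not coming from LAN",
#    MAC-WinBox and neighbor discovery all key off the LAN list, so the
#    VLAN interface (not just the bridge) has to be a member.
/interface list member
add interface=vlan10 list=LAN

# 2. Bind the IP services to the trusted subnet and switch off the unused
#    ones. WinBox now connects to 10.0.10.1:8291 instead of the MAC address.
#    Keep www only if WebFig is wanted; then restrict it the same way.
/ip service
set winbox address=10.0.10.0/24
set ssh address=10.0.10.0/24
disable telnet,ftp,www,api,api-ssl

# 3. Layer-2 helpers stay limited to LAN interfaces; vlan20 is in no list,
#    so guests can neither MAC-WinBox nor discover the router.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool bandwidth-server set enabled=no

# 4. Only once WinBox works over 10.0.10.1 from a pvid-10 port: move ether1
#    to the same VLAN and drop the bridge itself from the trusted list, so
#    the native VLAN 1 (whatever port ends up on it) is no longer trusted.
/interface bridge port set [find interface=ether1] pvid=10
/interface list member remove [find interface=BR1 list=LAN]

# 5. Checks: vlan10 in LAN, BR1 tagged on VLAN 10, services bound to the
#    subnet, and no input-chain drops counting up from 10.0.10.0/24.
/interface list member print where list=LAN
/interface bridge vlan print
/ip service print
/ip firewall filter print stats where chain=input
```

Do step 4 last and from Safe Mode: until then the MAC-WinBox path over the untagged ether1 is the fallback. In the posted config the IPv6 address, DHCPv6 server and ND settings are still bound to BR1 rather than vlan10, so after step 4 no client sits on the interface that carries IPv6; moving those to vlan10 is a separate change.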

This is what I was searching for and it worked! Thanks a lot!

ONLY to preserve the original configuration posted by mikrogee as future reference should the pastebin link become invalid, here it is reproduced:

/interface bridge
add admin-mac=XXXXXX auto-mac=no comment=defconf name=BR1 vlan-filtering=yes
/interface wifi
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Switzerland .mode=ap .ssid=MikroTik disabled=no name="main wifi" security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Switzerland .mode=ap .ssid=MikroTik name=wifi1-2.4 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
add configuration.mode=ap .ssid=guestc mac-address=XXXXXX master-interface=wifi1-2.4 name=wifi4
/interface vlan
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20
/interface wifi
add configuration.mode=ap .ssid=guestc disabled=no mac-address=XXXXXX master-interface="main wifi" name="guest wifi"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="dhcp pool" ranges=10.0.10.100-10.0.10.254
add name="guest pool" ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool="dhcp pool" interface=vlan10 name=dhcp1
add address-pool="guest pool" interface=vlan20 name=dhcp2
/ipv6 dhcp-server
add address-pool=v6pool interface=BR1 name=v6server
/disk settings
set auto-media-interface=BR1 auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
add action=drop chain=forward in-interface="guest wifi"
add action=drop chain=forward out-interface="guest wifi"
# wifi4 not ready
# in/out-bridge-port matcher not possible when interface (wifi4) is not slave
add action=drop chain=forward in-interface=wifi4
# wifi4 not ready
# in/out-bridge-port matcher not possible when interface (wifi4) is not slave
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=BR1 comment=defconf interface=ether2 pvid=10
add bridge=BR1 comment=defconf interface=ether3 pvid=10
add bridge=BR1 comment=defconf interface=ether4 pvid=10
add bridge=BR1 comment=defconf interface=ether5 pvid=10
add bridge=BR1 comment=defconf disabled=yes interface=sfp1
add bridge=BR1 comment=defconf interface=wifi1-2.4
add bridge=BR1 comment=defconf interface="main wifi" pvid=10
add bridge=BR1 interface="guest wifi" pvid=20
add bridge=BR1 interface=wifi4
add bridge=BR1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
/interface list member
add comment=defconf interface=BR1 list=LAN
add interface=sfp1 list=WAN
/ip address
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
/ip dhcp-client
add interface=sfp1 use-peer-dns=no
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="tmp: to restrict later" src-address=10.0.10.0/24
add action=drop chain=forward in-interface=vlan10 out-interface=vlan20
add action=drop chain=input dst-address=10.0.10.0/24 src-address=10.0.20.0/24
add action=drop chain=input dst-address=10.0.20.0/24 src-address=10.0.10.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 address
add from-pool=v6pool interface=BR1
/ipv6 dhcp-client
add add-default-route=yes interface=sfp1 pool-name=v6pool pool-prefix-length=56 request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward connection-state=established,related in-interface=sfp1 out-interface=BR1
add action=drop chain=forward in-interface=sfp1 out-interface=BR1
/ipv6 nd
set [ find default=yes ] interface=BR1 managed-address-configuration=yes mtu=1500 other-configuration=yes
/tool mac-server mac-winbox
set allowed-interface-list=LAN
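An added example, not from the reproduced config or from any reply, covering the "further firewall configuration" the second reply left open and the isolation rules in the config just above. In that config the forward chain only drops traffic from vlan10 to vlan20 (the rule with in-interface=vlan10); the two input-chain drops only concern packets addressed to the router itself; and the bridge filter entries only see frames switched inside BR1, while vlan10 to vlan20 traffic is routed and passes through /ip firewall instead. A guest on vlan20 can therefore still open new connections into 10.0.10.0/24. Separately, wifi4 (the 2.4 GHz guest SSID) has no pvid, so if it comes up it lands on the native VLAN together with ether1 and the bridge CPU port. The GUEST list name, the rule comments and the assumption that guests use 10.0.20.1 as their resolver are mine.

```routeros
# Added example, not the thread's own config. Symmetric guest isolation in the
# IP firewall, replacing the tmp input rule, the three one-way drops and the
# bridge filter entries of the posted config. Assumed: BR1, vlan10 (trusted,
# 10.0.10.0/24), vlan20 (guest, 10.0.20.0/24), defconf LAN/WAN lists and
# defconf chains, guests resolve DNS via the router at 10.0.20.1.

/interface list
add name=GUEST
/interface list member
# (skip the vlan10 line if it is already a LAN member)
add interface=vlan10 list=LAN
add interface=vlan20 list=GUEST

# The 2.4 GHz guest SSID must carry the guest PVID too, or it shares the
# native VLAN with ether1 and the bridge CPU port.
/interface bridge port set [find interface=wifi4] pvid=20
/interface bridge vlan set [find vlan-ids=20] untagged="guest wifi,wifi4"

# Bridge filter rules only match frames switched between bridge ports;
# vlan10<->vlan20 traffic is routed through /ip firewall, so drop them.
/interface bridge filter remove [find]

/ip firewall filter
remove [find comment~"^tmp"]
remove [find chain=forward in-interface=vlan10 out-interface=vlan20]
remove [find chain=input src-address=10.0.20.0/24 dst-address=10.0.10.0/24]
remove [find chain=input src-address=10.0.10.0/24 dst-address=10.0.20.0/24]

# input: guests may ask the router for DHCP and DNS, nothing else. Both go in
# front of "defconf: drop all not coming from LAN", which blocks the rest
# from vlan20 because vlan20 is not in the LAN list.
add action=accept chain=input comment="guest: dhcp" in-interface-list=GUEST protocol=udp dst-port=67 place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="guest: dns udp" in-interface-list=GUEST protocol=udp dst-port=53 place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="guest: dns tcp" in-interface-list=GUEST protocol=tcp dst-port=53 place-before=[find comment="defconf: drop all not coming from LAN"]

# forward: no new connections between guest and trusted in either direction.
# Appended after "drop all from WAN not DSTNATed"; established/related has
# already been accepted (and fasttracked) above, so only new flows get here.
add action=drop chain=forward comment="guest -> lan" connection-state=new in-interface-list=GUEST out-interface-list=LAN
add action=drop chain=forward comment="lan -> guest" connection-state=new in-interface-list=LAN out-interface-list=GUEST

# Check: from a guest host, connections to 10.0.10.1 (other than DNS) and to
# any LAN host fail while internet works, and the two drop counters increase.
/ip firewall filter print stats where chain=forward
```

With vlan10 in the LAN list, the "tmp" accept rule is redundant anyway, since the defconf "drop all not coming from LAN" rule no longer matches vlan10; removing it takes the router's input chain back to the defconf posture plus the two explicit guest exceptions.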