Help with config of VLAN

Hi!

I have never really used VLANs before, but thought I grasped the concept. Probably not :slight_smile:
I’ve got a RB5009 that I want to use as my firewall and main router, and also for supplying PoE to the devices that support it, such as a couple of APs and a CRS305.

There are a couple of switches connected to the RB5009:

  • 1x CRS326 - Used for other cabled clients
  • 1x CSS610 - Also used for cabled clients
  • 1x CRS305 - This is where my RB5009 (SFP+ port 1), CRS326 (SFP+ port 2), CSS610 (SFP+ port 3) and also my server (SFP+ port 4) are connected via DAC cables.

I want to have a couple of different VLANs:

  • Trusted clients(called Hemma/VLAN30)
  • IOT(called IOT/VLAN20)
  • Server(called server/VLAN40)
  • Guests (VLAN10)

I want all the traffic between the VLANs to be routed through the RB5009 and through the firewall, with only the traffic that I define allowed (e.g. trusted clients --to-- server VLAN, trusted clients --to-- IOT), but traffic within the VLANs should follow the shortest path.

I think I’ve somewhat got it to work, but I’m very unsure if I’ve done it correctly. Some tests seem to show that it “probably” works, which is of course great :slight_smile:
But still I’d very much like to know if I got the VLAN config “correct”, the way of doing FW rules, whether the CRSs that are supposed to act like switches are really acting like switches, etc.

I’d really like to learn and do better, so if someone has the time to help with feedback it’d be very much appreciated :slight_smile:

I’ve included the config files for the RB5009 and the CRS326 as well as the CRS305.

Oh, I tried to implement a MGMT network to be able to reach the devices offline, but I stopped for fear of losing connection to everything, so there is some config in regards to VLAN99 = MGMT that I haven’t really dealt with yet.
CRS305.rsc (3.46 KB)
CRS326.rsc (6.07 KB)
RB5009.rsc (14 KB)

The best example to follow:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

In terms of vlans, the main difference between the router and the CRS3xx switches
is that only the management/trusted vlan needs to be created/identified, and the bridge need only be tagged for vlan-ids= the management vlan.

You have valid concerns regarding losing connectivity, as bridges and vlans burp often when implementing.
Hence I always take one port OFF the bridge and give the port an IP address like
192.168.55.1/30; then you can config more freely by plugging a laptop into that port, changing its IPv4 settings to 192.168.55.2, and you're in, mostly.
/interface ethernet set [ find default-name=ether8 ] name=OffBridge8
You already have ether7 for access to the management vlan directly, so ether8 should be available and is recommended.
By the way, you missed untagging ether7 anyway LOL.

Why is one switch disabled and the other only for PoE? That's nonsensical. Where will the 305 get its data flows from???

I personally don't like your use of interface lists (bridge has no business being there either) and I would have
WAN - ether1
LAN - MGMT / HEMMA / SERVER / GUEST / IOT / VLAN88 / Offbridge8
TRUSTED= MGMT, Offbridge8

Do not mix the bridge doing DHCP when you have really converted to vlans. Just change bridge to vlan88; minimal changes needed.
It also creates a mess of your /interface bridge port and bridge vlan entries, which are expectedly in conflict. You in effect created hybrid ports
where none were necessary with ether2 and 3, which should be trunk ports to the capax…

/interface vlan
add interface=bridge name=vlan88 vlan-id=88
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan88 network=192.168.88.0
/ip dhcp-server
add address-pool=default-dhcp interface=vlan88 lease-time=8h name=defconf

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether2 - CAPAX1"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether3 - CAPAX2"
# disabled=yes ???  (why are these two disabled?)
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether4 - POE-CRS326" disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether5 - CRS305 ONLY FOR POE" disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface="ether6 - Mandarin OOB" pvid=88
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface="ether7 - Mandarin LAN - mgmt" pvid=99
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge comment="Identical flow for guest/iot/hemma" tagged="sfp-sfpplus1,bridge,ether3 - CAPAX2,ether2 - CAPAX1" vlan-ids=10,20,30
# ether8 is the off-bridge port; the access port with pvid=99 is ether7, so that is the untagged member
add bridge=bridge comment="MGMT VLAN" tagged="sfp-sfpplus1,bridge,ether3 - CAPAX2,ether2 - CAPAX1" untagged="ether7 - Mandarin LAN - mgmt" vlan-ids=99
add bridge=bridge comment="SERVER" tagged=sfp-sfpplus1,bridge vlan-ids=40

Note: Now, if you do want vlan88 to go not just to ether6 but also to the capaxs and sfp, then you will need to adjust the /interface vlan settings.

++++++++++++++++++

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp

# put this rule last
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked

add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" in-interface-list=TRUSTED out-interface-list=LAN
# enable if required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes

add action=drop chain=forward comment="Drop all else"

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED



If not using IPv6:
Disable it, then
copy the firewall address lists and firewall rules of IPv6 into a file on your computer for potential future use, and then
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
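The reply above checks the bridge VLAN table by eye (untagged entry missing for the pvid port, a trunk turned into a hybrid port, a stray member that is no longer on the bridge). As an added example, not code from the post or from MikroTik, here is a small Python linter that performs those checks over the `/interface bridge port` and `/interface bridge vlan` sections of an exported `.rsc`. The two configs it runs on are constructed for the example: `SAMPLE` contains the kinds of mistakes discussed (a `20.30` typo in `vlan-ids`, vlan 99 untagged on a port that is off the bridge while another port carries `pvid=99`, a `pvid=88` port with no vlan-88 entry), and `FIXED` is the same port set with a consistent vlan table. The function and constant names (`lint_bridge_vlans`, `expand_vlan_ids`, `parse_rsc`, `SAMPLE`, `FIXED`) are the example's own.

```python
"""Lint a RouterOS bridge-VLAN export for common inconsistencies (added example)."""
import re
import shlex
from collections import defaultdict

VLAN_ID_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

# Constructed sample: "20.30" typo, vlan 99 untagged on ether8 (not a bridge port)
# while ether7 carries pvid=99, and ether6 pvid=88 with no vlan-88 entry.
SAMPLE = r"""
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether2 - CAPAX1"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether3 - CAPAX2"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface="ether6 - Mandarin OOB" pvid=88
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface="ether7 - Mandarin LAN - mgmt" pvid=99
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge comment="guest/iot/hemma" tagged="sfp-sfpplus1,bridge,ether3 - CAPAX2,ether2 - CAPAX1" vlan-ids=10,20.30
add bridge=bridge comment="MGMT VLAN" tagged="sfp-sfpplus1,bridge,ether3 - CAPAX2,ether2 - CAPAX1" untagged=ether8 vlan-ids=99
add bridge=bridge comment="SERVER" tagged=sfp-sfpplus1,bridge vlan-ids=40
"""

# Same ports, corrected vlan table (constructed); the '\' exercises line continuation.
FIXED = SAMPLE.split("/interface bridge vlan")[0] + r"""
/interface bridge vlan
add bridge=bridge tagged="sfp-sfpplus1,bridge,ether3 - CAPAX2,ether2 - CAPAX1" vlan-ids=10,20,30
add bridge=bridge tagged="sfp-sfpplus1,bridge,ether3 - CAPAX2,ether2 - CAPAX1" \
    untagged="ether7 - Mandarin LAN - mgmt" vlan-ids=99
add bridge=bridge tagged=bridge untagged="ether6 - Mandarin OOB" vlan-ids=88
add bridge=bridge tagged=sfp-sfpplus1,bridge vlan-ids=40
"""


def _logical_lines(text):
    """Yield non-empty, non-comment lines with RouterOS '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield buf.strip()
        buf = ""


def parse_rsc(text):
    """Return {section: [ {key: value, ...}, ... ]} for every 'add' line."""
    sections, section = defaultdict(list), None
    for line in _logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        toks = shlex.split(line)  # honours quoted values such as "ether2 - CAPAX1"
        if section and toks and toks[0] == "add":
            sections[section].append(dict(t.partition("=")[::2] for t in toks[1:]))
    return sections


def expand_vlan_ids(spec):
    """'10,20,30,100-102' -> {10,20,30,100,101,102}; ValueError on junk like '20.30'."""
    ids = set()
    for part in spec.split(","):
        m = VLAN_ID_RE.match(part.strip())
        if not m:
            raise ValueError(f"malformed vlan-ids element {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"vlan id out of range in {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def lint_bridge_vlans(text, mgmt_vlan=99):
    """Return [(severity, message)] for the bridge port / bridge vlan sections."""
    cfg, findings = parse_rsc(text), []
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", [])}
    tagged_on, untagged_on = defaultdict(set), defaultdict(set)
    for v in cfg.get("/interface bridge vlan", []):
        try:
            ids = expand_vlan_ids(v.get("vlan-ids", ""))
        except ValueError as e:
            findings.append(("error", f"bridge vlan entry {v.get('comment', '')!r}: {e}"))
            continue
        tg = [x for x in v.get("tagged", "").split(",") if x]
        ut = [x for x in v.get("untagged", "").split(",") if x]
        for name in tg + ut:  # members must be bridge ports or the bridge itself
            if name != v.get("bridge", "bridge") and name not in ports:
                findings.append(("error", f"vlan {sorted(ids)}: {name!r} is not a bridge port (off-bridge or typo)"))
        for name in set(tg) & set(ut):
            findings.append(("error", f"vlan {sorted(ids)}: {name!r} listed both tagged and untagged"))
        for name in tg:
            tagged_on[name].update(ids)
        for name in ut:
            untagged_on[name].update(ids)
    for name, p in ports.items():
        tagged_only = p.get("frame-types", "admit-all") == "admit-only-vlan-tagged"
        pvid = int(p.get("pvid", "1"))
        if tagged_only and untagged_on[name]:
            findings.append(("error", f"{name!r}: admits only tagged frames but is untagged member of {sorted(untagged_on[name])}"))
        if not tagged_only and pvid not in untagged_on[name]:
            findings.append(("error", f"{name!r}: pvid={pvid} but no static bridge vlan entry lists it untagged for vlan {pvid}"))
        if tagged_on[name] and untagged_on[name]:
            findings.append(("warning", f"{name!r}: hybrid port (tagged {sorted(tagged_on[name])}, untagged {sorted(untagged_on[name])})"))
    if mgmt_vlan not in tagged_on["bridge"]:  # router's own vlan interface needs the bridge tagged
        findings.append(("warning", f"management vlan {mgmt_vlan} is not tagged on the bridge interface"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        print(f"== {label}")
        for sev, msg in lint_bridge_vlans(cfg) or [("ok", "no findings")]:
            print(f"  {sev}: {msg}")
```

Run it against `/export` output from the router (paste the two sections into a file and pass its contents to `lint_bridge_vlans`). It deliberately treats only static entries as membership, so a port whose PVID exists merely as a dynamic entry is still reported, which is the "missed untagging ether7" case; pass `mgmt_vlan=` to match your management VLAN id.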

Sorry for the late reply.
Thanks for the link to the post and the examples!
I think I managed to improve the config and also move all the management traffic for the switches and the APs to the separate management VLAN. Took some trial and error, but I learned a lot in the process :slight_smile: