Hi,
I am new to MT. I would like to understand what I am doing and not just copy-paste.
I read the most common tutorials already.
hEX on TP-Link switch with multiple VLANs
I would like to understand how to write a route from 10.0.0.10 to the printer/scanner at 10.0.101.250
I would like to understand how to write a route from 192.168.179.10 to the printer/scanner at 10.0.101.250
All other communication between VLANs will be blocked by firewall rules later.
/interface bridge
add name=bridgeVLAN vlan-filtering=yes
/interface vlan
add interface=bridgeVLAN name=vlan1Default vlan-id=1
add interface=bridgeVLAN name=vlan10WWW vlan-id=10
add interface=bridgeVLAN name=vlan101Drucker vlan-id=101
add interface=bridgeVLAN name=vlan179Gast vlan-id=179
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN interface=ether3
/interface bridge vlan
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=179
add bridge=bridgeVLAN untagged=bridgeVLAN,ether3 vlan-ids=1
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=101
/ip address
add address=192.168.179.254 interface=vlan179Gast network=192.168.179.0
add address=10.0.101.254 interface=vlan101Drucker network=10.0.101.0
add address=10.0.0.254 interface=vlan10WWW network=10.0.0.0
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add
/system note
set show-at-login=no
anav
August 19, 2024, 1:58pm
2
Read → for proper setup of VLANs. The biggest change off the bat is: don't use vlan1, simply change it to 11 and you're golden.
https://forum.mikrotik.com/viewforum.php?f=23
Assuming ether3 is going to the managed switch.
/interface bridge port
add bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
/interface bridge vlan
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether2 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether4 vlan-ids=179
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=11,101
/interface vlan
add interface=bridgeVLAN name=vlan1Default vlan-id=11
WHY DO YOU ONLY HAVE THREE IP ADDRESSES ???
For firewall rules, in the forward chain, keep it simple.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat { disable or remove if not required }
+++++++++++ add additional ALLOW RULES here ++++++++++++++++++
add chain=forward action=drop comment="drop all else"
Firewall address lists are excellent mechanisms to identify users with common needs.
/ip firewall address-list
add address=10.0.0.10 list=AccessPrinter
add address=192.168.179.10 list=AccessPrinter
Add this rule above the "drop all else" last rule.
add chain=forward action=accept src-address-list=AccessPrinter dst-address=10.0.101.250
Tried my best.
vlan1 is not needed, so I deleted it completely.
Yes, ether3 is connected to the managed switch.
Still no access to the printer from 10.0.0.10.
/interface bridge
add name=bridgeVLAN vlan-filtering=yes
/interface vlan
add interface=bridgeVLAN name=vlan10WWW vlan-id=10
add interface=bridgeVLAN name=vlan101Drucker vlan-id=101
add interface=bridgeVLAN name=vlan179Gast vlan-id=179
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3 pvid=101
/interface bridge vlan
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=179
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=101
/ip address
add address=192.168.179.254/24 interface=vlan179Gast network=192.168.179.0
add address=10.0.101.254/24 interface=vlan101Drucker network=10.0.101.0
add address=10.0.0.254/24 interface=vlan10WWW network=10.0.0.0
/ip firewall address-list
add address=10.0.0.10 list=ZugriffAufDrucker
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=drop chain=forward comment="\"drop all else\""
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add
/system note
set show-at-login=no
anav
August 19, 2024, 8:28pm
4
Nor should you, let's look at the history:
You had,
/interface bridge port
…
add bridge=bridgeVLAN interface=ether3
I recommended,
/interface bridge port
…
add bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
You put instead,
…
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3 pvid=101
Do you see the conflict? You have stated the ether port is only for VLANs, but then you identified one VLAN that should leave the port untagged, like one does for an access port.
If your intent was a hybrid port, which I don't think is the case, then it would require no definition for frame types!!
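As an added illustration (not code from the thread), a small Python classifier that reads `/interface bridge port` export lines and labels each port as access, trunk, hybrid, or the trunk-plus-pvid conflict described above; it assumes the RouterOS defaults frame-types=admit-all and pvid=1 when a field is absent.

```python
# Added example: classify RouterOS bridge ports from export lines.
# Assumes RouterOS defaults frame-types=admit-all and pvid=1 for omitted fields.
from typing import Dict, List, Tuple


def parse_bridge_port(line: str) -> Dict[str, str]:
    """Turn one 'add key=value ...' export line into a dict of fields."""
    fields: Dict[str, str] = {}
    for tok in line.split()[1:]:          # skip the leading 'add'
        key, _, val = tok.partition("=")
        fields[key] = val
    fields.setdefault("frame-types", "admit-all")
    fields.setdefault("pvid", "1")
    return fields


def classify_port(fields: Dict[str, str]) -> str:
    """Return 'access', 'trunk', 'hybrid' or 'conflict' for one bridge port."""
    ft = fields["frame-types"]
    pvid_set = fields["pvid"] != "1"
    if ft == "admit-only-untagged-and-priority-tagged":
        return "access"        # only untagged frames in, all mapped to the pvid
    if ft == "admit-only-vlan-tagged":
        # A tagged-only port never receives untagged frames, so a non-default
        # pvid contradicts the declared intent: that is the conflict above.
        return "conflict" if pvid_set else "trunk"
    return "hybrid"            # admit-all: tagged frames plus untagged via pvid


def audit(export_lines: List[str]) -> List[Tuple[str, str]]:
    """Classify every bridge port line; returns (interface, classification)."""
    out: List[Tuple[str, str]] = []
    for line in export_lines:
        fields = parse_bridge_port(line)
        out.append((fields.get("interface", "?"), classify_port(fields)))
    return out


# Constructed sample: the three ether3 variants quoted in this thread.
SAMPLE = [
    "add bridge=bridgeVLAN interface=ether3",
    "add bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3",
    "add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3 pvid=101",
]

if __name__ == "__main__":
    for iface, kind in audit(SAMPLE):
        print(f"{iface}: {kind}")
```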
Started again by resetting the configuration…
/interface bridge
add name=bridgeVLAN vlan-filtering=yes
/interface vlan
add interface=bridgeVLAN name=vlan10WWW vlan-id=10
add interface=bridgeVLAN name=vlan101Drucker vlan-id=101
add interface=bridgeVLAN name=vlan179Gast vlan-id=179
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3
/interface bridge vlan
add bridge=bridgeVLAN tagged=ether3,bridgeVLAN untagged=ether2 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether4 vlan-ids=179
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=101
/ip address
add address=10.0.0.254/24 interface=vlan10WWW network=10.0.0.0
add address=10.0.101.245/24 interface=vlan101Drucker network=10.0.101.0
add address=192.168.179.254/24 interface=vlan179Gast network=192.168.179.0
/ip firewall address-list
add address=10.0.0.10 list=ZugriffAufDrucker
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=drop chain=forward
/system note
set show-at-login=no
Still no access from 10.0.0.10.
Connections within VLANs are all fine.
Don't I need to add a route, or is this all handled by default?
As discussed in this post http://forum.mikrotik.com/t/hex-lite-for-different-subnets/178091/1 the firewall needs a filter in both directions. I tried without success. So I switched back to your recommendation.
tracert shows 10.0.0.254 reached within ms, but no further hop → only timeout.
jaclaz
August 24, 2024, 3:05pm
7
By posting only partial configuration you are making it much more difficult to follow your settings.
Please post the whole configuration.
This:
/ip firewall address-list
add address=10.0.0.10 list=ZugriffAufDrucker
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=drop chain=forward
is likely the problem, if the packet is not matched on first rule, it will be dropped by the second.
Try disabling the second.
About routes, post the output of:
/ip route print
That's it, there is not more…
[admin@MikroTik] > export
# 1970-01-06 00:32:25 by RouterOS 7.15.3
# software id = xx
#
# model = RB750Gr3
# serial number = xx
/interface bridge
add name=bridgeVLAN vlan-filtering=yes
/interface vlan
add interface=bridgeVLAN name=vlan10WWW vlan-id=10
add interface=bridgeVLAN name=vlan101Drucker vlan-id=101
add interface=bridgeVLAN name=vlan179Gast vlan-id=179
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3
/interface bridge vlan
add bridge=bridgeVLAN tagged=ether3,bridgeVLAN untagged=ether2 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether4 vlan-ids=179
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 vlan-ids=101
/ip address
add address=10.0.0.254/24 interface=vlan10WWW network=10.0.0.0
add address=10.0.101.245/24 interface=vlan101Drucker network=10.0.101.0
add address=192.168.179.254/24 interface=vlan179Gast network=192.168.179.0
/ip firewall address-list
add address=10.0.0.1 list=ZugriffAufDrucker
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=drop chain=forward
/system note
set show-at-login=no
[admin@MikroTik] >
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAc 10.0.0.0/24 vlan10WWW 0
DAc 10.0.101.0/24 vlan101Drucker 0
DAc 192.168.179.0/24 vlan179Gast 0
Also, disabling only the second filter or all firewall filters does not change anything.
jaclaz
August 24, 2024, 4:29pm
9
Then the issue is related to VLAN settings.
No idea about those, I can only observe that you are not using the exact settings anav suggested (cannot say if those would make a difference).
You have the routes as DAC, so you don’t need to add them as static.
Maybe you can go through this:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
which is the main forum resource for VLAN settings.
anav
August 24, 2024, 5:52pm
10
Okay, so what you are saying is that the hEX is not a router in your network and it's acting as a switch.
It's connected to a TP-Link switch on ether3. In this case your question or request may be unreasonable.
Whether or NOT any device in one VLAN can reach a device in another VLAN IS THE RESPONSIBILITY of the router providing DHCP and firewall services.
When the hEX is merely a switch it cannot divert individual VLAN traffic, at least to my knowledge.
You may wish to research bridge firewalls, but their interaction with VLANs from another device is unknown to me.
To get familiar with the MikroTik hEX I have a very simple setup.
A switch with Windows and Linux hardware connected to individual ports.
The switch is "separated" into 3 VLANs. All of them work as expected.
All hardware has static IPs. Connections work as expected.
Now I added a hEX to my setup.
The hEX should only be used to connect one specific device from one VLAN to another VLAN.
No Internet, no router, nothing else.
Connecting PC 10.0.0.1 to VLAN10: no access through 10.0.0.254 to 10.0.101.250 (printer interface)
Connecting PC to VLAN101 (changed IP address): access to 10.0.101.250 (printer interface)
anav
August 24, 2024, 6:53pm
12
Well what I stated is important to understand.
The hEX is unable to make such decisions acting as a switch, nor can any other L2 device (switch).
Just did another test.
Added another router to VLAN10.
Added a static route on this router (10.0.101.0/24 to 10.0.0.254).
Started tracert from 10.0.0.1 to 10.0.101.254 with the following result:
ms to first router in VLAN10
ms to 10.0.0.254
timeout to reach 10.0.101.250
Same result as before, no routing from VLAN10 to VLAN101.
anav
August 24, 2024, 6:57pm
14
Nor should there be on the hex in this setup.
OK, so what is needed to make the hEX a router? DHCP or Internet is not needed. Just to connect two devices from different VLANs.
rplant
August 25, 2024, 12:40am
16
You need two or more different VLANs on the hEX.
The hEX needs to have an IP address assigned to it for each VLAN.
The devices on each VLAN need to have the hEX as their default gateway.
(Alternatively each VLAN's default gateway/router could have a static route for the other VLAN(s) pointing to the hEX's IP address, which will hopefully redirect the device to use the hEX as its gateway when needed.)
The traffic from one VLAN to another should now be possible but needs to make it through the firewall.
With the default firewall rules it would perhaps be best if you made each VLAN a member of the LAN interface list.
If the hEX is behind another router/firewall, you could largely remove/disable the forwarding firewall rules.
This assumes you trust all the devices on all the VLANs.
If not, you might want to create firewall rules to allow devices on trusted VLANs to connect everywhere (e.g. member of LAN interface list),
while untrusted VLANs can only connect to the internet (custom firewall rule).
/interface bridge
add name=bridgeVLAN vlan-filtering=yes
/interface vlan
add interface=bridgeVLAN name=vlan10WWW vlan-id=10
add interface=bridgeVLAN name=vlan101Drucker vlan-id=101
add interface=bridgeVLAN name=vlan179Gast vlan-id=179
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=101
/interface bridge vlan
add bridge=bridgeVLAN tagged=ether3,bridgeVLAN untagged=ether2 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether4 vlan-ids=179
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether5 vlan-ids=101
/ip address
add address=10.0.0.254/24 interface=vlan10WWW network=10.0.0.0
add address=10.0.101.254/24 interface=vlan101Drucker network=10.0.101.0
add address=192.168.179.254/24 interface=vlan179Gast network=192.168.179.0
/ip firewall address-list
add address=10.0.0.1 list=ZugriffAufDrucker
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=drop chain=forward disabled=yes
/system note
set show-at-login=no
Now I have made it even more simple.
Windows PC with 10.0.0.1 with GW 10.0.0.254 on port 2 of the hEX
Printer with 10.0.101.250 with GW 10.0.101.254 on port 5 of the hEX
Connection possible.
In case I activate the firewall rules → no connection
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=drop chain=forward
Learned a lot today.
I need the firewall forward rule in both directions:
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=accept chain=forward dst-address-list=ZugriffAufDrucker src-address=10.0.101.250
add action=drop chain=forward
Tomorrow I will set up a more complex network to finally achieve the setup from post one.
I am really new to MikroTik, but I have learned to like the hEX already.
I have connected many devices to a switch separated into VLANs. A hEX is connected via a trunk port to manage the communication between VLANs.
Important: in case devices need communication in both directions → also open the hEX firewall in both directions.
For me everything works fine.
# 1970-01-12 01:31:21 by RouterOS 7.15.3
# software id =
#
# model = RB750Gr3
# serial number =
/interface bridge
add name=bridgeVLAN vlan-filtering=yes
/interface vlan
add interface=bridgeVLAN name=vlan10WWW vlan-id=10
add interface=bridgeVLAN name=vlan101Drucker vlan-id=101
add interface=bridgeVLAN name=vlan179Gast vlan-id=179
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=179
add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=101
/interface bridge vlan
add bridge=bridgeVLAN tagged=ether3,bridgeVLAN untagged=ether2 vlan-ids=10
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether4 vlan-ids=179
add bridge=bridgeVLAN tagged=bridgeVLAN,ether3 untagged=ether5 vlan-ids=101
/ip address
add address=10.0.0.254/24 interface=vlan10WWW network=10.0.0.0
add address=10.0.101.254/24 interface=vlan101Drucker network=10.0.101.0
add address=192.168.179.254/24 interface=vlan179Gast network=192.168.179.0
/ip firewall address-list
add address=10.0.0.1 comment=Daniel list=ZugriffAufDrucker
/ip firewall filter
add action=accept chain=forward dst-address=10.0.101.250 src-address-list=ZugriffAufDrucker
add action=accept chain=forward dst-address-list=ZugriffAufDrucker src-address=10.0.101.250
add action=drop chain=forward
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system note
set show-at-login=no
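As an added example (not code from the thread or from MikroTik), a small Python model of the forward chain evaluated over this thread's printer flow 10.0.0.1 → 10.0.101.250: it assumes first-match-wins with RouterOS's default accept when nothing matches, and that a `connection-state=established,related` rule matches the reply of an already accepted connection. It goes slightly beyond the thread by contrasting the two-directional accept rules above with the stateful rule set anav posted earlier.

```python
# Added example: model three forward-chain rule sets from this thread.
# Assumes first match wins, default policy accept, and that conntrack marks
# the reply of an accepted request as established. Inputs are constructed.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

Flow = Tuple[str, str]            # (src, dst) as the firewall sees one packet

ACCESS_PRINTER: Set[str] = {"10.0.0.1"}     # address-list ZugriffAufDrucker
PRINTER = "10.0.101.250"


@dataclass
class Rule:
    action: str                                 # "accept" or "drop"
    match: Callable[[Flow, bool], bool]         # (packet, is_reply) -> bool


def established(pkt: Flow, is_reply: bool) -> bool:
    return is_reply                 # connection-state=established,related

def to_printer(pkt: Flow, is_reply: bool) -> bool:
    return pkt[0] in ACCESS_PRINTER and pkt[1] == PRINTER

def from_printer(pkt: Flow, is_reply: bool) -> bool:
    return pkt[0] == PRINTER and pkt[1] in ACCESS_PRINTER

def any_packet(pkt: Flow, is_reply: bool) -> bool:
    return True                     # the trailing "drop all else"


def forward_chain(rules: List[Rule], pkt: Flow, is_reply: bool) -> str:
    """First matching rule decides; no match means RouterOS's default accept."""
    for r in rules:
        if r.match(pkt, is_reply):
            return r.action
    return "accept"


def round_trip(rules: List[Rule]) -> Tuple[str, str]:
    """Verdicts for the PC's request and the printer's reply; the reply only
    counts as established if the request itself was accepted."""
    req: Flow = ("10.0.0.1", PRINTER)
    rep: Flow = (PRINTER, "10.0.0.1")
    v_req = forward_chain(rules, req, is_reply=False)
    v_rep = forward_chain(rules, rep, is_reply=(v_req == "accept"))
    return v_req, v_rep


def unsolicited(rules: List[Rule]) -> str:
    """Verdict for a connection the printer opens towards the PC on its own."""
    return forward_chain(rules, (PRINTER, "10.0.0.1"), is_reply=False)


ONE_WAY = [Rule("accept", to_printer), Rule("drop", any_packet)]
TWO_WAY = [Rule("accept", to_printer), Rule("accept", from_printer), Rule("drop", any_packet)]
STATEFUL = [Rule("accept", established), Rule("accept", to_printer), Rule("drop", any_packet)]
```

The one-way set drops the printer's reply, which is the symptom seen in this thread; the two-way set fixes that but also lets the printer open connections to the PC, while the stateful set allows only replies to connections the PC started.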
anav
August 31, 2024, 10:36pm
20
If this is an internet-facing router your firewall rules suck.
Side note: if you have a VLAN fully open to another VLAN (two-way comms), perhaps it should just be one VLAN?