Hey guys,
after managing to make the internet access working with your help, I want to setup the following infrastructure with the hEX S (image attached):
The three Access Points are for three different apartments. All of them should have internet access, their own network address and DHCP server while not being able to see computers from other networks/access points.
To achieve this I went through a tutorial with the help of a friend who is experienced setting up networks and VLANs. But The result with the current state is, that a (windows) computer connected to VLAN 1 does not get an IP address assigned. We were not able to find the reason for this.
Note: I want the three VLANS to be untagged, since the apartments residents will/can bring their own access points. So I do not want those access points need to be configured to work with a certain VLAN only.
This is the current config:
[admin@RouterOS] > export hide-sensitive
# oct/16/2022 12:37:58 by RouterOS 6.48.6
# software id = QXQC-WMAZ
#
# model = RB760iGS
# serial number = HD2086154BV
/interface bridge
add admin-mac=18:FD:74:8B:4F:B0 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan101 vlan-id=101
add interface=bridge name=vlan102 vlan-id=102
add interface=bridge name=vlan103 vlan-id=103
add interface=ether1 name=vlan_wan vlan-id=132
/interface ethernet switch port
set 2 default-vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool101 ranges=192.168.101.10-192.168.101.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool101 disabled=no interface=vlan101 name=dhcp101
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=101
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=102
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=103
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge vlan-ids=102
add bridge=bridge tagged=ether1 vlan-ids=103
add bridge=bridge untagged=ether3 vlan-ids=101
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan_wan list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.101.1/24 interface=vlan101 network=192.168.101.0
add address=192.168.102.1/24 interface=vlan102 network=192.168.102.0
add address=192.168.103.1/24 interface=vlan103 network=192.168.103.0
/ip dhcp-client
add comment=defconf disabled=no interface=vlan_wan
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.101.0/32 dns-server=192.168.88.1,195.43.113.130 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vlan_wan \
out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=vlan_wan
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Assuming these are dumb access points that cannot read vlan tags…
Add vlan for your own connection, keeps it simple and clean, apples to apples
dont set etheport switch
add TRUSTED interface list entry
missing IP pools for all vlans, probably dhcp server probaby dhcp-server network, probably address???
Adjusted input chain rules so only you have access to the router for config purposes the rest just for DNS services.
Fixed /interface bridge ports and vlans
Adjust forward chain rule to be better for security and clearer rules.
Cannot have two out interfaces for masquerade rule…
Plus other points, so look at it line by line for differences…
I then tried to identify this config in the UI to adjust it, but I’m not able to find it. “ingress-filtering” can only be set for a bridge interface, but here I cannot set the corresponding interface.
See attached screenshots.
Where do I find the entries to edit the bridge as mentioned?
I would like to use your config as a file to load it as a backup. But I did not find any solution to store this as a file on the Mikrotik.
The VLAN tab on the Bridge itself.
The only thing that should be done is vlan filtering checked at the end of the config.
The rest leave at default / Pvid=1, ingress filtering=No / frame types = admit all.
I edit in winbox manually line by line OR
use the new terminal window and CLI commands…
Nlot sure why you are having problems setting the /interface bridge port settings…???
Go Bridge MENU, select ports tab etc…
Given the requirements and the diagram in this configuration, I don’t see any advantage in using vlans on any ether port except your WAN ether1 connection (and there only if your ISP is providing you internet on tagged vlan 132).
Vlans are useful when you have more than 1 group of ports in different subnets, e.g. wan on ether1, vlan 101 on ether2 and ether3 and sfp, vlan 201 on ether4 and ether5 and sfp. This would partition the bridge into two “mini-switches” with two access ports each and the spf as a trunk port (perhaps to an external switch).
But in your case, every port has its own ip subnet. I don’t see any advantage to using vlans. I generally do recommend using vlans, but in this case I don’t. I my opinion, using vlans in this case is just adding complexity with no benefit.
If your goal is to learn vlans, then you should learn in a case where they do add value.
I roughly understand it and it actually was the first idea to seperate them “physically” with different switches. But it seems the heXS is not able to do this, since there seem to be only one switch for all ports. There is no “add”-Button in the category “switches”.
Ah, got it. I expected that “/interface” is the equivalent of “interface” in the UI. Like it is for “/ip”.
I now applied everything identically as you had in your list with two exceptions.
I still have this setting by default and I don’t know how to remove it:
—/ip dns static
—add address=192.168.88.1 comment=defconf name=router.lan
I did not dare to add the following because I’m afraid that I could lock myself out again:
—/tool mac-server
—set allowed-interface-list=LAN
—/tool mac-server mac-winbox
—set allowed-interface-list=LAN
The result is: The router and me on Ether2 do have internet. The VLAN 101 to 103 are getting IP’s from the correct range. But they do not have internet access.
Any idea what the cause is?
btw: Seems this board is ignoring spaces and line breaks in many cases. I guess this is for saving space in the database, but it makes writing properly formatted, readable posts pretty hard.
Each group of ports that are members of that same vlan under the bridge acts like a separate “mini-switch”. I.e. each vlan is a separate “broadcast” domain.
It is like a “managed” switch, where you can put different ports into different vlans, and they will be “isolated” from each other. The only way they can communicate then is via some router. In the case of the hEX S, the router is software running on the CPU.
I will keep that in mind, but since I already spent a lot of time into the last approaches and since the current config is very close to be working (I guess), I honestly want to find the issue in the current one.
Also I don’t see a big difference to the current config compared to the paragraph “Breaking up one Physical Switch into multiple Virtual Switches” in the first article you have linked.
So before I spend another >10 hours into that approach: Does anybody have an idea why the clients on the VLAN 101 to 103 do not have internet access?
When connected to ether2 make a note of the output of command prompt ipconfig /all and tracert -d 1.1.1.1 copy the output to a file (e.g. notepad) or redirect to a file e.g. ipconfig /all > ipconfig_ether2.txt and tracert -d 1.1.1.1 >tracert_ether2.txt
Are you saying that if you plug into ether3, you get an ip address from the ranges=192.168.101.10-192.168.101.254 but can’t access internet? What does the ipconfig /all show when connected to ether3? What does output of tracert -d 1.1.1.1 show compared to when connected to ether2?
Same for connecting to ether5. Do you get address from ranges=192.168.103.10-192.168.103.254 but can’t access internet? What does the ipconfig /all show when connected to ether5? What does output of tracert -d 1.1.1.1 show compared to when connected to ether2?
You didn’t mention vlan 102, so does it work or not? If you connect to ether4 do you get ip address from ranges=192.168.102.10-192.168.102.254 but can’t access internet? What does the ipconfig /all show when connected to ether4? What does output of tracert -d 1.1.1.1 show compared to when connected to ether2?
Routenverfolgung zu 1.1.1.1 über maximal 30 Hops
1 <1 ms <1 ms <1 ms 192.168.88.1
2 17 ms 15 ms 17 ms 10.10.10.2
3 * * * Zeitüberschreitung der Anforderung.
4 16 ms 16 ms 15 ms 192.168.127.13
5 16 ms 16 ms 16 ms 212.88.145.237
6 17 ms 16 ms 17 ms 217.24.235.181
7 17 ms 17 ms 17 ms 217.24.235.178
8 17 ms 17 ms 17 ms 217.24.235.157
9 24 ms 21 ms 21 ms 80.81.194.180
10 23 ms 22 ms 26 ms 172.70.244.3
11 21 ms 20 ms 20 ms 1.1.1.1
Ablaufverfolgung beendet.
Actually the /32 was not visible in the UI configuration anymore, since the last parameter set the netmask=24.
But after removing the parameter and adding the /24 manually, if worked.
.