how to access client in vlan from bridge

Hi,

My only LAN is based on devices that connect to LAN-bridge 192.168.88.0.
I have 2 Unifi APs + 1 switch (TL-SG108PE) that connect to the LAN-bridge. The 2 Unifi APs connect to the router's ether9 and ether10 ports and serve the following VLANs (30/31/32/33/40/41/50) for my wifi clients.

Now I have set up LAN2: vlan-100: 192.168.100.0/27 for a test lab. It has one server running with the IP 192.168.100.27.

What FW rules should I place:
  1. to access the server in LAN2 from my client in LAN-bridge, 192.168.88.100?
  2. to isolate vlan-100 from LAN-bridge and the VLANs (30/31/32/33/40/41/50)?

My config export is attached.
setup_v1.rsc (10.8 KB)

Once you go to the one-bridge approach and turn any bridge subnet into a proper VLAN (very minor changes), then I can be of assistance.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hi again, I don't understand what you mean by "turn any bridge subnet into a proper vlan". Could you guide me on how to do that for 1 VLAN? I have read the topic you pointed me to several times, and even redid the whole setup again, but with no luck.

Another concept I do not fully understand is that if I set up a BASE-VLAN (192.168.0.0), I still have in my config the subnet 192.168.88.0 that came with the default RoS setup. Do I need to erase anything related to it:
IP>Addresses: 192.168.88.1/24 192.168.88.0 BR1
IP>Pool: 192.168.88.10-192.168.88.254
IP>DHCP Server
IP>DHCP Networks
If yes, how should it be done? I have tried and always lose access to the router.
Rgds

When doing VLANs, you indeed no longer do anything with IPs on the bridge.
To keep access to the router, just leave one (enabled) port out of the bridge ports and use it for management (over MAC address).

Looks like you are nearly there, a network diagram (and useful names) would help.

Hi, good to hear I am nearly there.

I have been working on this and made a few changes, trying to stick to the names and setup used in the post viewtopic.php?t=143620. So I will upload the setup again, and now I also attach an image of my LAN map.

  1. As I wrote before, I don't know if I should/can delete these parameters from the config file:
    /interface list
    add comment=defconf name=LAN
    /ip pool
    add name=LAN-bridge-pool ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=LAN-bridge-pool interface=BR1 lease-time=5m name=LAN-bridge
    /interface list member
    add interface=BR1 list=LAN
    /ip address
    add address=192.168.88.1/24 comment=defconf interface=BR1 network=192.168.88.0
    /ip dhcp-server network
    add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.88.1
    Although there is one bridge now (BR1), all these parameters related to the previous bridge from the default RoS setup are still around. If I delete them, how can I be sure the router would still maintain its IP 192.168.88.1?

  2. Another thing I need to fix is that both APs (connected to ether9/10) do not get an IP from the BASE-VLAN subnet; they still get an IP from 192.168.88.10. I want them to be on BASE-VLAN.

I managed (after lots of testing) to gain access to Winbox in 2 ways:
  • connect from a client connected to the router's ether2 > then I can connect to BASE-VLAN
  • connect from a client connected to the switch's ether6/7/8 (the switch itself is connected to the router's ether6); for this to work I had to:
    • set the router's ether6 as tagged (in Bridge>VLANs) and
    • set up the switch to:
      • assign ports 6/7/8 a pvid=99
      • set port 1 as tagged
      • set ports 6/7/8 as untagged
I still have to play around with a third option: take a port, i.e. ether3, out of the bridge and set it up for management of the router. But this is for later.

Now I would like to clarify 1) and 2). Let me know if you need any other info.
setup_v2b.txt (11.7 KB)

To avoid losing access to the router, the best method is to take a port off the bridge and manage from that port.
In this modification, I have used ether8. Just plug your laptop into ether8, change the IPv4 settings on the laptop to 192.168.77.2 and you should be in.
A VLAN interface list is not required. The VLANs are already part of the LAN interface list.
After accessing by port 8, remove all references to the 192.168.88 subnet!!
The biggest problem is that you have put the Unifi NOT on the base VLAN but on the bridge subnet for their IP address.
Assuming the Unifi have not been changed from default, they expect the management VLAN untagged and the data VLANs tagged, and thus a hybrid port arrangement.
If wrong, then they can all be VLANs and they should get an IP address on the 192.168.0.0/24 subnet, as should the SWITCH!
The input chain needs work: notice you allow all VLANs to the router, then after that the base VLAN to the router... where in fact LAN users only need access to services like DNS and NTP.
Ensure you disable the IP DHCP client, as your ISP termination is done in the PPPoE settings.

The main difference now is that your Unifi APs should get an IP address from the 192.168.0.0 DHCP server (and no longer be part of the removed .88 network).

# model = RB4011iGS+
/interface bridge
add admin-mac=74:4D:28:A0:4B:78 auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] name=OffBridge8
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add comment=WAN interface="ether1[WAN]" name=vlan20-digi vlan-id=20
add interface=BR1 name=MAX-wifi-VLAN vlan-id=30
add interface=BR1 name=BLUEI-wifi-VLAN vlan-id=31
add interface=BR1 name=TICOX-wifi-VLAN vlan-id=32
add interface=BR1 name=USSU--wifi-VLAN vlan-id=33
add interface=BR1 name=ORB-wifi-VLAN vlan-id=40
add interface=BR1 name=META-wifi-VLAN vlan-id=41
add interface=BR1 name=OSS-wifi-VLAN vlan-id=50
add interface=BR1 name=BASE-VLAN vlan-id=99
add interface=BR1 name=TEST-VLAN vlan-id=100
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20-digi max-mru=512 name=\
    pppoe-out-digi user=123
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MAX-pool ranges=10.0.30.10-10.0.30.254
add name=USSU-pool ranges=10.0.33.10-10.0.33.254
add name=TICOX-pool ranges=10.0.32.10-10.0.32.254
add name=OSS-pool ranges=10.0.50.10-10.0.50.254
add name=TEST-pool ranges=192.168.100.10-192.168.100.40
add name=ORB-pool ranges=10.0.40.10-10.0.40.254
add name=META-pool ranges=10.0.41.10-10.0.41.254
add name=BLUEI-pool ranges=10.0.31.10-10.0.31.254
add name=BASE-pool ranges=192.168.0.10-192.168.0.40
/ip dhcp-server
add address-pool=MAX-pool interface=MAX-wifi-VLAN lease-time=5m name=\
    wifi-MAX-dhcp
add address-pool=BLUEI-pool interface=BLUEI-wifi-VLAN lease-time=5m name=\
    wifi-BLUEI-dhcp
add address-pool=OSS-pool interface=OSS-wifi-VLAN lease-time=5m name=\
    wifi-OSS-dhcp
add address-pool=TICOX-pool interface=TICOX-wifi-VLAN lease-time=5m name=\
    wifi-TICOX-dhcp
add address-pool=TEST-pool interface=TEST-VLAN lease-time=5m name=TEST-dhcp
add address-pool=ORB-pool interface=ORB-wifi-VLAN lease-time=5m name=\
    wifi-ORB-dhcp
add address-pool=META-pool interface=META-wifi-VLAN lease-time=5m name=\
    wifi-META-dhcp
add address-pool=USSU-pool interface=USSU--wifi-VLAN lease-time=5m name=\
    wifi-USSU-dhcp
add address-pool=BASE-pool interface=BASE-VLAN lease-time=5m name=BASE-dhcp
/interface bridge port
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BR1  interface=ether9  pvid=99
add bridge=BR1  interface=ether10 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=30,31,32,33,40,41,50
add bridge=BR1 tagged=BR1,ether6 vlan-ids=100
add bridge=BR1 tagged=BR1,ether6  untagged=ether2,ether9,ether10 vlan-ids=99
/interface list member
add interface="ether1[WAN]" list=WAN
add interface=pppoe-out-digi list=WAN
add interface=MAX-wifi-VLAN list=LAN
add interface=META-wifi-VLAN list=LAN
add interface=ORB-wifi-VLAN list=LAN
add interface=OSS-wifi-VLAN list=LAN
add interface=TICOX-wifi-VLAN list=LAN
add interface=USSU--wifi-VLAN list=LAN
add interface=BLUEI-wifi-VLAN list=LAN
add interface=OffBridge8 list=LAN
add interface=BASE-VLAN list=BASE
add interface=OffBridge8 list=BASE
/ip address
add address=192.168.0.1/27 interface=BASE-VLAN network=192.168.0.0
add address=10.0.30.1/24 interface=MAX-wifi-VLAN network=10.0.30.0
add address=10.0.31.1/24 interface=BLUEI-wifi-VLAN network=10.0.31.0
add address=10.0.32.1/24 interface=TICOX-wifi-VLAN network=10.0.32.0
add address=10.0.33.1/24 interface=USSU--wifi-VLAN network=10.0.33.0
add address=10.0.50.1/24 interface=OSS-wifi-VLAN network=10.0.50.0
add address=10.0.40.1/24 interface=ORB-wifi-VLAN network=10.0.40.0
add address=10.0.41.1/24 interface=META-wifi-VLAN network=10.0.41.0
add address=192.168.100.1/27 interface=TEST-VLAN network=192.168.100.0
add address=192.168.77.1/30 interface=OffBridge8 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface="ether1[WAN]" disabled=yes
/ip dhcp-server network
add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
add address=10.0.31.0/24 dns-server=192.168.0.1 gateway=10.0.31.1
add address=10.0.32.0/24 dns-server=192.168.0.1 gateway=10.0.32.1
add address=10.0.33.0/24 dns-server=192.168.0.1 gateway=10.0.33.1
add address=10.0.40.0/24 dns-server=192.168.0.1 gateway=10.0.40.1
add address=10.0.41.0/24 dns-server=192.168.0.1 gateway=10.0.41.1
add address=10.0.50.0/24 dns-server=192.168.0.1 gateway=10.0.50.1
add address=192.168.0.0/27 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.100.0/27 dns-server=192.168.0.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=\
    8.8.8.8 verify-doh-cert=yes
/ip firewall address-list
add address=192.168.0.X  list=Authorized comment="local admin wired"
add address=192.168.0.Y  list=Authorized comment="local admin wifi"
add address=192.168.77.2 list=Authorized comment="local admin port 8"
/ip firewall filter
# default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
# admin rules
add action=accept chain=input comment="admin to router" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
# insert this rule here, but last of all input rules
add action=drop chain=input comment="drop all else"
# +++++++++++++++++++++++++++++++++
# default rules to keep
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# enable the next rule if port forwarding is required, or remove it
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="admin to LAN" in-interface-list=BASE src-address-list=Authorized out-interface-list=LAN
# add any other allow-traffic rules here, like to a shared printer etc.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.77.2,192.168.0.0/27 port=x
set api disabled=yes
set winbox address=192.168.77.2,192.168.0.0/27 port=x
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
/system clock
set time-zone-autodetect=no time-zone-name=GMT
/system identity
set name=chupsu
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Hi again, thx for your last post.

I did go through your export file and implement it.

Now I am able to log in to Winbox through the port set outside the bridge (I changed it to ether3[offBridge]). And from there I could make the changes to remove all references to the 192.168.88 subnet. I also now have the switch and the APs on the BASE-VLAN.

Since ether3[offBridge] provides the subnet 192.168.77.0/30 and it is out of the bridge, "IP>DHCP Server" now does not show my laptop at 192.168.77.2 in Leases. Is there a way to make it be shown again in DHCP Server?

Just to double check, I need to place the FW rules in the same order as your export, right?

I am trying to go through the FW rules and test them. Regarding the INPUT admin rules:

add action=accept chain=input comment="admin to router" in-interface-list=BASE src-address-list=Authorized

This rule lets clients defined in src-address-list=Authorized access the router (the client traffic is sent to in-interface-list BASE), right?
So, what does this next rule allow?

add action=accept chain=forward comment="admin to LAN"  in-interface-list=BASE src-address-list=Authorized out-interface-list=LAN

Another thing I have noticed is that I have some wifi users (for example 10.0.31.11) that do not connect to the internet although they show as connected in Leases. Once I enter their IP in src-address-list=Authorized they connect to the internet. Is this correct? If I do that they can also get access to Winbox, right?

And I also had this rule in my export before that I did not see in yours:

add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN

Should I remove it? For now I have only disabled it since I was not sure what to do.

I attach the current config just in case I missed something. I don't think so.

Rgds
setup_v3b.txt (11.8 KB)

Correct, there is no lease as no DHCP is required for this subnet. There is only one address that will work.

Rest good questions!!

  1. Yes, the idea is that ONLY the admin should have access to the router (input chain).
    All other users typically only require access to certain services, the two common ones being DNS and NTP.

  2. The similar rule in the forward chain is for traffic through the router (WAN to LAN, LAN to WAN AND LAN TO LAN).
    Thus the rule simply says ALLOW ADMIN TO ALL VLANS, or simply "admin to LAN".

  3. Yes, only the admin should get access to the router; let me see your config for this weirdness...

  4. Yes, you can remove the old rule.

  5. I see no reason for the vlan31 wifi to be acting weird based on the VLAN settings themselves.

I did note the following:
a. These are no longer needed; we allow DNS specifically from the LAN only and then at the end of the input chain we drop all else!!
add action=drop chain=input comment="drop DNS queries from WAN" dst-port=53 in-interface="ether1[WAN]" protocol=tcp
add action=drop chain=input comment="drop DNS queries from WAN" dst-port=53 in-interface="ether1[WAN]" protocol=udp

b. I SEE THE PROBLEM: you have taken liberties and added stuff without permission LOL
Look at these lines:
add action=accept chain=input comment="***** ADMIN to Router *****" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="***** USERS to Services: DNS *****" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=Authorized
add action=accept chain=input comment="***** USERS to Services: DNS *****" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=Authorized
add action=drop chain=input comment="drop all else"

Even when adding these extra bits (don't know why you did), the logic should have prevented it, if just above these two rules you have a rule that only allows the admin to access the router.
(i) Why would you use the same address list when the comment says USERS, not admin???
(ii) If we already allowed the admin full access to the router, what would be the sense of having a following rule that allows the same people partial access to DNS?

This is the source of the issue, so you can get rid of the extra addition to the firewall address list!!!

  1. This rule is now redundant and should be removed.
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

  2. If not using IPv6, then ensure
    /ipv6 settings
    set disable-ipv6=yes
    /ipv6 firewall filter
    add chain=input action=drop
    add chain=forward action=drop

and get rid of all the address lists associated.
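The DNS problem diagnosed above, and the "admin to router" versus "admin to LAN" questions from the previous post, come down to first-match evaluation of each chain against interface lists and address lists. The Python model below is an added example, not code from this thread or from MikroTik: it re-implements only the matchers these rules use, for new connections (the established/related/invalid rules are left out), with a subset of the thread's interface lists in which BASE-VLAN is also in LAN as advised later and TEST-VLAN has been added to LAN (an assumption, since the posted export omits it). It then runs constructed sample packets through the mistaken input chain, the intended input chain, and the forward chain. Like RouterOS, it accepts a packet that matches no rule at all, which is why the final "drop all else" rules matter.

```python
"""First-match model of the RouterOS input and forward chains discussed in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface-list and address-list membership: a subset of the thread's config.
# TEST-VLAN in LAN is an assumption so that "admin to LAN" can reach the lab.
IFACE_LISTS = {
    "WAN": {"ether1[WAN]", "pppoe-out-digi"},
    "LAN": {"BLUEI-wifi-VLAN", "ORB-wifi-VLAN", "BASE-VLAN", "TEST-VLAN"},
    "BASE": {"BASE-VLAN", "ether3[Off-Bridge]"},
}
ADDR_LISTS = {
    "Authorized": [ipaddress.ip_network("192.168.0.11/32"),
                   ipaddress.ip_network("192.168.77.2/32")],
}


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: int = 0
    out_iface: Optional[str] = None  # None: destined to the router itself (input chain)


def in_addr_list(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDR_LISTS[name])


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher present on the rule must match; absent matchers are wildcards."""
    matchers = {
        "in-interface-list": lambda v: pkt.in_iface in IFACE_LISTS[v],
        "out-interface-list": lambda v: pkt.out_iface in IFACE_LISTS[v],
        "src-address-list": lambda v: in_addr_list(pkt.src, v),
        "protocol": lambda v: pkt.protocol == v,
        "dst-port": lambda v: pkt.dst_port in {int(p) for p in v.split(",")},
    }
    return all(check(rule[key]) for key, check in matchers.items() if key in rule)


def evaluate(rules: list, chain: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides. No match: accept."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


# Input chain as it was mistakenly entered: src-address-list=Authorized on the
# "USERS to Services" rules, so an ordinary wifi client never matches them.
BROKEN_INPUT = [
    {"chain": "input", "action": "accept", "in-interface-list": "BASE", "src-address-list": "Authorized"},
    {"chain": "input", "action": "accept", "in-interface-list": "LAN", "protocol": "tcp", "dst-port": "53",
     "src-address-list": "Authorized"},
    {"chain": "input", "action": "accept", "in-interface-list": "LAN", "protocol": "udp", "dst-port": "53",
     "src-address-list": "Authorized"},
    {"chain": "input", "action": "drop"},
]
# Intended input chain: admin gets everything, every LAN user gets DNS and NTP only.
FIXED_INPUT = [
    BROKEN_INPUT[0],
    {"chain": "input", "action": "accept", "in-interface-list": "LAN", "protocol": "tcp", "dst-port": "53"},
    {"chain": "input", "action": "accept", "in-interface-list": "LAN", "protocol": "udp", "dst-port": "53,123"},
    {"chain": "input", "action": "drop"},
]
FORWARD = [
    {"chain": "forward", "action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"chain": "forward", "action": "accept", "in-interface-list": "BASE", "src-address-list": "Authorized",
     "out-interface-list": "LAN"},
    {"chain": "forward", "action": "drop"},
]

# Constructed sample traffic (new connections only).
WIFI_DNS = Packet("BLUEI-wifi-VLAN", "10.0.31.11", "192.168.0.1", "udp", 53)
ADMIN_WINBOX = Packet("BASE-VLAN", "192.168.0.11", "192.168.0.1", "tcp", 8291)
USER_WINBOX = Packet("BASE-VLAN", "192.168.0.20", "192.168.0.1", "tcp", 8291)
WIFI_TO_LAB = Packet("BLUEI-wifi-VLAN", "10.0.31.11", "192.168.100.27", "tcp", 22, out_iface="TEST-VLAN")
ADMIN_TO_LAB = Packet("BASE-VLAN", "192.168.0.11", "192.168.100.27", "tcp", 22, out_iface="TEST-VLAN")
WIFI_TO_WAN = Packet("BLUEI-wifi-VLAN", "10.0.31.11", "9.9.9.9", "tcp", 443, out_iface="pppoe-out-digi")


def verdicts() -> dict:
    return {
        "wifi dns, broken input": evaluate(BROKEN_INPUT, "input", WIFI_DNS),
        "wifi dns, fixed input": evaluate(FIXED_INPUT, "input", WIFI_DNS),
        "admin winbox": evaluate(FIXED_INPUT, "input", ADMIN_WINBOX),
        "non-admin winbox": evaluate(FIXED_INPUT, "input", USER_WINBOX),
        "wifi -> lab server": evaluate(FORWARD, "forward", WIFI_TO_LAB),
        "admin -> lab server": evaluate(FORWARD, "forward", ADMIN_TO_LAB),
        "wifi -> internet": evaluate(FORWARD, "forward", WIFI_TO_WAN),
    }


if __name__ == "__main__":
    for name, action in verdicts().items():
        print(f"{name:26} {action}")
```

Running it shows the wifi client's DNS query to 192.168.0.1 dropped under the mistaken chain and accepted under the intended one, a non-Authorized host on BASE-VLAN still unable to reach Winbox, and in the forward chain the answer to the original question: a wifi client cannot reach 192.168.100.27 at all, while an Authorized admin on BASE-VLAN can, and ordinary LAN clients still get out to the WAN.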

Great! Your posts are very helpful.

The problem is that every time I copy and paste a config inside Winbox I need to pay attention, otherwise some parameters from the old config are kept.

OK, I followed carefully all the steps from your last post. I have some things I still need to understand...

  1. 192.168.77.2 does not resolve nslookup google.com, but it can ping 8.8.8.8 successfully. Is this normal?

  2. Now I cannot connect to ether3[Off-Bridge]. I can't think of any changes I have made apart from the ones in your last post. I have checked the following:
    -IP>Services>Winbox (192.168.77.2 is allowed at port x)
    -ether3[Off-Bridge] is active
    -IP>FW>Address Lists> ether3[Off-Bridge] is marked as Authorized
    -IP>FW:

add action=accept chain=input comment="#####    Allow ADMIN to Router" in-interface-list=BASE log-prefix="Allow ADMIN to Router" src-address-list=Authorized
add action=accept chain=forward comment="#####   Allow ADMIN to all VLAN s" in-interface-list=BASE out-interface-list=LAN src-address-list=Authorized

I can still access Winbox on BASE-VLAN from any port connected to the bridge, but only by entering the MAC (due to MAC Winbox allowing BASE access). If I enter 192.168.88.1:x it does not connect.

  3. I had some issues with clients connecting to the internet but not being able to surf the internet (nslookup did not work).
    I fixed that by adding this line:
add action=accept chain=forward comment="#####   Allow  Internet Traffic " in-interface-list=LAN out-interface-list=WAN

Before, we only had this line:
add action=accept chain=forward comment="##### Allow Internet Traffic " in-interface-list=BASE out-interface-list=WAN

  4. I did a battery of ping tests, and coming back to the OP I can say this setup is working much better in terms of isolating VLANs from each other and from the router/switch/APs:
    • clients from any wifi-VLAN:
      • communicate with each other within their subnet
      • do not reach the router
      • do not reach clients in 192.168.77.0/30 (only the gateway!)
      • do not communicate with clients of other wifi-VLANs (only the gateway!)
    • clients from BASE-VLAN:
      • communicate with each other (including the switch & APs)
      • do not reach the router
      • do not reach clients/gateway in 192.168.77.0/30
      • do not communicate with clients/gateways of wifi-VLANs
    So far so good.
    I still need to test TEST-VLAN full isolation.

I am wondering if it is normal behaviour that from any wifi-VLAN (30/31/32/33/40/41/50) you can ping:

  • the BASE-VLAN gateway 192.168.0.1
  • ether3[Off-Bridge] gateway 192.168.77.1
  • or any of the wifi-VLANs gateways?

  5. Regarding a new rule to set up a schedule for certain clients to be able to access the internet:
    would this work? Which option is better? Where should they be placed?
FORWARD
add action=drop chain=forward in-interface=BLUEI-wifi-VLAN src-address-list=kids time=20h30m-0s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward in-interface=BLUEI-wifi-VLAN src-address-list=kids time=0s-17h,sun,mon,tue,wed,thu,fri,sat
Where should I place them?
or ..
RAW
add action=drop chain=prerouting comment="drop kids" src-address-list=kids time=20h30m-0s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=prerouting comment="drop kids" src-address-list=kids time=0s-17h,sun,mon,tue,wed,thu,fri,sat

Edit: Forgot to attach my setup.

Rgds
setup_v4b.rsc (8.96 KB)

Yes, gateways are pingable by default; it's nothing to worry about.
The rule you added was already in the config provided LOL.

# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# enable the next rule if port forwarding is required, or remove it
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="admin to LAN" in-interface-list=BASE src-address-list=Authorized out-interface-list=LAN
# add any other allow-traffic rules here, like to a shared printer etc.
add action=drop chain=forward comment="drop all else"

Will have a look at latest.

  1. Best to comment on which are hybrid ports in /interface bridge port, for clarity.

  2. Forgot ingress filtering for ether6.

  3. If the tagging for multiple VLANs is identical and no untagging is involved, they can be put on one line.

  4.A. I always add the BASE VLAN to the LAN interface list as a member, to ensure access to the WWW as per the firewall rules.
  4.B. By doing so, this extra rule is not required and should be removed.
add action=accept chain=forward comment="##### Allow Internet Traffic " in-interface-list=BASE out-interface-list=WAN

  5. Here is a very minor problem...
    add address=10.0.0.1/24 interface=*11 network=10.0.0.0
    Just remove this from IP address.

  6. Missing TEST VLAN in the interface list member group???

  7. What I don't get is the disparity between your src-address-list Authorized and your Winbox/SSH allowed entries.
    Typically I look at security as a layered approach.
    a. You can leave the Winbox and SSH address field blank, which means any traffic is permitted, and use only other rules to define access.
    b. What I do is put in whole relevant subnets that can access SSH/Winbox in this section.
    (I don't want to have to go to too many places for every change, and thus I am confident that putting in the entire base VLAN, or WireGuard subnet, is a reasonably flexible entry.)
    c. I couple this with some Winbox MAC limitations by ensuring only folks captured in the interface list TRUSTED have Winbox MAC access.
    d. Finally, I use firewall address lists in the input chain for granular control of who can access, as I am in the firewall rules all the time for any refinements.
    Here I also use the TRUSTED interface list and a source address list to narrow down access.

So in your case I could understand for SSH and Winbox 192.168.0.0/24 and 192.168.77.0/24,
but you have =192.168.0.10/32,192.168.0.11/32,192.168.77.2/32,10.0.40.12/32

So why is the source address list missing 0.10, and why someone in ORB wifi...???

They are not part of the MAC TRUSTED interface list, which impacts IP neighbours, the mac-winbox setting, and the input chain rule??
Best to keep it to subnets in the above, and use the firewall address list to refine... personal choice though.

+++++++++++++++++++++++++
In summary, minor points really, everything should be working!!

/interface bridge
add admin-mac=74:4D:28:A0:4B:78 auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
set [ find default-name=ether3 ] name="ether3[Off-Bridge]"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=BR1 name=BASE-VLAN vlan-id=99
add interface=BR1 name=BLUEI-wifi-VLAN vlan-id=31
add interface=BR1 name=MAX-wifi-VLAN vlan-id=30
add interface=BR1 name=META-wifi-VLAN vlan-id=41
add interface=BR1 name=ORB-wifi-VLAN vlan-id=40
add interface=BR1 name=OSS-wifi-VLAN vlan-id=50
add interface=BR1 name=TEST-VLAN vlan-id=100
add interface=BR1 name=TICOX-wifi-VLAN vlan-id=32
add interface=BR1 name=USSU--wifi-VLAN vlan-id=33
add comment="WAN interface" interface="ether1[WAN]" name=vlan20-digi vlan-id=\
    20
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20-digi max-mru=512 name=\
    pppoe-out-digi user=123
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MAX-pool ranges=10.0.30.10-10.0.30.254
add name=USSU-pool ranges=10.0.33.10-10.0.33.254
add name=TICOX-pool ranges=10.0.32.10-10.0.32.254
add name=OSS-pool ranges=10.0.50.10-10.0.50.254
add name=TEST-pool ranges=192.168.100.10-192.168.100.40
add name=ORB-pool ranges=10.0.40.10-10.0.40.254
add name=META-pool ranges=10.0.41.10-10.0.41.254
add name=BLUEI-pool ranges=10.0.31.10-10.0.31.254
add name=BASE-pool ranges=192.168.0.10-192.168.0.40
/ip dhcp-server
add address-pool=MAX-pool interface=MAX-wifi-VLAN lease-time=5m name=\
    wifi-MAX-dhcp
add address-pool=BLUEI-pool interface=BLUEI-wifi-VLAN lease-time=5m name=\
    wifi-BLUEI-dhcp
add address-pool=OSS-pool interface=OSS-wifi-VLAN lease-time=5m name=\
    wifi-OSS-dhcp
add address-pool=TICOX-pool interface=TICOX-wifi-VLAN lease-time=5m name=\
    wifi-TICOX-dhcp
add address-pool=TEST-pool interface=TEST-VLAN lease-time=5m name=TEST-dhcp
add address-pool=ORB-pool interface=ORB-wifi-VLAN lease-time=5m name=\
    wifi-ORB-dhcp
add address-pool=META-pool interface=META-wifi-VLAN lease-time=5m name=\
    wifi-META-dhcp
add address-pool=USSU-pool interface=USSU--wifi-VLAN lease-time=5m name=\
    wifi-USSU-dhcp
add address-pool=BASE-pool interface=BASE-VLAN lease-time=5m name=BASE-dhcp
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=99
add bridge=BR1 disabled=yes interface=ether4
add bridge=BR1 disabled=yes interface=ether5
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BR1 disabled=yes interface=ether7
add bridge=BR1 disabled=yes interface=ether8
add bridge=BR1 interface=ether9 pvid=99 comment="hybrid port"
add bridge=BR1 interface=ether10 pvid=99 comment="hybrid port"
/ip neighbor discovery-settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set discover-interface-list=BASE
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=30,31,32,33,40,41,50
add bridge=BR1 tagged=BR1,ether6 untagged=ether2,ether9,ether10 vlan-ids=99
add bridge=BR1 tagged=BR1,ether6 vlan-ids=100
/interface list member
add interface="ether1[WAN]" list=WAN
add interface=pppoe-out-digi list=WAN
add interface=MAX-wifi-VLAN list=LAN
add interface=META-wifi-VLAN list=LAN
add interface=ORB-wifi-VLAN list=LAN
add interface=OSS-wifi-VLAN list=LAN
add interface=TICOX-wifi-VLAN list=LAN
add interface=USSU--wifi-VLAN list=LAN
add interface=BLUEI-wifi-VLAN list=LAN
add interface=BASE-VLAN list=LAN
add interface=BASE-VLAN list=BASE
add interface="ether3[Off-Bridge]" list=LAN
add interface="ether3[Off-Bridge]" list=BASE
/ip address
add address=192.168.0.1/27 interface=BASE-VLAN network=192.168.0.0
add address=10.0.30.1/24 interface=MAX-wifi-VLAN network=10.0.30.0
add address=10.0.31.1/24 interface=BLUEI-wifi-VLAN network=10.0.31.0
add address=10.0.32.1/24 interface=TICOX-wifi-VLAN network=10.0.32.0
add address=10.0.33.1/24 interface=USSU--wifi-VLAN network=10.0.33.0
add address=10.0.50.1/24 interface=OSS-wifi-VLAN network=10.0.50.0
add address=10.0.40.1/24 interface=ORB-wifi-VLAN network=10.0.40.0
add address=10.0.41.1/24 interface=META-wifi-VLAN network=10.0.41.0
add address=192.168.100.1/27 interface=TEST-VLAN network=192.168.100.0
add address=192.168.77.1/30 interface="ether3[Off-Bridge]" network=\
    192.168.77.0
/ip dhcp-server network
add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
add address=10.0.31.0/24 dns-server=192.168.0.1 gateway=10.0.31.1
add address=10.0.32.0/24 dns-server=192.168.0.1 gateway=10.0.32.1
add address=10.0.33.0/24 dns-server=192.168.0.1 gateway=10.0.33.1
add address=10.0.40.0/24 dns-server=192.168.0.1 gateway=10.0.40.1
add address=10.0.41.0/24 dns-server=192.168.0.1 gateway=10.0.41.1
add address=10.0.50.0/24 dns-server=192.168.0.1 gateway=10.0.50.1
add address=192.168.0.0/27 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.100.0/27 dns-server=192.168.0.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=\
    9.9.9.9 verify-doh-cert=yes
/ip firewall address-list
add address=192.168.77.2 comment="Local  - ether3[Off-Bridge]" list=\
    Authorized
add address=192.168.0.11 comment="Local - wired" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix=ICMP protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="#####    Allow ADMIN to Router" \
    in-interface-list=BASE log-prefix="Allow ADMIN to Router" \
    src-address-list=Authorized
add action=accept chain=input comment="#####   Allow USERS to Services: DNS" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="#####   Allow USERS to Services: DNS" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="#####   DROP everything else "
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="#####   Allow  Internet Traffic " \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="#####   Allow  Internet Traffic " \
    in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="#####   Allow ADMIN to all VLAN s" \
    in-interface-list=BASE out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="#####   DROP everything else "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=no
set h323 disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24,192.168.77.0/24 port=x
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.77.0/24 port=y
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=GMT
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool sniffer
set filter-stream=yes streaming-server=192.168.88.175

PS. I don't like names in quotes for interfaces. Quotes IMHO should only be used for text.

Schedules for kids is difficult, what I don't know is if there is a current session going on, will it get terminated, I think not.
So let's say someone is watching a Netflix movie, will it get cut or not?
Hopefully somebody has better answers.

Did you check out the IP KID CONTROL menu???

All these things will not work since you cannot control kids' devices,
for example, on the iPhone it uses random IP addresses etc…

So to make sure this works
a. turn off IPv6 on the router (can be used to circumvent such blocks)
b. ONLY allow kids to use certain WIFI SSID, and then we can disable that WLAN at a certain time if possible via a script.
c. if not then we will have to turn DHCP off for that wifi
THEN folks have to be manually added to the wifi subnet for example, in this case means they have to turn off random IP, but just for the SSID being used at home.
Then with that fixed MAC address you can give them a static IP and it will be effective in KID CONTROL.

If you are talking wired connections, the same approach can be used to ensure only approved MAC address-IP address combinations are permitted.

Hi again!

I have done all changes from your last post.

I fixed the mismatch between src-address-list authorized and my winbox ssh allowed entries. For now SSH and winbox are 192.168.0.0/24 and 192.168.77.0/27.

I added BASE-VLAN to the LAN Interface-List and removed the rule that is not need any more: add action=accept chain=forward comment="##### Allow Internet Traffic " in-interface-list=BASE out-interface-list=WAN.

Just want to focus on these two things now before moving on.

  1. This rule seems to be not working because I tried to ping some clients in wifi-VLANs from an Authorized PC and I can't:
    ;;; ##### Allow ADMIN to all VLAN s
    chain=forward action=accept src-address-list=Authorized in-interface-list=BASE out-interface-list=LAN log=no log-prefix=""
    Any ideas?

  2. Constant packet flow:
    I have been looking at logs from rule: add action=accept chain=input comment="##### Allow ADMIN to Router" in-interface-list=BASE log-prefix="Allow ADMIN to Router" src-address-list=Authorized and there is a permanent flow of these packets:

025-02-24 20:23:04 firewall,info Allow ADMIN to Router input: in:BASE-VLAN out:(unknown 0), connection-state:new src-mac XX:XX:XX:XX:XX:XX, proto UDP, 192.168.0.11:55062->255.255.255.255:20561, len 50
 2025-02-24 20:23:04 firewall,info Allow ADMIN to Router input: in:BASE-VLAN out:(unknown 0), connection-state:new src-mac XX:XX:XX:XX:XX:XX proto UDP, 192.168.0.11:55062->255.255.255.255:20561, len 50

It is generated from one of the clients (admin) that is connected to Winbox.
If I change the rule to:

chain=input action=accept protocol=!udp src-address-list=Authorized in-interface-list=BASE log=yes log-prefix="Allow ADMIN to Router"

…this packet flow ends.
Why is Winbox generating these UDP packets?

  1. Access to router:
    2.1) from ether3-OffBridge: I cannot access using router IP nor MAC.
    2.2) from BASE-VLAN: I cannot access/ping the router IP (I can only enter Winbox by entering the MAC).
    I thought this rule would allow pinging the router IP from ether3-OffBridge:
    add action=accept chain=input comment="##### Allow ADMIN to Router" in-interface-list=BASE log-prefix="Allow ADMIN to Router" src-address-list=Authorized but it does not.
    Any idea how to access Winbox from ether3-OffBridge?

Rgds

EDIT: I had some time to quickly set up TEST-VLAN. I do not want this vlan to access the internet.
I need to connect from an Authorized client of BASE-VLAN to a client in TEST-VLAN using a browser. What rule/s should I use?
I added this one but it does nothing:

add action=accept chain=forward comment=\
    "#####   Allow ADMIN to all VLAN  members of  TEST   #####"  in-interface-list=BASE out-interface-list=TEST src-address-list=Authorized

setup_v6cbis.txt.rsc (8.96 KB)

I need to play with inter-vlan routing so forget all my questions of the previous post related to it.

Just want to confirm if this log:
025-02-24 20:23:04 firewall,info Allow ADMIN to Router input: in:BASE-VLAN out:(unknown 0), connection-state:new src-mac XX:XX:XX:XX:XX:XX, proto UDP, 192.168.0.11:55062->255.255.255.255:20561, len 50
is traffic that is generated by me accessing Winbox (I guess it is)?

Btw I found out why I could not enter Winbox from port off-bridge .. I was trying to login via the old 192.168.88.1 and not the new base-vlan 192.168.0.1. OMG.

Glad you are solving your own issues, growth is a wonderful thing and turns configs into fun vice hair pulling. :slight_smile:

Yes good idea if you don't want test vlan to access internet to simply remove it from LAN interface list as I think you did.
Also for single IP to access test subnet,
correct a forward chain rule before the last drop all rule is needed to allow this traffic,
I would tend to put like so
add chain=forward action=accept comment="admin to test" in-interface=VLANX src-address=adminIP dst-address=testsubnet

After some testing, I am not sure what is going on regarding Authorized clients not being able to ping clients in other vlans. On one hand it is the exact behaviour I was looking for to isolate traffic between vlans (my OP). On the other hand I need to be able to access certain clients that are in other vlans.

Let us have a look at the router's ether6 that connects to a switch TL-SG108PE and the switch's config. Ether6 is set up equal to ether9/10 that connect to the APs.
MT and switch config.png
As we talked in a previous post the AP ports expect the management vlan untagged and the data vlans tagged and thus a hybrid port arrangement. Therefore I think the problem for my Authorized from BASE-vlan to ping a client in TEST-vlan must be the switch config and/or the router's ether6 config since the APs connected to ether9/10 do assign fine the vlans to the wifi-clients.

When I try to ping from the router 192.168.0.1:
-any wifi subnet gateway (they are all behind the APs connected to ether9/10): I can ping them
-any wifi subnet client (they are all behind the APs connected to ether9/10): I can ping them
-BASE-vlan gateway: I can ping it
-BASE-vlan clients: I can ping them
-TEST-vlan gateway: I can ping it
-TEST-vlan client: I cannot ping them.

FW rules:
MT FW rules2.png
The rules that should allow this inter-vlan traffic are there so it must be the config of the switch.

Looking for help how to solve this. Maybe someone with a similar setup can confirm how this needs to be configured.

Upon quick review the MT is not correct and perhaps there are more errors on the switch??

Assuming the switch is on trunk port 6
You have ONLY two vlans going to the switch vlans 99 (management) and 100.
IT IS NOT IDENTICAL to etherports 9,10 which include ALL vlans.
I noted you stated: "Ether6 is setup equal to ether9/10 that connect to the APs. "
I took this to mean the same vlans need to traverse ether6 as ether9,10 as of course they are not equal otherwise, as ether9,10 are hybrid ports and ether6 is a trunk port.


So suggest from this:
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6 untagged=ether2,ether9,ether10 vlan-ids=99
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=30
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=31
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=32
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=50
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=33
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=40
add bridge=BR1 tagged=BR1,ether6 vlan-ids=100
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=41

TO:
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6 untagged=ether2,ether9,ether10 vlan-ids=99
add bridge=BR1 tagged=ether6,ether9,ether10,BR1 vlan-ids=30,31,32,33,40,41,50
add bridge=BR1 tagged=BR1,ether6 vlan-ids=100

IF NOT, and only 99,100 are supposed to go, then this is fine.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6 untagged=ether2,ether9,ether10 vlan-ids=99
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=30,31,32,33,40,41,50
add bridge=BR1 tagged=BR1,ether6 vlan-ids=100

Can you confirm that the switch gets an IP address on the vlan99 subnet as well?

I would need jpegs of all pertinent TP-Link screens to assess what is going on.
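To check this kind of port mismatch from the export text instead of by eye, here is an added Python example (not code from the thread or from RouterOS) that parses `/interface bridge vlan` lines, lists which VLAN IDs each bridge port carries, classifies each port as access, trunk or hybrid, and diffs two ports. The sample lines are constructed from the "from" table above; comment= values with spaces are assumed absent from these lines.

```python
"""Compare bridge VLAN membership of ports from a RouterOS export (added example)."""
import re

# Constructed sample, based on the '/interface bridge vlan' table quoted above.
SAMPLE_EXPORT = """\
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6 untagged=ether2,ether9,ether10 vlan-ids=99
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=30
add bridge=BR1 tagged=ether9,ether10,BR1 vlan-ids=31,32,33,40,41,50
add bridge=BR1 tagged=BR1,ether6 vlan-ids=100
"""

def _expand_vlan_ids(spec):
    """Turn '30,31,40-42' into {30, 31, 40, 41, 42}."""
    vids = set()
    for part in filter(None, spec.split(",")):
        if "-" in part:
            lo, hi = part.split("-")
            vids.update(range(int(lo), int(hi) + 1))
        else:
            vids.add(int(part))
    return vids

def parse_bridge_vlans(text):
    """Return {port: {"tagged": set_of_ids, "untagged": set_of_ids}}."""
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/interface bridge vlan' header and blank lines
        kv = dict(re.findall(r"(\S+?)=(\S+)", line))  # key=value tokens
        vids = _expand_vlan_ids(kv.get("vlan-ids", ""))
        for mode in ("tagged", "untagged"):
            for port in filter(None, kv.get(mode, "").split(",")):
                entry = ports.setdefault(port, {"tagged": set(), "untagged": set()})
                entry[mode] |= vids
    return ports

def port_role(ports, port):
    """access = untagged only, trunk = tagged only, hybrid = both."""
    e = ports[port]
    if e["tagged"] and e["untagged"]:
        return "hybrid"
    return "trunk" if e["tagged"] else "access"

def vlan_diff(ports, a, b):
    """(VLANs on a but not b, VLANs on b but not a), tagged or untagged alike."""
    def carried(p):
        e = ports.get(p, {"tagged": set(), "untagged": set()})
        return e["tagged"] | e["untagged"]
    return sorted(carried(a) - carried(b)), sorted(carried(b) - carried(a))
```

Running `vlan_diff(parse_bridge_vlans(SAMPLE_EXPORT), "ether9", "ether6")` shows that ether6 lacks the seven wifi VLANs and ether9 lacks VLAN 100, which is the difference the reply above points out.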

What I did setup is exactly this. Only 99(=BASE-vlan) and 100(TEST-vlan) are supposed to be the vlans that need to talk to each other, or even better said: BASE Authorized client does need web access to a NAS in TEST. This is what I only need.

Can you confirm that the switch gets an IP address on the vlan99 subnet as well?

Yes, the switch gets an IP in BASE.
Also the APs get an IP in BASE (ACPro+Lite2). Same for the NAS (Tower). Same for Authorized admin (sp8).
MT-Leases.png
Switch config:
Switch config.png

What is missing is the details in the first diagram, there should have been three diagrams in total plus PVID diagram (802.1Q VLAN configuration).
Stick in vlan 1, 99, 100 at the top (vlan id) to see the outputs.