Hey guys,
I’ve configured Mikrotik router as DHCP server for VLANs and Mikrotik switch according to the picture in attachment. I got an IP address, but switch is not accesible from VLAN.
Basic question is: which IP address should I use for switch??? I want to be able to configure switch in every single VLAN, but I’m not able to do that.
/export hide-sensitive file=anynameyouwish
for both switch and router.
Thanks for such a quick response.
I was thinking that configs are not needed but if yes, they are in attachment.
router.rsc (2.33 KB)
switch.rsc (2.26 KB)
Does anybody have an idea how to do that?
I don’t need exact settings, maybe just basic principle how to manage switch with 3 or more VLANs - which IP should I choose??
thanks, Marek
Does anybody have an idea how to do that?
I don’t need exact settings, maybe just basic principle how to manage switch with 3 or more VLANs - which IP should I choose??
thanks, Marek
For the switches if you use static addresses you need to make sure you use vlan interfaces assigned to the bridge and set those interfaces and the bridge as being tagged for the respective vlan. Add an ip to the vlan interface and set the route.
I prefer to use dhcp on a management vlan that is restricted. This way you get 1 ip for the switch (a static dhcp assignment). Set the pvid of the bridge to your management vlan and add the bridge to bridge vlan Id config as untagged (it should already be there dynamically via setting the pvid, but I like to add it anyway). Then just add a dhcp client to the bridge.
I will take a look at the configs today.
Something seems off on the router config but not sure…
I am tempted to recommend putting the vlans on a bridge vice multiple vlans on ether5 but not 100% sure…
As for the switch, I am thinking the bridge should be part of the tagged side for the first three rules as well.
I am curious as to what IP the switch is getting in your scenario?
Silly me, the most obvious error on the router is that the vlan99 setup is incomplete.
You are missing IP pool, ip dhcp-server and ip dhcp-server network settings for vlan 99.
vlan99 is just a try according to this example: https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
cause I’m not sure what to do with this vlan99
The router VLAN99 config is fine for attached devices with static IPs.
The switch is missing most of the management setup - the VLAN99 interface is disabled, there is no IP or routing information:
/interface vlan
add disabled=yes interface=ether1 name=VLAN4 vlan-id=4
add disabled=yes interface=bridge name=VLAN99_mgmt vlan-id=99
and
/ip address
add address=192.168.99.2/24 interface=VLAN99
/ip route
add distance=1 gateway=192.168.99.1
Whilst just enabling the VLAN and adding the IP address will allow access from the router, the default route is required so traffic from other subnets can be returned.
Also, whilst it doesn’t affect operation, the untagged= statements are not required under /interface bridge vlan - they are automatically added from the pvid= statements under /interface bridge port which can avoid potential errors (setting different untagged membership in the two places), so:
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether3 vlan-ids=2
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=3
add bridge=bridge tagged=ether1 untagged=ether5,ether23,ether24 vlan-ids=4
add bridge=bridge tagged=ether1,bridge vlan-ids=99
Hey guys,
thanks, I’ve set everything and it’s working - was hard to understand that I have to create management VLAN99 in all device I want to control.
I have different issue now: I’m not able to disable command ping for only 1 VLAN - it will always disable for all VLANs.
My final network is:
Could you help please? For example I set firewall rule:
add action=drop chain=input log=yes protocol=icmp src-address-list=\VLAN3_public
, but it will disable ping from all VLANs, not only from VLAN3.
For further information, please see all configs in attachment.
switch.rsc (2.52 KB)
router.rsc (3.32 KB)
AP.rsc (1.82 KB)
There should only be firewall rules on the router so I will look there!
WHY DID YOU REMOVE FIREWALL RULES from the config… Danger, pull the plug on your router!!!
I don’t understand why you have ethernet 2 partially configured its missing dhcp-server-network for example but will assume its not used and you havent bothered removing it.
As for your firewall rules, I wont comment on them until you had least put back in the default rules as the router SHOULD NOT be hooked up to the internet its not secure at all. Once you have a coherent set of firewall rules I will assist in ensuring they meet your requirements.
+++++++++++++++++
Switch,
-where are the definitions for all the vlans I only see vlan99??
-you are missing all the untagged interfaces in your bridge vlan rules that should reflect your pvid settings in the bridge ports??
++++++++++++++++++
AP
-where are the definitions for all the vlans I only see vlan99??
-you are missing all the untagged interfaces in your bridge vlan rules that should reflect your pvid settings in the bridge ports??
The VLAN configuration is fine. Per my previous posts (and the Mikrotik Wiki) it is not necessary to specify untagged= under /interface bridge vlan as these are dynamically generated from the pvid= settings under /interface bridge port.
You can specify both, but if they do not match it causes wierd connectivity issues - this becomes more likely when you are reconfiguring the VLAN on an access port and change one but not the other.
@anav → no worries, I delete everything from firewall rules cause my router is not connected to the internet yet. I just want to setup everything “on my table” then I will connect my devices to the internet. I don’t even set different login, it’s still in default. Security I want to set according to https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router but if you have any other useful link, please share.
→ ethernet 2 is just my backup if I screw up something with VLAN setup.
→ OK, I delete dhcp-client in my AP, thanks
@tdw → I think so, I don’t need to setup untagged ports cause it’s set automaticaly. I read plenty of articles about VLANs in Mikrotik and I can confirm, it’s working like that.
Anyway I still don’t understand why the hell Mikrotik will block icmp protocol to all my gateways if there is specified exact source:
add action=drop chain=input log=yes protocol=icmp src-address-list=\VLAN3_public
in this rule - any ideas?
Some informations about VLANs, which helped me to little a bit understand to this topic (maybe will help to others:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 → general understanding VLAN
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN → general understanding VLAN
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Trunks#Management_IP → for management VLAN
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table → tagged/untagged VLAN
Nothing wrong with using the MT ones, I prefer a little simpler.
This is from that link but modified…
INPUT CHAIN
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=protocol=icmp
add action=accept chain=input comment=“Allow ADMIN to Router” src-address-list=adminaccess &&&&
**add optional *****
add action=drop chain=input comment=“Drop All Else”
&&&&& /ip firewall address-list (to allow admin access to config the router from fixed static IPs for example on any subnet).
add address=admin-desktop_IP list=adminaccess
add address=admin-laptop_IP list=adminaccess
add address=admin-ipad_IP list=adminaccess
***** optiona**l: Provide access to lan users ONLY for any services they require that the router provides (examples):
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow NTP service” connection-state=
new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=
NTPserver
Discussion: The last rule ensures that no other traffic is permitted that wasnt explicitly allowed above, which includes for example any wan to router traffic. Ensure that the admin access rules are in place before putting in the last rule otherwise one will lock themselves out of the router.
FORWARD CHAIN
Optional 1 +++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
Optional 2 ###
Optional 3 ===
add action=drop chain=forward comment=“drop all else”
+++ If you do use IPSEC you will need…
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
### This is where you place traffic you wish to allow examples:
(a) allow lan to wan traffic (by subnet, by vlan, by interface etc.)
add action=accept chain=forward comment=“ENABLE HomeLAN to WAN”
in-interface=Home-LAN_V12 out-interface-list=WAN src-address=192.168.0.0/24
(b) allow subnet A to access shared printerS on subnet B
add action=accept chain=forward comment="allow VlanA Users_TO_Printers
dst-address-list=House_Printers in-interface=VLANA src-address=192.168.0.0/24
=== If you need port forwarding for any reason you can add this rule.
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat
connection-state=new in-interface-list=WAN
Discussion: The last rule automatically blocks all traffic not allowed above including WAN to LAN traffic and it blocks any subnet to subnet or vlan to vlan traffic at Layer 3. For me done, no other rules are needed in the standard security config. Most other stuff is bloatware.