Hybrid VLAN port on LCAP

RouterOS General
1

Hi,
Im a noob/its a hobby in regards to networking, so please be patient, stupid questions will come towards you :slight_smile:

Equipment:
Router - RB5009UB+S+
Unify with:

  • Unify cloud key


  • Switch - 2 x Unify US-8-60w


  • AP - 3 x Unify UAP-IW-HD

What I want to obtain:
4 ports from RB5009 will be in LCAP (2 for each us-8-60) with hybrid VLAN ports. Base IP 10.10.0.0 for equipment communication and n x VLANs to be tagged on the AP SSID. All ports should be with HW (using switch chip) LCAP and n x VLAN. All VLANs should have internet.

What I want to obtain security wise:
VLANs should not be able to communicate with router configuration interface (example base ip 10.10.0.1 or vlan ip 10.10.30.1). VLANs should not be able to communicate with each other or VLAN1.

  • only if I specify ip/port/protocol


  • one vlan will be for IoT wifi and it needs all bangs and whistles ICMP, MCAST…
    They will be cut off from cloud when I finish the config and will be using Home Assistant as access point

What I don`t understand:

  • fasttrack-connection - should I keep it for IoT devices or not?


  • for the bellow config, why I cannot get ip on VLAN66

Thanks in advance for your help :slight_smile:

This is what I have now:

# 2023-10-17 00:54:14 by RouterOS 7.11.2
# model = RB5009UG+S+
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=LAN_BRIDGE name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=PORTS_INTERFACE mac-address=**ELIDED** name=ether1-WAN
set [ find default-name=ether6 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] name="ether7 - Bond"
set [ find default-name=ether8 ] name="ether8 - Bond"
set [ find default-name=sfp-sfpplus1 ] comment=SFP+_INTERFACE
/interface bonding
add comment=LCAP_INTERFACE mode=802.3ad name=bond_1_7-8_2gb slaves="ether7 - Bond,ether8 - Bond" transmit-hash-policy=\
    layer-2-and-3
/interface vlan
add interface=bond_1_7-8_2gb name=vlan20 vlan-id=20
add interface=bond_1_7-8_2gb name=vlan30 vlan-id=30
add interface=bond_1_7-8_2gb name=vlan66 vlan-id=66
add interface=bond_1_7-8_2gb name=vlan80 vlan-id=80
/interface list
add comment=WAN_INTERFACE_LIST name=WAN
add comment=LAN_INTERFACE_LIST name=LAN
add comment=VLAN_INTERFACE_LIST name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.10.0.100-10.10.0.254
add name=dhcp_pool_vlan20 ranges=10.10.20.200-10.10.20.254
add name=dhcp_pool_vlan30 ranges=10.10.30.200-10.10.30.254
add name=dhcp_pool_vlan66 ranges=10.10.66.200-10.10.66.254
add name=dhcp_pool_vlan80 ranges=10.10.80.200-10.10.80.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp interface=bridge lease-time=10m name=bridge-defconf
add add-arp=yes address-pool=dhcp_pool_vlan20 interface=vlan20 lease-time=10m name=dhcp_vlan20
add add-arp=yes address-pool=dhcp_pool_vlan30 interface=vlan30 lease-time=10m name=dhcp_vlan30
add add-arp=yes address-pool=dhcp_pool_vlan66 interface=vlan66 lease-time=10m name=dhcp_vlan66
add add-arp=yes address-pool=dhcp_pool_vlan80 interface=vlan80 lease-time=10m name=dhcp_vlan80
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=bond_1_7-8_2gb
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge untagged=bond_1_7-8_2gb vlan-ids=66
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add comment=WAN_LIST interface=ether1-WAN list=WAN
add interface=vlan66 list=VLAN
add comment=VLAN_LIST interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.66.1/24 interface=vlan66 network=10.10.66.0
add address=10.10.80.1/24 interface=vlan80 network=10.10.80.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-WAN
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf-address dns-server=10.10.0.1 gateway=10.10.0.1
add address=10.10.66.0/24 dns-server=10.10.66.1 gateway=10.10.66.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.66.0/24 list="IoT - 66"
add address=10.10.0.0/24 list="Lan - List"
add address=10.10.20.0/24 list="Containers - 20"
add address=10.10.30.0/24 list="Containers - 30"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Full Access" disabled=yes in-interface=bridge
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1-WAN type=external
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

when you get rid of the bridge playing silly dhcp games and create a vlan for that subnet, I would be willing to help.

3

Hi,

Ok.
By VLAN subnet you are talking about VID1?
If not, then I need help :disappointed_face:

4

Ok,
Some other help please.

5

Anyone?!