Internet connection on CRS326 behind external router

Hi all,

I’m pretty new to Mikrotik and I have the following architecture planned:
Router provided by ISP (cable) → CRS326 creating 4 VLANs → LAN ports and several cAP ax for WiFi
VLAN 10 internal
VLAN 20 guest (participants can’t see others)
VLAN 30 for home automation system
VLAN 99 for management
The cAPs shall provide all VLANs 10, 20 and 30 with separate WiFi SSIDs and enable WiFi roaming between the APs.
And some endpoints shall have access to multiple VLANs. To simplify broadcasts etc., every VLAN shall reside in a separate partition of the same /24 subnet.
VLAN 99 devices shall also be able to connect to the router for configuration.

I’m currently building the network setup step by step reading the documentation. Port 1 shall be used for WAN and port 2 for management. The current state is having set up the VLANs on the first ports.

/interface bridge
set bridge vlan-filtering=no

/interface vlan
add interface=bridge vlan-id=99 name=MGMT
add interface=bridge vlan-id=10 name=V10
add interface=bridge vlan-id=20 name=V20
add interface=bridge vlan-id=30 name=V30

/ip/pool
add name=vlan10 ranges=192.168.0.10-192.168.0.127
add name=vlan20 ranges=192.168.0.128-192.168.0.191
add name=vlan30 ranges=192.168.0.192-192.168.0.223

/ip/dhcp-server/
add address-pool=default-dhcp interface=MGMT
add address-pool=vlan10 interface=V10
add address-pool=vlan20 interface=V20
add address-pool=vlan30 interface=V30
remove defconf

/interface bridge port
set bridge=bridge interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged

Questions at the current stage:

  • Does this approach make any sense at all, or what should be changed?
  • How do I integrate the internet access?

That will not work, and it is not specific to using a Mikrotik. Each VLAN is its own layer 2 broadcast domain so broadcasts will not pass between them. Having overlapping subnets would require special handling as the router would not know which interface to send ARP requests from for any particular address within the /24.

Also be aware you are asking the CRS326 to perform routing functions and it's a switch, so not quite sure what performance will be realized.
In terms of the upstream router and configuration: if the upstream router cannot read VLANs, sending it vlan99 would be a waste of time.
The private WANIP will be coming from the private LAN of the upstream router. Thus if you need to access the config of the MikroTik while on the LAN of the upstream router, that would simply be a case of identifying which LANIPs have access to the input chain.
Typically I put the local LANIPs that the admin uses on an address list for input chain access. The LAN only gets access on input chain to DNS services and sometimes NTP, then drop all else.

  • wired admin
  • wifi admin
  • wireguard admin

In your case it would appear you would also add

  • wired admin on upstream router LAN.

(1) You're missing an IP pool for management VLAN 99???

You have no firewall rules and no bridge VLAN settings… sorry, this is not worthwhile reviewing.

Check out:
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=447s
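The input-chain layout described in that reply, as an added Python model that is not from the thread: a first-match evaluator over constructed sample packets, with an admin address list, DNS and NTP allowed from the LAN interfaces, and a final drop. The hosts, addresses and port numbers are assumptions; the reply gives no values.

```python
from ipaddress import ip_address, ip_network

# Constructed admin hosts for the address list: the three the reply names plus the
# fourth it suggests for this setup (a host on the upstream router's LAN).
ADMIN_LIST = [
    ip_network("192.168.1.10/32"),    # wired admin
    ip_network("192.168.1.20/32"),    # wifi admin
    ip_network("10.99.0.2/32"),       # wireguard admin (constructed tunnel address)
    ip_network("192.168.188.50/32"),  # wired admin on upstream router LAN
]
LAN_IFACES = {"vlan10", "vlan20", "vlan30"}  # VLAN interfaces the router serves
WAN_IFACE = "bridge1"  # where the private WAN IP from the upstream router lives

def in_admin_list(src):
    return any(ip_address(src) in net for net in ADMIN_LIST)

# Input chain, first match wins (as in RouterOS): (match predicate, action).
INPUT_CHAIN = [
    (lambda p: p["state"] in ("established", "related"), "accept"),
    (lambda p: in_admin_list(p["src"]), "accept"),  # admins: everything
    (lambda p: p["in_if"] in LAN_IFACES and p["proto"] in ("udp", "tcp")
               and p["dport"] == 53, "accept"),    # LAN: DNS
    (lambda p: p["in_if"] in LAN_IFACES and p["proto"] == "udp"
               and p["dport"] == 123, "accept"),   # LAN: NTP
    (lambda p: True, "drop"),                      # drop all else
]

def evaluate(chain, packet):
    """Action of the first matching rule; RouterOS accepts if no rule matches."""
    for match, action in chain:
        if match(packet):
            return action
    return "accept"

def decide(src, in_if, proto, dport, state="new"):
    """Does the router accept this packet addressed to itself?"""
    return evaluate(INPUT_CHAIN, {"src": src, "in_if": in_if, "proto": proto,
                                  "dport": dport, "state": state})

if __name__ == "__main__":
    samples = [  # constructed packets to the router itself
        ("192.168.1.77", "vlan10", "tcp", 22),     # ordinary LAN host, SSH -> drop
        ("192.168.1.77", "vlan10", "udp", 53),     # ordinary LAN host, DNS -> accept
        ("192.168.1.10", "vlan10", "tcp", 22),     # wired admin -> accept
        ("192.168.188.50", WAN_IFACE, "tcp", 22),  # admin on upstream LAN -> accept
        ("192.168.188.70", WAN_IFACE, "udp", 53),  # other upstream-LAN host -> drop
    ]
    for s in samples:
        print(s, "->", decide(*s))
```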

Based on your feedback I revised my plans and they now look as follows:

port 1: Router provided by ISP (cable), running its own DHCP server on 192.168.188.0/24, not capable of VLANs
ports 2-19: VLAN 10 internal home network, also used for router management
wifi only: VLAN 20 guest (participants can’t see others)
ports 20-22: VLAN 30 as a separate network
ports 23+24: The cAPs shall provide all VLANs 10, 20 and 30 with separate WiFi SSIDs and enable WiFi roaming between the APs.

The current configuration looks as follows:

[admin@RouterOS] > export
# jan/02/1970 10:19:19 by RouterOS 6.48.6
# software id = xxx
#
# model = CRS326-24G-2S+
# serial number = xxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool10 ranges=192.168.1.2-192.168.1.254
add name=pool20 ranges=192.168.2.2-192.168.2.254
add name=pool30 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=pool10 interface=vlan10 name=dhcp10
add address-pool=pool20 interface=vlan20 name=dhcp20
add address-pool=pool30 interface=vlan30 name=dhcp30
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=10
add bridge=bridge1 interface=ether7 pvid=10
add bridge=bridge1 interface=ether8 pvid=10
add bridge=bridge1 interface=ether9 pvid=10
add bridge=bridge1 interface=ether10 pvid=10
add bridge=bridge1 interface=ether11 pvid=10
add bridge=bridge1 interface=ether12 pvid=10
add bridge=bridge1 interface=ether13 pvid=10
add bridge=bridge1 interface=ether14 pvid=10
add bridge=bridge1 interface=ether15 pvid=10
add bridge=bridge1 interface=ether16 pvid=10
add bridge=bridge1 interface=ether17 pvid=10
add bridge=bridge1 interface=ether18 pvid=10
add bridge=bridge1 interface=ether19 pvid=10
add bridge=bridge1 interface=ether20 pvid=20
add bridge=bridge1 interface=ether21 pvid=20
add bridge=bridge1 interface=ether22 pvid=20
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
/interface bridge vlan
add bridge=bridge1 tagged=ether23,ether24 untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19 vlan-ids=10
add bridge=bridge1 tagged=ether23,ether24 untagged=ether20,ether21,ether22 vlan-ids=20
add bridge=bridge1 tagged=ether23,ether24 vlan-ids=30
/ip address
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan30 network=192.168.3.0
add address=192.168.188.111/24 interface=bridge1 network=192.168.188.0
/ip dhcp-client
add interface=bridge1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input in-interface=vlan10
add action=drop chain=input in-interface=!vlan10
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input dst-port=53 protocol=tcp
add action=accept chain=input protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1
/ip route
add distance=1 gateway=192.168.188.1
/system identity
set name=RouterOS
/system routerboard settings
set boot-os=router-os

However, this attempt also doesn’t look that promising, because

  • Seems like ports 23 and 24 are “directly” connected to the modem and get IP addresses from there, while the CRS326 as well as all other ports have no internet access
  • CRS326 access is possible from ports 23 and 24, but not from others
  • DHCP is not working

I know the RouterOS version is not current, I’ll update it once I get internet access on the CRS326.

Any hints on what my mistakes are?
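Why ports 23 and 24 see the ISP router: as an added example (not from the thread or the linked guide), this Python model builds the bridge VLAN table from the export above. It assumes RouterOS defaults pvid=1 for a bridge port and for the bridge itself when none is set, and that with vlan-filtering=yes each port gets a dynamic untagged membership in its pvid VLAN beside the static /interface bridge vlan entries.

```python
from collections import defaultdict

# (port, pvid) from the /interface bridge port section; None = pvid not set.
# "bridge1" models the bridge CPU port, where the 192.168.188.111/24 address sits.
# (Its dynamic tagged membership in VLANs 10/20/30 via /interface vlan is left out.)
BRIDGE_PORTS = (
    [("ether1", None), ("bridge1", None)]
    + [(f"ether{i}", 10) for i in range(2, 20)]
    + [(f"ether{i}", 20) for i in range(20, 23)]
    + [("ether23", None), ("ether24", None)]
)

# Static /interface bridge vlan entries: vlan-id -> (tagged ports, untagged ports)
BRIDGE_VLAN = {
    10: (["ether23", "ether24"], [f"ether{i}" for i in range(2, 20)]),
    20: (["ether23", "ether24"], ["ether20", "ether21", "ether22"]),
    30: (["ether23", "ether24"], []),
}

def pvid_of(ports, port, default_pvid=1):
    """VLAN an untagged frame arriving on `port` is assigned to (assumed default 1)."""
    pvid = dict(ports)[port]
    return pvid if pvid is not None else default_pvid

def vlan_table(ports, static):
    """{vlan-id: {port: 'tagged' | 'untagged'}} = static entries + dynamic pvid entries."""
    table = defaultdict(dict)
    for vid, (tagged, untagged) in static.items():
        for p in tagged:
            table[vid][p] = "tagged"
        for p in untagged:
            table[vid][p] = "untagged"
    for port, _ in ports:  # every port is untagged in its own pvid VLAN
        table[pvid_of(ports, port)].setdefault(port, "untagged")
    return dict(table)

def broadcast_domain(ports, static, port):
    """Other ports that receive an untagged broadcast (e.g. a DHCP discover) sent into `port`."""
    return set(vlan_table(ports, static)[pvid_of(ports, port)]) - {port}

if __name__ == "__main__":
    for vid, members in sorted(vlan_table(BRIDGE_PORTS, BRIDGE_VLAN).items()):
        print(f"VLAN {vid}: {sorted(members.items())}")
    # ether1 (WAN) ends up in VLAN 1 with ether23, ether24 and the CPU port only, so the
    # ISP router's DHCP answers reach ports 23/24 but never the VLAN 10/20 hosts.
    print("ether1 shares a broadcast domain with:",
          sorted(broadcast_domain(BRIDGE_PORTS, BRIDGE_VLAN, "ether1")))
```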

Problem solved after merging my settings with the ones from here: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Internet connection now works fine. AP settings I’ll check at a later point in time.