Vircos
September 5, 2024, 12:48pm
I have a problem with IOT devices, using an RB4011 as the router and an Omada switch and APs as network components behind it.
I have three WLANs:
Standard → No vlan
IOT → VLAN 20
Guest → VLAN 30
All three WLANs can be used successfully to connect to the internet from a mobile or PC. However, when I try to connect an IOT device to the IOT WLAN it won't connect. Sometimes I see a DHCP lease appear for a brief moment when an IOT device tries to connect to the IOT WLAN, and then it drops. However, when I connect an IOT device to the standard WLAN it connects. I am not sure why.
Any assistance is appreciated.
Kind regards,
Vircos
Can you share the config?
/export file=anynameyoulike
Remove the serial number and any other private info, and post it between code tags using the </> button.
Vircos
September 5, 2024, 1:09pm
My config
# 2024-09-05 14:59:35 by RouterOS 7.15.3
# software id = X1HM-6RXR
#
# model = RB4011iGS+
# serial number = **
# NOTE(review): /export lists only non-default settings, so anything absent
# here (bridge vlan-filtering, /ip upnp enabled, l2tp-server enabled, ...)
# is at its default value.
/interface bridge
# vlan-filtering=yes is NOT set on the bridge (it defaults to off), so the
# /interface bridge vlan table further down is not applied. The last post in
# this thread confirms that enabling it resolved the IoT join problem.
add admin-mac=2C:C8:1B:B0:55:AB auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
# ether1 (WAN1) has auto-negotiation forced off; speed/duplex must then match
# what the ISP modem side is fixed to, or the link can mismatch.
set [ find default-name=ether1 ] auto-negotiation=no comment=WAN1
set [ find default-name=ether2 ] advertise=1G-baseT-full
set [ find default-name=ether10 ] comment=WAN2
/interface wireguard
# WireGuard listens on UDP 13231; the matching input accept rule is in
# /ip firewall filter below.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# Routed VLAN interfaces on top of the bridge; they give the router an address
# in VLAN 30 (Guest) and VLAN 20 (IOT). comment=Gasten is Dutch for "Guests".
add comment=Gasten interface=bridge name=Guest vlan-id=30
add comment=IOT interface=bridge name=IOT vlan-id=20
/interface list
# WAN/LAN lists drive the firewall, neighbor discovery and mac-server below;
# membership is defined under /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
add fri=0s-23h59m mon=0s-23h59m name=Kids sat=0s-23h59m sun=0s-23h59m thu=\
0s-23h59m tue=0s-23h59m wed=0s-23h59m
/ip pool
# dhcp       -> untagged LAN (192.168.1.0/24, server "defconf")
# vpn        -> PPP remote addresses (see /ppp profile)
# dhcp_pool2 -> Guest VLAN 30
# dhcp_pool3 -> IOT VLAN 20
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
# The defconf server on the untagged bridge uses a short 10m lease; the Guest
# and IOT servers bind to the VLAN interfaces with the default lease time.
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 comment=Guest interface=Guest name=Guest
add address-pool=dhcp_pool3 interface=IOT name=IOT
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# local-address was scrubbed before posting; remote addresses come from the
# vpn pool above. Used by the PPP secret "vpn" further down.
set *FFFFFFFE local-address=*ip* remote-address=vpn
/queue simple
add disabled=yes max-limit=8k/8k name="Sony Bravia" target=*ip*
/dude
# The Dude server runs on the router itself. It is reachable only through the
# input chain, which drops everything not arriving on a LAN-list interface
# (see /ip firewall filter) — so from bridge, wireguard1 and the IOT VLAN.
set enabled=yes
/interface bridge port
# Every port is bridged with ingress-filtering=no and no pvid/frame-types, so
# all ports currently accept tagged and untagged frames alike. Once
# vlan-filtering is enabled on the bridge, the port carrying the trunk to the
# Omada switch must be listed as tagged for VLANs 20/30 under
# /interface bridge vlan and access ports need a pvid; which port is the trunk
# is not visible in this export.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
internal-path-cost=10 path-cost=10
# ether9 was added outside the default config (no defconf comment).
add bridge=bridge interface=ether9
/ip firewall connection tracking
# UDP conntrack entries expire after 10s of silence.
set udp-timeout=10s
/ip neighbor discovery-settings
# discover-interface-list=!LAN means neighbor discovery (MNDP/CDP/LLDP) runs
# on every interface that is NOT in the LAN list — i.e. the WAN ports ether1
# and ether10 and the Guest VLAN — and is off on the LAN. This looks inverted
# (the default config uses discover-interface-list=LAN); on WAN it advertises
# the router's identity, model and version upstream. Verify intent.
set discover-interface-list=!LAN lldp-med-net-policy-vlan=1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is disabled entirely; no IPv6 firewall is required while this is set.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# Only the bridge CPU port is tagged; no physical port is listed as tagged or
# untagged for 20/30. Inert until vlan-filtering=yes is set on the bridge, at
# which point the trunk port to the switch must be added to tagged= here.
add bridge=bridge comment=Gasten tagged=bridge vlan-ids=30
add bridge=bridge comment=IOT tagged=bridge vlan-ids=20
/interface detect-internet
set internet-interface-list=WAN wan-interface-list=WAN
/interface l2tp-server server
# Only use-ipsec is set; whether the L2TP server is enabled is not in this
# export (enabled=no is the default).
set use-ipsec=yes
/interface list member
# LAN = bridge, wireguard1 and the IOT VLAN. The Guest VLAN is deliberately
# not in LAN, so new connections from Guest clients to the router are dropped
# by the input chain (Guest DHCP still works per the original post, and Guest
# gets public DNS via DHCP). Note that IOT *is* in LAN: IoT devices can reach
# router services, limited only by the per-service address= restrictions
# under /ip service.
add comment=defconf interface=bridge list=LAN
add comment="Internet Primary" interface=ether1 list=WAN
add comment="Internet Failover" interface=ether10 list=WAN
add interface=wireguard1 list=LAN
# comment=IO is presumably a truncated "IOT".
add comment=IO interface=IOT list=LAN
/interface ovpn-server server
# auth=sha1,md5 keeps HMAC-MD5 as an accepted OVPN auth digest. The server's
# enabled state is not shown (default off); if it is ever enabled, drop md5.
set auth=sha1,md5
/interface wireguard peers
# Single roaming peer ("Mobiel" = mobile). allowed-address pins it to one /32,
# so the peer cannot source other addresses through the tunnel. Key scrubbed.
add allowed-address=192.168.100.2/32 comment="Mobiel" interface=\
wireguard1 name=peer4 public-key=\
"*key*"
/ip address
# 192.168.1.1   untagged LAN (bridge)
# 192.168.100.1 WireGuard tunnel
# 192.168.30.1  Guest VLAN 30
# 192.168.20.1  IOT VLAN 20
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=192.168.30.1/24 comment=Guest-vlan interface=Guest network=\
192.168.30.0
add address=192.168.20.1/24 comment=IOT-vlan interface=IOT network=\
192.168.20.0
/ip cloud
# DDNS publishes this router's public IP under its MikroTik cloud hostname.
set ddns-enabled=yes
/ip dhcp-client
# On bind, the script rewrites the gateway of the static "Ziggo" default route
# (see /ip route) to the gateway the ISP handed out; with
# default-route-distance=255 the DHCP-installed route itself never wins over
# the static distance-1 route.
add comment=Ziggo default-route-distance=255 interface=ether1 script=":if (\$b\
ound=1) do={\
\n:local gw \$\"gateway-address\"\
\n/ip route set [ find comment=\"Ziggo\" gateway!=\$gw ] gateway=\$gw\
\n}"
# Failover WAN: DHCP route at distance 2 takes over when the distance-1 route
# fails its gateway ping check.
add comment=Failover default-route-distance=2 interface=ether10
/ip dhcp-server lease
# NOTE(review): these three entries have the shape of /ip dhcp-server network
# records (address/gateway/dns-server), not leases; the section header in
# this paste is probably wrong. Guest and IOT clients get public resolvers
# directly, so they never need the router's own DNS; the untagged LAN entry
# has no dns-server, so those clients presumably use the router (192.168.1.1).
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.20.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.30.1
/ip dns
# The router acts as a DNS forwarder. Exposure to the WAN is prevented only by
# the input-chain "drop all not coming from LAN" rule below; there is no
# explicit rule blocking UDP/TCP 53 from WAN.
set allow-remote-requests=yes
/ip dns static
/ip firewall address-list
# AllowNL (truncated in this paste) holds Dutch prefixes used to geo-restrict
# the TCP 443 port forward in /ip firewall nat. The "crowdsec" list referenced
# below is populated externally and is not part of this export.
add address=2.56.16.0/22 comment=NETHERLANDS list=AllowNL
...
/ip firewall filter
# CrowdSec blocklist drops come first on both chains, matched on WAN ingress.
add action=drop chain=input comment="crowdsec input drop rules" \
in-interface-list=WAN src-address-list=crowdsec
add action=drop chain=drop chain=forward comment="crowdsec forward drop rules" \
in-interface-list=WAN src-address-list=crowdsec
# Accepts ALL input from 192.168.100.0/24 by source address only, with no
# in-interface=wireguard1, and it sits above the WAN drop rule — a WAN packet
# carrying a spoofed 192.168.100.x source is accepted into input. wireguard1
# is already in the LAN list, so this rule is redundant: remove it, or add
# in-interface=wireguard1.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24
# WireGuard handshake port open from anywhere; WireGuard does not answer
# unauthenticated packets, so this is the normal exposure.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all: anything not arriving on a LAN-list interface is dropped, so
# management, DNS and Dude are reachable only from bridge/wireguard1/IOT.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# log=yes logs every unsolicited new WAN connection (prefix NotNat_); expect
# a noisy log. dstnat'ed connections (the 443 forward) pass this rule and,
# with no later drop matching them, are accepted by the chain default.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=NotNat_
# Isolation matches on source/destination *address* and only protects
# 192.168.1.0/24. Guest<->IOT (192.168.30.x <-> 192.168.20.x) and IOT/Guest ->
# 192.168.100.0/24 (WireGuard clients) are not blocked. Matching on
# in-interface=Guest / in-interface=IOT instead of src-address would also
# cover a client that configures a static address outside its VLAN subnet.
add action=drop chain=forward comment="Isolate Guest vlan 30" dst-address=\
192.168.1.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Isolate IOT vlan 20" dst-address=\
192.168.1.0/24 src-address=192.168.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# TCP 443 is forwarded to 192.168.1.105 for sources in AllowNL; that geo list
# is the sole gate, since the forward chain accepts dstnat'ed new connections.
# There is no in-interface-list=WAN or dst-address match, so consider pinning
# the rule to the WAN side so it cannot match internally-originated traffic.
add action=dst-nat chain=dstnat comment=ReverseProxy443 dst-port=443 \
protocol=tcp src-address-list=AllowNL to-addresses=192.168.1.105 \
to-ports=443
/ip kid-control device
/ip route
# Static default route via the Ziggo gateway (address scrubbed), kept current
# by the dhcp-client script above. check-gateway=ping lets the distance-2
# failover route on ether10 take over when the gateway stops answering.
add check-gateway=ping comment=Ziggo disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=*ip* pref-src="" routing-table=main \
suppress-hw-offload=no
/ip service
# Management is bound to 192.168.1.0/24 (untagged LAN only): IOT, Guest and
# WireGuard (192.168.100.0/24) clients are excluded at the service level even
# though IOT and wireguard1 pass the input chain. telnet/ftp/ssh/api-ssl are
# disabled, but plain-text www (HTTP) and api remain enabled — prefer winbox
# only, or www-ssl/api-ssl with a certificate. www-ssl is not listed, so it
# is at its default (disabled).
set telnet address=192.168.1.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24 disabled=yes
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
/ip smb shares
# SMB share path; whether the SMB server is enabled is not in this export.
set [ find default=yes ] directory=/pub
/ip upnp interfaces
# UPnP internal side is the untagged bridge only (not the IOT/Guest VLANs).
# Whether UPnP is enabled at all is not in this export (/ip upnp enabled
# defaults to no); if it is on, any untagged-LAN host can open inbound WAN
# ports on its own.
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
# PPP user "vpn"; the password is not shown here (presumably hidden by
# /export, which omits sensitive fields unless asked). Verify a strong
# password is set and whether the L2TP server is actually enabled.
add name=vpn
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=ChriscoGateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# kh.pool.ntp.org is the Cambodia zone of the NTP pool; for a Dutch site
# nl.pool.ntp.org was presumably intended.
add address=kh.pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
/system upgrade upgrade-package-source
# 0.0.0.0 is not a usable package source address — verify intent.
add address=0.0.0.0
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
/tool graphing resource
add
/tool mac-server
# MAC-telnet and MAC-winbox are limited to LAN-list interfaces, which include
# the IOT VLAN (see /interface list member).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# Disabled watchdog that would shut ether1 when the Ziggo gateway stops
# answering. The stray ">" after src-address=*ip* is a scrubbing artifact
# and would not parse if re-imported.
add comment="Check Ziggo Gateway" disabled=yes down-script=\
"interface ethernet disable ether1" host=*ip* interval=30s \
src-address=*ip*> test-script="" type=simple up-script=\
"interface ethernet enable ether1"
/tool sniffer
set filter-src-ip-address=192.168.1.150/32
I have found this:
/interface bridge vlan
# Only the bridge CPU port is tagged for 20/30; no physical member port is
# listed as tagged or untagged, and the bridge itself does not carry
# vlan-filtering=yes in the export above, so these entries are not enforced.
add bridge=bridge comment=Gasten tagged=bridge vlan-ids=30
add bridge=bridge comment=IOT tagged=bridge vlan-ids=20
I would expect to see VLAN filtering on the port(s) as well.
Currently the VLAN config is incomplete.
Is there a trunk/hybrid port to the switch?
Did you do VLAN config on all non-MikroTik devices?
Please have a look at this great tutorial about VLAN:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Vircos
September 11, 2024, 6:28am
@erlinden , thank you for the help.
It seems to work now. VLAN filtering on the bridge was not enabled, as you pointed out. The first two IOT devices are now successfully connected to the right VLAN.