Isolate VLAN from home network

I have a Netgear AP that has 2 networks, home and guest. The guest WiFi is on VLAN 20. I think that the home WiFi is untagged on the same port.
My rb2011 setup is:
2 WANs on eth1 and eth2
a bridge from eth3 to eth10
The Netgear AP is connected to eth10
I've created a VLAN "vlan20" on eth10 and it is in the bridge.
The 2 WANs are in load balance.

The DHCP server on the bridge is 192.168.1.0/24 for the home network.
I've set up a DHCP server on vlan20, 192.168.2.0/24, for the guest WiFi network.

Now I want the VLAN to be able to reach the 2 WANs in load balance but not be able to communicate with the home network.

Which firewall rule do I have to set to isolate the VLAN from the home network?

First read this excellent resource to finesse your config; lots of examples.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Then come back after tweaking your setup.

Post your config
/export hide-sensitive file=yourconfig

Great resource on VLAN. Thanks for the link.

In the attachment there is my config of the routerboard.
config.rsc (5.24 KB)

Why not get rid of the following quickset legacy crap…
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dns static
add address=192.168.88.1 name=router.lan

The most glaring error is attaching vlan20 to an interface. Normally the vlan should be part of the bridge…
Personally (and as per the link examples) I would get rid of the concept of the bridge giving out dhcp and of using the default vlan1.
It allows much more flexibility and is less confusing.

Thus it would look like the following…
/interface bridge
add auto-mac=no comment=defconf name=bridge vlan-filtering=no (change this to YES after config complete but with safe mode on!!)
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] disabled=yes name=WAN2
/interface vlan
add interface=bridge name=vlan10home vlan-id=10
add interface=bridge name=vlan20guest vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_homepool10 ranges=192.168.1.2-192.168.1.254
add name=dhcp_guestpool20 ranges=192.168.178.2-192.168.178.254
/ip dhcp-server
add address-pool=dhcp_homepool10 disabled=no interface=vlan10home name=homelan
add address-pool=dhcp_guestpool20 disabled=no interface=vlan20guest name=guestlan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
/ip address
add address=192.168.1.1/24 comment=home-network10 interface=vlan10home network=192.168.1.0
add address=192.168.178.1/24 comment=guest-network20 interface=vlan20guest network=192.168.178.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 DNS server=??? - what is your plan here??
add address=192.168.178.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Now I left one important part out and there is one important part missing.
INTERFACE BRIDGE PORT SETTINGS - identifies ports associated with bridge and if any are access ports, which vlans are associated (ingress filtering)
INTERFACE BRIDGE VLAN SETTINGS - identifies ports associated with bridge (highlights trunk ports and any egress filtering).

So do any of these ports go to devices which cannot assign vlans??? Which ones are trunk ports??
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1

Then you will need to configure the
/interface bridge vlan PART OF THE CONFIG.
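As an added illustration of the two missing parts (not the poster's config and not from the reply above), here is what the bridge port and bridge vlan sections look like for the layout this thread ends up describing. Assumptions: ether9 is the trunk to a VLAN-capable AP carrying VLAN 10 and VLAN 20 tagged, ether3 to ether8 and ether10 are access ports for devices that cannot tag and belong in the home VLAN 10, and the bridge is named `bridge` as in the proposed config. Apply it with safe mode on and enable `vlan-filtering` only as the last step.

```routeros
# Added example, not the poster's config. Assumed roles:
#   ether9            trunk to the AP, VLAN 10 and 20 tagged
#   ether3-8, ether10 access ports, untagged, home VLAN 10
# Keep vlan-filtering=no on the bridge until the end of this block.

/interface bridge port
# Trunk port: only VLAN-tagged frames are admitted on ingress.
add bridge=bridge interface=ether9 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: untagged frames are assigned VLAN 10 (pvid); tagged frames are refused.
add bridge=bridge interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 10: tagged towards the router CPU ("bridge", needed for the vlan10home
# interface and its IP) and the trunk; untagged on the access ports (egress).
add bridge=bridge vlan-ids=10 tagged=bridge,ether9 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether10
# VLAN 20: tagged on the trunk and towards the CPU only; it never leaves the
# router untagged, so no access port can ever see guest frames.
add bridge=bridge vlan-ids=20 tagged=bridge,ether9

# Last step: turn on filtering. Done in safe mode, because a mistake above
# cuts off your own management path.
/interface bridge set bridge vlan-filtering=yes
```

Two checks before leaving safe mode: `/interface bridge vlan print` should show ether9 as tagged for both VLANs and no port listed as untagged for VLAN 20, and `/interface bridge host print` should show the AP's MAC learned on ether9 with vid 10 and 20. If the AP expects its own management traffic untagged on the trunk, the ether9 port needs `frame-types=admit-all` plus a `pvid` for that management VLAN instead of `admit-only-vlan-tagged`; that is an assumption about the AP, not something the thread states.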

I’m using a routerboard without wireless.
I've associated vlan20 to eth9 because the AP is connected to eth9. Is it an error? Or is it simply not necessary?

Vlan10 doesn't exist. The AP has only vlan20 for the guest WiFi network. The home WiFi isn't associated with a VLAN but is received on the same physical eth port, I think.
The only port that "receives" vlan20 is eth9.
Eth3 to eth8 and eth10 are connected to devices that do not assign VLANs.
The guest WiFi has to be a completely separate network.

DNS for the home network 192.168.1.0/24 isn't indicated because I use the ISP DNS.

It appears then that you really didn't grasp the reference, but it does take several reads for sure…
What I am saying is you have two vlans.
vlan10 is your home vlan
vlan20 is your guest vlan

The important part comes down to this basic question.
Is your access point VLAN capable? If it can assign vlan IDs then eth9 is a trunk port carrying both vlans.
If your access point is NOT vlan capable it can only handle one vlan from the router, eth9 is an access port, and you will need to get a second AP or one that can assign vlan ids.

I have checked the AP configuration. It can assign more than one VLAN. It can assign 3 VLANs to the respective "services": home WiFi, guest WiFi, IPTV.
It was set for only one VLAN, 20, for the guest WiFi. Now I have a "vlan 10" for the home WiFi.
eth9 is a trunk port.
How can I isolate VLAN 20 from the home network and make it independent?

Well, add to your config the necessary interface bridge vlan settings… and modify any current bridge ports if necessary.

As far as connectivity, the fact that V20 is in a vlan ensures some separation at layer 2.
To ensure the router doesn't route at layer 3 you need some Forward Chain filter rules…

Basically
FORWARD CHAIN
add fasttrack established,related
add established related
drop malformed packets
++++++++++++++++++++++++++++++++++
drop all else

Where the +++++++++++++++++++ is where you put the traffic flows you wish to permit.
Everything else will be dropped, such as VLANA to VLANB or VLANB to VLANA traffic.

Typical allow rules one does need are:
vlanA to internet
vlanB to internet
access to a common printer that is on one of the vlans
admin access to the other vlan
port forwarding rule if required
ipsec rules if required
etc…
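The forward chain skeleton in the reply above, written out as an added example (not the poster's config and not from the reply itself). It assumes the interface names from the config proposed earlier in this thread (`vlan10home`, `vlan20guest`, interface list `WAN`) and a default-style input chain that already accepts established/related. RouterOS evaluates filter rules top to bottom, so the order is the point.

```routeros
# Added example, not the poster's config. Assumed names: vlan10home,
# vlan20guest, interface list WAN (both WAN ports are members, so the
# load-balanced path is covered by out-interface-list=WAN).

/ip firewall filter
# 1. fasttrack, then accept, already-established flows (return traffic)
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related comment="accept established/related"
# 2. drop malformed / out-of-state packets
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 3. ++++ permitted new flows ++++
add chain=forward action=accept in-interface=vlan10home out-interface-list=WAN comment="home -> internet"
add chain=forward action=accept in-interface=vlan20guest out-interface-list=WAN comment="guest -> internet"
# optional: admin access from home into the guest vlan; guest -> home is never
# allowed, its replies only come back via established/related above
add chain=forward action=accept in-interface=vlan10home out-interface=vlan20guest comment="admin access to guest vlan"
# optional: traffic already dst-nat'ed by a port-forward rule in /ip firewall nat
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
# 4. drop all else: this is the rule that stops guest -> home
add chain=forward action=drop comment="drop all else"

# Beyond the reply above: the forward chain does not cover traffic to the
# router itself. Guests still need DHCP from it but should not reach its
# management services; that is the input chain. Place these after the
# existing established/related accept rule in chain=input.
add chain=input action=accept in-interface=vlan20guest protocol=udp dst-port=67 comment="guest DHCP"
add chain=input action=accept in-interface=vlan20guest protocol=udp dst-port=53 comment="guest DNS, only if the router is their resolver"
add chain=input action=drop in-interface=vlan20guest comment="guest cannot reach the router"
```

Check it with `/ip firewall filter print stats` while pinging 192.168.1.1 from a guest client: the counter on "drop all else" should climb and the ping should fail, while a guest client's internet traffic increments the "guest -> internet" rule. One caveat the thread does not cover: if the two WANs are load balanced with mangle marks that match the home subnet or `in-interface=vlan10home`, those mangle rules have to include the guest VLAN too, otherwise guest traffic leaves via the main routing table only.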

The problem resolved itself.
The AP doesn't support VLANs when in AP mode, only when in router mode. So I can't use VLANs to differentiate the home wireless network from the guest one. It's limited by the Netgear firmware.