Basically I want to isolate an AP for guest/unsafe, from the rest of the network. Currently the router is using a PPP connection on WAN and performing NAT(the traffic is going to a switch via eth2). I have a managed switch where I will configure 2 VLANs(one for the safe network and one for the unsafe/guest AP).
Do you have any ideas on how should I proceed with altering the existing configuration?
Are the access points SMART access points that can read vlans?
If not each access point will only be able to provide service for one subnet.
On bridge, two vlans, trunk port to switch, access ports from switch to two access points..
The AP cannot read VLANs, but I have a dedicated AP for unsafe wifi.
I only created 2 VLANs in the router(safe network, unsafe network), but I don’t know how to continue.
I was hoping that I could mark somehow the packets with a VLAN tag based on their subnet in the Firewall section, but it seems that this “shortcut” isn’t possible.
Please read through Item C. here - https://forum.mikrotik.com/viewtopic.php?t=182373
There are 4 links on that section:
The problem is that I only have basic CCNA1 knowledge, I don’t have network architecture design skills and I also don’t know how to organize the steps to not screw up the connectivity with the router.
It will take months for me to learn VLANs in general, VLANs on mikrotik routers and how to design the solution and figure out the steps needed.
Btw, I only have a simple masquerading rule on the router.
The only certification of our friendly @anav is the one noted in his forum signature. And didn’t take him months to get a grip on things. OK, perhaps it took more than that and sometimes he still struggles 
.
The point is that this forum is about sharing knowledge, not about spoon feeding or free consultancy services. And it’s not that hard, you’re mentioning CCNA and if you can get that without knowledge as basic as VLAN fundamentals, then my regard of CC certs just dropped to underground.
Max, then follow the guidance on assistance, because communication in IT, is key!!! Learn how to articulate requirements and the rest will follow!
https://forum.mikrotik.com/viewtopic.php?t=182373
Click on the link entitled - HAVING ISSUES AND NEED HELP READ THIS FIRST
The setup you are asking for is very basic.
Create bridge.
Assign vlans to the bridge ( one vlan for every subnet you have on the router).
Give vlans ip pool, dhcpserver, dhcpservernetwork, ip address
assign /interface bridge ports
assign /interface bridge vlans
ensure firewall rules are okay for your needs
ensure ip routes are okay for your needs
turn on bridge vlan filtering
basically done…
This is what I put on the switch:
And on the router:
Which menus do I have to access for this step?
“Give vlans ip pool, dhcpserver, dhcpservernetwork, ip address”
I will help with the switch settings by directing you to another thread where I did the very same thing, or at least close!!
As for the pictures they are great as a starter but also need
/export hide-sensitive file=anynameyouwish
Just be sure to put in xx.xxx.xx for any ISP public IPs or gateway IPs that may show, normally they do not.
The switch setup IS WRONG!!
DO NOT USE PORT BASED VLANS, you want 802.1Q VLANS
When you do…
VLAN1 is the default vlan or native vlan and is out of the box assigned to every port (untagged).
For trunk ports that are carrying vlans, the native or default vlan stays put as is!
For access ports that get untagged traffic from dumb devices, tag the traffic heading to the router and out the internet and then untag the return traffic before hitting the dumb device Replace vlan1 with THE PVID of the untagged vlan that is supposed to go through that port.
Look at the pictures I display here…
http://forum.mikrotik.com/t/isolate-ap-connected-to-via-the-same-ethernet-port/157231/18
I will change the switch config from port-based to 802.1Q.
This is my config:
# apr/16/2022 21:39:51 by RouterOS 6.45.9
/interface bridge
add fast-forward=no name=bridge1
add name=bridge_vlans
/interface ethernet
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=\
1492 name=pppoe-out1 use-peer-dns=yes user=xxxxxxxx
/interface list
add exclude=dynamic name=discover
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik \
unicast-ciphers=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=10.223.44.2-10.223.44.254
add name=dhcp_pool2 ranges=10.223.45.2-10.223.45.6
add name=openvpnpool1 ranges=172.25.10.1-172.25.10.2
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
interface=ether2 lease-time=3d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
interface=ether3 lease-time=3d name=dhcp2
/ppp profile
add local-address=dhcp_pool1 name=openvpnprofile remote-address=dhcp_pool1
/routing bgp instance
set default disabled=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=500
/ip firewall connection tracking
set tcp-syn-received-timeout=1m tcp-syn-sent-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge_vlans vlan-ids=2
add bridge=bridge_vlans vlan-ids=3
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=discover
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=openvpnprofile \
enabled=yes port=60501 require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=\
default-encryption
/ip address
add address=10.223.44.1/24 interface=ether2 network=10.223.44.0
add address=10.223.45.1/26 interface=ether3 network=10.223.45.0
/ip dhcp-server lease
add address=10.223.44.2 mac-address=..
add address=10.223.44.5 lease-time=4d3h mac-address=..
/ip dhcp-server network
add address=10.223.44.0/24 gateway=10.223.44.1
add address=10.223.45.0/26 gateway=10.223.45.1
/ip dns
set max-udp-packet-size=512 servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.223.44.0/24 disabled=yes list=ether2lan
add address=10.223.45.0/26 disabled=yes list=ether3lan
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=add-src-to-address-list address-list="ping checkers" \
address-list-timeout=2w chain=input comment="Ping checkers" icmp-options=\
8:0-255 protocol=icmp
add action=drop chain=input comment="dropping Ping checkers" icmp-options=\
0:0-255 protocol=icmp src-address-list="ping checkers"
add action=add-src-to-address-list address-list=winbox_login_attempt \
address-list-timeout=none-dynamic chain=input dst-port=8291 in-interface=\
pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_attempt \
address-list-timeout=none-dynamic chain=input dst-port=60001 \
in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=http_attempt \
address-list-timeout=none-dynamic chain=input dst-port=80 in-interface=\
pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=https_attempt \
address-list-timeout=none-dynamic chain=input dst-port=443 in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log-prefix=drop_invalid
add action=drop chain=input comment="defconf: drop WAN ICMP" \
in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=not_lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=drop_invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.223.44.0/24 to-addresses=\
0.0.0.0
add action=masquerade chain=srcnat src-address=10.223.45.0/26
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=443
set api disabled=yes
set winbox address=10.0.0.0/8
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
both
/ppp secret
add disabled=yes name=openvpnuser profile=openvpnprofile service=ovpn
/system logging
set 1 action=disk
set 3 action=disk
add topics=info
add topics=pppoe
add disabled=yes prefix=pppoe topics=debug
Hi Max, Normally I recommend only ONE bridge!
Observations:
(1) I do not see any vlans defined??
they need to be assigned with parent interface of the bridge,
then they each need, IP pool, IP address, IP dhcp-server, IP dhcp-server-network settings!!
(okay I see pools etc…)
(2) Get rid of list discover its not required and does nothing for you.
(3) Similarly get rid of any interface list members to discover.
All you need is vlan2 to LAN, vlan3 to LAN and ether1 to WAN.
(4) IP addresses are set to ports, need to be set to vlan2 and vlan3 as interfaces..
(5) Need /interface bridge ports and /interface bridge vlans
The /interface bridge vlans looks more like you were trying to create/identify vlans which needs to be done in the interface menu.
/interface bridge ports -->Here you want to identify if the port is going to be a trunk port or an access port (need pvid for access port).
/interface bridge vlans → Here you want to identify the tagging and untagging of ports
(6) Source nat ----> I dont understand what you are trying to do and would stick to the standard rule until you can describe the requirement and the appropriate config rule can be put in place…
(7) WHy so wide open ??? set winbox address=10.0.0.0/8
(8) Recommend you stick with default rules and not add all the extra garbage…
https://forum.mikrotik.com/viewtopic.php?t=180838
Thank you for your post, but it’s too complex for me.
Have no idea how to do most of those steps, and I’m 95% sure I’ll end up losing connection to the router at some point by a wrong order of operations mistake.
I regret buying the switch, the sdcard and the camera. Now I have to sell them.
LE: this is already like this, so I don’t know what’s the problem:
As @anav (*) pointed out, currently you don’t have any VLANs. If you need only one cable between router and switch and everything else should be connected to switch, then you don’t need to bother with bridges at all (you currently have two, both empty and useless), simply add VLANs like this (where etherX is where switch is connected to):
/interface vlan
add interface=etherX name=vlan2 vlan-id=2
add interface=etherX name=vlan3 vlan-id=3
Then you’ll have tagged VLANs 2 and 3 on etherX and new interfaces vlan2 and vlan3 for them. Give them IP addresses, DHCP server, etc. Currently you have them on ether2 and ether3, so move them (if you want to use those subnets for VLANs). To not lock yourself out, connect to router using one, move the other, then see it you can connect to that, and only then move the first one.
If you want VLANs spread over more than one router’s ports, that would require bridge, which is used to configure on which ports you want VLANs and their forms (tagged/untagged). My favourite example is one in manual, which I find simple and easy to understand (but not everyone feels the same).
–
(*) He’s helpful, but so far we didn’t manage to train him to recognize important stuff from unimportant, sorry about that.
I found this: http://mikrotikroutersetup.blogspot.com/p/mikrotik-router-dhcp.html
(6) Source nat ----> I dont understand what you are trying to do and would stick to the standard rule until you can describe the requirement and the appropriate config rule can be put in place…
(7) WHy so wide open ??? set winbox address=10.0.0.0/8
(8) Recommend you stick with default rules and not add all the extra garbage…
viewtopic.php?t=180838
@anav, what do you consider to be garbage?
I saw that I tried to implement what you told me 2 years ago here:
http://forum.mikrotik.com/t/am-i-protected-with-this-settings/141086/29
(6) Source NAT, I’m giving internet to the computers on eth2 and the ones on eth3. I wanted to keep them in separate subnets.
Hi Max, I was referring to all the port scanning stuff.
/interface vlan
add interface=ether2 name=vlan2 vlan-id=2
add interface=ether2 name=vlan3 vlan-id=3
/ip address
add address=10.223.44.1/24 interface=vlan2
add address=10.255.1.1/24 interface=vlan3
/ip pool add name=vlan2 ranges=10.223.44.1-10.223.44.254
/ip pool add name=vlan3 ranges=10.255.1.1-10.255.1.254
/ Ip dhcp-server enable 0
/ Ip dhcp-server add interface = LOCAL address-pool = vlan2
/ Ip dhcp-server add interface = LOCAL address-pool = vlan3
/ i don't understand why i have to specify dns-server here, i already have a dns specified in the dns menu
/ Ip dhcp-server network add address = 10.223.44.0/24 gateway = 10.223.44.1 dns-server = ?.?.?.? comment=”vlan2”
/ Ip dhcp-server network add address = 10.255.1.0/24 gateway = 10.255.1.1 dns-server = ?.?.?.? comment=”vlan3”
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.223.44.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=10.255.1.0/24 out-interface=WAN
Should these be enough?
I don’t understand why I have to specify the DNS in the dhcp-server command, though.
It still feels sketchy to copy-paste these in the terminal.
I don’t want to risk taking the router out, reseting it, connecting to it directly with a laptop, reuploading the last working config, etc. That’s another 1 hour lost in anger.
yeah lets walk before running concur!
The question I have is how many subnets do you need.
Thus far for sure we have two as you are attempting to capture with vlan2 and vlan3
Is there another local LAN?
On a previous config you have two bridge as well, and we only need one.
That example is for trunkless inter-vlan routering. I think this (old) and this (new) are more like the example in this thread, with a trunk link.
There’s an updated version of the intervlan routing with bridge document referenced by @Sob here with some changes: It specifies allowed frame types, which is good practice. The update /interface bridge vlan section does not explicitly show the untagged ports, which has the same effect, but I think is possibly more confusing, because it relies on implicit behavior. I like to explicitly specify all involved bridge-ports related to a vlan in this section, if for no other reason than if you search the config, you can see the vlan member ports in the line. But all I have configured is hEX S, and that is port limited. On a CRS with many ports, that could be unwieldy (perhaps there is a way to create a “port group” that could be treated equally, but if that feature exists, I am not aware of it. It would be nice to be able to specify a list of bridge-port and give it a name, similar to /interface list for firewalls, but that could be referenced where a list of ports would be accepted. That would make configuring a CRS with many ports configured as access ports for the same vlan easier to configure/understand. Perhaps there is a way to do it using scripts, but I haven’t gotten that far, and for port limited devices like the hEX S, it wouldn’t make much difference.
These are the differences (the red is what is different)
Old:
Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN:
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400
New:
Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN. Use frame-types setting to accept only untagged packets.
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=400 frame-types=admit-only-untagged-and-priority-tagged
Add Bridge VLAN entries and specify tagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing. Bridge ports with frame-types set to admit-only-untagged-and-priority-tagged will be automatically added as untagged ports for the pvid VLAN.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=200
add bridge=bridge1 tagged=bridge1 vlan-ids=300
add bridge=bridge1 tagged=bridge1 vlan-ids=400