Mikrotik VLANs (Office, Guest, Management)

Hello everyone,

I need your help, if it's not a problem?
In my network (lab), I have the Mikrotik RB750 and the D-Link DGS-1100-26MP (Smart Managed Web switch).

To begin, I want to set up two or three VLANs:

  1. VLAN for Office
  2. VLAN for Guest
  3. VLAN Management

I know how to adjust VLAN (Access, Hybrid, Trunk) on the D-Link Web Smart Switch.

I want the Office VLAN IP clients/devices not to have access to the IP clients/devices in the Guest VLAN, the IP clients/devices in the Guest VLAN not to have access to the IP clients/devices in the Office VLAN, and both VLANs (Office, Guest) not to have direct access to the Management VLAN.

I also want the Management VLAN to have access to the Office VLAN and the Guest VLAN, because I want to connect servers, access points, etc. in the Management VLAN …
I hope you understand me?

Is it possible to set up this configuration on the Mikrotik Router, and if yes, can you give me an instruction how to do it?

Best Regards,
Dino

It seems that you’ve already done all L2 configuration.
The rest is just firewall rules to allow/drop the traffic between the vlan interfaces.

Thanks for your reply.

I did not set anything in the firewall rules.

Can you help me and give instructions on what I need to set for the traffic between the vlan interfaces?

Read through this thread: http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1
It shows how to set up bridge and vlan for the 750Gr3 with ROS >=6.41.
See at the bottom of the thread.

You need to add the bridging, bridge/ports and interface/vlan.

To Jotne: No offence. It is really great that you are trying to promote your own topic throughout the whole forum, because it kind of systematises the area of mikrotik knowledge that is otherwise spread over the wiki, and it can be really hard for a new user to collect all the pieces into a complete picture.
But if you read the original post carefully, you can see that there is no need for any bridge at all in this case, because there is only one trunk port configured for all the vlans.

Well, if it is going to be your gateway router, you are going to need the firewall anyway.
For a standard firewall with a "drop everything else" rule at the end, you just need to add accept rules for the vlans that you want to be able to communicate with each other somewhere before the drop rule.
This simple example accepts only traffic initiated from your management network to both your vlans, and drops everything else passing through the router:

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=ether5 out-interface=vlan10
add action=accept chain=forward in-interface=ether5 out-interface=vlan11
add action=drop chain=forward

Try to start from reading the wiki:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Dear,

Based on your instructions, I first tried to block communication between two VLANs, in my case vlan-10 and vlan-11:

/ip firewall filter
add chain=forward action=drop in-interface=vlan-10 out-interface=vlan-11
add chain=forward action=drop in-interface=vlan-11 out-interface=vlan-10

Then I connected to the D-Link switch on a LAN port that is an access (untagged) port in vlan-10, to test the communication.

I get IP address 10.1.10.30 (from vlan-10) and I can ping IP address 10.1.11.1 (vlan-11), which means that again the communication between vlan-10 and vlan-11 works.

Did I make a mistake in setting the filters and firewall, or do I need to add another rule to the filter rules?

You can enable logging for the rules that you have created. Then you can see whether the rules get hit.
You can also double-check the D-Link switch configuration. Maybe the inter-VLAN traffic is not even passing through the Mikrotik router.

You're successfully pinging the router's address "from vlan-11" … but this doesn't prove you have connectivity between vlan-10 and vlan-11.

Here’s what’s going on:

  • the router receives a packet with dst address 10.1.10.30 on the vlan-10 interface
  • it checks the destination IP against its own IP addresses and against the routing tables. It notices that the destination IP address is one of its own addresses, so …
  • … it checks the chain=input filters rather than chain=forward. Probably you don't have any generic chain=input action=drop firewall rule, hence the ping is accepted by the router.

To really check the inter-VLAN connectivity, you need to ping a proper vlan-11 host (but first check the firewall rules on that host; it is quite probable that the host's firewall will drop pings).

Hello everyone

Thank you for your help and instructions.

I successfully managed to set up the VLANs in a basic configuration through firewall rules and VLAN isolation.

/ip firewall filter
add chain=forward action=drop in-interface=vlan-10 out-interface=vlan-11 log=no log-prefix=""
add chain=forward action=drop in-interface=vlan-11 out-interface=vlan-10 log=no log-prefix=""

Do you have any recommendations for the Connection state option for my case?

THANK YOU VERY MUCH

If your firewall consists of just these two entries for now, then there is no need to add anything else for this to work.
Now it accepts everything that is not forbidden.
But as I already said - try reading something about firewalls in general, because you definitely want to forbid more.
Or even reverse the logic: "what is not allowed is forbidden".
And then allowing established and related connections will be the first rule to implement.
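As an added example (not from any poster in this thread), here is the reversed "what is not allowed is forbidden" logic applied to the setup discussed above, with the established/related rule first and a logging rule ahead of the final drop so that rule hits can be checked. It assumes vlan-10 is Office (10.1.10.0/24), vlan-11 is Guest (10.1.11.0/24), management hosts sit behind ether5 as in the earlier reply, and ether1 is the WAN uplink; adjust the names to match /interface print.

```routeros
# Added example, not the thread's own config. Assumed interface names:
#   vlan-10 = Office, vlan-11 = Guest, ether5 = management, ether1 = WAN.
/ip firewall filter
# 1. Replies to already-permitted connections; must be the first rule.
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 2. Office and Guest may only initiate towards the Internet. There is no
#    rule between vlan-10 and vlan-11, so that traffic falls to the drop.
add chain=forward action=accept in-interface=vlan-10 out-interface=ether1 \
    comment="office -> internet"
add chain=forward action=accept in-interface=vlan-11 out-interface=ether1 \
    comment="guest -> internet"
# 3. Management initiates to both VLANs; the reverse direction is only
#    reachable as a reply through rule 1, never as a new connection.
add chain=forward action=accept in-interface=ether5 out-interface=vlan-10 \
    comment="mgmt -> office"
add chain=forward action=accept in-interface=ether5 out-interface=vlan-11 \
    comment="mgmt -> guest"
# 4. action=log does not terminate, so every packet that reaches the
#    default deny is recorded with the prefix before it is dropped.
add chain=forward action=log log-prefix="fwd-drop" comment="log rejects"
add chain=forward action=drop comment="default deny"

# The router's own addresses (for example 10.1.11.1) are evaluated in
# chain=input, not chain=forward, which is why the ping test above passed.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=ether5 comment="manage router"
# Clients still need the router as DNS resolver; allow only that.
add chain=input action=accept in-interface=vlan-10 protocol=udp dst-port=53
add chain=input action=accept in-interface=vlan-11 protocol=udp dst-port=53
add chain=input action=log log-prefix="input-drop"
add chain=input action=drop comment="default deny to router"
```

After a ping from 10.1.10.30 to a real vlan-11 host, /log print where message~"fwd-drop" should show the dropped packets; if nothing appears, the traffic is not reaching the router and the switch VLAN configuration is the next thing to check.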