Need HELP with VLAN

PLEASE SEE ATTACHED PICTURE OF MY SETUP

Hi guys, new here. Firstly, I would like to introduce myself. I'm now recently working with MikroTik routers, specifically the RB750r2.

I have been given the task to install MikroTik routers at our clients, which also use Ubiquiti AP Pro WAPs.

The reason for the MikroTik router is that we want to be able to create a VLAN which will be used for guests to connect over WiFi.

So what we want is the following.

All Wired machines, on 10.0.5.1/24 range - Must be able to PING each other
All WIFI devices (ipads RDP into server) 10.0.5.1 (WIFI ADMIN) - Must be able to PING each other
ALL ABOVE MUST HAVE INTERNET ACCESS VERY NB!

ALL WIFI Devices (GUESTS), on 10.0.15.1/24 - MUST NOT be able to PING 10.0.5.1/24 devices
MUST HAVE INTERNET ACCESS

So I have the config working with one small problem: the devices on the VLAN 10.0.15.1/24 CAN PING the 10.0.5.1/24 devices.

I am not familiar with how to read scripts or how to write them. I can obviously copy and paste, but I know every script is specific to each person's unique situation, so copying and pasting does not necessarily work.

Everything I have learned is from watching guys on YouTube doing the configs in WinBox.

Please can somebody help push me in the right direction? I have done some reading and it sounds like I am going to have to apply firewall rules? Is there perhaps somebody that could write a script for my specific setup so I can paste it in and see if it will work?

Thank you very very much people :slight_smile:

** EDIT

I'm not sure if you guys can see my attached image, as it shows as a broken image; perhaps the moderators need to approve it first.

ADSL router set up in bridge mode
Patch cable from the ADSL router to ether1 on the MikroTik (for internet)
MikroTik RB750r2 set up as PPPoE with details, connects to the internet no problem
Ports are not all bridged
Router has DHCP server enabled 10.0.5.1-10.0.5.254 (router IP 10.0.5.1)
Router is NAT enabled

I have internet access and the router has been upgraded to v6.46.4

I have VLAN19 created on port 2 using the interface list. Port 2 is the link between the MikroTik and the 16-port switch.
On the switch I have 2 UniFi AC Pro access points running on a controller.

Nothing else is plugged into ether3, 4 and 5

VLAN19 has its own address list 10.0.15.1/24 using interface VLAN19
10.0.5.1/24 on interface ether2

DHCP1 server is on interface 2 for 10.0.5.1/24
DHCP2 server is on interface VLAN19 for 10.0.15.1/24

I have not yet set up any bridges.

Hi weedmunchkin, too buzzed on a single beer to help now, but probably tomorrow.

Have a look, as an example… ( I use vlan5 and vlan10 for simplicity as they match the subnets…)
The explanation is weak. There is no need for the 10.0.5.0 network, as you describe no functionality or users on this network? Thus I have assumed that both on the router's other ports and perhaps on some of the other switch ports you wish to have another network existing, for whatever reason. Therefore this other network is on the trunk port to the switch and could easily be added to ethers 3-5 etc. (just need to identify them in the bridge port and bridge VLAN settings). So for understanding, vlan5 is the home/admin network and vlan15 is the guest/client network.

# model = whatever
# Interface names: the VLAN interfaces are called home-vlan5 and guest-vlan15
# everywhere below (the draft mixed home_vlan5, home-vlan5 and home-vlan11).
/interface ethernet
set [ find default-name=ether1 ] comment=Port1 name=ISP-eth1
set [ find default-name=ether2 ] comment=Port2 name=eth2_trunk
# unused ports are disabled one by one (there is no "ethers 3-5" range syntax)
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface bridge
# auto-mac stays on; an empty admin-mac with auto-mac=no is rejected
add comment=defconf name=myBridge vlan-filtering=yes
/interface vlan
add interface=myBridge name=home-vlan5 vlan-id=5
add interface=myBridge name=guest-vlan15 vlan-id=15
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="interfaces allowed to manage the router" name=MGMT
/interface list member
add comment=defconf interface=ISP-eth1 list=WAN
# with a PPPoE uplink the pppoe client interface must be in WAN as well,
# e.g. add interface=pppoe-out1 list=WAN
add interface=home-vlan5 list=LAN
add interface=guest-vlan15 list=LAN
add interface=home-vlan5 list=MGMT
/ip pool
# pools start at .2 so the router's own .1 address is never handed out
add name=pool-home ranges=10.0.5.2-10.0.5.254
add name=pool-guest ranges=10.0.15.2-10.0.15.254
/ip dhcp-server
add address-pool=pool-home disabled=no interface=home-vlan5 lease-time=1d \
    name=HomeLAN
add address-pool=pool-guest disabled=no interface=guest-vlan15 lease-time=1d \
    name=GuestLAN
/interface bridge port
# trunk to the switch; both VLANs are carried tagged on this port
add bridge=myBridge comment=defconf ingress-filtering=yes interface=eth2_trunk
/interface bridge vlan
add bridge=myBridge tagged=myBridge,eth2_trunk vlan-ids=5,15
/ip address
# the addresses belong on the VLAN interfaces, not on the bridge itself;
# each DHCP server needs an address on the interface it is bound to
add address=10.0.5.1/24 interface=home-vlan5 network=10.0.5.0
add address=10.0.15.1/24 interface=guest-vlan15 network=10.0.15.0
/ip dhcp-server network
add address=10.0.5.0/24 dns-server=10.0.5.1 gateway=10.0.5.1
# guests resolve via their own gateway address, not via the admin subnet
add address=10.0.15.0/24 dns-server=10.0.15.1 gateway=10.0.15.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,9.9.9.9
/ip firewall address-list
# replace xx / yy with the fixed addresses of the admin machines
add address=10.0.5.xx comment=Admin_desktop list=adminaccess
add address=10.0.5.yy comment=Admin_laptop list=adminaccess
/ip firewall nat
# without masquerade neither VLAN reaches the internet
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface=home-vlan5 src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
# log=yes is required for the prefix to have any effect
add action=drop chain=input comment="DROP ALL ELSE" log=yes \
    log-prefix="INPUT DROP ALL"
# --- forward chain: traffic routed between interfaces ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE vlans to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Admin to guest vlan" \
    in-interface=home-vlan5 out-interface=guest-vlan15 src-address-list=adminaccess
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# guest -> home never matches an accept above, so it is dropped here
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
# this setting takes an interface list, not a single interface name
set allowed-interface-list=MGMT
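For the layout exactly as the question describes it (no bridge yet; 10.0.5.0/24 untagged on ether2 and VLAN19 tagged on the same port with 10.0.15.0/24), the smallest change that stops guest-to-admin traffic is a forward-chain drop placed after the established/related accept and before anything that accepts LAN traffic broadly. The script below is an added example for this thread, not the original poster's config and not the reply's script. It assumes the VLAN interface is named VLAN19 as stated in the question, that the PPPoE client interface is named pppoe-out1 (assumed name), and that the default masquerade rule is left in place.

```routeros
# Added example, not from either post in this thread.
# Assumptions: ether2 = admin LAN 10.0.5.0/24 (untagged); VLAN19 = guest VLAN
# 10.0.15.0/24 (tagged on ether2); pppoe-out1 = PPPoE client (assumed name);
# the existing srcnat masquerade rule is kept.
/interface list
add name=WAN comment="internet side"
add name=LAN comment="admin LAN and guest VLAN"
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether2 list=LAN
add interface=VLAN19 list=LAN

# Rebuild the filter table; apply from a machine on the admin LAN (ether2),
# in WinBox Safe Mode, so a mistake rolls back instead of locking you out.
/ip firewall filter
remove [find]

# --- forward chain: packets routed between interfaces ---
# replies to connections that were already allowed (admin -> guest answers too)
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# the isolation rule: guests may not open connections into the admin LAN.
# connection-state=new keeps admin -> guest replies unaffected.
add chain=forward action=drop connection-state=new in-interface=VLAN19 \
    dst-address=10.0.5.0/24 comment="guest VLAN -> admin LAN blocked"
# both networks out to the internet
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN and guest to internet"
# admin hosts may still reach guest devices (e.g. for troubleshooting)
add chain=forward action=accept in-interface=ether2 out-interface=VLAN19 \
    comment="admin -> guest"
# everything else routed through the box, including WAN -> LAN, is dropped
add chain=forward action=drop comment="drop all other forward"

# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface=ether2 comment="admin LAN manages the router"
# guests get only the two services they need from 10.0.15.1
add chain=input action=accept in-interface=VLAN19 protocol=udp dst-port=67 \
    comment="guest DHCP"
add chain=input action=accept in-interface=VLAN19 protocol=udp dst-port=53 \
    comment="guest DNS udp"
add chain=input action=accept in-interface=VLAN19 protocol=tcp dst-port=53 \
    comment="guest DNS tcp"
# no ping, WinBox, SSH or anything else to the router from guests or the WAN
add chain=input action=drop comment="drop all other input"
```

Two points worth checking after pasting. First, rules are evaluated top to bottom in the order they were added, so the "guest VLAN -> admin LAN blocked" rule must stay above the LAN-to-internet accept; `/ip firewall filter print stats` shows its packet counter climbing while a guest device pings 10.0.5.x. Second, 10.0.5.1 is the router's own address, so a guest ping to 10.0.5.1 is handled by the input chain, not the forward chain; it is the final input drop that stops that one, while pings to any other 10.0.5.x host are stopped by the forward rule.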