New Home Setup VLANs

Ref: My brain idea mess - https://docs.google.com/document/d/1awdz6T4BIC1nkz2ENChtZQPW-u15ELzIgaKE1H-DQoo/edit?usp=sharing

Hey gang!

You are a very responsive group! I want to thank you for that. @anav replied within hours of my post and I am excited already.

I have added an attempt at an explanation to my want/need. Main thing here is I want to segregate my IoT wifi devices from the internet. They have no requirement to be accessible to the outside and I just want to make sure it stays that way.

The rest is just some guest and admin segregation from the regular network. Maybe I am going a bit too far here and need to pull back a bit before I jump in. Please any advice is appreciated and thank you!

Quoted questions still stand.

Thanks.


Note: Currently the RB is setup with default config and I have PPPoE working on ether1. I was not able to get the SFP+ working for my FTTH, but I believe I may be able to get that working once I have more knowledge in this VLAN thing as I think that is where my problems are stemming from in this case. I have 2 wifi set up (an IoT wifi (2GHz) and a Home wifi (5GHz)).
Home Network.png

Very doable, I have the same setup, different router with no wifi, but I use two capACs and have set it up pretty much as per the examples in the ref thread.

I use vlans for everything and one bridge to keep it clean and simple.
Home vlan (trusted users) - VLANXX

capac upstairs:
Iot devices upstairs VLANYY (2.4ghz chain)
home trusted wifi upstairs - VLANXX (5ghz chain)
Guest wifi upstairs - VLANQQ (virtual chain off 5ghz)

capac downstairs:
Iot devices basement VLANZZ (2.4ghz chain)
basement trusted wifi - VLANXX (5ghz chain)
basement guest wifi - VLANSS (virtual chain off of 5ghz chain)

I would separate into different vlans
guest wifi (access to internet only)
home (trusted wifi)
iot devices (access to internet only)

The one I am not sure where it fits is google devices but would tend to put it with iot devices.

Sounds like the rest of the devices are part of the home trusted network
adminPC (will give this puppy special powers via firewall rules)
server homelab
synology
htpc ?? (guessing as I do not know that this serves as functional wise)
printer ( will create an interface list of untrusted users that you think may want to have access only to the printer in the trusted lan (one way))

+++++++++++++++++++++++++
Okay just seeing your google list now. Is that what you want to achieve or someone's suggestion??

Hey there anav,

The google doc is brainstorming but I believe you’ve got most things just about covered in your explanation so far. I was trying to make a diagram/list of what I saw in my head for breaking the network into pieces. Main idea is for the IoT devices to not have access to the internet and only to be able to have mqtt/http access to the server. The google devices will need internet so they can run routines, etc as they have the google assistant active on them.

I should be able to see/control all things from the Admin PC, i.e. upload/manage the IoT devices (they are all wifi based) and ssh/remote desktop locally to the htpc and the server.

Print services for all the computers (not really necessary for guests).

The HTPC is my home theatre pc. it’s an old mac-mini but it’s now just running windows 10.

Does that help a bit?

Thank you!

This is just to give you an idea of how I would tackle this setup.
The technical question I don't know how to answer is how to best utilize the router switching.
I put the htpc and synology (heaviest traffic folks) on the same switch chip just in case and put the other devices on the other switch chip.

Basic starting point.
vlan2=adminPC (iot, google, home wifi devices, synology, serverhomelab, htpc, internet, printer, homewifi)

vlan5 -printer (internet?? )
vlan5-homewifi (internet)

vlan10 Server home/Lab (synology printer, iot, home wifi, internet)
vlan15=home wifi_devices (internet, (synology, printer))
vlan20=synology (internet only)
vlan30=google (internet only)
vlan40=guest wifi (internet only)
vlan50=iotdevices (homeserver only)
vlan 60 = htpc (serverhomelab, internet, printer, synology)

Create bridge = bridgehome
Create vlans with interface =bridgehome
Create dhcp structures for each vlan (ip address, dhcp-server, dhcp-server network, dhcp pool)
Create bridge port structure (assuming eth1 is for WAN)
eth2 - adminpc
eth3 - homeserverlab
eth4
eth5
++++++++++++++++++++++++++++++++++++++++ eth2-5 are one switch chip /6-10 on another/ sfp port is by itself.
eth6 - htpc
eth7 - synology
eth8 -
eth9
eth10
wlan1 5ghz home wifi
wlan2 5ghz guest wifi
wlan3 5ghz google devices wifi
wlan3 2ghz (iot devices channel 1)
wlan4 2ghz (home wifi devices channel 11)

Bridge ports describe ingress behaviour
so wlans entries include PVID and have frame-types=admit-only-untagged-and-priority-tagged [access ports]
so eth port entries to non vlan capable devices are same as wlans frame-types=admit-only-untagged-and-priority-tagged [access ports]
eth port entries to vlan aware devices (smart switches etc) ingress filtering=yes [trunk ports]

Bridge vlan behaviour (egress)
add a line for each vlanid, what needs to be tagged (bridge and trunk ports), untagged (wlan and access ports).

Default firewall rules to start.
Input chain
{default rules}
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan2 src-address=adminpcIP
last rule drop all else

Forward Chain.
{default rules}
[admin access] accept in-interface=vlan2 source ip= adminpcIP, out-interface-list=ADMIN (note2)
[synology, vlan2, vlan5, wifi devices, hptc, guest wifi, google access] accept in-interface-list=INTernet out-interface=wan (note6)
[server/home access] accept in-interface=vlan10 sourceip=serverhomeIP, out-interface-list=LAB (note3)
[wifi devices access] accept in-interface=vlan15 destination address-list=wifidevices (note4)
[iot access] accept in-interface=vlan50 destination-address=homeserverlabIP
[htpc access] accept in-interface=vlan 60 destination-address-list=HTPC note5
{default rules}
last rule drop all else

note2: Make an interface list
vlan5=ADMIN
vlan10=ADMIN
vlan15=ADMIN
vlan20=ADMIN
vlan30=ADMIN
vlan40=ADMIN
vlan50=ADMIN
vlan 60 =ADMIN
note3: Make an interface list
vlan5=LAB
vlan20=LAB
vlan50=LAB
Note4: Make a firewall address list
synologyIP=wifidevices
printerIP=wifidevices
Note5: Make a firewall address list
homelabIP=HTPC
printerIP=HTPC
synologyIP=HTPC
note6: Make an interface list
vlan2=INTernet
vlan5=INTernet (this includes home wifi and printer (did you want printer to access internet??))
vlan10=INTernet
vlan15=INTernet
vlan20=INTernet
vlan30=INTernet
vlan40=INTernet
vlan 60=INTernet
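A worked version of the bridge port / bridge vlan rules from the post above (ingress behaviour on the port entries, egress behaviour on the vlan entries, the bridge itself tagged on every row), as an added Python example that is not code from the thread or from MikroTik: it takes the port plan from this post and emits the matching RouterOS commands. Assumptions: the bridge is named bridgehome as in the post; the wlan numbering runs wlan1 to wlan5 as the thread settles on later; ether8 as the printer port is assumed because the post leaves eth8 blank; admit-only-vlan-tagged on trunk ports and ingress-filtering=yes on access ports are my choices, not something the post states.

```python
"""Turn a port-to-VLAN plan into the RouterOS bridge-port (ingress) and
bridge-vlan (egress) sections.  Added example, not config from the thread or
from MikroTik; the plan is constructed from the post above."""

from collections import defaultdict

BRIDGE = "bridgehome"
FRAME_ACCESS = "admit-only-untagged-and-priority-tagged"   # access ports (from the post)
FRAME_TRUNK = "admit-only-vlan-tagged"                     # assumption for trunk ports

# Access ports: interface -> PVID.  wlan4/wlan5 follow the numbering the thread
# settles on later; ether8 -> printer is an assumption (the post leaves eth8 blank).
ACCESS_PORTS = {
    "ether2": 2,    # adminPC
    "ether3": 10,   # server / home lab
    "ether6": 60,   # HTPC
    "ether7": 20,   # Synology
    "ether8": 5,    # LAN printer (assumed)
    "wlan1": 5,     # 5 GHz home wifi
    "wlan2": 40,    # 5 GHz guest wifi
    "wlan3": 30,    # 5 GHz google devices
    "wlan4": 50,    # 2.4 GHz IoT devices
    "wlan5": 15,    # 2.4 GHz home wifi devices
}
TRUNK_PORTS = []    # the poster has no VLAN-aware switches, so no trunks


def bridge_port_lines(access, trunks, bridge=BRIDGE):
    """Ingress side.  An access port gets a PVID and admits only untagged
    (and priority-tagged) frames; a trunk admits only tagged frames.
    ingress-filtering=yes drops a frame whose VLAN the port is not a member of."""
    lines = ["/interface bridge port"]
    for iface, pvid in access.items():
        lines.append(f"add bridge={bridge} interface={iface} pvid={pvid} "
                     f"frame-types={FRAME_ACCESS} ingress-filtering=yes")
    for iface in trunks:
        lines.append(f"add bridge={bridge} interface={iface} "
                     f"frame-types={FRAME_TRUNK} ingress-filtering=yes")
    return lines


def bridge_vlan_lines(access, trunks, bridge=BRIDGE):
    """Egress side: one row per VLAN id.  The bridge interface itself is tagged
    on every row (so the router's /interface vlan sub-interfaces see tagged
    frames), every trunk is tagged, and the access ports with that PVID are untagged."""
    members = defaultdict(list)
    for iface, pvid in access.items():
        members[pvid].append(iface)
    tagged = ",".join([bridge] + list(trunks))
    lines = ["/interface bridge vlan"]
    for vid in sorted(members):
        lines.append(f"add bridge={bridge} vlan-ids={vid} tagged={tagged} "
                     f"untagged={','.join(members[vid])}")
    return lines


def generate(access=ACCESS_PORTS, trunks=TRUNK_PORTS, bridge=BRIDGE):
    """Full script.  vlan-filtering is switched on only as the last step, after
    both tables exist; switching it on earlier is how you lock yourself out."""
    out = ["/interface bridge", f"add name={bridge} vlan-filtering=no"]
    out += bridge_port_lines(access, trunks, bridge)
    out += bridge_vlan_lines(access, trunks, bridge)
    out += ["/interface bridge", f"set [ find name={bridge} ] vlan-filtering=yes"]
    return "\n".join(out)


if __name__ == "__main__":
    print(generate())
```

The script emits vlan-filtering=yes as the very last line on purpose: the port and vlan tables have to exist before filtering is enabled, and doing it with Safe Mode active means a mistake rolls back instead of locking you out of the router.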

The server/lab is what I use to play around with learning more networking stuffs. It’s just an ubuntu pc, but I have NodeRed, MQTT, and OpenHAB (OH) running on it. OH is central to all my home automation. So it controls everything in the house IoT.

For my IoT (lots of ESP8266), I do not have/want it to have any internet access as they are all locally controlled via OH. The OH has internet access[able] so that I can control my items via google or web app, but for now things are staying internal and I will only enable that at a later date once I feel comfortable about my network being secure enough.

I SSH into the Server to modify and add devices and configure the home automation stuff.

My Synology is where I keep files/photos/videos backed up. I have a Plex server running off that one so the home lan will need access to that.

I like your idea of beefing up the Admin PC so that it has more accesses.

The HTPC is the largest hog on bandwidth/access. It will either be looking at Netflix, YouTube, or streaming Plex or movies from the Synology. I have a few Chromecasts which will be in there as well, but they will be covered in the Google devices section.

Did I get all your questions? Thank you sooo much for the quick replies. I am amazed at the turnaround time I’m getting! Although, considering the climate we are in, many of us are probably sitting at home with not a whole lot going on. I’m working from home as it is, so I have a bit more free time on my hands.

The google devices are WiFi.

Good morning @anav, at least it’s morning here for me, TGIF.

First of all.. WOW. I’ve been looking at trying to figure this all out for a long time now and you’ve just thrown something together in a day. Thank you and now I have some playing around to do today!

From what I’ve quoted above, are you saying that I would use the default firewall configs from a freshly reset RB and then add in what you have below that? I’m learning that these have to be in order of precedence, so I gather I put everything in there, then add the drop all at the end.

Lastly, I’ve read a lot (with little understanding) about how there is a difference between interface VLANs and Bridge VLANs (and others..). I know that the RB4011 doesn’t have one of those fancy CRS switch chips, but does this method take advantage of everything to ensure we are getting the best performance from the network? Please don’t take this as doubting your hard work, I’m just trying to learn as much as I can as I go here.

Have a wonderful Friday. I will try and not drive my wife crazy with the setup and disconnects that will be happening most of today! haha.

Keep the drop all else rules till the end… to make sure you don't lock yourself out of access to the router or on the LAN.
Also, in winbox, use the SAFEBOX for all changes (upper left of screen).

Well the setup I tried to think of is probably not the most efficient but its a decent start.
In terms of using the switching capabilities to the max, that is a good question.
The problem is I am very comfortable with the new method of vlan bridging but not at all familiar with the older style of HW offloading switch chip approach.
Let's get one working and then tackle the harder one later LOL.

Okay, what we can do to make this more efficient is put the htpc computer and synology on the same VLAN.
Will need to make some extra firewall rules to ensure the design requirements access to and fro are met but this will allow super great connectivity between the two and thus no extra load on the CPU for routing this heavy traffic!!

With slight modifications LOL
Basic starting point.
vlan2=adminPC (iot, google, home wifi devices, synology, serverhomelab, htpc, internet, printer, homewifi)
vlan5 -printer & homewifi (internet)
vlan10 Server home/Lab (synology printer, iot, home wifi, internet)
vlan15=home wifi_devices (internet, (synology, printer))
vlan20=synology (internet only) & htpc (server/lab, printer, internet)
vlan30=google (internet only)
vlan40=guest wifi (internet only)
vlan50=iotdevices (homeserver only)


Create bridge = bridgehome
Create vlans with interface =bridgehome
Create dhcp structures for each vlan (ip address, dhcp-server, dhcp-server network, dhcp pool)
Create bridge port structure (assuming eth1 is for WAN)
eth2 - adminpc
eth3 - homeserverlab
eth4
eth5
++++++++++++++++++++++++++++++++++++++++ eth2-5 are one switch chip /6-10 on another/ sfp port is by itself.
eth6 - htpc
eth7 - synology
eth8 -
eth9
eth10
wlan1 5ghz home wifi
wlan2 5ghz guest wifi
wlan3 5ghz google devices wifi
wlan3 2ghz (iot devices channel 1)
wlan4 2ghz (home wifi devices channel 11)

Bridge ports describe ingress behaviour
so wlans entries include PVID and have frame-types=admit-only-untagged-and-priority-tagged [access ports]
so eth port entries to non vlan capable devices are same as wlans frame-types=admit-only-untagged-and-priority-tagged [access ports]
eth port entries to vlan aware devices (smart switches etc) ingress filtering=yes [trunk ports]

Bridge vlan behaviour (egress)
add a line for each vlanid, what needs to be tagged (bridge and trunk ports), untagged (wlan and access ports).

Default firewall rules to start.
Input chain
{default rules}
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan2 src-address=adminpcIP
last rule drop all else

Forward Chain.
{default rules, fasttrack, established connected, drop invalid etc…}
[admin access] accept in-interface=vlan2 source ip= adminpcIP, out-interface-list=ADMIN (note2)
[synology, admin, homewifi, printer, wifi devices, hptc, guest wifi, google access] accept in-interface-list=INTernet out-interface=wan (note6)
[server/home access] accept in-interface=vlan10 sourceip=serverhomeIP, destination-address-list=LAB (note3)
[wifi devices access] accept in-interface=vlan15 destination address-list=wifidevices (note4)
[iot access] accept in-interface=vlan50 destination-address=homeserverlabIP
[htpc access] accept in-interface=vlan 20 source-address=htpcIP destination-address-list=HTPC note5
{default rules, defconf: "drop all from WAN not DSTNATed"}
last rule drop all else

note2: Make an interface list for admin access to all vlans
vlan5=ADMIN
vlan10=ADMIN
vlan15=ADMIN
vlan20=ADMIN
vlan30=ADMIN
vlan40=ADMIN
vlan50=ADMIN

note3: Make a firewall address list for server home lab access to other devices
vlan5subnet=LAB
synologyIP=LAB
vlan50subnet=LAB

Note4: Make a firewall address list
synologyIP=wifidevices
printerIP=wifidevices

Note5: Make a firewall address list
homelabIP=HTPC
printerIP=HTPC

note6: Make an interface list for access to the internet
vlan2=INTernet
vlan5=INTernet (this includes home wifi and printer (did you want printer to access internet??))
vlan10=INTernet
vlan15=INTernet
vlan20=INTernet
vlan30=INTernet
vlan40=INTernet

Alright, I’ve tried my best to put this all into action and it does seem that everything is almost working!

I gave it a try and from my AdminPC I have internet but I’m having trouble with the rest. You can see my config attached.

  • First thing is I can’t seem to access the RB via winbox anymore. All I can get is the webgui
  • Seems my Home WiFi does not have internet
  • I can’t seem to ping my server or the synology from the adminpc

I can see all my devices within DHCP leases, it seems that I can’t get access to them.

I tried my best to follow everything that you put into there. Save for a few minor changes to vlan#.

My printer is a LAN printer and is connected to port 8. It does not need the internet to survive.

Is there something I missed or misconfigured? I didn’t restart all the devices to renew IPs etc. I just tried the WiFi with my cell and can obviously still connect as it is the same SSID and pwd, but no longer have internet on them.

I’ll leave it at that, I have a feeling I have bastardised something completely.

The places I got a little lost were:

  • correctly configuring the DHCP structures, I’m not sure I have the gateways right;
  • I don’t have any trunk ports, so I believe I configured the bridge port ingress behaviour;
  • I’m not good at the tagging bits, please check my file that I did it right - It also may need to change due to the printer not being connected to the internet;
  • Ref firewall rules: I didn’t have IPs configured for my adminpc or other devices yet, I thought I could just not include that and it would let the whole VLAN have access;
    VLANCONFIG.rsc (13.1 KB)

Going to eat first but will take a look at this later. Progress is starting a first config. :slight_smile:

A problem is when you need mDNS to be able to connect to a device.

Comments
1- Get rid of legacy 88 stuff.
2 - Your WIFI is very confusing, do you not have an RB4011 with wifi???
It is supposed to have 5 Chains!!
You should be able to assign wlan1- 5ghz, wlan2 - 5ghz, wlan3 - 5ghz, wlan 4- 2ghz, wlan 5- 2ghz or something like that.
It's missing wlans too.
3 - don't forget vlan 5 is home wifi, vlan15 is home wifi devices (in your config you have dropped the word devices from vlan15 entries making the config very confusing.)
4 - Errors also in that you need to apply actual IPs for firewall address lists and one of your firewall address lists is supposed to be an interface list!

/interface bridge
add admin-mac=C4:AD:34:60:85:C1 auto-mac=no name="Home Bridge"
/interface ethernet
set [ find default-name=ether1 ] name="1 - Valerie WAN"
set [ find default-name=ether2 ] name="2 - AdminPC"
set [ find default-name=ether3 ] name="3 - Server"
set [ find default-name=ether4 ] name="4 - Work PC"
set [ find default-name=ether5 ] name="5 - RPi"
set [ find default-name=ether6 ] name="6 - HTPC"
set [ find default-name=ether7 ] name="7 - Synology"
set [ find default-name=ether8 ] name="8 - Printer"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface="1 - Valerie WAN" name="PPPoE WAN" service-name="Virgin Mobile PPPoE" user=REDACTED@virginmobile.ca
/interface vlan
add interface="Home Bridge" name="AdminPC VLAN101" vlan-id=101
add interface="Home Bridge" name="Google VLAN30" vlan-id=30
add interface="Home Bridge" name="Guest WiFi VLAN40" vlan-id=40
add interface="Home Bridge" name="Home WiFi ??? Devices VLAN15" vlan-id=15
add interface="Home Bridge" name="IoT VLAN50" vlan-id=50
add interface="Home Bridge" name="Printer & Home WiFi VLAN5" vlan-id=5
add interface="Home Bridge" name="Server/Lab VLAN10" vlan-id=10
add interface="Home Bridge" name="Synology & HTPC VLAN20" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Admin
add name=Internet

(5) Until we get the number of chains resolved not much we can do on wifi… you need to use all five chains
iotdevices 2ghz, home wifi devices -2ghz home wifi - 5ghz, guest wifi-5ghz, google-5ghz
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=canada disabled=no distance=indoors frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge name="Home WiFi" secondary-channel=auto security-profile=home ssid="JBHLMH Home 5GHz" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=canada disabled=no frequency=2452 mode=ap-bridge name="IoT WiFi" security-profile=iot ssid="JBHLMH IoT 2GHz" wireless-protocol=802.11 wps-mode=disabled
add hide-ssid=yes keepalive-frames=disabled mac-address=76:4D:28:BE:98:0E master-interface="IoT WiFi" multicast-buffering=disabled name="Backup IoT WiFi" security-profile=iot ssid="JBHLMH IoT Backup" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:60:85:CD master-interface="Home WiFi" multicast-buffering=disabled name="Google WiFi" security-profile=iot ssid="JBHLMH Google 5GHz" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name="Default Pool" ranges=192.168.88.10-192.168.88.254
add name="Admin Pool" ranges=192.168.101.2-192.168.101.254
add name="Printer & Home WiFi Pool" ranges=192.168.5.1-192.168.5.254
add name="Server Pool" ranges=192.168.10.1-192.168.10.254
add name="Home WiFi Pool" ranges=192.168.15.2-192.168.15.254
add name="Synology and HTPC Pool" ranges=192.168.20.2-192.168.20.254
add name="Google Pool" ranges=192.168.30.2-192.168.30.254
add name="Guest WiFi Pool" ranges=192.168.40.2-192.168.40.254
add name="IoT Pool" ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool="Default Pool" disabled=no interface="Home Bridge" name="Default DHCP"
add address-pool="Admin Pool" disabled=no interface="AdminPC VLAN101" name="Admin DHCP"
add address-pool="Printer & Home WiFi Pool" disabled=no interface="Printer & Home WiFi VLAN5" name="Printer & Home WiFi DHCP"
add address-pool="Server Pool" disabled=no interface="Server/Lab VLAN10" name="Server DHCP"
add address-pool="Home WiFi ??? (devices) Pool" disabled=no interface="Home WiFi VLAN15" name="Home WiFi DHCP"
add address-pool="Synology and HTPC Pool" disabled=no interface="Synology & HTPC VLAN20" name="Synology & HTPC DHCP"
add address-pool="Google Pool" disabled=no interface="Google VLAN30" name="Google DHCP"
add address-pool="Guest WiFi Pool" disabled=no interface="Guest WiFi VLAN40" name="Guest WiFi DHCP"
add address-pool="IoT Pool" disabled=no interface="IoT VLAN50" name="IoT DHCP"
/interface bridge port
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="2 - AdminPC" pvid=101
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="3 - Server" pvid=10
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="4 - Work PC" pvid=40
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="5 - RPi" pvid=10
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="6 - HTPC" pvid=20
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="7 - Synology" pvid=20
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="8 - Printer" pvid=5
add bridge="Home Bridge" comment=defconf disabled=yes interface=ether9
add bridge="Home Bridge" comment=defconf disabled=yes interface=ether10
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="Home WiFi ???Devices" pvid=15
add bridge="Home Bridge" comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="IoT WiFi" pvid=50
add bridge="Home Bridge" disabled=yes interface="Backup IoT WiFi" what the heck is this LOL.
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged interface="Google WiFi" pvid=30
{missing home wifi vlan 5}
{missing guest wifi vlan 40}
/ip neighbor discovery-settings
set discover-interface-list=LAN

  1. Yikes, major clean up here… stuff in reds gotta go
    /interface bridge vlan
    add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC,3 - Server,4 - Work PC,5 - RPi,6 - HTPC,7 - Synology,8 - Printer,Home WiFi,Google WiFi,IoT WiFi" vlan-ids=101
    add bridge="Home Bridge" tagged="Home Bridge" untagged="8 - Printer,Home WiFi,1 - Valerie WAN" vlan-ids=5
    add bridge="Home Bridge" tagged="Home Bridge" untagged="3 - Server,7 - Synology,8 - Printer,Home WiFi,1 - Valerie WAN" vlan-ids=10
    add bridge="Home Bridge" tagged="Home Bridge" untagged= Home WIFI Devices WLAN "1 - Valerie WAN,7 - Synology,8 - Printer" vlan-ids=15
    add bridge="Home Bridge" tagged="Home Bridge" untagged="6 - HTPC", "7 - Synology" "1- Valerie WAN,3 - Server,8 - Printer" vlan-ids=20
    add bridge="Home Bridge" tagged="Home Bridge" untagged= google wlan "1 - Valerie WAN" vlan-ids=30
    add bridge="Home Bridge" tagged="Home Bridge" untagged= guest wifi wlan "1 - Valerie WAN" vlan-ids=40
    add bridge="Home Bridge" tagged="Home Bridge" untagged="IoT WiFi "3 - Server" vlan-ids=50
    /interface detect-internet
    set detect-interface-list=WAN
    /interface list member
    add comment=defconf interface="Home Bridge" list=LAN
    add comment=defconf disabled=yes interface="1 - Valerie WAN" list=WAN
    add interface="PPPoE WAN" list=WAN
    add interface="Printer & Home WiFi VLAN5" list=Admin
    add interface="Server/Lab VLAN10" list=Admin
    add interface="Home WiFi VLAN15" list=Admin
    add interface="Synology & HTPC VLAN20" list=Admin
    add interface="Google VLAN30" list=Admin
    add interface="Guest WiFi VLAN40" list=Admin
    add interface="IoT VLAN50" list=Admin
    add interface="AdminPC VLAN101" list=Internet
    add interface="Printer & Home WiFi VLAN5" list=Internet
    add interface="Server/Lab VLAN10" list=Internet
    add interface="Home WiFi VLAN15" list=Internet
    add interface="Synology & HTPC VLAN20" list=Internet
    add interface="Google VLAN30" list=Internet
    add interface="Guest WiFi VLAN40" list=Internet
    /ip address
    add address=192.168.88.1/24 comment=defconf interface="Home Bridge" network=192.168.88.0
    add address=192.168.101.1/24 interface="AdminPC VLAN101" network=192.168.101.0
    add address=192.168.5.0/24 interface="Printer & Home WiFi VLAN5" network=192.168.5.0
    add address=192.168.10.0/24 interface="Server/Lab VLAN10" network=192.168.10.0
    add address=192.168.15.0/24 interface="Home WiFi VLAN15" network=192.168.15.0
    add address=192.168.20.0/24 interface="Synology & HTPC VLAN20" network=192.168.20.0
    add address=192.168.30.0/24 interface="Google VLAN30" network=192.168.30.0
    add address=192.168.40.0/24 interface="Guest WiFi VLAN40" network=192.168.40.0
    add address=192.168.50.0/24 interface="IoT VLAN50" network=192.168.50.0
    /ip dhcp-client
    add comment=defconf interface="1 - Valerie WAN"
    /ip dhcp-server lease
    add address=192.168.88.203 client-id=1:0:4:20:f0:9:54 mac-address=00:04:20:F0:09:54 server="Default DHCP"
    /ip dhcp-server network
    add address=192.168.5.0/24 gateway=192.168.5.1
    add address=192.168.10.0/24 gateway=192.168.10.1
    add address=192.168.15.0/24 gateway=192.168.15.1
    add address=192.168.20.0/24 gateway=192.168.20.1
    add address=192.168.30.0/24 gateway=192.168.30.1
    add address=192.168.40.0/24 gateway=192.168.40.1
    add address=192.168.50.0/24 gateway=192.168.50.1
    add address=192.168.60.0/24 gateway=192.168.60.1
    add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
    add address=192.168.101.0/24 gateway=192.168.101.1
    /ip dns
    set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan

  2. This is also an area with some issues.

Remember
Note4: Make a firewall address list
synologyIP=wifidevices - you need the IP address of the synology here!! it needs to be made static.
printerIP=wifidevices - same comment for printer IP

Note5: Make a firewall address list
homelabIP=HTPC - same comment for homelabIP
printerIP=HTPC - same comment for printerIP
synologyIP=HTPC - same comment for synology IP.

note3: Make a firewall address list for server home lab access to other devices
vlan5subnet=LAB
synologyIP=LAB
vlan50subnet=LAB

/ip firewall address-list
add address=192.168.5.0/24 list=LAB OK
add address=192.168.20.0/24 list=LAB
add address=192.168.50.0/24 list=LAB OK
add address=192.168.20.0/24 list="WiFi Devices"
add address=192.168.5.0/24 list="WiFi Devices"
add address=192.168.20.0/24 list=HTPC
add address=192.168.5.0/24 list=HTPC

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="VLAN Allow Admin to Router" in-interface="AdminPC VLAN101" (add source IP address= admin PC (put in the actual IP of the admin pc as well)
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Admin Access" in-interface="AdminPC VLAN101" out-interface-list=Admin source-ip=adminpcIP (like above put in actual ip of admin pc)
add action=accept chain=forward comment="VLAN Internet Access" in-interface-list=Internet out-interface-list=WAN
add action=accept chain=forward comment="Server Access" dst-address-list=LAB in-interface="Server/Lab VLAN10" source ip=serverhomeIP
add action=accept chain=forward comment="VLAN WiFi Device Access" dst-address-list="WiFi Devices" in-interface="Home WiFi VLAN15"
add action=accept chain=forward comment="VLAN IoT Access" dst-address-list=LAB dst-address= serverlabIP in-interface="IoT VLAN50"
add action=accept chain=forward comment="VLAN HTPC Access" dst-address-list=HTPC in-interface="Synology & HTPC VLAN20" src-address-list=HTPC src-address=htpcIP
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
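The review above finds two classes of mistake by eye: untagged members in the bridge vlan table that do not belong there (the WAN port, ports whose pvid is a different VLAN), and firewall address lists that hold whole subnets where a single host IP was meant (note4, note5). Both can be checked mechanically. The following is an added Python example, not code from the thread or from MikroTik, that parses a RouterOS export in the one-line-per-entry form and reports those two problems, plus a third check the review does not raise: the gateway handed out in /ip dhcp-server network must be an address the router actually holds on that VLAN interface, and an interface address of the form 192.168.x.0/24 is the network address, not a host on it. SAMPLE is a constructed excerpt built from values visible in the posted config, not the poster's actual .rsc file, and the set of host-only lists is an assumption taken from note4 and note5.

```python
"""Lint a RouterOS export for the configuration mistakes called out in the
review above.  Added example, not from the thread or from MikroTik; SAMPLE is a
constructed, one-line-per-entry excerpt using values visible in the posted
config, not the poster's actual .rsc file."""

import ipaddress
import re

SAMPLE = """
/interface bridge port
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged interface="2 - AdminPC" pvid=101
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged interface="3 - Server" pvid=10
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged interface="8 - Printer" pvid=5
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged interface="Home WiFi" pvid=15
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged interface="Google WiFi" pvid=30
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC,3 - Server,8 - Printer,Home WiFi,Google WiFi" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" untagged="8 - Printer,Home WiFi,1 - Valerie WAN" vlan-ids=5
add bridge="Home Bridge" tagged="Home Bridge" untagged="3 - Server" vlan-ids=10
add bridge="Home Bridge" tagged="Home Bridge" untagged="Google WiFi,1 - Valerie WAN" vlan-ids=30
/ip address
add address=192.168.101.1/24 interface="AdminPC VLAN101" network=192.168.101.0
add address=192.168.5.0/24 interface="Printer & Home WiFi VLAN5" network=192.168.5.0
add address=192.168.10.0/24 interface="Server/Lab VLAN10" network=192.168.10.0
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.101.0/24 gateway=192.168.101.1
/ip firewall address-list
add address=192.168.20.0/24 list="WiFi Devices"
add address=192.168.5.0/24 list=HTPC
add address=192.168.50.0/24 list=LAB
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse(text):
    """{section: [ {key: value}, ... ]} for the 'add' entries of an export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections


def lint(text, host_lists=("WiFi Devices", "HTPC")):
    """Return [(check, message)] findings; host_lists names the lists that must hold single hosts."""
    cfg = parse(text)
    findings = []

    # 1. Every untagged member of a bridge-vlan row must be a bridge port whose
    #    PVID is that VLAN; anything else (e.g. the WAN port) does not belong there.
    pvid = {p["interface"]: p.get("pvid") for p in cfg.get("/interface bridge port", [])}
    for row in cfg.get("/interface bridge vlan", []):
        vid = row["vlan-ids"]
        for member in row.get("untagged", "").split(","):
            member = member.strip()
            if not member:
                continue
            if member not in pvid:
                findings.append(("bridge-vlan", f"vlan {vid}: '{member}' is not a bridge port"))
            elif pvid[member] != vid:
                findings.append(("bridge-vlan", f"vlan {vid}: '{member}' has pvid {pvid[member]}"))

    # 2. The gateway DHCP hands out must be an address the router really holds on
    #    that VLAN; x.y.z.0/24 on the interface is the network address, not a host.
    gateways = {n["address"]: n["gateway"] for n in cfg.get("/ip dhcp-server network", [])}
    for entry in cfg.get("/ip address", []):
        iface = ipaddress.ip_interface(entry["address"])
        gw = gateways.get(str(iface.network))
        if iface.ip == iface.network.network_address or (gw and gw != str(iface.ip)):
            findings.append(("ip-address", f"{entry['interface']}: router holds {iface.ip}, DHCP gateway is {gw}"))

    # 3. Lists meant to name single hosts (note4, note5) must not contain whole subnets.
    for entry in cfg.get("/ip firewall address-list", []):
        net = ipaddress.ip_network(entry["address"], strict=False)
        if entry["list"] in host_lists and net.num_addresses > 1:
            findings.append(("address-list", f"list {entry['list']}: {entry['address']} is a subnet, not a host"))
    return findings


if __name__ == "__main__":
    for check, msg in lint(SAMPLE):
        print(f"[{check}] {msg}")
```

On the sample this reports the WAN port and the mis-pvid'd ports in the vlan rows, the two subnet entries in the host lists, and the two VLAN interfaces whose router address is the .0 network address while DHCP points clients at .1. The LAB list is allowed to hold subnets because note3 defines it that way, which is why it is not in host_lists.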

Ok, I’m going to work on these changes.

However, wrt the wlan3/4 I am not certain I know how to enable this. Yes, it is a 4-chain 5GHz and 2-chain 2GHz, but I only can see 2 wlan interfaces… Is there something I am doing wrong?

I removed the backup, sorry that was me playing around! here is a pic, and printout of my wireless.. Note, this is just in it’s current state running without vlans enabled.

[JBHLMH@MikroTik] > interface wireless print
Flags: X - disabled, R - running 
 0    name="Google WiFi" mtu=1500 l2mtu=1600 mac-address=C6:AD:34:60:85:CD 
      arp=enabled interface-type=virtual master-interface=Home WiFi 
      mode=ap-bridge ssid="JBHLMH Google 5GHz" vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=iot 

 1  R name="Home WiFi" mtu=1500 l2mtu=1600 mac-address=C4:AD:34:60:85:CB 
      arp=enabled interface-type=QCA9984 mode=ap-bridge ssid="JBHLMH Home 5GHz" 
      frequency=auto band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX 
      secondary-channel=auto scan-list=default wireless-protocol=802.11 
      vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none 
      wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes 
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 
      hide-ssid=no security-profile=home compression=no 

 2  R name="IoT WiFi" mtu=1500 l2mtu=1600 mac-address=74:4D:28:BE:98:0E 
      arp=enabled interface-type=Atheros AR9300 mode=ap-bridge 
      ssid="JBHLMH IoT 2GHz" frequency=2452 band=2ghz-b/g/n 
      channel-width=20/40mhz-eC secondary-channel="" scan-list=default 
      wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled 
      wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled 
      default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=iot 
      compression=no

Only thing I can see to make is more virtual wireless interfaces.. Is this what you mean?

I’ll work on the rest for now.
wireless interfaces.PNG

I will endeavour to find out. My capac has two chains and I have a 2ghz wlan and a 5ghz wlan. Anything above that is virtual.
Reading the literature it says the rb4011 should have 4x 5ghz chains, and 2x 2ghz chains so SIX in total.

Number of chains has nothing to do with number of master wlan interfaces, it’s the number of radios (and each radio can have one or more chain). @anav’s cAP ac devices have two radios (2.4GHz and 5GHz) and each radio has 2 chains (for 2x2 MIMO).

Hmmmmmmmm
Okay so in my capac, I have two radios and thus only 2 master WLANs to configure?
The rest have to be virtual.
So what is the benefit of having 2 chains per radio then?? One chain is for the master WLAN and one for as many virtual radios??

So in the RB4011 there are also two radios,
So he will only have two master WLANs, one for 2gig and one for 5gig

So what the hell good is 4 chains for the 5ghz radio and 2 chains for the 2ghz radio… man I know shit and it's very confusing and frustrating. Why can't this be rationally explained in plain english.

Okay dude, guess we are stuck on making virtual radios
So decide which will be 5ghz and which will be 2ghz.
house wifi- ?
guest wifi -?
google wifi -?
iot devices wifi -?
home wifi devices -?

Typically IOT devices work best in 2ghz domain. Not sure about google devices or your home wifi devices.
The pita is that each 2ghz radio will be sharing the same frequency so pick this very carefully, as far away from noise as possible.
I would put the home wifi and guest wifi at the 5ghz domain.

5ghz Master - home wifi on mine I have scan-list=5175-5185,5195-5205,5215-5225
5ghz Virtual - guest wifi
[5ghz Virtual - google devices]

2ghz Master - iot devices
2ghz Virtual home wifi devices
[2 ghz Google home devices ]

Ok, so I’ve tried to configure it again and removed the 88 stuffs and fixed the items like you said.

Seems I’ve still got some issues.

So decide which will be 5ghz and which will be 2ghz.

wlan1 5ghz home wifi
wlan2 5ghz guest wifi > (virtual)
wlan3 5ghz google devices wifi > (virtual)
wlan4 2ghz (iot devices channel 1)
wlan5 2ghz (home wifi devices channel 11) > (virtual)

I just haven’t designated channels yet. I’ll have to scan to see what’s best where I live. There are a number of other WiFi folks nearby.

Here is the latest config. I still don’t have wifi internet (5GHz at least that I have checked) nor do I have winbox access from my adminpc. I still have internet on it though.. seeing as this is how I’m posting to you. But I will revert from vlan-filtering on the bridge and see what we can do next.

Is there something I’ve done wrong in the firewall?
VLANCONFIG-no88.rsc (12.9 KB)

Probably not included in hide-sensitive configs, but can you confirm that you have IP Service setup for winbox with your adminpc having access??

Also under tools, for mac server, that for the winbox server, ensure the vlan101 interface is set there as allowed interface