No access to router

Hello again.

Problem from beginner.
My config idea is to have VLAN for every port, eth2 to eth 8. Eth1 is the WAN-port.
Eth8 is for configuration only, and only from eth8. Eth2-Eth7 should have no access to router configuration.
Eth8 not in bridge. Eth8 not having connection to the internet. (Not necessary).
I was using 10.0.80.5, MASK 255.255.255.0, GW 10.0.80.1 in my pc connected to router eth8.
Anyway, when using config below, i can not access router from eth8. I have to use MAC-address.
Must be a simple mistake (probably many!) somewhere.
Another thing, how much i need to change my config, if i'm getting my internet connection from android phone (tethering)?
Because i got my router well before ISP-company is bringing fiber to my place.
So here i'm making everything ready for that day.

\

feb/13/2022 16:24:16 by RouterOS 7.1.1

model = RB5009UG+S+

# Posted RouterOS export: one VLAN per access port (ether2-ether7) on a
# VLAN-filtering bridge, ether1 as WAN, ether8 kept off the bridge for management.
# Stated goal of the post: router configuration reachable from ether8 only.
/interface bridge
add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=OMA_PC_VLAN vlan-id=20
add interface=BR1 name=M_LAPTOP_VLAN vlan-id=30
add interface=BR1 name=OMALAPTOP_VLAN vlan-id=40
add interface=BR1 name=PI_VLAN vlan-id=50
add interface=BR1 name=WLAN_BOX_VLAN vlan-id=60
add interface=BR1 name=TV_VLAN vlan-id=70
# This VLAN sits directly on ether8, so only frames tagged with VLAN ID 80 reach
# MGMT_VLAN. A PC plugged into ether8 sends untagged frames, which is why
# 10.0.80.1 (bound to MGMT_VLAN below) does not answer. The thread's fix is to
# disable this entry and use ether8 itself, with no VLAN.
add interface=ether8 name=MGMT_VLAN vlan-id=80

/interface list
add name=WAN
add name=LAN
add name=MGMT

/ip pool
add name=OMA_PC_POOL ranges=10.0.20.2-10.0.20.254
add name=M_LAPTOP_POOL ranges=10.0.30.2-10.0.30.254
add name=OMALAPTOP_POOL ranges=10.0.40.2-10.0.40.254
add name=PI_POOL ranges=10.0.50.2-10.0.50.254
add name=WLAN_BOX_POOL ranges=10.0.60.2-10.0.60.254
add name=TV_POOL ranges=10.0.70.2-10.0.70.254
add name=MGMT_POOL ranges=10.0.80.2-10.0.80.254

/ip dhcp-server
add address-pool=OMA_PC_POOL interface=OMA_PC_VLAN name=OMA_PC_DHCP
add address-pool=M_LAPTOP_POOL interface=M_LAPTOP_VLAN name=M_LAPTOP_DHCP
add address-pool=OMALAPTOP_POOL interface=OMALAPTOP_VLAN name=OMALAPTOP_DHCP
add address-pool=PI_POOL interface=PI_VLAN name=PI_DHCP
add address-pool=WLAN_BOX_POOL interface=WLAN_BOX_VLAN name=WLAN_BOX_DHCP
add address-pool=TV_POOL interface=TV_VLAN name=TV_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP

# Access ports: untagged frames only, each port mapped to its own VLAN by pvid.
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=70

# Neighbor discovery is limited to the MGMT list (ether8 only, see list members).
/ip neighbor discovery-settings set discover-interface-list=MGMT

# The bridge itself is the tagged member of each VLAN so the VLAN interfaces
# above receive the traffic; no untagged members are listed explicitly here.
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40
add bridge=BR1 tagged=BR1 vlan-ids=50
add bridge=BR1 tagged=BR1 vlan-ids=60
add bridge=BR1 tagged=BR1 vlan-ids=70

# LAN lists the physical ports ether2-ether7, which are bridge ports.
# NOTE(review): the firewall presumably sees the VLAN interfaces, not the bridge
# ports, as in-interface, so the LAN rules below may match nothing as exported.
# The first reply in the thread advises listing the VLAN interfaces instead.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=MGMT

/ip address
add address=10.0.20.1/24 interface=OMA_PC_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=M_LAPTOP_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=OMALAPTOP_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=PI_VLAN network=10.0.50.0
add address=10.0.60.1/24 interface=WLAN_BOX_VLAN network=10.0.60.0
add address=10.0.70.1/24 interface=TV_VLAN network=10.0.70.0
# The management address is bound to MGMT_VLAN, not to ether8. For untagged
# off-bridge access it has to sit on ether8 itself.
add address=10.0.80.1/24 interface=MGMT_VLAN network=10.0.80.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1
add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1
add address=10.0.70.0/24 dns-server=10.0.70.1 gateway=10.0.70.1
add address=10.0.80.0/24 dns-server=10.0.80.1 gateway=10.0.80.1

# allow-remote-requests=yes makes the router answer DNS queries on any interface
# the input chain lets through. Here the final input drop rule is what keeps the
# resolver closed to the WAN side.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# This rule accepts ALL input traffic from the LAN list, not only DNS. Once the
# list holds the VLAN interfaces, every router service becomes reachable from
# ether2-ether7, which contradicts the stated goal of configuration from ether8
# only. Narrowing it to what clients need from the router (e.g. DNS, udp/tcp
# port 53) keeps management restricted to MGMT.
add action=accept chain=input comment="Allow VLAN-list" in-interface-list=LAN
# Both matchers are set on this rule (in-interface and in-interface-list).
# The reply in the thread suggests in-interface-list=MGMT alone.
# NOTE(review): with the address on MGMT_VLAN, tagged management traffic would
# arrive on MGMT_VLAN, which is not in the MGMT list - confirm.
add action=accept chain=input comment="Allow MGMT-list Full Access" in-interface=ether8 in-interface-list=MGMT
add action=drop chain=input comment="Drop everything not mentioned above"

# Forward chain: LAN to WAN is the only new traffic accepted; the final drop
# blocks VLAN-to-VLAN traffic and unsolicited WAN-to-LAN traffic.
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all VLANs to access the Internet only, NOT each other" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything not mentioned above"

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT" out-interface-list=WAN

# MAC-level access (MAC server and MAC WinBox) is limited to the MGMT list.
# It does not depend on IP addressing, which matches the report that the router
# was reachable from ether8 by MAC address only.
/tool mac-server
set allowed-interface-list=MGMT

/tool mac-server mac-winbox
set allowed-interface-list=MGMT

For interface list members use the vlans, not the etherports for 2-7
/interface list member
add interface=ether1 list=WAN
add interface=OMA_PC_VLAN list=LAN
etc for ether ports 3-7
add interface=ether8 list=MGMT

I have changed interface list members like you informed. Still no access to the eth8 with IP 10.0.80.1.

add action=accept chain=input comment="Allow MGMT-list Full Access" in-interface=ether8 in-interface-list=MGMT

I dont believe one is allowed to have both an in-interface and an in-interface-list !!

only need
add action=accept chain=input in-interface-list=MGMT

I see the problem…
You have created a vlan for ether8

NOT REQUIRED…
YOU ARE MIXING UP TWO CONCEPTS.

One is a management vlan, which the admin is normally on for work and which is used to give IP addresses to, and configure, all the other smart devices on the network!
The other is OFF Bridge access to the router, in case the Bridge config is screwed up somehow, which is easy to do!!

TO illustrate this, if you are the admin and work normally in the management vlan ( trusted vlan - for me its my home vlan not a separate management vlan), and lets say you were on port 9,

then what you would have is
/interface bridge port
add bridge=bridge interface=ether9 pvid=80 etc…

for OFF Bridge emergency access or simply access OFF the bridge then there is no VLAN associated at all.
Simply the IP address and adding ether8 to a MGMT interface as you have done.

SO to FIX your config do the following.
(1) DISABLE VLAN80, i.e. this entry:
/interface vlan

add interface=ether8 name=MGMT_VLAN vlan-id=80

(2) DISABLE POOL, DHCP SERVER, DHCP SERVER NETWORK for VLAN80

(3) Make the one firewall rule as I noted in the previous post.

You should be good to go.

Thanks, i will try that later on today!

Well well, i can get connection to my router from ether8…
There are people who make life easier, thank you anav.
Next i will try to make tethering working. I start to read manuals and i try to find instructions from this forum. If i need help, i’ll be back…

Will be here for the easy stuff :wink:. Others are better at the more than ‘light’ configuration requirements.