Noob starting out with a few VLANs

Wow, RouterOS is turning out to be much more difficult than I expected. I would really appreciate some help/guidance/pointers/etc for my network.

I’ve attached a PDF of the network I’m trying to build. The important part for the Hex S is I will have three VLANs (10, 20, 30). I want VLANs 10 and 30 to have DHCP and DNS, and VLAN 20 only having DHCP. I would also like the management interface (webfig) to only be accessible from vlan 20 (Think I know how to configure that).

  1. The combo switch/router part of the Hex S is very confusing for me. It has a switch chip, but it comes with a bridge interface by default. Why? I have a separate switch, so I have no use for switch ports on the Hex S. Can I disable the switch and delete the bridge interface? If I leave it as-is, will I be able to accomplish the above ^^?

  2. VLANs, VLANs, VLANs.. I already defined a VLAN ID and specified the associated interface in the Interfaces tab and assigned each VLAN a network. How can I allow devices in each VLAN to access the internet, but disallow inter-vlan routing? Firewalls are probably my weakest point (even though I’m pretty weak with networking in general lol).

This will probably be my first post of many.

Thanks!

Here’s my config:

[admin@MikroTik] > /export hide-sensitive 
# jan/02/1970 01:16:02 by RouterOS 6.47.10
# software id = 88SS-MGZU
#
# model = RB760iGS
/interface bridge
add admin-mac=18:FD:74:0A:21:51 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
add interface=ether1 name=VLAN30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Network-2.pdf (151 KB)

http://forum.mikrotik.com/t/configure-wifi-in-router-with-switch-chip/159418/1

Handled some of your questions

C. VLAN FILTERING - http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and the relationship between bridge and vlan filtering - http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1
***** Did you turn ON VLAN filtering after configuring /interface bridge port and /interface bridge vlan settings? *****

Note: MT help topics have vastly improved on this topic and can be found at:
https://help.mikrotik.com/docs/display/ … NFiltering
https://help.mikrotik.com/docs/display/ … VLAN+Table

PS it would take me about 5 minutes to change your config to what you want, not far off actually.
The biggest problem is you have a network there not described .88 just turn that into a vlan if you need it for any purpose

Most folks have issues configuring the bridge and making changes with vlans with the old default subnet kicking around.
The most error-free approach is doing something called configuring off bridge, which basically means taking an ethernet port and removing it from the bridge, attaching your laptop to it,
and making all the changes from there, so you can butcher the bridge and the vlans and not lose access to the router.

https://forum.mikrotik.com/viewtopic.php?t=181718

First thing I saw in your export is the VLAN is on the ether1 interface and your ether interfaces are part of a bridge. If you want to use all of your ether interfaces you’d need to move the VLANs onto the bridge.
I think I go somewhat against most on the forum here, I do VLAN wrongly but it works perfect for what I need, I add the VLANS to my bridge interface and nothing more.

I do VLAN wrongly but it works perfect for what I need, I add the VLANS to my bridge interface and nothing more.

All depends on what you need, I presume. With ether1 here as WAN (interface list member) and not a port of the bridge, and ether2-ether5 as ports of the bridge, which itself is in the LAN interface list, all bridge slave interfaces (ether2-ether5) are defined as being part of the LAN environment.
What you do with the VLAN interfaces depends on what you want. They can be added to the WAN interface list as WAN-side VLANs, or to the LAN interface list as LAN-side VLANs. Or they can be added to the bridge as ports, being slave interfaces to the bridge, which is the main LAN here.

A VLAN need not be defined as an interface; as ether2-ether5 are connected to the bridge, the bridge can tag/untag/filter VLAN traffic to and from the bridge ports (including ethernet and CPU, and other ports).

Creating VLAN interfaces and adding them to the bridge or not, is something different, from handling/filtering VLAN traffic with the bridge (actually switch if HW offloaded).

“WAN-side” and “LAN-side” is about the default Firewall rules for allowed access and NAT/masquerade. The membership does not matter for “slave interfaces”, it’s defined by the master (bridge).

Thanks for this! I was able to remove one port from the bridge, switch to it, then remove the bridge altogether. I also added the physical interfaces to the LAN list. What I’m unsure of now is how to add the VLANs. I can define VLAN interfaces, their IDs, and their backing physical interfaces from the “Interfaces” tab, but I’m unsure what to do next. Can I just set up each VLAN interface with a subnet and be done with it? Do I need to add each VLAN interface to the LAN list? And do I need to modify the firewall to allow inter-VLAN routing? I don’t know if the firewall drops or accepts if no rules match. I’m also confused what the difference now is between the ether interface and its component VLAN interfaces. Does the ether interface represent the untagged VLAN?

I don’t think “remove the bridge altogether” was what @anav was suggesting. Only that by removing a single port from the bridge to work from, you can modify the bridge and ports in it without locking yourself out. It’s avoiding the “sawing off the limb you are sitting on” problem.

If you never plan to use any of the other ports on the hEX S, then what you have done can work, but in my opinion, it isn’t the best way to set things up, as you won’t be able to use the hEX S ports as access ports to any of the vlans. Instead, I would only remove the internet and “configuration/emergency access” ports from the bridge, then working from the port, complete your setup of the bridge. Then you can setup an access port for the management vlan on the hEX S as well as

Your diagram shows you are using a Unifi switch and AP. Are these set up correctly? Was this working with another router at some point? Where is the Unifi controller in the diagram? Are the vlans 10,20,30 all tagged on the trunk interfaces? What is associated with untagged traffic on the trunk links?

For how to set up the UniFi kit, you should head over to the Ubiquiti site and see how to configure the switch and controller with a non-UniFi router (the USG and UDM are the “UniFi” routers that the UniFi controller can configure). There are many people that use UniFi switches, controllers and APs with non-UniFi routers (e.g. EdgeRouters, pfSense and MikroTik routers). When you are not using a USG or UDM, and are using UniFi switches, you will need to set up the vlans as “vlan only”. Also, UniFi by default expects the APs and switches to be adopted/configured on the untagged vlan (what Cisco calls the native vlan), and in UniFi this untagged vlan defaults to vlan 1. So if you can find a config using the ER-X with vlan-aware switch0 that would work, it should be possible to recreate the vlan config on a hEX S.

What I would do would be to have all the vlans under the bridge interface (this is configuring the layer 2 part using the /interface bridge port and /interface bridge vlan commands), and then create vlan interfaces under the bridge to attach ip addresses to using the command /interface vlan.

If you want to be able to use the vlan-filtering bridge and have hardware assist from the built in switch ASIC, you will need to upgrade the firmware to something more recent, v7.3.1 is the latest ‘stable’ right now. I just updated from v7.2.1 to v7.3.1 and my vlan-filtering bridge based vlans still work.

Read the links in post #3

@Buckeye being brilliant, luv the analogy → It’s avoiding the “sawing off the limb you are sitting on” problem. I am going to use that in the user article!!

Yes, to the OP, stop being a chicken running around with your head cut off.
You followed the instructions on how to config the bridge (not delete the bridge) safely, and then you jumped back into the deep end. Breathe instead, or in other words follow the guide on how to deal with vlans. Read, learn, move slowly, avoid youtube!! Ask questions here, but only after making somewhat of an effort. Post your config and we will have a look when you get stuck.

@anav I’ve followed the instructions to create VLANs with the bridge. I am using ether1 as an off-bridge interface. This is my current config:

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=GuestVLAN vlan-id=30
add interface=bridge name=HomeVLAN vlan-id=10
add interface=bridge name=MgmtVLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=HomePool ranges=192.168.10.10-192.168.10.254
add name=MgmtPool ranges=192.168.20.10-192.168.20.254
add name=GuestPool ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=HomePool interface=HomeVLAN name=HomeDHCP
add address-pool=MgmtPool interface=MgmtVLAN name=MgmtDHCP
add address-pool=GuestPool interface=GuestVLAN name=GuestDHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=HomeVLAN tagged=bridge,ether2,ether3,ether4,sfp1 vlan-ids=10
add bridge=bridge comment=MgmtVLAN tagged=bridge,ether2,ether3,ether4,sfp1 vlan-ids=20
add bridge=bridge comment=GuestVLAN tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=30
/interface list member
add interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether1 list=LAN
add interface=GuestVLAN list=VLAN
add interface=HomeVLAN list=VLAN
add interface=MgmtVLAN list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=ether1 network=192.168.99.0
add address=192.168.10.1/24 interface=HomeVLAN network=192.168.10.0
add address=192.168.20.1/24 interface=MgmtVLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GuestVLAN network=192.168.30.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.30.0/24 dns-server=192.168.0.1 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow VLAN to services" in-interface-list=VLAN
add action=accept chain=input comment="Allow Mgmt VLAN" in-interface=MgmtVLAN
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system identity
set name="CDomain Router"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I can get DHCP on the bridge ports with my laptop directly connected when I allow untagged frames. This makes sense since I am treating them as access ports in this scenario. But I only get addresses on the default 88 subnet. This also makes sense because the PVID is 1. But when I change the PVID on ether2 to match one of my VLANs (vlan 10) and I allow untagged packets on the port, I can’t get DHCP and I can’t ping the 192.168.10.1 interface. I think this might be because my LAN firewall list wasn’t updated in the tutorial(?) My LAN list currently only contains the bridge and my off-bridge interface (ether1, WAN is ether5). Do I need to update my LAN list to contain the VLAN interfaces?

The rule in question:

add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

Edit: I added the 3 VLAN interfaces to the LAN list and disabled the “VLAN” firewall rules from the guide, since there are no more interfaces in the “VLAN” list. Still can’t get DHCP or ping the router’s VLAN interfaces when I set a given port’s PVID and allow untagged packets through the port.

See @anav’s New User Pathway To Config Success thread. Then see section C.

@anav, the links in post #3 didn’t get copied correctly from section C, this forum software doesn’t allow you to copy/paste links easily. And I just tried the links directly in section C, and the Bridge VLAN Filtering link no longer works, perhaps MikroTik changed something.

This currently works (as of 2022-07-17):

Bridge VLAN Filtering

Also see this post by @sindy. MikroTik expects you to configure egress and ingress separately.

The following should make ether2 an access port for vlan 10. /interface bridge port controls ingress, /interface bridge vlan controls how egress frames will be placed on the wire (tagged, untagged) for each port that is a member of the specified vlan. You need to move ether2 from the “tagged” set to the “untagged” set if you want the port to send untagged frames for vlan 10.

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
…snip…
/interface bridge vlan
add bridge=bridge comment=HomeVLAN tagged=bridge,ether3,ether4,sfp1 untagged=ether2 vlan-ids=10

@Buckeye you were right on the money with the egress! Thank you! I will read up on those links

@buckeye, thanks, fixed the now outdated link!

(1) The vlan filtering example did not have the bridge giving out DHCP, so you need to change it to a vlan… It’s not clear to me the purpose of your .88 subnet, why did you keep it??
If you are going to keep it turn it into a vlan
/interface vlan
add interface=bridge name=vlan88 vlan-id=88

/ip dhcp-server
add address-pool=default-dhcp interface=vlan88 name=defconf

/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan88 network=192.168.88.0

(2) Get rid of your interface list VLAN, it serves no real purpose as it is basically duplicating the LAN setup, and you use the LAN interface list in many config areas.
When you change subnet88 to a vlan, add it to the list of LAN members and DROP the bridge reference to LAN

/interface list member
add interface=vlan88 list=LAN

(3) I thought ether5 was your WAN port??

/ip dhcp-client
add comment=defconf interface=ether1 SHOULD BE ETHER 5 ?

(4) Remove this default setting no longer required.

/ip dns
/ip dns static (remove default setup legacy)
add address=192.168.88.1 comment=defconf name=router.lan

(5) If vlan20 is your management vlan then you need to do the following…
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE

/interface list member
add interface=ether5 list=WAN
add interface=GuestVLAN list=LAN
add interface=HomeVLAN list=LAN
add interface=vlan88 list=LAN
add interface=MgmtVLAN list=LAN
add interface=MgmtVLAN list=MANAGE
add interface=ether1 list=MANAGE

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

(6) ALSO the VLAN interface list member has no purpose as you can do everything with the LAN list. Only if it was unique in some way would you need it…

(7) Some changes to firewall rules to make it simpler for now and once everything is up and running we can finesse it.

/ip firewall filter
REPLACE THIS
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

WITH THIS
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"


REPLACE THIS
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
WITH THIS
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(8) How are you configuring the router??
/ip service
set winbox disabled=yes ??? Do you not use winbox???

(9) AS buckeye noted, you have three choices.

/interface bridge port (incoming data)
Trunk port - going to smart devices that can read vlan tags (business class APs, managed switches etc.)
add bridge=bridge interface=X ingress-filtering=yes frame-types=admit-only-vlan-tagged

Access port - going to dumb devices (PCs, printers etc.)
add bridge=bridge interface=Y ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=??

Hybrid port - smart devices and specialty devices (some smart devices require the management vlan untagged, and some VOIP devices may require tagged for voice and untagged for an attached PC)
add bridge=bridge interface=Z pvid=??

/interface bridge vlan (outgoing data)
access ports should be untagged in relation to their vlan-ids
trunk ports should be tagged in relation to their vlan-ids
a hybrid port should have both types of entries: tagged (however many) in relation to the associated vlan-ids, and only one untagged entry in relation to a vlan-id
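The ingress/egress split @Buckeye describes (bridge port = what comes in, bridge vlan = how it goes out) and the three port types in (9) above, assembled into one complete, pasteable configuration. This is an added worked example, not a config from this thread or from MikroTik. The port roles in its header comment are assumptions (ether5 WAN, ether1 off-bridge config port, ether2 access, ether3/sfp1 trunks, ether4 hybrid); the VLAN names, IDs and subnets are the OP's.

```routeros
# Added example for a hEX S (RB760iGS) on RouterOS 7.x. Port roles are assumptions:
#   ether5 = WAN (DHCP client)        ether1 = off-bridge config port, 192.168.99.1/24
#   ether2 = access port, VLAN 10     ether3, sfp1 = trunks (tagged 10,20,30)
#   ether4 = hybrid port (untagged VLAN 20 for an AP's management, tagged VLAN 30 guest SSID)
# Apply it from a laptop on ether1 so the bridge can be rebuilt without locking yourself out.

/interface bridge
add name=bridge comment="vlan-filtering is switched on in the last step"

/interface vlan
add interface=bridge name=HomeVLAN  vlan-id=10
add interface=bridge name=MgmtVLAN  vlan-id=20
add interface=bridge name=GuestVLAN vlan-id=30

# Ingress side: what each port admits and which VLAN its untagged frames land in
/interface bridge port
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="trunk to UniFi switch"
add bridge=bridge interface=sfp1   ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="spare trunk"
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10 comment="access, home"
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-all pvid=20 comment="hybrid, AP: mgmt untagged, guest tagged"

# Egress side: per VLAN, which ports send it tagged and which untagged.
# 'bridge' in tagged= is the CPU port; without it the /interface vlan interfaces never see the VLAN.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether3,sfp1        untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether3,sfp1        untagged=ether4
add bridge=bridge vlan-ids=30 tagged=bridge,ether3,ether4,sfp1

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether5    list=WAN
add interface=ether1    list=LAN
add interface=HomeVLAN  list=LAN
add interface=MgmtVLAN  list=LAN
add interface=GuestVLAN list=LAN

/ip address
add interface=ether1    address=192.168.99.1/24 comment="config off bridge"
add interface=HomeVLAN  address=192.168.10.1/24
add interface=MgmtVLAN  address=192.168.20.1/24
add interface=GuestVLAN address=192.168.30.1/24

/ip dhcp-client
add interface=ether5 disabled=no

/ip pool
add name=HomePool  ranges=192.168.10.10-192.168.10.254
add name=MgmtPool  ranges=192.168.20.10-192.168.20.254
add name=GuestPool ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add name=HomeDHCP  interface=HomeVLAN  address-pool=HomePool  disabled=no
add name=MgmtDHCP  interface=MgmtVLAN  address-pool=MgmtPool  disabled=no
add name=GuestDHCP interface=GuestVLAN address-pool=GuestPool disabled=no
# Each gateway must sit inside its own subnet (the export above hands 192.168.10.1 to the VLAN 20 network)
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

# Firewall: input is a whitelist; forward permits LAN->WAN only, so VLAN-to-VLAN traffic
# never matches an accept and falls through to the final drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop   connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="router services from LAN; tighten per VLAN later"
add chain=input action=drop   comment="drop all else"
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet only"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwards, if any"
add chain=forward action=drop   comment="drop all else, including inter-VLAN"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Last step. Before this, check /interface/bridge/vlan print: no port may be both tagged and
# untagged for the same VLAN, and 'bridge' must be tagged on every VLAN that has an /interface vlan.
/interface bridge set bridge vlan-filtering=yes
```

The check that catches the OP's earlier symptom (PVID set, DHCP still dead) is the last comment: a port listed under tagged= for a VLAN it is meant to serve untagged sends 802.1Q frames to a laptop that cannot read them. Switching vlan-filtering on last means a typo in the tables cannot cut you off mid-paste.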

Well I locked myself out, so I will be rebuilding. Extra practice I guess

(1) I was using the default 88 subnet for configuration. I’m unsure how to implement my Management VLAN at the moment, considering my unifi gear. That is the next step.
(2) Will remove
(3) Yep, I need to change that.
(4) Will look at that when I implement the management VLAN
(5) If I get rid of the 88 subnet I can remove ether1 from MANAGE, right? And is any of that required if I don’t use winbox?
(6) got it
(7) thanks!
(8) webfig. Using a Mac and don’t want to bother with WINE
(9) thanks!

I’ll rebuild, try and fix some of these things, and report back.

Regarding management vlan:
From what I gather, it is recommended to run management things on something other than the default VLAN for security (if someone were to plug in, they would prob end up on that VLAN). I’m not really concerned about that, but I want to move the traffic anyway. That’s why I have VLAN 20. I want the webfig interface and the unifi management to only be visible from VLAN 20. I know that I can change the management interface on my unifi devices after adoption, but I’m a bit confused with the mikrotik. It appears that I can change the network it is served on from the Services tab. So I could isolate it to the VLAN 20 network. Then I could theoretically delete my .88 network?

Ensure that the management vlan and the config off bridge port both have access to the router via the input chain and you wont be locked out.
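For the management-VLAN question and the lockout warning just above, here is an added example (not config from this thread or from MikroTik) that pins the router's own services to VLAN 20 plus the off-bridge port and gives both of them input-chain access. It assumes the OP's interface names (MgmtVLAN on 192.168.20.0/24, HomeVLAN, GuestVLAN, ether1 as the off-bridge port on 192.168.99.0/24, ether5 as WAN) and creates a self-signed certificate named webfig, which is an assumed name.

```routeros
# Added example: confine the router's management plane to VLAN 20 and the off-bridge
# config port. Interface names and subnets are assumed from the thread, not verified.

/interface list
add name=WAN
add name=LAN
add name=MANAGE
/interface list member
add interface=ether5    list=WAN
add interface=HomeVLAN  list=LAN
add interface=GuestVLAN list=LAN
add interface=MgmtVLAN  list=LAN
add interface=MgmtVLAN  list=MANAGE
add interface=ether1    list=MANAGE

# Self-signed certificate so webfig runs over HTTPS (assumed name: webfig)
/certificate
add name=webfig common-name=192.168.20.1 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign webfig

# Services: HTTPS and SSH only, and only from management addresses; everything else off.
# The address= field is a second line of defence; the input chain below is the first.
/ip service
set www-ssl disabled=no certificate=webfig address=192.168.20.0/24,192.168.99.0/24
set ssh     disabled=no address=192.168.20.0/24,192.168.99.0/24
set www     disabled=yes
set winbox  disabled=yes
set telnet  disabled=yes
set ftp     disabled=yes
set api     disabled=yes
set api-ssl disabled=yes

# Layer-2 discovery and MAC-based access follow the same list
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

# Input chain: Home and Guest get DNS and DHCP from the router and nothing else;
# the management ports are reachable from MANAGE only.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop   connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=LAN
add chain=input action=accept in-interface-list=MANAGE protocol=tcp dst-port=22,443 comment="webfig/ssh from mgmt only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for all VLANs"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP"
add chain=input action=drop   log=yes log-prefix=input-drop comment="drop all else"
```

Apply it from the off-bridge port (or inside Safe Mode, Ctrl+X in the terminal) and confirm https://192.168.20.1 answers before disabling plain www. Note that a VLAN interface has to be a member of the list the input chain accepts in its own right; the underlying bridge being in LAN does not carry over to the /interface vlan interfaces riding on it, which is why each VLAN appears in the member list above. Leave the log=yes on the final drop while testing: a denied webfig attempt shows up as input-drop with the source VLAN interface, which tells you immediately whether it is a list-membership or an address= problem.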

@anav Could you please explain this? It looks like you are converting rules from a blacklist to a whitelist (which I would agree with). But I don’t think port forwarding and dest. nat are the same thing. Am I missing something? Thanks in advance.

I have much more experience with the ER-X than the hEX S (but I do have a hEX S in my home lab).

My opinion is that the EdgeOS/vyatta commit-confirm is a better anti-lockout solution than safe mode in RouterOS, but it may be that I just don’t know the correct way to use safe mode (here’s the reason I am thinking of).

The other anti-lockout feature I miss on the hEX S (versus the ER-X) is the lack of access to a serial console. On the ER-X (and the hEX) there are motherboard connections for the serial UART. On the ER-X there are pre-soldered header pins you can connect a “Raspberry Pi debug / console cable” to, and I find that extremely useful; my lab ER-X lives with the cover off and the serial console connected. But the hEX has pads that a serial console connection could be soldered to, and from what I have read, the firmware does not enable console access via the UART, and in v7 not even with a USB to serial device connected to the hEX’s USB port. See this for example. Here’s more about the serial console in this thread: hEX (RB750Gr3) Serial Console

But the key to not locking yourself out is to always work from a port you are not making changes to. If you had removed a port from the bridge, assigned an IP, allowed access and then logged in through that port, you would have been able to change the bridge config without locking yourself out. Also, having a backup before making changes is important. It appears you can use the WebFig Files section to make backups but I didn’t try. I use WinBox. You can also use ssh and /system backup save name=mybackup and then use scp to copy the file from the router to your computer.

Well port forwarding is just an application of the functionality of dst-nat, which can be used in many ways.
If you don’t need to do any port forwarding just remove the rule altogether.

Alright, I’m back and it seems to be working pretty well. I have DHCP working (at least on the management vlan), but I don’t seem to be able to access webfig from it.

Config:

[admin@MikroTik] > /export hide-sensitive 
# jan/02/1970 04:34:33 by RouterOS 7.3.1
# software id = 88SS-MGZU
#
# model = RB760iGS
# serial number = HCF086DZ0B5
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=GuestVLAN vlan-id=30
add interface=bridge name=HomeVLAN vlan-id=10
add interface=bridge name=MgmtVLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=HomePool ranges=192.168.10.10-192.168.10.254
add name=MgmtPool ranges=192.168.20.10-192.168.20.254
add name=GuestPool ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add address-pool=HomePool interface=HomeVLAN name=HomeDHCP
add address-pool=GuestPool interface=GuestVLAN name=GuestDHCP
add address-pool=MgmtPool interface=MgmtVLAN name=MgmtDHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge comment="Make ether1 LAN, not WAN" frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether3,sfp1 untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether4 list=LAN
/ip address
add address=192.168.10.1/24 interface=HomeVLAN network=192.168.10.0
add address=192.168.20.1/24 interface=MgmtVLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GuestVLAN network=192.168.30.0
add address=192.168.99.1/24 interface=ether4 network=192.168.99.0
/ip dhcp-client
add interface=ether5
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.88.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.88.1 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.88.1 gateway=192.168.30.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept all from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet access on LAN" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.20.0/24,192.168.99.0/24
set ssh disabled=yes
set www-ssl address=192.168.20.0/24,192.168.99.0/24 certificate=*3 disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Note that I set up ether2 with pvid 20 and set it as an untagged port for mgmt vlan. I also allow the .20 subnet for the webfig service.

It seems like my traffic to webfig is being caught by the “drop all else” input chain rule. I can’t tell why. Ether2 is on the bridge and the bridge is on the LAN list…any ideas?

Webfig (and winbox) traffic is by default allowed only from LAN interface list. So you need to adjust firewall filter rules (for chain=input in particular) and/or interface list membership. I don't recommend messing with firewall settings unless you understand fully what each individual rule does. MAC winbox access is set under /tool mac-server, have a look there as well.
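The interface-list adjustment the reply points at, written out as an added example (this is not either poster's config). A packet from 192.168.20.x is routed in on the MgmtVLAN interface, so that is the in-interface the input chain sees; the LAN list only contains bridge and ether4, so "accept all from LAN" never matches and the packet falls through to "drop all else". The example assumes the VLAN interface names HomeVLAN, MgmtVLAN and GuestVLAN used in the /ip address section above; the MGMT and DNS_CLIENTS list names and the rule comments are mine. It first makes the VLANs members of LAN, then replaces the blanket "accept all from LAN" input rule with per-service rules so WebFig is reachable only from the management VLAN (and ether4), and DNS only from the Home and Guest VLANs.

```routeros
# Added example, not from the original post. Assumes VLAN interfaces
# HomeVLAN, MgmtVLAN, GuestVLAN exist; list names MGMT/DNS_CLIENTS are mine.

# 1. Lists: LAN gets the VLANs (so the LAN->WAN forward rule matches them),
#    MGMT is who may reach WebFig, DNS_CLIENTS is who the router resolves for.
/interface list
add name=MGMT comment="interfaces allowed to reach WebFig"
add name=DNS_CLIENTS comment="VLANs the router answers DNS for"
/interface list member
add interface=HomeVLAN list=LAN
add interface=MgmtVLAN list=LAN
add interface=GuestVLAN list=LAN
add interface=MgmtVLAN list=MGMT
add interface=ether4 list=MGMT
add interface=HomeVLAN list=DNS_CLIENTS
add interface=GuestVLAN list=DNS_CLIENTS

# 2. Input chain: per-service accepts, each inserted ahead of the existing
#    "drop all else" rule so ordering does not depend on paste order.
/ip firewall filter
add action=accept chain=input comment="webfig from MGMT only" in-interface-list=MGMT protocol=tcp dst-port=80,443 place-before=[find chain=input comment="drop all else"]
add action=accept chain=input comment="dns from home/guest (udp)" in-interface-list=DNS_CLIENTS protocol=udp dst-port=53 place-before=[find chain=input comment="drop all else"]
add action=accept chain=input comment="dns from home/guest (tcp)" in-interface-list=DNS_CLIENTS protocol=tcp dst-port=53 place-before=[find chain=input comment="drop all else"]
add action=accept chain=input comment="dhcp from any LAN interface" in-interface-list=LAN protocol=udp dst-port=67 place-before=[find chain=input comment="drop all else"]

# 3. Remove the blanket accept so anything else from the VLANs (e.g. DNS
#    from the management VLAN) hits "drop all else" instead of being allowed.
remove [find chain=input comment="accept all from LAN"]
```

After applying this, `/ip firewall filter print stats chain=input` shows which rule each VLAN's traffic is counted against, and a WebFig attempt from the Home VLAN should increment "drop all else" while one from the management VLAN increments "webfig from MGMT only". The `/ip service` address restriction already in the config stays as a second layer. Because the only forward-chain accept for new connections is LAN to WAN, traffic between the VLANs still falls through to the forward "drop all else", so adding the VLANs to LAN gives them internet without letting them reach each other; `allow-remote-requests=yes` on `/ip dns` is safe here because WAN-side port 53 is dropped by the same input chain.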