RB450g + vlan-switch

(ISP)====RB450g====(managed switch with 8 VLANs)

Yesterday I got my brand new RB450g to manage internet access at my school. I updated ROS to 6.7 and firmware to 3.10.

I have been reading whole day today about mikrotik setups, but see no light at the end of this RB tunnel.

I will want to manage the RB from either

  • port ether3 (when I am in the equipment room) or
  • vlan2 otherwise.

I will leave the remaining ports ether4-5 empty.

So I leave port ether3 empty and connect the switch to port ether2 with a cable as follows

(ISP)===(ether1-gateway-port)RB45(ether2)====(switch)

On the switch I configured the port as “tagged” so VLAN tags get into the RB.

Now I am stuck and confused about what to do next.
The default setup of master/slave ether is confusing to me. Should I disable the “port switching” for this?

 0    ether1-gateway       1500 D4:CA:6D:05:6A:65 enabled    none                     switch1            
 1 R  ether2-master-local  1500 D4:CA:6D:05:6A:66 enabled    none                     switch1            
 2  S ether3-slave-local   1500 D4:CA:6D:05:6A:67 enabled    ether2-master-local      switch1            
 3 RS ether4-slave-local   1500 D4:CA:6D:05:6A:68 enabled    ether2-master-local      switch1            
 4  S ether5-slave-local   1500 D4:CA:6D:05:6A:69 enabled    ether2-master-local      switch1

Where can I find a tutorial on VLANs with the RB? I have already read the MikroTik wiki.
Will someone please nudge me in the right direction or give me a helping hand.

cheers

Post your full config. I’ll give you some advice tonight once I get back onto a computer.

Sent from my SCH-I545 using Tapatalk

Also maybe post a diagram of your network.

My network consists of the RB and a managed switch; the RB connects to the ISP through an RJ45 cable.

ISP <==> RB <==> managed-switch-with-vlans
rb.rsc (2.66 KB)

Ok. I’ll check it out in a bit once I get back to my computer

Personally I would do it like this…

  1. Set all of the master-ports to none.
  2. Add bridges for each vlan
  3. Add a vlan for each of your VLANs to ether2 (your trunk to the other switch)
  4. Add all of the VLANs to the appropriate bridges… also bridge ether 3 into the management VLAN.
  5. Disable the admin access from all networks except the management bridge…

Does that make sense?

-Eric

/interface ethernet
set [find] master-port=none

/interface vlan
add name=vlanX-ether2 interface=ether2 vlan-id=X [FOR EACH VLAN]

/interface bridge
add name=bridge-vlanX [FOR EACH VLAN]

/interface bridge port
add bridge=bridge-vlan2 interface=ether3
add bridge=bridge-vlanX interface=vlanX-ether2 [FOR EACH VLAN]

Then you need to configure DHCP Servers, Firewall Rules, NAT, and whatever else you need for each VLAN.

If you want to give me remote access I can help you set it up remotely and we can chat via a google hangout or skype or whatever. Email me at my username @gmail.com if you want to go that way.

@efaden thanks a lot, I found this page http://sygard.no/2011/09/vlan-access-ports-on-mikrotik-routers/ and it sounds similar to what you wrote.

I will try this tomorrow (I am in the GMT+1 zone) as today my brain is gone; at the moment I only have the RB and 1 computer at my disposal. To check this out I will need to get another computer and the managed switch into my setup.

For each VLAN I only need a DHCP server; NAT I think should be done at the WAN (ether1) port, shouldn’t it?

cheers

Depends on what your goal is with NAT… but for masq you can do it all with one rule. You also may want to add rules to block traffic between the VLANs, but that's up to you.

This is an example of what your final config will look like… I don’t know all of your network details… but this should get you going pretty well.

/interface ethernet
set [ find default-name=ether1 ] master-port=none name=ether1-gateway
set [ find default-name=ether2 ] master-port=none name=ether2-trunk
set [ find default-name=ether3 ] master-port=none name=ether3-vlan2
set [ find default-name=ether4 ] master-port=none name=ether4 disabled=yes
set [ find default-name=ether5 ] master-port=none name=ether5 disabled=yes

/interface vlan
add name=vlanX-ether2 interface=ether2 vlan-id=X [FOR EACH VLAN]

/interface bridge
add name=bridge-vlanX [FOR EACH VLAN]

/interface bridge port
add bridge=bridge-vlan2 interface=ether3
add bridge=bridge-vlanX interface=vlanX-ether2 [FOR EACH VLAN]

/ip pool
add name=pool-vlanX ranges=192.168.X.2-192.168.X.254 [FOR EACH VLAN]

/ip dhcp-server
add address-pool=pool-vlanX disabled=no interface=bridge-vlanX name=dhcp-vlanX [FOR EACH VLAN]

/ip address
add address=192.168.X.1/24 interface=bridge-vlanX network=192.168.X.0 [FOR EACH VLAN]

/ip dhcp-server network
add address=192.168.X.0/24 dns-server=192.168.X.1 gateway=192.168.X.1 [FOR EACH VLAN]

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input in-interface=bridge-vlan2
add chain=input action=drop

add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0

/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge-vlan2

/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge-vlan2
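As an added example that is not part of Eric's post or any MikroTik tooling, here is a small Python generator that expands the [FOR EACH VLAN] template above for a concrete VLAN list. It refuses ids the template cannot take: outside the 802.1Q range 1-4094, above 254 (X becomes the third octet of 192.168.X.0/24), duplicates, or a list without the management VLAN 2 that ether3 is bridged into.

```python
MGMT_VLAN = 2  # the thread manages the router from VLAN 2, bridged with ether3

# One template per RouterOS menu, in import order; {x} is the VLAN id.
TEMPLATES = [
    ("/interface vlan", "add name=vlan{x}-ether2 interface=ether2 vlan-id={x}"),
    ("/interface bridge", "add name=bridge-vlan{x}"),
    ("/interface bridge port", "add bridge=bridge-vlan{x} interface=vlan{x}-ether2"),
    ("/ip pool", "add name=pool-vlan{x} ranges=192.168.{x}.2-192.168.{x}.254"),
    ("/ip dhcp-server",
     "add address-pool=pool-vlan{x} disabled=no interface=bridge-vlan{x} name=dhcp-vlan{x}"),
    ("/ip address", "add address=192.168.{x}.1/24 interface=bridge-vlan{x} network=192.168.{x}.0"),
    ("/ip dhcp-server network",
     "add address=192.168.{x}.0/24 dns-server=192.168.{x}.1 gateway=192.168.{x}.1"),
]


def validate_vlans(vlan_ids):
    """Reject ids the template cannot take: duplicates, ids outside the 802.1Q
    range 1-4094, ids above 254 (they become the third octet of 192.168.X.0/24),
    and a list without the management VLAN (the router would be unmanageable)."""
    ids = sorted(set(vlan_ids))
    if len(ids) != len(vlan_ids):
        raise ValueError("duplicate VLAN id")
    for x in ids:
        if not 1 <= x <= 4094:
            raise ValueError(f"vlan {x}: outside 802.1Q range 1-4094")
        if x > 254:
            raise ValueError(f"vlan {x}: cannot be the third octet of 192.168.X.0/24")
    if MGMT_VLAN not in ids:
        raise ValueError(f"management vlan {MGMT_VLAN} missing")
    return ids


def render(vlan_ids):
    """Expand every template for every VLAN id and return the RouterOS script."""
    ids = validate_vlans(vlan_ids)
    out = []
    for menu, template in TEMPLATES:
        out.append(menu)
        out.extend(template.format(x=x) for x in ids)
        if menu == "/interface bridge port":  # ether3 is the untagged management port
            out.append(f"add bridge=bridge-vlan{MGMT_VLAN} interface=ether3")
    return "\n".join(out)


if __name__ == "__main__":
    print(render([2, 10, 20]))
```

The firewall, NAT and mac-server parts of the config are not per-VLAN and stay as written above; paste the generated lines into the terminal or an .rsc import.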

This is what I did for my setup, in case this might be useful for somebody in the future.
RB450G,

  • eth1=isp, wan dhcp client
  • eth2-4 bridged, ip 192.168.88.1 - ports used for diagnostics and setup only, I disabled the dhcp server here 'cause I don't want any goofballs plugging any routers into these ports 'by mistake'
  • eth5 802.1q trunk only, 802.1q tagged only, vlan2-id2, vlan3-id3, ...
  • per each vlan there is dhcp server 10.1.x.x,
  • routing between lans/vlans disabled, from the lan/vlan side only access to the internet through the wan interface
  • left only winbox/ssh access (no www, ftp...)

This is a working setup, I tested this with two VLANs configured using an SRW224G4.

Firewall default rules are DROP.
The router will have a WAN public IP; is there anything else I can do to improve security?

dec/25/2013 22:00:13 by RouterOS 6.7

/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-lan
set [ find default-name=ether3 ] master-port=eth2-lan name=eth3-lan
set [ find default-name=ether4 ] master-port=eth2-lan name=eth4-lan
set [ find default-name=ether5 ] name=eth5-vlan
/interface vlan
add interface=eth5-vlan l2mtu=1516 name=vlan2-test vlan-id=2
add interface=eth5-vlan l2mtu=1516 name=vlan3-test vlan-id=3
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=pool-default ranges=192.168.88.10-192.168.88.254
add name=pool-vlan2-test ranges=10.1.102.10-10.1.102.240
add name=pool-vlan3-test ranges=10.1.103.10-10.1.103.240
/ip dhcp-server
add address-pool=pool-default interface=eth2-lan name=default
add address-pool=pool-vlan2-test disabled=no interface=vlan2-test name=vlan2-test
add address-pool=pool-vlan3-test disabled=no interface=vlan3-test name=vlan3-test
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=eth2-lan network=192.168.88.0
add address=10.1.102.1/24 interface=vlan2-test network=10.1.102.0
add address=10.1.103.1/24 interface=vlan3-test network=10.1.103.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=eth1-wan use-peer-ntp=no
/ip dhcp-server network
add address=10.1.102.0/24 comment=vlan2-test dns-server=10.1.102.1 gateway=10.1.102.1
add address=10.1.103.0/24 comment=vlan3-test dns-server=10.1.103.1 gateway=10.1.103.1
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment=ping protocol=icmp
add chain=input comment=dns dst-port=53 protocol=udp
add chain=input comment=dns dst-port=53 protocol=tcp
add chain=input comment=dhcp dst-port=67 protocol=udp
add action=drop chain=input comment="block vlans" src-address=10.0.0.0/8
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=eth1-wan
add chain=forward comment="all outbound ok, default DROP will disable inter vlan traffic" out-interface=eth1-wan
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="no inter-vlan" disabled=yes dst-address=10.0.0.0/8 out-interface=!eth1-wan
add action=drop chain=forward comment="no inter-vlan" disabled=yes dst-address=192.168.0.0/16 out-interface=!eth1-wan
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=forward comment="drop anyting else"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=eth1-wan to-addresses=0.0.0.0
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=router-serv1
/system ntp client
set enabled=yes mode=unicast primary-ntp=212.244.36.228 secondary-ntp=212.244.36.227
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=eth2-lan
add interface=eth3-lan
add interface=eth4-lan
add interface=eth5-vlan
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=eth2-lan
add interface=eth3-lan
add interface=eth4-lan
add interface=eth5-vlan
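As an added example (not from the thread or from RouterOS itself), this small Python evaluator walks constructed sample packets through the forward chain of the export above, to confirm what the poster states: only traffic leaving via eth1-wan plus established/related replies is forwarded, and the final "drop anyting else" rule already blocks inter-VLAN traffic even while the explicit "no inter-vlan" rules are disabled. It models only the matchers this chain uses (out-interface with "!" negation, dst-address, connection-state, disabled) with first-match semantics; the rule text is copied from the export with its wrapped lines rejoined.

```python
import ipaddress
import shlex

# Constructed input: the forward-chain rules from the export above, with the
# wrapped lines rejoined so that each rule is a single "add ..." line.
FORWARD_RULES = """
add chain=forward comment="all outbound ok, default DROP will disable inter vlan traffic" out-interface=eth1-wan
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="no inter-vlan" disabled=yes dst-address=10.0.0.0/8 out-interface=!eth1-wan
add action=drop chain=forward comment="no inter-vlan" disabled=yes dst-address=192.168.0.0/16 out-interface=!eth1-wan
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=forward comment="drop anyting else"
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict (shlex keeps quoted comments whole)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["add"]:
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def matches(rule, pkt):
    """True when every matcher the rule carries agrees with the packet;
    disabled rules never match. Only the matchers used in this chain are modelled."""
    if rule.get("disabled") == "yes":
        return False
    oi = rule.get("out-interface")
    if oi is not None and (pkt["out_interface"] == oi.lstrip("!")) == oi.startswith("!"):
        return False  # plain value must be equal, "!value" must differ
    dst = rule.get("dst-address")
    if dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    state = rule.get("connection-state")
    if state is not None and pkt["state"] != state:
        return False
    return True

def verdict(rules, pkt):
    """First matching rule decides; RouterOS accepts a packet that no rule matched."""
    for rule in rules:
        if rule.get("chain") == "forward" and matches(rule, pkt):
            return rule.get("action", "accept")
    return "accept"

RULES = parse_rules(FORWARD_RULES)
```

Because the accept for eth1-wan comes before the invalid-state drop, an invalid-state packet headed for the WAN is still accepted; re-enabling the "default configuration" invalid drop and moving it to the top of the chain changes that.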