RB5009 router and VLAN - no internet on VLAN with vlan-filtering enabled

I have a RB5009 router where the SFP is my WAN (internet service provider) and all other ports are bridged. Ethernet port 1 has a wireless AP and has a single Guest SSID with VLAN ID of 30. I have not extended other SSIDs with different VLANs yet. I’ve gone through the guide below (WAN yellow, all other ports purple). I also watched the youtube video which follows several of the steps in the guide. The rest of the devices on the RB5009 are on the ‘main’ network without a separate vlan assigned. Once I get the guest vlan working, I’ll add another one for IOT devices on a separate SSID from the wireless AP.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

One of last steps in the guide is to enable vlan filtering on the bridge. If the vlan filtering is disabled, the guest vlan (192.168.30.x/24) is able to access the internet and is also isolated from the rest of the devices on the network (192.168.0.x/24). When I enable vlan filtering, the guest device loses internet access. I’m trying to understand why this is occurring. Maybe I do not understand the vlan-filtering feature but I thought this lets the switch chip perform the work instead of the cpu. The DNS is setup to go through the main router for all devices and vlans. I’ve included a copy of my config below:

# 2024-08-04 11:30:40 by RouterOS 7.13
# software id = XXXX
#
# model = RB5009UPr+S+
# serial number = XXXX
/interface bridge
add name=local
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="GUEST VLAN" interface=local name=GUEST_VLAN_30 vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=VLAN
/ip pool
add name=dhcp_pool0 ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.30.50-192.168.30.254
add name=dhcp_pool4 ranges=192.168.30.2-192.168.30.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=1d name=dhcp1
add address-pool=dhcp_pool4 interface=GUEST_VLAN_30 lease-time=23h59m name=\
    dhcp2
/interface bridge port
add bridge=local interface=ether1
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=ether6
add bridge=local interface=ether7
add bridge=local interface=ether8
/interface bridge vlan
add bridge=local tagged=local vlan-ids=30
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=local list=LAN
add interface=wireguard1 list=LAN
add interface=GUEST_VLAN_30 list=VLAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 comment=laptop interface=wireguard1 \
    public-key="XXXXXXXXX"
add allowed-address=192.168.100.3/32 comment=phone interface=wireguard1 \
    public-key="XXXXXXX"
/ip address
add address=192.168.0.1/24 interface=local network=192.168.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=192.168.30.1/24 comment=GUEST_VLAN_IP interface=GUEST_VLAN_30 \
    network=192.168.30.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.0.1
add address=192.168.30.0/24 dns-server=192.168.0.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=sfp-sfpplus1 \
    protocol=icmp
add action=accept chain=input comment="WG handshake" dst-port=13231 log=yes \
    log-prefix="Wireguard handshake: " protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop everything else from WAN port" \
    in-interface=sfp-sfpplus1
add action=fasttrack-connection chain=forward comment="defconf: fasttrace" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established, related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="drop invalid: "
add action=accept chain=forward comment="GUEST VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="internet traffic from LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Wireguard to LAN" in-interface=\
    wireguard1 log=yes log-prefix="Wireguard Forward: " out-interface-list=\
    LAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
    "forward drop all: "
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.100.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

If you are going to use VLANs, then go VLAN all the way. My suggestion is to create one VLAN for your main/trusted network and one for the guests.

Also, you didn't tag or untag your VLAN on any port as far as I can see. So while VLAN filtering is not enabled everything is working, as you have an address and DHCP assigned on the bridge, but as soon as you enable VLAN filtering things go in the wrong direction.

Also, why are you modifying the default firewall rules? They are working just fine. Get VLANs working, then go modify the firewall.

Thank you for the response. After reading your response, I realized I have some knowledge gaps on VLANs and understanding tagged vs untagged ports so I needed to take a step back first. I needed to go back and specify the tagged and untagged ports. I have not created a VLAN for my main/trusted network yet. I am currently working on transferring my IOT devices to the IOT network one at a time. Since my current main/trusted network is not on a vlan, would I perform the following:

  • Create a new VLAN interface (VLAN_MAIN) with a VLAN ID of 10 (for example) with the interface set to local?
  • Would the IP address network (currently set to 192.168.0.1/24) interface change from 'local' to 'VLAN_MAIN'?
  • Would the DHCP server 'dhcp1', which uses the pool 192.168.0.1/24 and has the interface set to 'local', be changed to 'VLAN_MAIN'?
  • I'm assuming any of the access ports that have devices hardwired on the MAIN network would require the PVID changed to 10. For example, ports 5-8 are devices on the MAIN network.
  • Go to Bridge → VLANs and change the current local VLAN ID to 10? I believe the untagged entries would be modified to add ether5, ether6, ether7, and ether8? The tagged entries would include local and ether1.

I would probably need to disable VLAN filtering before making these changes and enable it after everything is modified. FYI, the wireless AP is on ether1 with multiple SSIDs for MAIN, Guest, and IOT, each assigned a VLAN ID. Am I missing anything?

For anyone else reading this, the link in my original post from MikroTik on VLANs is helpful, but I needed a visual understanding to better grasp the concepts in the link. The two videos helped me. The first link, which is not MikroTik specific, really helped me understand the VLAN guide from MikroTik.

VLANS made easy: https://www.youtube.com/watch?v=JszGeQPTo4w
Mastering VLAN Configuration on Mikrotik: https://www.youtube.com/watch?v=4Z32oOPqCqc
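As an added worked example (not from any poster in this thread, and not the MikroTik guide's own text), this is what the steps asked about above look like as RouterOS commands against the exported config: VLAN 10 for MAIN is assumed, ether5-ether8 are assumed to be MAIN access ports, and ether1 is assumed to be the tagged trunk to the AP; ether2-ether4 are not covered. The frame-types/ingress-filtering settings on the access ports are an extra hardening step so a host on an access port cannot inject tagged frames into another VLAN.

```routeros
# Added example: bridge VLAN layout for bridge "local" (assumed VLAN 10 = MAIN).
# Keep filtering OFF while editing so the router stays reachable.
/interface bridge set local vlan-filtering=no

# 1. VLAN interface on top of the bridge (GUEST_VLAN_30 already exists).
/interface vlan
add interface=local name=VLAN_MAIN vlan-id=10

# 2. Move the MAIN address and DHCP server from the bare bridge to VLAN_MAIN.
/ip address
set [find address="192.168.0.1/24"] interface=VLAN_MAIN
/ip dhcp-server
set dhcp1 interface=VLAN_MAIN

# 3. Access ports (assumed ether5-ether8): untagged frames get VID 10, and
#    tagged frames from these untrusted hosts are dropped at ingress.
/interface bridge port
set [find interface=ether5] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether6] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether7] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether8] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether1 is the trunk to the AP: it carries VLAN 10 and 30 tagged, so it
# keeps the default pvid and is listed as "tagged" below instead.

# 4. Bridge VLAN table. "local" (the bridge itself) must be tagged on every
#    VLAN the router holds an IP address on, otherwise the router's own
#    /interface vlan interfaces receive nothing once filtering is on.
/interface bridge vlan
add bridge=local tagged=local,ether1 untagged=ether5,ether6,ether7,ether8 vlan-ids=10
set [find vlan-ids=30] tagged=local,ether1

# 5. Put VLAN_MAIN in the LAN list so the existing input/forward rules cover it.
/interface list member
add interface=VLAN_MAIN list=LAN

# 6. Enable filtering last, then check the table and learned hosts.
/interface bridge set local vlan-filtering=yes
/interface bridge vlan print
/interface bridge host print
```

If the guest SSID stops working after this, the usual cause is VLAN 30 not being tagged on ether1 in the bridge VLAN table, which the print output above makes visible.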

The network berg is a good source for videos, but even better is the article you linked to in the first post.

To configure the router I always recommend doing it from a port that is OFF the bridge; then changing VLANs and turning bridge VLAN filtering on or off isn't a pain.

Simply remove a port on the bridge or take an unused port and give it an address.

/ip address
add address=192.168.55.1/30 interface=portX network=192.168.55.0

Then take a laptop, set its IPv4 configuration to IP address 192.168.55.2, plug it into portX and you should be in.
Ensure that port is included in the LAN interface list or Trusted interface list as well prior to plugging in.

I’m better understanding the information in the link in my original post. Thank you for the idea of configuring a port for direct access and setting it up as a trusted interface. I locked myself out while setting up the vlans my first time and had to reset the router with a backup of my configs. I like this suggestion.