RB5009 VLANs

Hello.

I am trying to move my home network (with VLANs) from pfSense with Zyxell GS1900-24 to RB5009 with two CSS326.
I have read several guides including the “Using RouterOS to VLAN your network” post (http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1) on this forum and prepared the configuration for RB5009. It seems to generally work - at least I get an IP address from the correct VLAN’s range when I connect my computer to ether7, but there are 2 problems:

  1. I cannot access the web-interface of RB5009 (or using WinBox) from ether7 after I add “vlan-filtering=yes” to the config.
  2. I still do not understand the right way to change the IP address of the RB5009 from 192.168.88.1 to an address in the Base VLAN range.

Could you please help me with this?

I have built the following network:

RB5009:
ether1 - WAN
ether2 - Trunk port with the first CSS326 connected
ether3 - Trunk port with the second CSS326 connected
ether4 - Access port, untagged, VLAN4
ether5 - Access port, untagged, VLAN4
ether6 - Access port, untagged, VLAN5
ether7 - Access port, untagged, VLAN2
ether8 - Access port, untagged, VLAN7

List of VLANS:
Home vlan-id=2
Kids vlan-id=3
Smart vlan-id=4
Cams vlan-id=5
Media vlan-id=6
PVE vlan-id=7
WIFi_IoT vlan-id=8
WIFi_home vlan-id=9
WIFi_guests vlan-id=10
Base vlan-id=99

# model = RB5009UG+S+

# NOTE(review): the bridge is created with vlan-filtering=no; it is switched on
# only by the last line of this export, so the bridge vlan entries below are not
# enforced until that point.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=LAN_bridge vlan-filtering=no

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_Switch_1
set [ find default-name=ether3 ] name=ether3_Switch_2
set [ find default-name=ether4 ] name=ether4_SmartHome_Controller1
set [ find default-name=ether5 ] name=ether5_SmartHome_Controller2
set [ find default-name=ether6 ] name=ether6_NVR
set [ find default-name=ether7 ] name=ether7_Synology
set [ find default-name=ether8 ] name=ether8_ProxMox

# One layer-3 VLAN interface per VLAN ID, all on top of LAN_bridge. These are the
# interfaces that carry the router's addresses (see /ip address), so they are the
# interfaces that matter for the "LAN" interface list used by the firewall.
/interface vlan
add interface=LAN_bridge name=VLAN2_Home vlan-id=2
add interface=LAN_bridge name=VLAN3_Kids vlan-id=3
add interface=LAN_bridge name=VLAN4_Smart vlan-id=4
add interface=LAN_bridge name=VLAN5_Cams vlan-id=5
add interface=LAN_bridge name=VLAN6_Media vlan-id=6
add interface=LAN_bridge name=VLAN7_PVE vlan-id=7
add interface=LAN_bridge name=VLAN8_WIFi_IoT vlan-id=8
add interface=LAN_bridge name=VLAN9_WIFi_home vlan-id=9
add interface=LAN_bridge name=VLAN10_WIFi_guests vlan-id=10
add interface=LAN_bridge name=VLAN99_Base vlan-id=99

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

# Default wireless profile left from defconf; this board has no wireless
# interface configured in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# LAN_Pool serves the defconf 192.168.88.0/24 network on the untagged bridge; the
# remaining pools serve one VLAN each.
/ip pool
add name=LAN_Pool ranges=192.168.88.10-192.168.88.254
add name=VLAN99_Base_Pool ranges=10.246.201.8-10.246.201.50
add name=VLAN2_Home_Pool ranges=10.246.202.2-10.246.202.50
add name=VLAN3_Kids_Pool ranges=10.246.203.2-10.246.203.50
add name=VLAN4_Smart_Pool ranges=10.246.204.2-10.246.204.50
add name=VLAN5_Cams_Pool ranges=10.246.205.2-10.246.205.50
add name=VLAN6_Media_Pool ranges=10.246.206.2-10.246.206.50
add name=VLAN7_PVE_Pool ranges=10.246.207.2-10.246.207.50
add name=VLAN8_WIFi_IoT_Pool ranges=10.246.208.2-10.246.208.50
add name=VLAN9_WIFi_Home_Pool ranges=192.168.9.2-192.168.9.50
add name=VLAN10_WIFi_Guests_Pool ranges=172.16.10.2-172.16.10.50

# NOTE(review): automatic media/SMB sharing is enabled on LAN_bridge. Whether any
# VLAN can reach it is decided by the input chain and the LAN list below —
# confirm this is intended rather than a defconf leftover.
/disk settings
set auto-media-interface=LAN_bridge auto-media-sharing=yes auto-smb-sharing=\
    yes

# Bridge port roles: ether2/ether3 are trunks that admit tagged frames only;
# ether4-ether8 are access ports that admit untagged frames only, with pvid
# choosing the VLAN those frames land in (4, 4, 5, 2, 7).
/interface bridge port
add bridge=LAN_bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2_Switch_1
add bridge=LAN_bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether3_Switch_2
add bridge=LAN_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4_SmartHome_Controller1 pvid=\
    4
add bridge=LAN_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5_SmartHome_Controller2 pvid=4
add bridge=LAN_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6_NVR pvid=5
add bridge=LAN_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7_Synology pvid=2
add bridge=LAN_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8_ProxMox pvid=7
# NOTE(review): sfp-sfpplus1 joins the bridge with no frame-types or pvid given
# (defaults apply) and appears in none of the bridge vlan entries below — confirm
# what, if anything, is meant to be reachable through this port.
add bridge=LAN_bridge comment=defconf interface=sfp-sfpplus1

/ip neighbor discovery-settings
set discover-interface-list=LAN

# Bridge VLAN table. LAN_bridge itself is a tagged member of every VLAN so the
# VLAN interfaces above can receive and send tagged frames; each access port is
# listed untagged only in the VLAN matching its pvid.
/interface bridge vlan
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    untagged=ether8_ProxMox vlan-ids=7
add bridge=LAN_bridge tagged=ether2_Switch_1,ether3_Switch_2,LAN_bridge \
    untagged=ether7_Synology vlan-ids=2
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    untagged=ether6_NVR vlan-ids=5
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    untagged=ether4_SmartHome_Controller1,ether5_SmartHome_Controller2 vlan-ids=4
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    vlan-ids=3
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    vlan-ids=6
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    vlan-ids=8
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    vlan-ids=9
add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    vlan-ids=10
# NOTE(review): this VLAN 99 entry lists all five access ports as untagged, but
# each of those ports has a different pvid (2/4/5/7) in /interface bridge port
# above, so the two sections disagree; the untagged list should match the pvids.
# The value is also wrapped in double quotes, unlike every other untagged= entry.
add bridge=LAN_bridge tagged=ether2_Switch_1,ether3_Switch_2,LAN_bridge \
    untagged="ether4_SmartHome_Controller1,ether5_SmartHome_Controller2,ether6_NVR,ether7_Synology,ethe\
    r8_ProxMox" vlan-ids=99

# NOTE(review): only LAN_bridge is a member of "LAN". The input-chain rule
# "drop all not coming from LAN" and both mac-server settings below key on this
# list, while the router's addresses sit on the VLAN* interfaces, which are not
# members. Management traffic arriving over a VLAN is therefore dropped once
# vlan-filtering is on; the VLAN interfaces that should be allowed to manage the
# router (at least VLAN99_Base and VLAN2_Home) need to be added to this list.
/interface list member
add comment=defconf interface=LAN_bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN

# The defconf 192.168.88.1/24 address stays on the untagged LAN_bridge next to
# the per-VLAN addresses. LAN_bridge is untagged in no bridge vlan entry and no
# bridge pvid is set here, so which frames reach 192.168.88.1 after vlan-filtering
# is enabled depends on the bridge's default pvid — confirm or remove.
/ip address
add address=192.168.88.1/24 comment=defconf interface=LAN_bridge network=\
    192.168.88.0
add address=10.246.201.1/24 interface=VLAN99_Base network=10.246.201.0
add address=10.246.202.1/24 interface=VLAN2_Home network=10.246.202.0
add address=10.246.203.1/24 interface=VLAN3_Kids network=10.246.203.0
add address=10.246.204.1/24 interface=VLAN4_Smart network=10.246.204.0
add address=10.246.205.1/24 interface=VLAN5_Cams network=10.246.205.0
add address=10.246.206.1/24 interface=VLAN6_Media network=10.246.206.0
add address=10.246.207.1/24 interface=VLAN7_PVE network=10.246.207.0
add address=10.246.208.1/24 interface=VLAN8_WIFi_IoT network=10.246.208.0
add address=192.168.9.1/24 interface=VLAN9_WIFi_home network=192.168.9.0
add address=172.16.10.1/24 interface=VLAN10_WIFi_guests network=172.16.10.0

/ip dhcp-client
add comment=defconf interface=ether1_WAN

# One DHCP server per VLAN interface plus the defconf server on the bridge.
/ip dhcp-server
add address-pool=LAN_Pool interface=LAN_bridge lease-time=1d name=LAN_DHCP \
    parent-queue=*FFFFFFFF
add address-pool=VLAN99_Base_Pool interface=VLAN99_Base lease-time=1d name=\
    VLAN99_Base_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN2_Home_Pool interface=VLAN2_Home lease-time=1d name=\
    VLAN2_Home_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN3_Kids_Pool interface=VLAN3_Kids lease-time=1d name=\
    VLAN3_Kids_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN4_Smart_Pool interface=VLAN4_Smart lease-time=1d name=\
    VLAN4_Smart_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN5_Cams_Pool interface=VLAN5_Cams lease-time=1d name=\
    VLAN5_Cams_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN6_Media_Pool interface=VLAN6_Media lease-time=1d name=\
    VLAN6_Media_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN7_PVE_Pool interface=VLAN7_PVE lease-time=1d name=\
    VLAN7_PVE_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN8_WIFi_IoT_Pool interface=VLAN8_WIFi_IoT lease-time=1d \
    name=VLAN8_WIFi_IoT_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN9_WIFi_Home_Pool interface=VLAN9_WIFi_home lease-time=1d \
    name=VLAN9_WIFi_home_DHCP parent-queue=*FFFFFFFF
add address-pool=VLAN10_WIFi_Guests_Pool interface=VLAN10_WIFi_guests \
    lease-time=1d name=VLAN10_WIFi_guests_DHCP parent-queue=*FFFFFFFF

# Clients are handed public resolvers directly (the Kids VLAN gets a different
# pair from the others), not the router's own DNS service.
/ip dhcp-server network
add address=10.246.201.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.201.1
add address=10.246.202.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.202.1
add address=10.246.203.0/24 dns-server=77.88.8.7,77.88.8.3 gateway=\
    10.246.203.1
add address=10.246.204.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.204.1
add address=10.246.205.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.205.1
add address=10.246.206.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.206.1
add address=10.246.207.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.207.1
add address=10.246.208.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.246.208.1
add address=172.16.10.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.10.1
add address=192.168.9.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.9.1
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.88.1

# allow-remote-requests=yes makes the router answer DNS queries from clients;
# who can reach it is limited by the input chain (LAN list) below.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

# NOTE(review): the first rule is a custom, uncommented accept from the Home VLAN
# to the defconf 192.168.88.0/24 network, placed ahead of the defconf rules. The
# forward chain otherwise contains no rule between VLANs — only the WAN drop at
# the end — so with these rules every VLAN (guests, IoT and cams included) can
# reach every other VLAN by default; add inter-VLAN drop rules if isolation is
# the goal.
/ip firewall filter
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    10.246.202.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This rule is what blocks management from the VLAN interfaces while they are
# not members of the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

# telnet/ftp/ssh/api/api-ssl are disabled; www, www-ssl and winbox are not
# touched here and keep their current settings. Consider limiting them with
# address= to the management VLAN once that VLAN is in the LAN list.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# defconf IPv6 bogon list used by the IPv6 forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

# Unchanged defconf IPv6 filter; its last rule in each chain also keys on the
# LAN interface list, so the membership note above applies to IPv6 too.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

/system identity
set name=Router
/system note
set show-at-login=no
# MAC-telnet and MAC-WinBox are restricted to the LAN interface list, so they
# follow the same membership rule as the firewall input chain.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# Turns on enforcement of the bridge vlan table. Doing this while the VLAN
# interfaces are still absent from the LAN list is what cuts off web/WinBox
# access from the access ports; fix the list membership first.
/interface bridge set LAN_bridge vlan-filtering=yes

__

  1. More or less full access to your router is allowed only via interfaces that are members of the LAN interface list (because of the firewall filter rules and the mac-server settings). The interfaces that actually carry IP addresses in your case are the VLAN* interfaces, not LAN_bridge. So at the very least you want to add VLAN2_Home to the LAN interface list.
  2. I am not sure I understand your question … the router will have several IP addresses, one per VLAN. All of them are treated the same unless you try really hard to make it otherwise.
    BTW, you have an error in your config for bridge VLAN ID 99 … several ports are set as untagged members, but all of them have their PVID (in the bridge port settings) set to different values. Both config sections should be in sync … unless you are trying to do something unusual.

re:vlan ID 99

The forum's code parser highlights them in green (as if they were a comment rather than a valid setting):

add bridge=LAN_bridge tagged=ether2_Switch_1,ether3_Switch_2,LAN_bridge \
    untagged="ether4_SmartHome_Controller1,ether5_SmartHome_Controller2,ether6_NVR,ether7_Synology,ethe\
    r8_ProxMox" vlan-ids=99

they seem to be enclosed in double quotes, whilst other untagged entries are not, example:

add bridge=LAN_bridge tagged=ether3_Switch_2,ether2_Switch_1,LAN_bridge \
    untagged=ether4_SmartHome_Controller1,ether5_SmartHome_Controller2 vlan-ids=4

Hello mkx,

Thank you very much. This solved my problem!

  1. Added more Interfaces to the Interface List and now I have access to the web-interface.
  2. Yes, my question was not correct, sorry.
    Fixed the VLAN ID 99 error in the config - thank you!

Hello jaclaz,
Thank you! I have fixed this error in the config.