Hi Everyone,
First of all, I am an ultra newbie, so patience would be appreciated. This is my first MikroTik setup using the WinBox setup and after 2 days of messing around, I'm turning to the experts.
The hardware that I am using is an RB750R2 upgraded to the latest firmware.
I watched this video - https://www.youtube.com/watch?v=lIiqnGQDmxA&t=51s, as I am trying to do a really basic setup (see attached picture).
Starting from the factory reset configuration.
The issue I am having is that I cannot get the ports separated, as I can ping from port 4 to port 5, but since they are on separate VLANs shouldn't I NOT be able to?
I feel like there is a rule that is allowing traffic between VLANs that I need to disable… but then why would there be a rule to allow it, since that is what VLANs are for?
It seems so easy… but turns out not for me.
One follow-up question: do I need to do anything special on Port 1 (include both VLAN 10 and 20 on port 1) so that the traffic can exit the switch and move out towards the ISP… or is that a silly question?
I am an EE so this is all upside down to me.
Would really appreciate any guidance on this setup.
One thing to keep in mind: ROS device is a router and will happily route traffic between all of its L3 interfaces unless that’s blocked by firewall filters. L3 interfaces are essentially interfaces with IP address configured.
Above stated thought put aside … post full config (execute /export hide-sensitive) - put it inside [code][/code] tags - so we can see what you actually configured and what might be wrong.
Since nobody knows what exactly you did, it's hard to judge whether it's right or wrong.
Post
/export hide-sensitive
from terminal here, and somebody will take a look.
But the thing you are definitely wrong about is the assumption that by default the router will block traffic between different interfaces/VLANs/etc. On the contrary, a router's purpose is to route, so by default it will try to do so, if able and if not told to do otherwise.
In other words, if you don’t want it to route between two vlans, you need to explicitly forbid it in
Looking at the network diagram, I don't understand why you want to complicate things with VLANs. Just remove ether5 from the bridge, configure a separate IP subnet on it and block traffic between the 2 LANs with firewall rules.
There is nothing wrong with setting up using VLANs, especially to get used to them and also to avoid the default vlan=1 syndrome LOL.
That being said, CZFAN is boringly correct.
In my case I have an access point that is VLAN capable and serves both guest wifi and house wifi at the same time, and that's where VLANs come in real handy.
In your case, it would probably be the case where they are just straight consumer access points or old wifi routers being used as access point/switches so less complicated.
As he stated you only need two subnets with a properly configured firewall rule.
Sorry for the late reply,
I was swamped over the weekend.
Thanks for all the responses
# jan/02/1970 00:02:53 by RouterOS 6.45.7
# software id = ABLU-NWF5
#
# model = RouterBOARD 750 r2
# serial number = 67D30852D5DD
/interface bridge
add admin-mac=CC:2D:E0:3C:02:87 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add ports=ether2,ether3 switch=switch1 vlan-id=200
add ports=ether4,ether5 switch=switch1 vlan-id=50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I could do 2 LANs with firewall rules, however I want to learn how to set up VLANs since it really does open doors for future projects, especially VLAN trunking.
ANAV, I will read that tonight, thanks… feels like I looked high and low for examples but did not run across that post.
Thanks again for the replies and sorry for the delay
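The export above puts all four ports in one bridge with a single 192.168.88.0/24 address, so ether4 and ether5 are in the same L2 and L3 domain regardless of the switch-chip VLAN entries; the router then has nothing to separate. The following is an added example, not the thread's own config or anything from the replies, showing what the replies describe done with VLANs: two L3 interfaces, one subnet each, and forward-chain drops between them. The VLAN IDs 10 and 20 come from the original question; the interface names vlan10/vlan20, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the pool/DHCP names are assumed. It uses the bridge VLAN table in place of the /interface ethernet switch vlan entries in the export.

```routeros
# Added example (not the thread's own config): bridge VLAN filtering on RouterOS 6.45.x.
# ether2/ether3 become VLAN 10, ether4/ether5 VLAN 20, each with its own subnet and DHCP,
# and forward filter rules stop the router routing between them.
# Assumed names/values: vlan10, vlan20, 192.168.10.0/24, 192.168.20.0/24, pool10/pool20.
# Apply in WinBox Safe Mode: once vlan-filtering is on, the untagged 192.168.88.1 address
# on the bridge is no longer reachable from ports with pvid 10/20.

# access ports: untagged frames arriving here join the port's pvid VLAN
/interface bridge port
set [ find interface=ether2 ] pvid=10
set [ find interface=ether3 ] pvid=10
set [ find interface=ether4 ] pvid=20
set [ find interface=ether5 ] pvid=20

# VLAN table; the bridge itself is a tagged member so each VLAN reaches the CPU
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=20

# one L3 interface per VLAN: this is exactly what the router will route between
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
/ip pool
add name=pool10 ranges=192.168.10.10-192.168.10.254
add name=pool20 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=pool10 disabled=no interface=vlan10 name=dhcp10
add address-pool=pool20 disabled=no interface=vlan20 name=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1

# the LAN list drives the defconf "drop all not coming from LAN" input rule; the defconf
# masquerade already covers anything leaving via ether1, so ether1 needs no VLAN setup
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN

# nothing in the defconf forward chain accepts new LAN-to-LAN connections, so these
# two drops work even when appended at the end of the chain
/ip firewall filter
add action=drop chain=forward comment="no vlan10 -> vlan20" in-interface=vlan10 out-interface=vlan20
add action=drop chain=forward comment="no vlan20 -> vlan10" in-interface=vlan20 out-interface=vlan10

# switch filtering on last, after the tables above exist
/interface bridge set bridge vlan-filtering=yes
```

After this, a ping from a host on ether4 to one on ether2 should fail while both still reach the ISP through ether1; checking /ip firewall filter print stats for the two drop rules counting up confirms the router, not the switch, is doing the separation.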