Ready to begin my VLAN adventure

OK, so maybe “adventure” is a little hyperbole :slight_smile:. Maybe journey of discovery is better.
So I am lucky enough to have in front of me 2 separate hex routers until my son picks his up, so I figured this would be a perfect time to play around with one offline and learn VLANs so that I can properly set up 2 separate LANs the way that everyone is telling me is the correct way. Currently I have it set up with 2 separate bridges and I have been told that, while that will work (and it is working fine), that is not the correct way to do it. VLANs is the correct way. I set it up the way that I did because I understood that way and I needed to get online ASAP. But now I have more time and an offline router to mess with so I am ready to learn.
As I understand it one of the main reasons to use VLAN as opposed to 2 bridges is that there is a switch chip which can only accommodate 1 bridge. If you have 2 bridges then the second bridge cannot use this chip and this results in slower performance. I did some speed tests and found no difference in speed but again, I only have a small home LAN that does nothing really so I may not experience any performance degradation. But I still want to learn how to do things the preferred way.

My goal is very simple. I have a small home network with no fancy anything. I have a few PCs on LAN1 which is my personal LAN. I have a LAN2 that is for guests and all the various junk that you have to plug in nowadays like streaming stuff etc… which I prefer to keep separate.
I did read the often linked-to thread that many say is the best topic on learning and setting up VLANs, but I’m sorry to say that, while it might be a great thread for well-versed people, it is not really that good for beginners, even a somewhat advanced beginner such as myself. I was not able to figure out what to do from that topic.

So I guess my first question is … assuming a stock default hex router with all factory default settings (only 1 default bridge, default DHCP, default firewall rules etc…) except for the admin password, how does one go about setting up 2 separate VLANs?

I assume that what I will have in the end is VLAN10 (192.168.88.x) which will be my personal LAN with 2 ports (ether4 & 5) and VLAN20 (192.168.2.x) which will be the “guest” LAN for lack of a better term (ether 2 & 3), all residing on the same bridge.

I’m guessing these directions are wrong or incomplete but at least it’s a starting point. What I’ve read is that I would …
starting with the second vlan first so as to not cut myself off…

  1. create a vlan interface
    go to interfaces->vlan tab and click add new
    name = vlan20
    vlan ID = 20
    interface = bridge

  2. add IP addresses to it
    IP->Addresses-> add new
    address = 192.168.2.0/24
    interface = vlan20

  3. set up a dhcp server on that vlan interface with appropriate pool for those addresses.

Am I getting warm here?

Before you dive into the fold check this out first http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and here https://www.youtube.com/watch?v=4BOYqtV4MCY and come back when you are ready. In the mikrotik world there are many ways to make a vlan, and it largely depends on what model you have.

edit: since you are using hex this video should work for you https://www.youtube.com/watch?v=Rj9aPoyZOPo

Don’t see any blood coming from your knees yet, proceed down the learning road, rough as it is :wink:
Read the references and vids etc, take a stab at a config.


I’ve actually made a defconf script in my spare hours targeted at exactly the sort of situation you’re in. It’s run as a “run-after-reset” script either following a netinstall or reset-configuration.

The aim is to take the painful part out of vlan-ifying your network, in that it provides a ready-to-go config. It will of course have to be “salted to taste” afterwards, but the usual frustrations around locking yourself out, etc. should be avoided, and it provides a secure default firewall setup.

It actually configures 3 vlans:

  • local - intended for local trusted devices
  • mgmt - specifically for managing the router; management from the local vlan can also be allowed (as a setting)
  • guest - for untrusted devices

It also optionally configures one or more trunk ports.

It’s very much beta - that means that it works for me on the devices I tested it on, but it just might attempt to microwave your cat.

If you want to test it out, I’ll post it with some instructions. I’m grateful if you’re willing to be a test subject, but be prepared that you might have to restore your current configuration from backup, etc.

loloski,
As I mentioned in my first post, I did already read that first link you linked, but, I guess the only way to say this is … simple enough? for beginners. I’m sure it makes perfect sense to you but I tried to read it a few times and I get lost. It appears to me that he has scenarios in there and you’re supposed to pick the scenario that is your situation and then download the appropriate rsc file. But I don’t get it. Hopefully when I’m done I’ll be able to write a vlan article that explains it to real beginners so that they might enjoy mikrotik as much as advanced people, but so far I have not found such a tutorial.
The next 2 links you posted I watched but again, they seem to be dealing with more complex situations. Something tells me that my situation is not that complex. They seem to be talking about separate switches (managed) and routers.

anav,
First thanks a bunch for the firewall rules thread help. I owe you another steak.
I am looking over the links you posted in that first thread when I was asking how to set up this thing and you first told me to do vlan instead of 2 bridges.

lurker888,
I am definitely willing to be a test subject, at least until my son wants his router back. I would be grateful to see your script. If I can read it and understand it, it might work. I appreciate you taking the time to try to educate me on this topic. I hope that when I’m done I’ll be able to write a dumbed down basic vlan step by step how-to for the average joe that just wants to have 2 separate lans and that’s it.

I’m not completely ignorant to networking (anav might disagree LOL) so I think with a little dumbing down I’ll get it. Did you guys look at what I wrote above? Creating interfaces and such? Am I on the right track?

Oh and yes, I can reset this thing back to default config over and over until I figure it out, as long as it can do that.

Well, someone has to test it, so it might as well be you :slight_smile: Encouraging, I know.

The basic idea is that this gives a basic VLAN-aware configuration for the router, configures ports and a firewall and a simple WAN connection - basically what you need to get started with a router for a VLAN network. It does the following:

  • creates a vlan with id 100 for the local (normal, trusted)
  • creates a vlan with id 110 for management (only for management functions) - it is a recurring theme here that people want to restrict access to the management interfaces to a single network/vlan, which in certain situations is a really good idea. The default in the script allows management access both from the management and local vlans
  • creates a vlan with id 200, devices on this can access the internet, but have no access to the other two
  • adds the ports on the device to either the local, mgmt or guest vlan, and establishes trunk port(s) if configured
  • adds a simple wan connection (currently: dhcp, pppoe or pppoe-over-vlan)

That’s basically it. To run it:

  1. read the first part of the script and set the settings to your liking
  2. create a backup of your device, and save it on your computer
  3. download the script to the router
  4. do a system->reset configuration WITH
  • “keep users” set,
  • “no default configuration” set
  • “do not backup” set (You have already done the backup manually as per (2) and saved it external to the router, haven’t you?)
  • in “run after reset” select the script

The router restarts, users and passwords are kept. Connection should be possible from the local and mgmt ports.

I’m only posting the config part of the script in the text of the post, the full script is attached:

# Quick VLAN filtering based setup script for Mikrotik routers
# Version 0.1.0

# These are the settings you MUST configure in order for things to
# work out. Maybe the defaults are fine for you, but please look them
# over anyway.

# BASIC SYSTEM-WIDE SETTINGS

# qvSSH - enable ssh access (22/tcp)
# qvWinbox - enable winbox access (8291/tcp)
# qvWebfig - enable webfig access (80/tcp)
# qvWebfigSSL - enable webfig SSL access (443/tcp)
# qvMAC - enable MAC based access; this enables MAC Winbox and its
#         associated discovery protocol (other MAC protocols are
#         disabled.)
#
# qvFasttrack - enable the fasttrack feature
# qvLogToDisk - enable logs to be written to the disk - this may help
#               with diagnosing some issues, but it also puts some
#               wear on the internal flash of your device

:local qvSSH true
:local qvWinbox true
:local qvWebfig true
:local qvWebfigSSL true
:local qvMAC true

:local qvFasttrack true
:local qvLogToDisk true

# WAN ACCESS
#
# The script attempts to configure the most common WAN access methods.
#
# qvWANPort - the port used for the WAN connection
# qvWANMode - selects the type of WAN access that will be configured:
#   0 - don't configure WAN access - the port specified in qvWANPort
#       will be left unconfigured. If you want it to be treated as the
#       other ports, set qvWANPort to "".
#   1 - DHCP (nothing else has to be specified)
#   2 - PPPoE (specify qvPPPoEUser and qvPPPoEPass)
#   3 - PPPoE over VLAN (specify user, pass and qvPPPoEVLAN)

:local qvWANPort "ether1"
:local qvWANMode 1
:local qvPPPoEUser ""
:local qvPPPoEPass ""
:local qvPPPoEVLAN 1

# VLAN SETUP
#
# The script creates a VLAN filtered bridge and assigns all ethernet
# ports (including SFP ports) to this, excluding the WAN port and
# wireless interfaces. Further the script creates the following VLANs:
#   vlan 100 - the local trusted VLAN - all ports are assigned to this
#              vlan unless otherwise assigned
#   vlan 110 - management VLAN 
#   vlan 200 - guest VLAN
#
# All VLANs will have internet access, however management
# functionality will only be accessible from the management VLAN
# (unless qvLocalMgmt is set.) The guest VLAN cannot access either
# the local or the management VLAN. The management VLAN is not
# accessible from anywhere else.
#
# Additionally, trunk ports may be created that transit all of the
# above VLANs as tagged.
#
# The ports here are specified as lists, so multiple ports (or none)
# can be listed. The following are examples of valid syntax:
# :local qvWhateverPorts ({ }) # No ports in this role
# :local qvWhateverPorts ({ "ether2"; "ether3" }) # Two ports in this role
#
# Note: even if no port is assigned, the VLANs are still created and
# configured.

:local qvMgmtPorts ({ "ether2" })
:local qvGuestPorts ({ "ether3" })
:local qvTrunkPorts ({ "ether4" })

:local qvLocalMgmt true

# -------------------------------------

quickvlan-0-1-0.rsc (17.5 KB)

When using vlans, work from an off-bridge port, as noted many times.

Great. Thanks. I will read it over, understand it, and then mess around. Unfortunately I’m doing this in between other junk in life which gets in the way of me enjoying myself so I can only do this in my spare time. But I will post when I have a chance to focus.

anav,
Yes, will do. I am rereading that first post you did in the first topic warning me of exactly that. :wink:

OK first dumb question. Assuming I’m starting with a default config.
I am connected currently on a PC plugged into E2 which is 192.168.88.252 and the router is 192.168.88.1. If I leave that port as is and start playing around with the remaining ports E3, E4 & E5 will I get locked out of the router? It seems to me that that would be what anav suggested: to keep one port out of the mix at least until you’re done.

I’m fine with having only 2 VLANs when I’m done with 2 ports on each. So VLAN10 let’s say would be my personal lan and really have only my PC on it anyway. VLAN20 would be for everything else so I don’t think I would need the 3 VLANs in your example.

VLAN10 - 192.168.1.x
VLAN20 - 192.168.2.x

So, in the end, the router would end up being 192.168.1.1 on VLAN10, no?

Yes, you will get locked out.

My first advice would be: be prepared for being locked out. If you have a configuration that currently works for you, create a backup before you start messing with things. The first few times I configured vlans, I had to reset the router to defaults at least five times. Be prepared to do that.

The usual problem is that the bridge has a setting “vlan-filtering”, which basically enables all vlan-aware behavior. If you have this turned off, the vlan related settings simply don’t take effect - so their effects cannot be observed. If you flip it, and your vlan-related settings are off, you may be (most likely will be) locked out. Safe mode doesn’t really help.

The often repeated solution is to select a port: I guess yours will be ether2.

  1. Remove this port from the bridge (in bridge->port)
  2. Add an address on this port - this should probably be something entirely unrelated to your current or intended networks, like 192.168.111.1/24
  3. Add a firewall rule to allow all access to the router from this port: /ip firewall filter add chain=input action=accept in-interface=ether2 (Put this rule at the top of your input chain)

Now you can assign your computer (manually) an address like 192.168.111.10, and you have access to your router through this.

Verify your access to the router like this, and you can start configuring the vlan stuff. Hint: you’ll probably have to start with turning on vlan-filtering on the bridge.

In these scenarios it’s quite handy to have two laptops/computers available, while you’re configuring the router with one, you can do tests with the other.

Just a note: this is the journey that the script I posted is intended to save you. Doing it manually is fine, just slower and a bit frustrating; but you’ll certainly learn more doing it this way.

Oh yeah. As I said earlier I’m definitely going to get locked out a few times and I’m ready for that, paper clip in hand. Unless theres an easier way to reset?
Also why I’m starting with a completely default config. Not connected to the internet so password and user not important.

The often repeated solution is to select a port: I guess yours will be ether2.

  1. Remove this port from the bridge (in bridge->port)
  2. Add an address on this port - this should probably be something entirely unrelated to your current or intended networks, like 192.168.111.1/24
  3. Add a firewall rule to allow all access to the router from this port: /ip firewall filter add chain=input action=accept in-interface=ether2 (Put this rule at the top of your input chain)

OK I’m about to do this but shouldn’t I make the firewall rule first, then #1 and 2? Because once I do 1 & 2 I’ll likely get locked out by the firewall right?

Yes, I have 3 PCs, one connected to the other router that is online so I can come here :slight_smile:, one that is connected to port E2 for admin of the other router and a third PC is connected to what will be a VLAN port.

Yes, I’m guessing your script would make things easier but then I won’t learn and I need to know what I’m doing. Even if minimally.

The default config has ether2-4 bridged, so these ports are the same from a firewall perspective. Obviously you do the steps I outlined connected via one of ether3-ether5. Then you confirm that you can indeed access the router via ether2. Then you mess with the bridge (now containing ether3-5) connected via ether2. In this order. Simple. :slight_smile:

Got it, it would not let me create the firewall rule first anyways LOL
So for step 2 you mean to go to IP->addresses and create like 192.168.3.1/24 and use interface ether2 right?

Yes, I am doing all this from port 4 currently. Once done I will unplug and replug into port 2.

OK, port E2 is no longer on the bridge and has an IP address of 192.168.3.2. Works fine, I can access the router from there.

So then I did the following…

  1. interfaces->VLAN tab->New
    Created VLAN20 with VLAN ID of 20 on interface ether4
  2. IP->Addresses->New
    created 192.168.2.1/24 on interface VLAN20
  3. IP->DHCP server->New
    created DHCP server for 192.168.2.1/24
  4. Bridge->selected the default (only) bridge->VLAN section and enabled VLAN filtering
    it has a few settings there that I don’t know how to set. PVID is currently 1 and frame types is admit all

Needless to say it is not working but I’m guessing that you saw that coming. So what am I doing wrong? I plug a PC into ether4 and it gets an IP address of 88.253 so that’s from the default dhcp server on the bridge I guess.

First of all, you’ve somewhat missed the point of the exercise with regard to what we did with ether2. It’s just there as an aid to have continuous access to the management of your router while you set up everything. With regard to ether2, we’re all done. After you’ve configured everything vlan to your liking, you may wish to leave this port alone, or it’s fine to incorporate it into your - by then vlanned - design. But as long as you’re not sure that everything else is set up correctly, don’t mess with ether2. (Some people like to set up a dhcp server on this port, just to avoid having to configure a manual address on their computer, but that’s really of no relevance)

When people talk about vlanning your network, they mean vlanning it in the bridge vlan filtering way. This means that all your interactions with vlans will happen somehow related to the bridge.

So adding a vlan to ether2 not only doesn’t really yield results, it’s entirely pointless. We are going to leave ether2 out of the vlan game for now - by choice. So focus on ether3-5.

The first step is to create the vlans themselves: this is not done in interface->vlan, but in bridge->vlan. Create the vlans individually, fill out the “vlan id”, and add an appropriate comment regarding what this vlan is going to be used for. For now, leave the tagged/untagged list empty.

You will next have to decide on how you want to use your different ports:

  • access ports: the devices on these ports are basically unaware that they are part of a vlan. They get normal packets, and they transmit normal packets. That their packets come from and land in a vlan are configured in your bridge configuration. Particularly this means: packets coming in will be equipped with the given vlan tag on ingress and a packet can only egress this port if (internally) it has the corresponding vlan tag - this tag is stripped before the packet leaves.
  • trunk port: on these ports vlan tagged packets are ingressed and egressed. These are almost always ports that connect to something switch-like, for example a vlan-aware switch, or an ap that presents several ssids intending these to be for different vlans.
  • hybrid ports - some people and certain vendors like ports where both tagged and untagged packets travel. The untagged ones travel as if the port was an access port with regard to the given vlan, and the other vlans travelling here are tagged - so it’s a trunk port for them. Most network engineers avoid these, but certain vendors (e.g. ubnt) almost force you to use these. If you have a choice regarding whether to use hybrid ports, don’t.

Create your vlans and decide which ports you want and in which roles. Remember, ether1 and ether2 are not part of the bridge, so these are off limits. Describe in some detail what you want to accomplish, and we’ll see.

No no, I didn’t do anything with ether2. I’m sorry if I wasn’t clear. I set up E2 just like you said and it’s working fine for administration. I did not try to set up a vlan on E2. I tried on E4.

OK so I went to bridge->VLANs-New
created new vlan with vlanid 20.
However, there is already a vlan in there that says “added by pvid” with a vlan ID of 1.

Should I go back to the interfaces and delete the VLAN I created in there?

As far as ports … I don’t quite get the ports thing. Trunk ports carry traffic between routers/switches and VLANs and access ports carry traffic within a vlan?

I have the hex router that has a built in switch so I’m not quite sure what kind of ports I need. What I want in the end is to have E3 on LAN1(VLAN10) and E4 and E5 to be on LAN2 (VLAN20)

Eventually I’ll probably put E2 on LAN1 also but not until I have everything locked down. Not relevant now though.

I was the one not paying proper attention then. Sorry. Anyhow: all interactions with the vlans will happen through the bridge, so don’t add a vlan on ether4 either.

If you’re talking about the one you created on ether4, then yes, delete that. It won’t be needed.

As to dynamic entries: Mikrotik’s system tries to be helpful (it actually is), by adding entries that are implied by other configuration. As you go along configuring everything correctly, the dynamic entries will either disappear or line up with your configuration. Disregard them - they will change as you go along. In the end all will turn out fine.

For access ports, the devices on the other side are not aware of vlans, they only handle the traffic untagged. Their traffic is tagged/untagged when entering/leaving the router. Think of it like this: a simple naïve PC is connected: it has no idea about vlans. If the port it’s connected to is an access port to vlan 10, that means that the traffic received from it will appear in the router as tagged to vlan 10. The traffic that is sent to it is also tagged in your router with vlan 10, but the tag is removed before it is sent to the PC. Therefore an access port only provides access to exactly one vlan.

Trunk ports are when you want to inter-connect vlan-aware devices. Usually several vlans are sent over a trunk port, and the tag travels with them: that’s what separates the traffic belonging to the different vlans.

That sounds like a fine configuration.

Disregard the switch chip thing. The whole point of doing the configuration in such a round-about way on Mikrotiks is that the configuration remains the same whether it is done in software or offloaded to the switch chip. If an appropriate switch chip is present, offloading is automatic and happens in the background - you don’t have to do anything differently.

After you have added your vlans (both) in bridge->vlan, the next step is setting up the access ports. This is done in the bridge->port part of the config. It happens thus:

/interface bridge port set X pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

and similarly for the other ports. The pvid specifies to which vlan they are access ports to. You should see dynamic vlan entries appear corresponding to the pvid values specified as you go along.
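Putting this post together with the earlier off-bridge management port procedure, here is an added example (not from the thread and not lurker888’s quickvlan script) of the complete command sequence for the layout the poster described: ether2 off-bridge for management, ether3 as access port for vlan10 (192.168.1.0/24), ether4 and ether5 as access ports for vlan20 (192.168.2.0/24). It assumes a hEX still on the default configuration, where the bridge is named bridge and holds ether2-ether5, ether1 is the WAN port, and the default firewall has the “drop all not coming from LAN” input rule; 192.168.111.1/24 on ether2 is the address suggested above.

```routeros
# Added example, not the thread's or the script's own configuration.
# Assumptions: default hEX config, bridge "bridge" = ether2..ether5, WAN on ether1.
# Step 1 is typed while connected via ether3-ether5; then move the PC to ether2
# (manual address, e.g. 192.168.111.10/24) before typing the rest.

# 1. Off-bridge management port. The accept rule goes to the very top of the
#    input chain (place-before=0), ahead of the defconf "drop all not coming
#    from LAN" rule, because ether2 is no longer in the LAN interface list.
/interface bridge port remove [find interface=ether2]
/ip address add address=192.168.111.1/24 interface=ether2 comment="mgmt (off-bridge)"
/ip firewall filter add chain=input action=accept in-interface=ether2 \
    comment="always allow management via ether2" place-before=0

# 2. Bridge VLAN table: which VLAN ids exist and on which ports they travel.
#    Access ports are untagged members; the bridge itself is a tagged member so
#    the router's own vlan10/vlan20 interfaces (step 4) see the traffic.
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether3 \
    comment="LAN1 personal"
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether4,ether5 \
    comment="LAN2 guest"

# 3. Access ports: pvid tags untagged frames arriving on the port with that VLAN,
#    and ingress-filtering + frame-types reject frames that arrive already tagged.
/interface bridge port set [find interface=ether3] pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port set [find interface=ether4] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port set [find interface=ether5] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 4. Layer 3: one VLAN interface per VLAN on the bridge (never on an ether port),
#    each with its own address, pool and DHCP server. Both go into the LAN list
#    so the defconf input/NAT rules treat them as inside networks.
/interface vlan add name=vlan10 vlan-id=10 interface=bridge
/interface vlan add name=vlan20 vlan-id=20 interface=bridge
/interface list member add list=LAN interface=vlan10
/interface list member add list=LAN interface=vlan20
/ip address add address=192.168.1.1/24 interface=vlan10
/ip address add address=192.168.2.1/24 interface=vlan20
/ip pool add name=pool-vlan10 ranges=192.168.1.10-192.168.1.254
/ip pool add name=pool-vlan20 ranges=192.168.2.10-192.168.2.254
/ip dhcp-server add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10 disabled=no
/ip dhcp-server add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20 disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1

# 5. Isolation: guests may not reach the personal VLAN, and may only use the
#    router for DNS/DHCP (these rules append after the defconf rules, which is
#    where vlan20 traffic lands once vlan20 is in the LAN list).
/ip firewall filter add chain=forward action=drop in-interface=vlan20 out-interface=vlan10 \
    comment="guest -> personal blocked"
/ip firewall filter add chain=input action=accept in-interface=vlan20 protocol=udp \
    dst-port=53,67 comment="guest may use router DNS/DHCP"
/ip firewall filter add chain=input action=drop in-interface=vlan20 \
    comment="no other router access from guest"

# 6. Only now make the bridge VLAN-aware. None of steps 2-4 take effect before
#    this, and after it the defconf 192.168.88.1 is gone from ether3-ether5,
#    which is why ether2 was set up first.
/interface bridge set bridge vlan-filtering=yes
```

Once clients on ether3 get 192.168.1.x and clients on ether4/ether5 get 192.168.2.x, the defconf 192.168.88.1/24 address and its DHCP server on the bridge can be removed.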

OK so playing around I went into the VLAN I created and changed the interface in it from E4 to bridge and it worked. I don’t know how much but the PC I had plugged into E4 got the correct IP address.

However I am going to go back and remove some of the stuff I did and do it via the bridge interface as you say. Let’s see what happens there. I assume that I leave the DHCP server I set up for the VLAN and the address blocks?

I guess part of the confusion of trunk vs access ports is that all of the tutorials I see/read seem to deal with a separate router and a managed switch. So they show the settings for trunk/access ports on each device. The hex is a router with a built-in switch so I’m confused as to whether I still have to contend with such settings.

Another thing that makes it a bit confusing is that I don’t see the word “trunk” or “access” anywhere. There appears to be no setting or drop down box that says “port role =” and then you can choose between trunk or access. What I do see is some places where it says tagged or untagged and I’m starting to think that that is it.

But first let me go change things the way you say and see what happens there. Then, as you say, we’ll move on to the port designations.

First of all the reference document separates when a Mikrotik device (all with the same RoS) is used as a Router OR a switch or an AP/Switch etc. Of course a router has built-in switch functionality; all do. However, the function and purpose of the device is what matters.

As for trunk or access or hybrid ports: it is NOT up to the router, it’s up to you to decide to set up an ether port as is required, and that’s part of the plan and network diagram work; then you config accordingly. A combination of settings in /interface bridge ports and /interface bridge vlans communicates to the reader what is going on.