I’m new to the Mikrotik world and to the forums. After some days perusing the wiki and the reference thread on VLANs by pcunite user I still have some doubts on how to implement my setup.
I’m using a hEX S to implement a setup which is basically identical to the Router on a stick case described in the thread, with two VLANs on the LAN side (30-31), the major difference being that the WAN port is connected to a fiber ONT (a black box from our point of view, absolutely no way of accessing its configuration) which requires traffic to be exchanged on VLAN 7.
Eth2 to Eth5 are the LAN ports which are member of the bridge entity, while Eth1 goes to the fiber ONT.
Now, I have declared the desired VLANs in the bridge and their respective IP/L3 counterparts along with DHCP server and addresses for the LAN side (the only tagged member port for those vlans is bridge, which as far as I’ve understood is to grant access to the CPU, so probably I should also add the member ports eth2 to 5 there). No untagged ports on the bridge vlans as all the router ports’ are trunk (going to other switches which tag traffic correctly).
For the WAN, I have only added VLAN7 under “/interface/vlan” and the IP address of the hEX and the route to the gateway. At this point, all members of VLAN 30 and 31 can access the WAN and the internet correctly, although there’s no inter-VLAN traffic (as bridge vlan filtering is still off).
As soon as I turn on the VLAN filtering, the WAN is not accessible anymore. Here is where I’m a bit stuck. Here is the alternative options I am considering as a trial-and-error approach:
Adding eth2 to eth5 as tagged members of the vlan 30 and 31 under interface/bridge/vlan
Add VLAN7 under interface/bridge/vlan with eth1 as a tagged member, which should instruct RouterOS to add the egress tag?
Eth1 should be a member of the bridge itself in order to allow inter-VLAN traffic (VLAN7 is just another vlan in the end although only required between router and ont?) I have a hunch that this is very bad in terms of logical separation of domains
I don’t mind breaking things and I’m using this lesson mainly as my entrance to becoming more skilled in networking and especially Mikrotik products, so please bear with me if all sounds utterly stupid and the solution is more obvious than I thought.
I’ll paste here the relevant part of the current configuration:
As soon as you enable VLAN filtering, you cut off LAN ports from bridge … because default config is that bridge ports are access ports to VLAN ID 1 (implicit default setting of pvid=1). So you really have to do something about VLANs on LAN side … e.g. setting ether2 with pvid=30 should let an ordinary device (not aware of VLANs) to communicate in “workstations” LAN.
Thanks for the explanation about turning on vlan filtering, which is (albeit more accurate) what I was thinking.
So would it make sense just adding eth1 (which is physically connected to the ONT) as another port of the bridge? In the end, I just want members of VLAN30 and VLAN31 to be able to reach the ONT/gateway, and it can only be reached across VLAN7 on that port.
The WAN part (ether1) is pretty fine right now. It’s the LAN part (ether2-5) which lacks a little bit of configuration.
When you set bridge with vlan-filtering=yes, it actually starts to perform VLAN-related tasks. One of them is tagging/untagging frames passing bridge ports. Ezher2-5 (as per defsult which you dud not change) are untagged ports of VLAN 1 (pvid=1), but your bridge expects to work with VLANs 30 and 31. So try to set one of ether2-5 ports to pvid=30, then enable vlan-filtering and see if device, connected to that port can communicate with internet.
Beware that you don’t have any firewall hence both router and LAN devices will be exposed to possible attacks when connected to ONT (unless your ISP runs a firewall for you). Having WAN address of 10.x.y.z means ISP does NAT (again), but that doesn’t make your router nor LAN safe.
Regarding LAN: I didn’t really explain myself very well probably, but eth2-5 are meant to behave as trunk as they are already receiving tagged traffic from other switches. Hence I don’t think I should change their native pvid as the ingress tagging is not to be done by the hEX S.
However, shall they be tagged members of the bridge for vlans 30 and 31? That’s the part I don’t get.
Regarding L3/Firewall: thanks for mentioning, I do have already a basic drop everything from WAN if not tracked which I took from pcunite VLAN thread and it’s good enough for the moment, it’s just that I left it out of the pasted configuration to avoid adding too much noise.
Thank you, I really appreciate your help and it’s a great motivation to keep learning more about RouterOS.
VLAN settings under /interface bridge (both port and vlan) must reflect desired configuration. If ether2-5 are meant to be tagged ports, then you should configure them as such. Like this:
By setting ingress-filtering=no you indeed allow all tagged frames on ingress (which is what settings under port mostly are), but frames are not allowed on egress (which is what settings under vlan mostly are).
Regarding firewall: if you really do have that single firewall rule dropping packets not tracked, then it still allows everything. Packets are “not tracked” only if they are explicitly marked as such in raw firewall section (which comes before connection tracking machinery does its job).
I thought that ingress-filtering was just advancing the dropping operation for VLANs not in the table at the input, and not on egress, although as you say the eth2 to 5 ports should be added as tagged.
Regarding firewall, I’ll post the relevant part of the config which is pretty much the defconf rules. I got confused when mentioning untracked, what I meant was actually !dstnated:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward in-interface=vlan-smd-only-external out-interface=!vlan-ont-wan
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Update: adding eth2 to eth5 among the tagged interfaces for the vlans listed under /interfaces/bridge as suggested did the trick and I indeed have inter-vlan traffic now!
Thanks for the help.
PS: I can ping from all the VLANs the IP address of the hEX S (e.g. 10.30.0.1) and have internet access, although I cannot establish a winbox/webfig connection. It only works with a direct connection through an untagged port directly on the router. Wasn’t expecting this as no firewall rule should be getting in the way…
Check the interface list membership. Router’s L3 will see VLAN interfaces as ingress interfaces, so some of them should be made members of LAN interface list (there’s a general drop rule in chain=input with in-interface-list=!LAN). Same thing might be preventing winbox MAC access, check it under /tool/mac-server …
Indeed, only the bridge itself was a member of LAN, not the VLANs themselves. Very convenient as I can add only the ones I’m planning to give Winbox access to.
Hi all. I have cAP device. And I want to ask the community. Is it possible to use scenario where my access point can work as router on a stick?
Look at please the diagram to understand what I need to implement.