Routing VLAN Traffic

I am trying to use a RB750 to route VLAN tagged traffic on our network and could use some help.

We currently have an HP 1800 series switch that is a layer 2 VLAN-capable switch. We are setting up some Ubiquiti access points that are capable of broadcasting both a secured network and a guest network. The traffic from each would have a different VLAN tag. So, I want to plug those into the HP 1800 switch and have my MikroTik route the traffic.

I would like the secured network traffic to be able to communicate with our network resources like our file server, printers, etc. The guest network should only have internet access.

We currently have an untangle firewall and we would like that to provide the internet/content filtering for both the secured wireless network and the guest network.

Could someone provide an example configuration for this? I am VERY new to MikroTik and have a lot of reading to do, but I’m hoping someone can point me in the right direction.

Thanks.

Try to produce a simple sheet of your network and post it here first; we can’t say anything without a rough overview of your network.

regards

OK, please see the attached file and let me know if you need any more info.
network.pdf (149 KB)

VLAN setup in the MikroTik router in Winbox

  1. Interfaces: add the VLANs you are going to be using
  2. Addresses list: assign them IP address and subnet information
  3. Pool: add address pools
  4. DHCP server: add a DHCP server (different DNS can be used here if needed)

Once that is done, MikroTik will route between VLANs by default. You can use your UBNT UniFi guest control to segregate the traffic and isolate guests, or you can use the router's firewall.
Here is an example of blocking VLAN routing in the router: drop input src 192.168.0.0/24 dst 192.168.1.0/24 (add as many rules as needed).

That will get you most of the way there. You will still need to configure that switch to handle the VLAN traffic as needed.

OK, I don’t know the specific configuration of the HP switch, but I suppose it is similar to a Cisco switch, so:

- The Ethernet port of the switch where AP1 is connected must be a trunk that transports the traffic of the secured network (I assume, for example, VLAN 10) and the traffic of the guest network (I assume, for example, VLAN 20).
- The other switch ports, where the server, the other switch and AP2 are connected, must be set in access mode on VLAN 10.
- The Ethernet port of the switch where the RB750 is connected must be a trunk that transports VLAN 10 and 20.

Now on the RB750 you can define VLAN 10 and VLAN 20 on the Ethernet port that is connected to the trunk port of the switch.

Now you have one physical and two separate logical networks.

Bye
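
Added example, not part of any post above: the four Winbox steps and the inter-VLAN blocking rule described in this thread, written as RouterOS terminal commands. The port ether5, the interface and pool names, the subnets and the DNS address are assumptions; VLAN IDs 10 and 20 follow the example in the preceding post. Traffic routed between VLANs passes through the firewall's forward chain, so the drop rules are placed there.

```routeros
# Added example. ether5, all names, subnets and the DNS address are
# assumptions chosen for illustration, not values from the thread.

# 1. Interfaces: VLAN 10 (secured) and VLAN 20 (guest) on the port
#    that faces the switch trunk
/interface vlan
add name=vlan10-secure vlan-id=10 interface=ether5
add name=vlan20-guest vlan-id=20 interface=ether5

# 2. Addresses: the router's address in each VLAN (constructed subnets)
/ip address
add address=192.168.10.1/24 interface=vlan10-secure
add address=192.168.20.1/24 interface=vlan20-guest

# 3. Pool: one address pool per VLAN
/ip pool
add name=pool-secure ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200

# 4. DHCP server: one per VLAN; 192.0.2.53 is a placeholder resolver
/ip dhcp-server
add name=dhcp-secure interface=vlan10-secure address-pool=pool-secure disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.0.2.53
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.0.2.53

# 5. Firewall: keep the router from forwarding between the two VLANs.
#    Matching on interfaces means the rules still hold if a client
#    sets a static address outside its VLAN's subnet.
/ip firewall filter
add chain=forward in-interface=vlan20-guest out-interface=vlan10-secure \
    action=drop comment="guest to secured"
add chain=forward in-interface=vlan10-secure out-interface=vlan20-guest \
    action=drop comment="secured to guest"

# Check the result: the drop rules must sit above any broader accept
# rule in the forward chain, and their packet counters should rise
# when a guest client tries to reach the secured subnet.
/ip firewall filter print stats where chain=forward
```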

I’m mainly using winbox right now to configure as I’m new so the graphical interface helps.

How, using Winbox, do I assign multiple interfaces to a VLAN? I figured out how to assign one, but I can’t figure out how to assign two.

Enslave the other interface

Example

Ethernet 5 has VLAN 10 and VLAN 20

Now we want to add Ethernet 4 to this.

Select Ethernet 4 and specify a master as Ethernet 5. (Now Ethernet 4 and 5 and the VLANs on both are connected.)

Remember, MikroTik will automatically try to route between VLANs. You will need to add a firewall rule to prevent that if that is not the desired result.

BTW, what is the right way to prevent MikroTik from routing between VLANs on L2?

I am having trouble trying to catch and drop the traffic between different customers’ tagged VLAN interfaces and the untagged backbone network. My setup is similar to the one noted above: an RB951G with an Internet connection and 2xLACP (802.3ad) bonding to an HP L2 manageable switch.