Simple VLAN setup - Please help!

rkrisi · May 8, 2020, 9:00am

Hi everyone!

I have bought a new RB4011iGS+5Hac router.
I want to create multiple VLANs to seperate Guest network from my Private network. Ethernet ports on the router (except eth1 which is used as DHCP client to connect to my modem) should be an access port to my private VLAN (vlan_private).
I have also created 2 virtual wlan ap (one 2.4GHz and one 5GHz) which should be in the guest_vlan.

So basically guest_vlan should be only accesible through the virtual ap-s, the private vlan should be accessible from all the Ethernet ports + its own wlan ap-s (I have also created these).

Firstly, is this possible or am I missing something?
Secondly, someone can point me to a tutorial which explains it? All tutorials are used with another switch and trunk ports (I know that ideally vlan switching should occur on switches, but I hope that somehow I can use the many ports on the router for this as well) and also no one shows how to create wlan with vlan tag (now I just set it to use tag and set the correct tag on the wlan interface).

Thanks for your help!

sindy · May 8, 2020, 1:38pm

Since you don’t need VLAN tagging on ethernet ports, using a VLAN configuration is just one of possible approaches - the VLAN tag manipulation on wireless frames is done by the CPU in software anyway.

So if you prefer to use the VLAN approach for the guest subnet, set vlan-mode of the virtual wireless interfaces for the guest WLAN to use-tag and vlan-id to some ID you like (e.g. 1234), and make these interfaces member ports of the common LAN bridge. Then, create an /interface vlan with vlan-id=1234 and interface=the-name-of-the-LAN-bridge, and attach the guest IP configuration (own address, DHCP server etc.) to this /interface vlan.

But you can also create a dedicated bridge for the guests, make the virtual wireless interfaces for the guest WLAN member ports of this dedicated bridge, and attach the guest IP configuration to this dedicated bridge.

Bear in mind that the router normally routes between all subnets, so dedicating a subnet for the guests is not enough, you have to add firewall rules to allow the guests to get only to internet but not to your main LAN subnet.

rkrisi · May 8, 2020, 3:14pm

Since you don’t need VLAN tagging on ethernet ports, using a VLAN configuration is just one of possible approaches - the VLAN tag manipulation on wireless frames is done by the CPU in software anyway.

So if you prefer to use the VLAN approach for the guest subnet, set vlan-mode of the virtual wireless interfaces for the guest WLAN to use-tag and vlan-id to some ID you like (e.g. 1234), and make these interfaces member ports of the common LAN bridge. Then, create an /interface vlan with vlan-id=1234 and interface=the-name-of-the-LAN-bridge, and attach the guest IP configuration (own address, DHCP server etc.) to this /interface vlan.

But you can also create a dedicated bridge for the guests, make the virtual wireless interfaces for the guest WLAN member ports of this dedicated bridge, and attach the guest IP configuration to this dedicated bridge.

Bear in mind that the router normally routes between all subnets, so dedicating a subnet for the guests is not enough, you have to add firewall rules to allow the guests to get only to internet but not to your main LAN subnet.

Thanks!
Yes that was my intention too… I could do that also with bridges but I wanted to try out VLANs - hope the performance is the same. I have found a really great example on how to do it and it is working! Firewall rules are also working correctly!

The speed is also great… at least on LAN.

Now I’m struggling with Wi-Fi. Can you help me point me to some meaningful Wi-Fi configuration? 2.4GHz and 5 GHz are also really slow. I have tried to change settings, setting exact frequency, changing channel width… On 2.4GHz I can only get max. 15Mbps, on my iPhone only 1 Mbps
5GHz is now not visible and in the config shows “slave - disabled” and I don’t know how I could re-enable it. Pushing the tick button won’t help. Anyway before I got here I could also only get around 150Mbps on 5GHz on my computer and only 10Mbps on my phone. It might be some misconfig, but I can’t really figure out… or not? Might be because of the VLANs?

Can you help me?

This is my current config:

Flags: X - disabled, R - running 
 0  R name="wlan_atlas" mtu=1500 l2mtu=1600 mac-address=C4:AD:34:E9:0F:B9 arp=enabled 
      interface-type=QCA9984 mode=ap-bridge ssid="atlas" frequency=5180 band=5ghz-n/ac 
      channel-width=20/40/80mhz-XXXX secondary-channel=auto scan-list=default wireless-protocol=802.11 
      vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=profile_private compression=no 

 1    name="wlan_atlas_guest" mtu=1500 l2mtu=1600 mac-address=C6:AD:34:E9:0F:B9 arp=enabled 
      interface-type=virtual master-interface=wlan_atlas mode=ap-bridge ssid="atlas-Guest" 
      vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=default 

 2  R name="wlan_fujijama" mtu=1500 l2mtu=1600 mac-address=C4:AD:34:BB:5A:E3 arp=enabled 
      interface-type=Atheros AR9300 mode=ap-bridge ssid="fujijama" frequency=auto band=2ghz-b/g/n 
      channel-width=20/40mhz-XX secondary-channel="" scan-list=default wireless-protocol=802.11 
      vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=profile_private compression=no 

 3    name="wlan_fujijama_guest" mtu=1500 l2mtu=1600 mac-address=C6:AD:34:E9:0F:BA arp=enabled 
      interface-type=virtual master-interface=wlan_fujijama mode=ap-bridge ssid="fujijama-Guest"

sindy · May 8, 2020, 3:46pm

As for wireless speed, there are a lot of possible issues (other wi-fi networks in the neighborhood are the first one to look at, the channel numbering is confusing, as in 2.4 GHz band the numbers are assigned to 5 MHz wide channels whilst 20 MHz wide ones are actually used as a minimum, newer devices often aggregate two or four 20 MHz channels). In many countries, 5 GHz channels have to check for minutes for eventual presence of radar signals to prevent interference. So if you have set a particular 5 GHz frequency, radar detection may have received a radar signal and disabled it.

And some iPhone users report interworking issues with some Mikrotik models here on the forum - I can’t confirm this, as on my APs of this type, iPhone users don’t kill the AP, but I don’t say they have the proper iPhone models.

As for the “slave-disabled”, I can see the 5 GHz master interface to be running in what you’ve posted… so export the configuration as per the suggestion in my automatic signature below.

rkrisi · May 8, 2020, 4:15pm

As for wireless speed, there are a lot of possible issues (other wi-fi networks in the neighborhood are the first one to look at, the channel numbering is confusing, as in 2.4 GHz band the numbers are assigned to 5 MHz wide channels whilst 20 MHz wide ones are actually used as a minimum, newer devices often aggregate two or four 20 MHz channels). In many countries, 5 GHz channels have to check for minutes for eventual presence of radar signals to prevent interference. So if you have set a particular 5 GHz frequency, radar detection may have received a radar signal and disabled it.

And some iPhone users report interworking issues with some Mikrotik models here on the forum - I can’t confirm this, as on my APs of this type, iPhone users don’t kill the AP, but I don’t say they have the proper iPhone models.

As for the “slave-disabled”, I can see the 5 GHz master interface to be running in what you’ve posted… so export the configuration as per the suggestion in my automatic signature below.

I don’t know why, the slave became available again after waiting a few mins.
So you are saying that there is a bug in between Apple devices and Mikrotik? Tested with my iPad I get much better speeds - around 150Mbps but I assumed that I could get around 500Mbps with this router.
Also, not counting in Apple devices, on my PC I also only can get around 170Mbps.
Anyway here is my config. I would really appriciate if you can give at least some points which I could try out and see if I can get better speeds…

 /export hide-sensitive 
# may/08/2020 18:14:39 by RouterOS 6.46.6
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
/interface bridge
add name=vlan_bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=vlan_bridge name=vlan_base vlan-id=99
add interface=vlan_bridge name=vlan_guest vlan-id=20
add interface=vlan_bridge name=vlan_private vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=\
    dynamic-keys name=profile_private supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=hungary disabled=no \
    installation=indoor mode=ap-bridge name=wlan_atlas secondary-channel=auto security-profile=\
    profile_private ssid=atlas wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 master-interface=wlan_atlas \
    multicast-buffering=disabled name=wlan_atlas_guest ssid=atlas-Guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set \
    disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan_fujijama \
    security-profile=profile_private ssid=fujijama wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA master-interface=wlan_fujijama \
    multicast-buffering=disabled name=wlan_fujijama_guest ssid=fujijama-Guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.3.2-10.0.3.254
add name=dhcp_pool_base ranges=10.0.99.2-10.0.99.254
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest name=dhcp_guest
add address-pool=dhcp_pool_base disabled=no interface=vlan_base name=dhcp_base
/interface bridge port
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether2 pvid=10
add bridge=vlan_bridge interface=sfp-sfpplus1
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether4 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether5 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether6 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether7 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether8 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether9 pvid=20
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=wlan_atlas pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=wlan_fujijama pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=wlan_fujijama_guest pvid=20
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=wlan_atlas_guest pvid=20
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether10 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=vlan_bridge tagged=vlan_bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=10
add bridge=vlan_bridge tagged=vlan_bridge untagged=ether9 vlan-ids=20
add bridge=vlan_bridge tagged=vlan_bridge untagged=ether10 vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=vlan_base list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_base list=BASE
add interface=vlan_private list=BASE
/ip address
add address=10.0.99.1/24 interface=vlan_base network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.3.2/24 interface=vlan_guest network=10.0.3.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.99 mac-address=78:11:DC:55:9E:00 server=dhcp_private
add address=10.0.0.100 client-id=1:0:4:20:f0:af:64 mac-address=00:04:20:F0:AF:64 server=dhcp_private
add address=10.0.0.195 mac-address=EC:FA:BC:12:83:9F server=dhcp_private
add address=10.0.0.85 mac-address=DC:4F:22:C0:7A:BB server=dhcp_private
add address=10.0.0.84 mac-address=DC:4F:22:C0:74:57 server=dhcp_private
add address=10.0.0.83 mac-address=DC:4F:22:C0:73:5B server=dhcp_private
add address=10.0.0.131 client-id=1:8:62:66:bc:8c:bf mac-address=08:62:66:BC:8C:BF server=dhcp_private
add address=10.0.0.59 mac-address=EC:FA:BC:86:CD:DD server=dhcp_private
add address=10.0.0.107 client-id=1:90:e:b3:6:6e:a7 mac-address=90:0E:B3:06:6E:A7 server=dhcp_private
add address=10.0.0.135 client-id=1:dc:a6:32:d:4b:73 mac-address=DC:A6:32:0D:4B:73 server=dhcp_private
add address=10.0.0.93 mac-address=78:11:DC:EB:54:08 server=dhcp_private
add address=10.0.0.101 mac-address=40:31:3C:D0:D9:30 server=dhcp_private
add address=10.0.0.105 mac-address=98:F4:AB:B8:64:0F server=dhcp_private
add address=10.0.0.110 mac-address=98:F4:AB:B8:6D:01 server=dhcp_private
add address=10.0.0.112 mac-address=C8:2B:96:10:AB:53 server=dhcp_private
add address=10.0.0.89 mac-address=08:9E:08:C0:BA:67 server=dhcp_private
add address=10.0.0.109 mac-address=04:CF:8C:15:BD:5E server=dhcp_private
add address=10.0.0.120 mac-address=C8:2B:96:11:4F:B4 server=dhcp_private
add address=10.0.0.87 mac-address=E4:F0:42:20:42:53 server=dhcp_private
add address=10.0.0.103 mac-address=04:CF:8C:25:61:92 server=dhcp_private
add address=10.0.0.138 mac-address=98:F4:AB:F3:43:E2 server=dhcp_private
add address=10.0.0.175 mac-address=EC:FA:BC:14:83:26 server=dhcp_private
add address=10.0.0.86 mac-address=DC:4F:22:C0:75:0A server=dhcp_private
add address=10.0.0.111 mac-address=C8:2B:96:10:AF:4F server=dhcp_private
add address=10.0.0.98 mac-address=34:CE:00:FB:DB:F3 server=dhcp_private
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.3.0/24 dns-server=10.0.0.3 gateway=10.0.3.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=vlan_base
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs UDP" dst-address=10.0.0.3 \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs TCP" dst-address=10.0.0.3 \
    dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked disabled=yes
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new \
    in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=22 in-interface=ether1 protocol=tcp to-addresses=\
    10.0.0.252 to-ports=18022
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=19091 in-interface=ether1 \
    protocol=tcp to-addresses=10.0.0.252 to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.252 to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.252 to-ports=443
/system clock
set time-zone-name=Europe/Budapest
/system leds
set 0 type=on
add interface=wlan_fujijama leds="wlan_fujijama_signal1-led,wlan_fujijama_signal2-led,wlan_fujijama_signal\
    3-led,wlan_fujijama_signal4-led,wlan_fujijama_signal5-led" type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/tool graphing interface
add allow-address=10.0.0.0/24
/tool graphing resource
add allow-address=10.0.0.0/24
add allow-address=10.0.99.0/24
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Ps.: Also I don’t know why but my filter rules got messed up. When I tested the device I was not able to access different vlans… Now I can. Maybe if you can help me with that one, that would be also great!

Thanks!

anav · May 8, 2020, 4:51pm

In summary,
So far I see most ports are access ports to devices that are not vlan aware on the private LAN, and ether 9 being a wired guest port??, eth10 a base port).
You have an SFP port which is most likely a trunk port which may carry all three vlans?
You have 4 wlans, two private (Atlas and fuji) and two guest (Atlas and fuji) (assuming private 1x5gh, 1x2ghz and same with guest)
The private are standard wlans the guest are virtual wlans.

So far so good! (I guess the SFP is not attached to anything at the moment).

(1) Now lets look at the one of the usual got you places… See the missing bits!!
/interface bridge vlan
add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas,wlan_fujijama,ether2,ether3,ether4,ether5,ether6,ether7,ether8
vlan-ids=10
add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas_guest,wlan_fujijama_guest,ether9 vlan-ids=20
add bridge=vlan_bridge tagged=vlan_bridge untagged=ether10 vlan-ids=99

Next fw rules…standby

(2) This is a holdover hard to find to get rid of from default rules - hint check static DNS…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(3) Only comment is that I usually put the allow vlan rules after the default rules in place… So slight change in location with negligible effect (in other words you dont have to change them).
I do want to know the purpose of your ALLOW VLAN to the router. I would not let any tom dick and harry access to the router.
The only reason they need access is to access services the router provides. Typically I only allow port 53 for DNS services for example.
I believe you have this covered for pi-hole already right? So you could get rid of the VLAN rule.
If you still need it for DNS, then just make it for DNS (two rules port 53 udp/tcp etc.)

/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN
add action=accept chain=input comment=“Allow Base_Vlan Full Access” in-interface=vlan_base
add action=accept chain=forward comment=“Access Pi-hole DNS from VLANs UDP” dst-address=10.0.0.3
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment=“Access Pi-hole DNS from VLANs TCP” dst-address=10.0.0.3
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment=“defconf: accept established,related, untracked”
connection-state=established,related,untracked disabled=yes
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“VLAN Internet Access only” connection-state=new
in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=
!dstnat connection-state=new in-interface-list=WAN

(4) Look fine, dont need to ports if same as dest ports (implied). Noticed you had two translated so that is good.
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=22 in-interface=ether1 protocol=tcp to-addresses=
10.0.0.252 to-ports=18022
add action=dst-nat chain=dstnat comment=“Transmission Web Interface” dst-port=19091 in-interface=ether1
protocol=tcp to-addresses=10.0.0.252
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface=ether1 protocol=tcp
to-addresses=10.0.0.252
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface=ether1 protocol=tcp
to-addresses=10.0.0.252 to-ports=443

rkrisi · May 8, 2020, 5:02pm

In summary,
So far I see most ports are access ports to devices that are not vlan aware on the private LAN, and ether 9 being a wired guest port??, eth10 a base port).
You have an SFP port which is most likely a trunk port which may carry all three vlans?
You have 4 wlans, two private (Atlas and fuji) and two guest (Atlas and fuji) (assuming private 1x5gh, 1x2ghz and same with guest)
The private are standard wlans the guest are virtual wlans.

So far so good! (I guess the SFP is not attached to anything at the moment).

(1) Now lets look at the one of the usual got you places… See the missing bits!!
/interface bridge vlan
add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas,wlan_fujijama,ether2,ether3,ether4,ether5,ether6,ether7,ether8
vlan-ids=10
add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas_guest,wlan_fujijama_guest,ether9 vlan-ids=20
add bridge=vlan_bridge tagged=vlan_bridge untagged=ether10 vlan-ids=99

Next fw rules…standby

(2) This is a holdover hard to find to get rid of from default rules - hint check static DNS…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Thank you! Regarding the Filter Rules I have managed to get it going! Now Guest VLAN cant access private vlan.
Yes everything you wrote is correct regarding what I wanted to configure!

I have to apply these commands you sent?

PS.: I just saw the firewall rules! I will do exactly what you said! Yes I have pihole setup as DNS service, so I will remove that line which adds access to the router.
Thanks!

anav · May 8, 2020, 5:06pm

The FW rules are fine as they are.
I just question why you give the VLAN full access to the router.
I would not, I would eliminate that input chain rule.
YOu need access as the admin and you have provided that with your BASE VLAN rule.
I prefer to create an access list which includes the likely IPs I would use to access the router (desktop on private, laptop on base for example) and add that to the BASE-VLAN rule as a source address list. In this way only me the admin from my own PCs, not everyone on the private or base vlan has access to the router for admin purposes.

No worries, WLANs and VWLANs get tricky when adding to vlans and vlan bridge filtering.

rkrisi · May 8, 2020, 5:14pm

You are completely right! I just messed something up during config and this rule got trapped in. I also don’t want the guest network to access the router. I have removed it, restricted IPs and it seems that the IP filter rules works completely as I would want! Thank you!

Now I only need to figure out why Wi-Fi speed is slow

rkrisi · May 8, 2020, 5:27pm

Anyway, what is the problem with these?

add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas,wlan_fujijama,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
vlan-ids=10
add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas_guest,wlan_fujijama_guest,ether9 vlan-ids=20

I mean you highlighted the wlan interfaces? I also want to tag packets coming from WLAN in order for WLAN to work there also. Or do I need to remove this and set the VLAN Tag in the Wireless Interface setting?

https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

This tutorial says that. But I think this applies to WLAN VLAN Trunks?

anav · May 8, 2020, 6:40pm

No I highlighted them because they were missing in your original config.
They are now good if you included them.
Concur, only have to work on wifi speed and that is probably accomplished with some wifi tweaking.

rkrisi · May 8, 2020, 7:05pm

Thank you very much!
The config now seems great for me, now I just have to fiddle with Wi-Fi settings. Hope I can get better rates or someone who can have a look at this config because I’m not sure about it…

anav · May 9, 2020, 1:18am

Here are the settings on my capac if they help…
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b=“” country=canada
disabled=no distance=indoors installation=indoor mac-address=
CC: mode=ap-bridge name=Devices rate-set=configured
scan-list=2412,2437,2462 security-profile=devices_only ssid=DEV
supported-rates-b=“” wireless-protocol=802.11 wmm-support=enabled
wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac
channel-width=20/40mhz-Ce country=canada disabled=no mode=ap-bridge name=
Inside5G rate-set=configured scan-list=5175-5185,5195-5205,5215-5225
security-profile=Hallway_wifi ssid=Hallway wireless-protocol=
802.11 wmm-support=enabled wps-mode=disabled