[SOLVED] Native VLAN support for MikroTik Hex S RB760iGS

Hi all!
I’m installing this router as my primary one in my SOHO env.
I’ve got 2 PC’s (1x Win OS & 1x Linux OS) + 2 Meraki AP’s with multiple VLANs on them.
Currently I’m starting to configure my SOHO env. for Smart home - I don’t want the Smart devices to access my network by default.

I’ve got 2x PC’s + 1x Internet ETH connected to the MikroTik “bridge” without any special configuration.
I’ve created another Bridge (VLAN-Bridge) which is configured on the 2x ETH ports the AP’s are connected to - they are all tagged with multiple VLANs.
I would like 1PC to be able to communicate with the other PC - while I’ll configure on a Docker VM a container on a specific VLAN that should access a specific VLAN (ID 200) to manage the smart things - the Smart things network should be without Internet access (I’ve configured it in the FW already).

I’ll be more than glad to hear your tips about doing it!

Your explanation is confusing, a diagram would be helpful and a copy of your config once you have made progress (for review).
I have my home setup similarly done.
I have everything on VLANs and on one bridge connected to multiple smart switches, unmanaged switches and APs that can handle multiple vlans.
The APs have smart devices on some of the vlans that are not allowed access to the rest of my network…
I have no need for more than one bridge etc…

I would like to know, what is the preferred way to configure the router, on ETH3 to accept both Native VLAN traffic and VLAN 200 traffic - so ETH 3 VLAN 200 will be able to communicate with the APs on VLAN 200.

@Anav, sorry for the delay, attached is my on-going network diagram
Thanks in advance.
Network-diagram.PNG

Here’s my router configuration

/export
# feb/28/2020 16:19:32 by RouterOS 6.46.4
# software id = A534-W2FM
# model = RB760iGS
# serial number = SECRET

/interface bridge
add name=VLAN-Bridge
add admin-mac=SECRET auto-mac=no comment="Default bridge" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN interface - Server3 temp." name=ETH1
set [ find default-name=ether2 ] comment="HP Switch" name=ETH2
set [ find default-name=ether3 ] comment=Server4 name=ETH3
set [ find default-name=ether4 ] comment="Shon's room AP" name=ETH4
set [ find default-name=ether5 ] comment="Office room AP" name=ETH5 poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=VLAN-Bridge name=vlan99 vlan-id=99
add interface=VLAN-Bridge name=vlan100 vlan-id=100
add interface=VLAN-Bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool100 ranges=192.168.100.30-192.168.100.254
add name=dhcp_pool200-HASS ranges=192.168.200.30-192.168.200.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool100 always-broadcast=yes interface=vlan100 name=dhcp100
add add-arp=yes address-pool=dhcp_pool200-HASS disabled=no interface=vlan200 name="dhcp 200-HASS"
/interface bridge port
add bridge=VLAN-Bridge interface=ETH4
add bridge=VLAN-Bridge interface=ETH5
add bridge=bridge interface=ETH1
add bridge=bridge interface=ETH2
add bridge=bridge interface=ETH3
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=VLAN-Bridge vlan-ids=99,100,200
add bridge=bridge tagged=vlan200 vlan-ids=""
/interface detect-internet
set lan-interface-list=LAN
/interface list member
add interface=ETH1 list=WAN
/ip address
add address=192.168.0.100/24 interface=bridge network=192.168.0.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ETH1
/ip dhcp-relay
add dhcp-server=192.168.0.5 disabled=no interface=vlan100 local-address=192.168.100.1 name=relay100
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.100 netmask=24
add address=192.168.100.0/24 dns-server=192.168.0.4,192.168.0.5 gateway=192.168.100.1 netmask=24
add address=192.168.200.0/24 dns-server=192.168.0.4,192.168.0.5 gateway=192.168.200.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.100 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Allow HASS to communicate with DNS servers" connection-state=established,related,new dst-address=192.168.0.4 dst-port=53 in-interface=vlan200 protocol=udp
add action=accept chain=forward comment="Allow HASS to communicate with DNS servers" connection-state=established,related,new dst-address=192.168.0.5 dst-port=53 in-interface=vlan200 protocol=udp
add action=accept chain=forward comment="Allow Bridge SW to ICMP Vlan200" connection-state="" in-interface=vlan200 out-interface=bridge protocol=icmp
add action=drop chain=forward comment="Block all traffic" in-interface=vlan200
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=accept chain=input comment="defconf: accept ICMP"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=invalid,established,related,new,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,new,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add
add dst-address=192.168.0.100
add dst-address=192.168.0.100
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You need to decide between “everything in a single bridge with VLAN filtering in the bridge” and “a separate bridge for every network, VLAN subinterfaces on the ether ports and put each of them in the appropriate bridge”.
The mixed way as you are trying to construct is not going to work.

I think that the “everything in a single bridge with VLAN filtering in the bridge” will be more hardware-wise - per my router.
How can I do that? I’ve tried to configure it without luck - before I started to use the 2nd bridge - so I did miss something.

This tutorial might help you …

Just to confirm your diagram and intentions…
Q1. The MT router will be the router attached to the INTERNET?
Q2a. Will it receive a dynamic or static WANIP from the ISP
Q2b. The WANIP looks like a LANIP at the moment in the diagram so will your router be connected to an ISP Modem receiving a WANIP (‘normal’ kind) or will it be attached to an ISPs router and getting a bastardized WANIP that looks more like a LANIP lol.

Design.
So you want ONE BRIDGE call it HOMEBRIDGE (its default pvid of 1 can remain).
Eth4 and eth5 are assigned to the bridge as TRUNK PORTS
Eth2 is setup to the Bridge as an Access Port


ETHER 3 connection is confusing. How many ethernet cables from it are attached to the MT router? Assuming one and thus how does it get multiple IPs??
In any case if like a switch and it has ethernet cards for other devices okay. Then a TRUNK Port.

ETH 1 seems like an ACCESS PORT.

What is not identified clearly on the map are the vlans that cover the HP side of the house and what vlan is used by the device attached at ETH1

IF YOU HAVE A NORMAL LAN…192.168.0.X then simply call this VLANHOME
IF you need a VLAN for smart devices call it VLANSMART for example

Anav, thanks for your informative/detailed reply :slight_smile:

Q1.

The MT router will be the router attached to the INTERNET?

Yes, it will be - but this is step #2 (configuring smart FW rules may take me some time).

Q2a.

Will it receive a dynamic or static WANIP from the ISP?

The IP I’m receiving from the ISP is a Public IP address (DHCP client will be enabled on ETH1 port).

Q2b.

The WANIP looks like a LANIP at the moment in the diagram so will your router be connected to an ISP Modem receiving a WANIP (‘normal’ kind) or will it be attached to an ISPs router and getting a bastardized WANIP that looks more like a LANIP lol.

The “default bridge” IP address will be set to 192.168.0.1 once I’ll connect the ISP to the MT router.


ETHER 3 connection is confusing. How many ethernet cables from it are attached to the MT router? Assuming one and thus how does it get multiple IPs??
In any case, if like a switch and it has ethernet cards for other devices okay. Then a TRUNK Port.

ETH3 in the MT router is directly connected, using 1x Ethernet cable, to a Server with Linux OS.
In Linux, it is very easy to configure multiple IP addresses & VLANs - in Windows, it is a bit more advanced but can be done - a supported Ethernet adapter is a MUST.

This is my “example ETH configuration” on one of my Linux OS machines (Ubuntu 19.04):

yehonatan@server004:~$ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

# enp0s31f6 configuration
auto enp0s31f6
iface enp0s31f6 inet static
    address 192.168.0.4
    netmask 255.255.255.0
    gateway 192.168.0.100

# VLAN 200 configuration
auto enp0s31f6.200
iface enp0s31f6.200 inet static
    address 192.168.200.99
    netmask 255.255.255.0
    gateway 192.168.200.1
    vlan-raw-device enp0s31f6


What is not identified clearly on the map are the VLANs that cover the HP side of the house and what VLAN is used by the device attached at ETH1

  • Ports ETH1 & ETH2 should be Access ports only
  • Port ETH3 should be Native VLAN 1 (if I can describe PVID 1 like that) and Tagged for VLAN 200 and any future VLAN I’ll require.
  • Ports ETH4 & ETH5 are tagged only (VLANs 99, 100 & 200) - for now

Great!
pe1chl, thanks for your tip! I’ve made the configuration to work as needed! :slight_smile:
I’m attaching my current configuration - if it may help anybody else in the future.
I’ve also changed my temp. router IP to use a different LAN pool 172.16.32.0/24 - so I can start to configure the Firewall rules.

/export
# feb/29/2020 12:35:27 by RouterOS 6.46.4
# software id = A534-W2FM
# model = RB760iGS
# serial number = SECRET

/interface bridge
add disabled=yes name=VLAN-Bridge
add admin-mac=SECRET auto-mac=no comment="Default bridge" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN interface" name=ETH1
set [ find default-name=ether2 ] comment="HP Switch" name=ETH2
set [ find default-name=ether3 ] comment=Server4 name=ETH3
set [ find default-name=ether4 ] comment="Shon's room AP" name=ETH4
set [ find default-name=ether5 ] comment="Office room AP" name=ETH5 poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge name=vlan99 vlan-id=99
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool100 ranges=192.168.100.30-192.168.100.254
add name=dhcp_pool200-HASS ranges=192.168.200.30-192.168.200.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool100 always-broadcast=yes interface=vlan100 name=dhcp100
add add-arp=yes address-pool=dhcp_pool200-HASS disabled=no interface=vlan200 name="dhcp 200-HASS"
/interface bridge port
add bridge=bridge interface=ETH2
add bridge=bridge interface=ETH3
add bridge=bridge interface=ETH4
add bridge=bridge interface=ETH5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=VLAN-Bridge vlan-ids=99,100,200
add bridge=bridge vlan-ids=99,100,200
/interface detect-internet
set lan-interface-list=LAN
/interface list member
add interface=ETH1 list=WAN
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ETH1
/ip dhcp-relay
add dhcp-server=192.168.0.5 disabled=no interface=vlan100 local-address=192.168.100.1 name=relay100
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.100 netmask=24
add address=192.168.100.0/24 dns-server=192.168.0.4,192.168.0.5 gateway=192.168.100.1 netmask=24
add address=192.168.200.0/24 dns-server=192.168.0.4,192.168.0.5 gateway=192.168.200.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.100 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Allow HASS to communicate with DNS servers" connection-state=established,related,new dst-address=192.168.0.4 dst-port=53 in-interface=vlan200 protocol=udp
add action=accept chain=forward comment="Allow HASS to communicate with DNS servers" connection-state=established,related,new dst-address=192.168.0.5 dst-port=53 in-interface=vlan200 protocol=udp
add action=accept chain=forward comment="Allow Bridge SW to ICMP Vlan200" connection-state="" in-interface=vlan200 out-interface=bridge protocol=icmp
add action=accept chain=forward dst-address=192.168.200.2 log=yes src-address=192.168.100.43
add action=accept chain=forward dst-address=192.168.100.43 log=yes src-address=192.168.200.2
add action=drop chain=forward comment="Block all traffic" in-interface=vlan200
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=accept chain=input comment="defconf: accept ICMP"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=invalid,established,related,new,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,new,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
/ip traffic-flow
set enabled=yes
/system package update
set channel=stable
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Yes, you can now delete the VLAN-bridge; it is no longer required.
Note that this solution does not use hardware acceleration, although that should have been possible.
Maybe later MikroTik will add support for that and it will magically become available when RouterOS is updated.
(You can now set the “hw offload” checkmarks on the bridge ports, but when you check the status you will see hw offload is not actually active.)

I see some issues with that config…

  1. Although I see the VLAN99 setup
     /interface vlan
     add interface=bridge name=vlan99 vlan-id=99
     /ip address
     add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0

     Where is the corresponding configuration…
     A. IP Pool??
     B. IP DHCP Server?
     C. IP DHCP Server Network?

  2. Where did this mysterious unknown subnet come from 192.168.0 ???
     /ip address
     add address=192.168.0.1/24 interface=bridge network=192.168.0.0
     /ip dhcp-server network
     add address=192.168.0.0/24 comment=defconf gateway=192.168.0.100 netmask=24

     a. It’s not defined in vlan?
     b. It’s not defined in ip pool or ip dhcp server
     c. WORSE you have attached it to the interface bridge arggg…
     (If this is another subnet or homelan for example create vlan100 and simply add it to the mix.
     I do not recommend using the bridge for any addressing dhcp service etc…)
     Also it’s not clear what the purpose of this subnet is so it needs to be explained…


3. I see where you have identified all the eth ports as trunk ports
/interface bridge port
add bridge=bridge interface=ETH2
add bridge=bridge interface=ETH3
add bridge=bridge interface=ETH4
add bridge=bridge interface=ETH5

But the vlan bridge setup is confusing…
/interface bridge vlan
add bridge=bridge vlan-ids=99,100,200

Normally one states what is tagged and untagged here… ??
add bridge=bridge tagged=bridge,eth2,eth3,eth4,eth5 vlan-ids=99,100,200

The firewall rules at first glance look butt ugly but not concerned as you said you were working on them and would rather see a later version but would want the above addressed first.
I may be missing something as pe1chl didn’t make the same comments…
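Putting together the port roles the OP listed (ETH1 as WAN outside the bridge, ETH2 access, ETH3 native VLAN 1 plus tagged 200, ETH4/ETH5 tagged only) with Anav’s point that the bridge VLAN table should state tagged/untagged membership per port, the following is one way the single-bridge configuration could be written. It is an added example, not a configuration posted by anyone in this thread; it assumes PVID 1 for the untagged LAN and the RouterOS 6.41+ bridge VLAN filtering feature, and it deliberately uses ingress filtering and frame-type limits so a device on an access port cannot tag its way into the smart-home VLAN.

```routeros
# Added example (not from the thread): one bridge with VLAN filtering for the
# port roles given above. ETH1 stays out of the bridge (WAN, DHCP client);
# ETH2 = untagged access on the default LAN; ETH3 = hybrid, untagged LAN plus
# tagged VLAN 200; ETH4/ETH5 = tagged-only trunks for VLANs 99, 100, 200.
# Port names and VLAN IDs are from the page; PVID 1 for the untagged LAN and
# RouterOS 6.41+ bridge VLAN filtering are assumptions. Apply over Winbox/MAC,
# not over an IP address that depends on the bridge you are reconfiguring.

/interface bridge
add name=bridge comment="Default bridge" vlan-filtering=no

/interface bridge port
# Access port: untagged only. A tagged frame arriving here is dropped at
# ingress, so a host on ETH2 cannot tag itself into VLAN 200.
add bridge=bridge interface=ETH2 pvid=1 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# Hybrid port: untagged frames go to PVID 1, tagged frames are accepted (the
# bridge vlan table below decides which tagged VIDs are actually allowed).
add bridge=bridge interface=ETH3 pvid=1 ingress-filtering=yes \
    frame-types=admit-all
# Trunks to the APs: tagged frames only. An untagged frame from an AP is
# discarded instead of silently joining the default LAN.
add bridge=bridge interface=ETH4 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ETH5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

/interface bridge vlan
# State the tagged members per VLAN. "bridge" is listed so the router's own
# vlanNN interfaces receive the traffic; VLAN 1 needs no static entry, the
# bridge adds a dynamic untagged entry for each port's PVID.
add bridge=bridge tagged=bridge,ETH4,ETH5 vlan-ids=99
add bridge=bridge tagged=bridge,ETH4,ETH5 vlan-ids=100
add bridge=bridge tagged=bridge,ETH3,ETH4,ETH5 vlan-ids=200

/interface vlan
add interface=bridge name=vlan99 vlan-id=99
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200

# Turn filtering on last: with an empty or incomplete table, enabling it
# first drops every VLAN not yet listed, including the management path.
/interface bridge
set bridge vlan-filtering=yes

# Verify membership (dynamic "D" entry for VLAN 1 should show ETH2,ETH3
# untagged) and the hardware-offload flag on each port
/interface bridge vlan print
/interface bridge port print
```

The firewall rules on vlan200 from the OP’s export apply unchanged on top of this, since the Layer 3 vlan200 interface is still the one the router sees the smart-home traffic on.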