Struggling to create a VLAN that can access the internet

Hi, bit of a newbie question here but I've wasted two days trying to do this already so figured it might be time to ask for some help...

The laptop that I am testing all of this on is directly connected to the third ethernet port (ether3) on the hEX S and I manage it over SSH in the terminal on this device too. My ultimate goal is to create a VLAN that can manage the hEX S over SSH and access the internet as per usual from ether3 and prevent devices not connected to ether3 from tampering with the hEX S.

Essentially,
Ethernet port 3 - Able to manage the hEX S and access the internet
Ethernet port(s) 2,4,5 - Unable to access the hEX but can still access the internet

So far I have failed at the first step - getting internet. I've started from default settings and here is everything that I've added so far:

[admin@hEX] /interface/bridge> print
Flags: Y - MANAGED; D - DYNAMIC; X - DISABLED, R - RUNNING 
 0   R ;;; defconf
       name="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto 
       mac-address=D0:EA:11:5D:83:BF protocol-mode=rstp fast-forward=yes igmp-snooping=no 
       auto-mac=no admin-mac=D0:EA:11:5D:83:BF ageing-time=5m priority=0x8000 
       max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no 
       dhcp-snooping=no dhcpv6-snooping=no ra-guard=no port-cost-mode=long 
       max-learned-entries=auto mlag-peer-port=none mlag-priority=128 mlag-heartbeat=5s 
[admin@hEX] /interface/bridge/port> print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, TRUSTED-RA, TRUSTED-DHCPV6, FAST-LEAVE, 
         BPDU-GUARD, EDGE, POINT-TO-POINT, PVID
#    INTERFACE  BRIDGE  HW   HORIZON  TRUSTED  TRUSTED-RA  TR  FA  BP  EDGE  POIN  PVID
;;; defconf
0 IH ether2     bridge  yes  none     no       no          no  no  no  auto  auto     1
;;; defconf
1  H ether3     bridge  yes  none     no       no          no  no  no  auto  auto    10
;;; defconf
2  H ether4     bridge  yes  none     no       no          no  no  no  auto  auto     1
;;; defconf
3  H ether5     bridge  yes  none     no       no          no  no  no  auto  auto     1
;;; defconf
4 I  sfp1       bridge  yes  none     no       no          no  no  no  auto  auto     1
[admin@hEX] /interface/bridge/vlan> print detail
Flags: Y - MANAGED; X - DISABLED, D - DYNAMIC 
 0    bridge=bridge vlan-ids=10 tagged=bridge untagged=ether3 mvrp-forbidden="" current-tagged=""
      current-untagged="" 
[admin@hEX] /ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE, VRF
#   ADDRESS          NETWORK       INTERFACE   VRF 
;;; defconf
0   192.168.88.1/24  192.168.88.0  bridge      main
1 D 192.168.1.80/24  192.168.1.0   ether1      main
2   10.10.10.1/24    10.10.10.0    management  main
[admin@hEX] /ip/dhcp-server/network> print
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS          GATEWAY       DNS-SERVER  
0 10.10.10.0/24    10.10.10.1    10.10.10.1  
;;; defconf
1 192.168.88.0/24  192.168.88.1  192.168.88.1
[admin@hEX] /ip/firewall/filter> print
Flags: X - DISABLED, I - INVALID; D - DYNAMIC 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN 

12    chain=forward action=accept in-interface=management out-interface-list=WAN 


[admin@hEX] /ip/firewall/nat> print
Flags: X - DISABLED, I - INVALID; D - DYNAMIC 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=srcnat action=masquerade out-interface=management 

[admin@hEX] /interface/vlan> print detail
Flags: X - DISABLED, R - RUNNING; H - HW-OFFLOADED 
 0 R  name="management" mtu=1500 l2mtu=1592 mac-address=D0:EA:11:5D:83:BF arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off 
      loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=10 interface=bridge use-service-tag=no mvrp=no 

To test my configuration, I always turn on safe mode and then enable vlan-filtering in /interface/bridge. When I execute this command, my laptop remains connected to the ethernet network and I am, as expected, kicked out of SSH; however, I cannot access the internet. Any attempt to look anything up fails.

I really can't figure out where I'm going wrong. If someone could point out what needs fixing, I would really appreciate it. At the moment, I'd just like to focus on getting internet working.

myconfig.rsc (6.6 KB)

Do you need the vlan? If you are going to isolate port 3 just for management I think the vlan is redundant. You could just remove it from the bridge.

Also, since both subnets would be accessing the internet through the same wan port the one masquerade rule should work fine.

I would start with the management subnet and dhcp server for it on port 3 and test for internet from port 3 to make sure that's working. Then I'd go in and setup the services to only allow connection from the management subnet. After that I'd add in whatever rule I wanted in terms of the management subnet talking to the main network subnet and vice versa. Presumably you could just drop the traffic between the two subnets, but you might want something different there, IDK.

Oh, and after you get all that working you might also want to specify port 3 for the winbox server so no one could connect by MAC on the other ports using winbox.

HTH

To be honest, your solution sounds a lot nicer than what I'm doing right now. I'll definitely look into this once I clear this mess up so thanks for suggesting it.

Apart from the masquerade rule, did anything else stand out to you that needs correcting? Maybe this is just sunk cost fallacy at this point, but I already feel like a complete n00b not knowing how to set up a VLAN after two whole days... I cannot walk away from this empty handed :smiling_face_with_tear: .

As suggested, both having your management access physically restricted to certain ports (if I understand correctly what you're trying to do) and setting up VLANs are worthwhile things, but they are sort of orthogonal.

What I see lots of people initially flailing about with is that in networking there is a sort of construction and hierarchy of building blocks, and going against this leads to frustration. This also means that a lot of things that start with "I simply want..." are not really easy or even possible, and it's much more useful to rephrase these asks in the established paradigms. (I put this plainly, but it's not my intention to be hurtful.)

The point here is that IP firewalling (which is about restricting who can talk to whom, essentially what you want) happens at the IP (layer 3) level of the networking stack. Specifying things by "which port can do what" is therefore not really useful for this: the more aligned way of thinking is: which network should have access to which others.

Therefore you will want to have your ether3 port not be a part of your default (192.168.88.0/24 as factory default) network, but create another, let's say "admin" network.

The easiest way to do this is without using vlans (it's perfectly okay with vlans as well - it's just easier to do it first without involving them.) You simply:

  • remove ether3 from the bridge
  • add an address on that port directly, thereby creating the new network, /ip address add interface=ether3 address=192.168.90.1/24
  • if you're running on the default configuration, you'll have to add ether3 to the LAN interface list

Now, if you configure an address on your PC manually, such as 192.168.90.10/24, you'll have access to both the admin interface and the Internet.

If you don't want to have to add the address manually, you can go on to configure a DHCP server for this new network on ether3.

This obviously does nothing to restrict admin access from the non-ether3-connected devices, but now you can modify your firewall rules to your liking to restrict access any way you wish.

Also, you don't have to worry about not understanding VLANs on your first try - setting them up on Mikrotiks has always been quite unintuitive due to the dual nature of a bridge (refer to: RouterOS bridge mysteries explained) as well as the difference between a VLAN interface and bridge VLAN filtering and when the former is necessary. Luckily, in later versions some things are added dynamically (certain bridge VLAN entries) if given criteria are met.

As for a general step-by-step approach for configuring VLANs (for when you start experimenting with them outside of your working network), it would look something like this:

Add PVIDs to the access ports -> Add corresponding VLAN interfaces on top of the bridge -> Add addresses to the VLAN interfaces -> (Configure DHCP) -> Add bridge VLAN entries for trunk ports only -> Enable VLAN filtering on bridge -> Manage inter-VLAN traffic through firewall rules via VLAN interfaces

The point is a requirements analysis should be done first, along with a network diagram and then one should consider starting a config to meet the physical equipment on hand, and the traffic flow, what users need to be able to accomplish.

I would probably do the following: ether5 - WAN port / ether1 - off-bridge management port (here one has to physically plug your PC/laptop in, change the IPv4 settings to a specific LAN IP like 192.168.77.2 and log in to the router via winbox with username and password).

For the other ports, they can simply be on the bridge, with a different subnet and no need for vlans.
The need for vlans is if you have guest users, or want to plug in non-secure IOT devices etc., which you don't want to be able to access anyone's computers, etc.

However, I would only proceed if step 1 is articulated sufficiently, and right now you are in the rabbit hole of trying to config and explain your needs in terms of the configuration vice ignoring config and ONLY discussing what tasks from user and ADMIN perspective need to be accomplished.

Every vLAN requires its own IP subnet and [unless you go static] therefore its own dhcp pool and server. This should be set up as a network under [IP -> DHCP Server -> Networks]. You also need an address on your router for the vLAN [IP -> Addresses]. If you do all this successfully, the routing you need should set itself up dynamically and appear in [IP -> Routes]

Ether3 in your set up needs to have the PVID for the vLAN. Done like this, everything will speak to everything, which is not what you want. You then staunch off the connections you don't want with the firewall

Thanks for the reply. I forgot to add in the main post my VLAN interfaces (sorry!). They have since been added. I tried adding a vLAN IP subnet 10.10.10.0/24 for my "management" vLAN and assigned DHCP servers in the tab. For the PVID, my management VLAN ID is 10 so I've set ether3 to have PVID 10.

When I switch on filtering on the bridge, my laptop is still cut off from the internet sadly. Have you got any idea where I'm going wrong?

Where you are goin

I would say here that you are trying to run before you can walk [to be a bit blunt]. I took a long time to do vLANs, my first one was contained entirely within a router to connect 2GHz and 5GHz wireless interfaces for a Guest network. I have done a lot more since and have 4 active vLANs after a year or so, but I have not found it necessary to do a management vLAN.

For your situation, I suggest that you vLAN ether3 as you have done and use that as the normal operating interface, ie on subnet 10.10.10.0/24 which should also allow you to ssh in from another port of your choice provided you configure a route and poke the required hole in the firewall. This requires you to become specific now about where you ssh from and should also meet your requirement that vLAN 10 is not generally accessible.

It would be interesting to see your output for /ip/route/print

I see also that you have given us the output for /ip/firewall/nat/print - have you changed anything here? I have never had to touch nat rules despite having 3 vLANs and the native LAN able to access the internet.

Yeah...definitely hear you on this one. No offence taken though, I can only thank you for having the patience to help.

Anyway, here is my ip route print

[admin@hEX] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
    DST-ADDRESS      GATEWAY        ROUTING-TABLE  DISTANCE
DAd 0.0.0.0/0        192.168.1.254  main                  1
DAc 10.10.10.0/24    management     main                  0
DAc 192.168.1.0/24   ether1         main                  0
DAc 192.168.88.0/24  bridge         main                  0

As for ip firewall nat print, I did add rule 1. I saw it on another post here that I can't remember however, some other people here have already pointed out that it's redundant so I'll probably remove it.

JFYI, generally it is advised to post the full configuration, as opposed to snippets or print output (unless explicitly asked for).
Also, please do not refer to "I removed the second line of firewall" or similar, just post your current configuration; people that can give you good advice can parse it easily and this way they have a complete view of your configuration.

Alright my bad.

When you say post the full configuration, this means the file that I get when I do export hide-sensitive file=x right?

Hmm. Mine looks like this [abridged] all set up dynamically

[sysman@R1-Velingrad] > ip/route/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#     DST-ADDRESS        GATEWAY       ROUTING-TABLE  DISTANCE
0  ...
  DAv 0.0.0.0/0          WAN.pppoe     main                  1
  DAc 10.40.44.0/24      Local.Bridge  main                  0  
  DAc 192.168.30.0/24    EMN.vlan      main                  0
  ...
  DAc <public IP>/32     WAN.pppoe     main                  0

Yours seems to have ether 1 as a route to an RFC1918 address, which does not look right for a public IP address internet connection.

Actually, I go cross eyed and don't usually engage with full configs. I am much more able to engage with snippets, just that we have to request other snippets.

My hEX S is connected to my ISP router which doesn't have a bridge mode unfortunately.

A thought here. Have you tried pinging by IP address onto the internet from your laptop? Sometimes things work by IP address and unconfigured DNS can be the problem.

This:

Everyone has his/her own ways to deal with configurations :slightly_smiling_face:, but using ONLY snippets is "wrong" as it prevents from having a holistic approach.

And that is a violation of Rule #12 :wink::
The twelve Rules of Mikrotik Club

Sometimes, particularly with complex dynamic assignments, besides the COMPLETE configuration, the output of:
/ip address print
and
/ip route print
is needed, but the pre-requisite remains the whole configuration.

I feel free to ignore those rules. There is no right and wrong here.

Ok so I've gone through this and I think I'm really close now.

I've enabled VLAN-filtering. When I plug my laptop into ether3, i.e. the port that I want the VLAN on, I'm able to ping 10.10.10.1 and 8.8.8.8 successfully. However, I can't search things up on my browser. I think you are right with the DNS issues. I will try to look into this.

Could the firewall be the issue?

(Updated config file attached in case)

myconfig.rsc (6.7 KB)
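As an added example (not code from the thread, from MikroTik, or from any of the posters), the following Python parses the kind of `print` output quoted above and runs the checks that the step list given earlier in the thread implies: every access-port PVID against the bridge VLAN table, every VLAN interface against the address and DHCP-network tables, and finally whether the router's own input chain lets clients on that VLAN reach it for DNS. The sample input is a constructed, abridged copy of the output posted above. Two assumptions: the claim that RouterOS may add a dynamic bridge VLAN entry for a port's PVID is taken from the remark in the thread, and the script cannot see interface-list membership, so the DNS finding is reported as conditional on `management` not being in the LAN list. On the sample it reproduces the symptom in the last post: a ping by IP is forwarded, while a DNS query to 10.10.10.1 terminates on the router and meets the `drop all not coming from LAN` input rule.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed sample input: abridged copies of the 'print' output posted in the thread.
BRIDGE_PORTS = """\
0 IH ether2     bridge  yes  none     no       no          no  no  no  auto  auto     1
1  H ether3     bridge  yes  none     no       no          no  no  no  auto  auto    10
"""
BRIDGE_VLANS = """\
 0    bridge=bridge vlan-ids=10 tagged=bridge untagged=ether3 mvrp-forbidden="" current-tagged=""
      current-untagged=""
"""
VLAN_IFACES = ' 0 R  name="management" mtu=1500 vlan-id=10 interface=bridge use-service-tag=no\n'
ADDRESSES = """\
0   192.168.88.1/24  192.168.88.0  bridge      main
1 D 192.168.1.80/24  192.168.1.0   ether1      main
2   10.10.10.1/24    10.10.10.0    management  main
"""
DHCP_NETWORKS = "0 10.10.10.0/24    10.10.10.1    10.10.10.1\n1 192.168.88.0/24  192.168.88.1  192.168.88.1\n"
FILTER = """\
 1    chain=input action=accept connection-state=established,related,untracked
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
"""
NAT = """\
 0    chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1    chain=srcnat action=masquerade out-interface=management
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')   # key=value or key="quoted value"


def records(text):
    """'print detail' output -> list of dicts: an indexed line opens a record, indented lines continue it."""
    out = []
    for line in text.splitlines():
        if re.match(r'\s*\d+\s', line):
            out.append({})
        if out:   # ';;;' comments are dropped before extracting key=value pairs
            out[-1].update((k, v.strip('"')) for k, v in KV.findall(re.sub(r';;;.*', '', line)))
    return out


def rows(text):
    return [l.split() for l in text.splitlines() if l.strip()]   # column-style print output


def bridge_ports(text):
    """'/interface/bridge/port print' -> {port: pvid}; the flag column may be absent."""
    return {next(t for t in r[1:] if not t.isupper()): int(r[-1]) for r in rows(text)}


def addresses(text):
    """'/ip/address print' -> [(IPv4Interface, interface)]; interface sits 2 columns after the address."""
    pairs = [(r, next(t for t in r if '/' in t)) for r in rows(text)]
    return [(ip_interface(a), r[r.index(a) + 2]) for r, a in pairs]


def dhcp_networks(text):
    """'/ip/dhcp-server/network print' -> [(IPv4Network, gateway, dns)]."""
    return [(ip_network(r[1]), r[2], r[3]) for r in rows(text)]


def dns_fate(iface, rules):
    """First input rule that can decide a *new* DNS query arriving on `iface`;
    established-only, ICMP-only and other-interface rules are skipped."""
    for r in rules:
        if r.get('chain') != 'input' or r.get('protocol') not in (None, 'udp', 'tcp'):
            continue
        if 'new' in r.get('connection-state', 'new').split(',') and r.get('in-interface', iface) == iface:
            return r['action'], r
    return 'none', None


def check(ports, bvlans, vifaces, addrs, dhcp, filt, nat):
    """Return [(code, message)] findings, following the step order given in the thread."""
    f, by_pvid = [], {}
    for port, pvid in ports.items():
        by_pvid.setdefault(pvid, []).append(port)
    for pvid, members in sorted(by_pvid.items()):      # access-port PVIDs vs the bridge VLAN table
        entry = next((v for v in bvlans if str(pvid) in v['vlan-ids'].split(',')), None)
        if entry is None:   # assumption from the thread: RouterOS may add a dynamic entry for a PVID
            f.append(('NO_BRIDGE_VLAN', f'VLAN {pvid} ({", ".join(members)}): no explicit bridge VLAN entry; confirm a dynamic one exists'))
    for vi in vifaces:                                 # VLAN interface -> address -> DHCP -> DNS reachability
        name = vi['name']
        addr = next((a for a, ifn in addrs if ifn == name), None)
        net = None if addr is None else next((n for n in dhcp if n[0] == addr.network), None)
        if net is None:
            f.append(('NO_ADDRESS_OR_DHCP', f'{name}: needs an address on it and a DHCP network for that subnet'))
        elif net[2] == str(addr.ip) and dns_fate(name, filt)[0] == 'drop':
            f.append(('DNS_INPUT_DROP', f'{name}: clients use the router ({net[2]}) for DNS, but the input chain drops new queries unless the interface is in the LAN list: ping by IP works, name lookups fail'))
    for r in nat:                                      # masquerade belongs on the WAN side only
        if r.get('action') == 'masquerade' and r.get('out-interface') in {v['name'] for v in vifaces}:
            f.append(('LAN_MASQUERADE', f'masquerade towards {r["out-interface"]}: redundant and hides LAN-side source addresses'))
    return f


def run():
    return check(bridge_ports(BRIDGE_PORTS), records(BRIDGE_VLANS), records(VLAN_IFACES),
                 addresses(ADDRESSES), dhcp_networks(DHCP_NETWORKS), records(FILTER), records(NAT))
```

To use it on your own router, paste the corresponding `print` output into the constants and call `run()`; the parsers only understand the column layouts shown in this thread. The `DNS_INPUT_DROP` finding is the one to confirm by hand with `/interface/list/member print`: if the VLAN interface is already a LAN member the drop rule does not apply and the DNS problem lies elsewhere, otherwise adding it to the list (or an explicit input accept for the VLAN's DNS traffic placed before the drop) is the fix the firewall print suggests.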