The VLAN Blues

I’m relatively new to MikroTik and really to this level of networking. It’s crazy fun though, which I guess is a bit odd. I kind of jumped in the deep end by buying an R720, a bunch of network gear and setting it all up.

I’m in the process of learning to secure it all and I’ve set up VLANs to help get it done. However, I think I’ve tangled myself up a bit and I could use a slight nudge in the right direction.

My network setup is below. Here are my questions.

  1. Am I supposed to have to create firewall rules to prevent the VLANs from having access to each other?
  2. How do I make everything coming in from a port automatically part of a specific VLAN?
  3. Is there a better way?

Internet Modem ↔ RB3011
RB3011 Port 1 → Internet Modem
RB3011 Port 2 → Linksys Router in AP mode
RB3011 Port 5 → HP ProCurve 2910al 24
RB3011 Port 10 → cAP Lite

I have some of the VLANs setup and working but things seem wonky. I’ll try to go through how everything is setup the best I can.

cAP Setup
I have two wireless networks.
  WLAN1 - no tag, VLAN ID 20 ← The real interface in AP Bridge mode
  WLAN2 - use tag, VLAN ID 10 ← The virtual interface in AP Bridge mode
  VLAN10 W2 - VLAN ID 10, Service Tag is unchecked ← This is interfaced to WLAN2

ether 1
  VLAN10 E1 - VLAN ID 10, Service Tag is unchecked ← This is interfaced to ether 1
  VLAN20 E1 - VLAN ID 20, Service Tag is unchecked ← This is interfaced to ether 2

VBRIDGE 10 - VLAN Filtering not set – IP Address set in DHCP Client as 10.1.10.3
  VLAN10 E1
  VLAN10 WL3
VBRIDGE 20 - VLAN Filtering not set – IP Address set in DHCP Client as 10.1.20.3
  VLAN 20 E1
  wlan1

RB3011 Setup
ether 1 connected to internet router – IP Address set in DHCP Client as my public IP
ether 2 physically connected to Linksys router in AP mode – No IP address for ether 2
  VLAN20 ET2 - VLAN ID 20, use service tag unchecked
  VLAN30 ET2 - VLAN ID 30, use service tag unchecked
  VLAN40 ET2 - VLAN ID 40, use service tag unchecked
ether 5 physically connected to HP switch – No IP address for ether 5
  VLAN30 ET5 - VLAN ID 30, use service tag unchecked
  VLAN40 ET5 - VLAN ID 40, use service tag unchecked
ether 10 physically connected to cAP Lite – No IP address for ether 10
  VLAN10 ET10 - VLAN ID 10, use service tag unchecked
  VLAN20 ET10 - VLAN ID 20, use service tag unchecked

Bridge 0 – VLAN Filtering unchecked, no IP assigned
  ether 2 – PVID 1, admit all
  ether 5 – PVID 1, admit all
  ether 10 – PVID 1, admit all
VBridge 10 – VLAN Filtering unchecked, no IP assigned
  VLAN10 ET10 – PVID 1, admit all
VBridge 20 – VLAN Filtering unchecked, no IP assigned
  VLAN20 ET2 – PVID 1, admit all
  VLAN20 ET10 – PVID 1, admit all
VBridge 30 – VLAN Filtering unchecked, no IP assigned
  VLAN30 ET2 – PVID 1, admit all
  VLAN30 ET5 – PVID 1, admit all
VBridge 40 – VLAN Filtering unchecked, no IP assigned
  VLAN40 ET2 – PVID 1, admit all
  VLAN40 ET5 – PVID 1, admit all

DHCP 10 - Pool 10.1.10.0/24 Gateway 10.1.10.1
DHCP 30 - Pool 10.1.20.0/24 Gateway 10.1.20.1
DHCP 40 - Pool 10.1.30.0/24 Gateway 10.1.30.1
DHCP 50 - Pool 10.1.40.0/24 Gateway 10.1.40.1

I stumbled on this post.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Honestly, I read it before I had a user login. Now that I have a login I can see the files attached. They will likely answer my questions. I’m going to give that post a whack and then come back again if I get lost.

One bridge,
Assign all vlans to bridge.
Define all vlans

Add /interface bridge ports (according to whether they are access, trunk or, rarely, hybrid ports).
Hint: dumb devices are on access ports, and those require the PVID setting on the bridge ports.
Add /interface bridge vlans to match.

Note: Do not assign any data vlans to the bridge. If you want one, don’t do it; just assign another vlan and send it where it needs to go.
For the caplite use this.
https://forum.mikrotik.com/viewtopic.php?t=182276

But first consider this for actually configuring it… (or any mikrotik device)!!!
https://forum.mikrotik.com/viewtopic.php?t=181718

and when doing firewall rules…consider
https://forum.mikrotik.com/viewtopic.php?t=180838

Thanks. I’ve used a lot of your posts to setup the firewall before I tried doing VLANs.

I think I have everything working but, it doesn’t feel like it’s working the way it should. Maybe, because it still seems like magic.

So here are my questions.

A trunk port moves tagged packets between devices. It does not tag anything. So any device connected to it would have to tag its packets in order for them to move through the trunk. This means that the port has to be marked as tagged for anything moving through that port.

An access port connects devices that don’t know what a VLAN is, and so it has to tag packets as they pass through. These would require the PVID to be set.

A hybrid is a mix of both. Any dumb devices would get set by the port; any devices that tag packets on their own would move through just fine. This would require the PVID to be set to the VLAN for the dumb devices and the port marked tagged for all of the VLANs going through that port to devices that can understand VLANs.

Is that correct so far?

So if I was connecting all network devices (switch, router, AP) on a management VLAN, I would need to mark the connected ports with the PVID. Additionally, I would need to tag the ports for any VLAN going that direction.

For example, Port 10 is connected to the AP. The AP has three SSIDs creating 3 VLANs (10, 20, 30). The management VLAN is 60. To make this work I need to add Port 10 to the bridge and set the PVID to 60. I also need to tag port 10 for VLANs 10, 20, 30.

Is that correct?

I think I’m getting it a bit since I’m typing it out. The part that’s messing with me the most is the Ingress Filtering option, and the Frame types. I’m not understanding at all what those do.

The VLAN filtering on the Bridge is preventing any untagged packets from being on the bridge?
Why is the frame type “admit all”?
Finally, if I wanted to get rid of the default vlan could I set the PVID on the bridge to 60?
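As an added illustration (not from this thread and not RouterOS code), here is a small Python model of what a VLAN-filtering bridge does with pvid, frame-types and ingress-filtering, built around the Port 10 example above: ether10 trunks VLANs 10/20/30 to the AP with management VLAN 60 as the PVID. The ether5 trunk, an assumed access port ether3 in VLAN 20, and ingress filtering being switched on are my assumptions.

```python
# Constructed model of 802.1Q bridge VLAN filtering using RouterOS's knob names
# (pvid, frame-types, ingress-filtering, tagged/untagged members). Not RouterOS code.
from dataclasses import dataclass

@dataclass
class Port:
    pvid: int                          # VLAN assigned to untagged ingress frames
    frame_types: str = "admit-all"     # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged
    ingress_filtering: bool = False    # drop frames whose VLAN this port is not a member of

class Bridge:
    def __init__(self, ports, tagged, untagged):
        self.ports = ports        # name -> Port
        self.tagged = tagged      # vid -> set of ports that send this VLAN with an 802.1Q tag
        self.untagged = untagged  # vid -> set of ports that send this VLAN untagged

    def untagged_members(self, vid):
        # RouterOS adds each port's pvid as a dynamic untagged membership of that VLAN.
        return self.untagged.get(vid, set()) | {n for n, p in self.ports.items() if p.pvid == vid}

    def classify(self, port, vid):
        """Ingress: return the VLAN the frame is assigned to, or None if the port drops it."""
        p = self.ports[port]
        if vid is None:                                   # untagged frame
            if p.frame_types == "admit-only-vlan-tagged":
                return None
            vid = p.pvid                                  # classified by PVID
        elif p.frame_types == "admit-only-untagged-and-priority-tagged":
            return None                                   # tagged frame on an untagged-only port
        members = self.tagged.get(vid, set()) | self.untagged_members(vid)
        if p.ingress_filtering and port not in members:
            return None                                   # port is not a member of that VLAN
        return vid

    def forward(self, in_port, vid):
        """Egress: map each other member port to the VID it transmits (None = untagged)."""
        v = self.classify(in_port, vid)
        if v is None:
            return {}
        out = {p: v for p in self.tagged.get(v, set()) if p != in_port}
        out.update({p: None for p in self.untagged_members(v) if p != in_port})
        return out

# Scenario from the thread: ether10 trunks 10/20/30 to the AP with mgmt VLAN 60 untagged (PVID);
# ether5 trunks to the switch; ether3 is an assumed access port in VLAN 20.
BR = Bridge(
    ports={"ether10": Port(60, ingress_filtering=True),
           "ether5": Port(60, ingress_filtering=True),
           "ether3": Port(20, "admit-only-untagged-and-priority-tagged", True)},
    tagged={10: {"ether10", "ether5"}, 20: {"ether10", "ether5"}, 30: {"ether10", "ether5"}},
    untagged={},
)
```

Run `BR.forward("ether10", None)` to see an untagged frame from the AP land in VLAN 60 and leave ether5 untagged, and `BR.forward("ether10", 40)` to see ingress filtering drop a VLAN the trunk is not a member of.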

Remember, keep the bridge out of it… it stays default, or you can change its name; the only thing needed is to set vlan-filtering to yes.
For the management vlan, it’s just like the other vlans coming across the trunk port to the capac, as is the ether port on the capac.

In fact the management vlan is the ONLY vlan you need to identify on the capac and its interface is the capac bridge.
The rest are just carried along like a switch.

IEEE 802.1Q tags are really only defined by the IEEE standard when they are on the wire. What an IEEE Bridge device does internally is not really defined by the standard, which only describes how it must behave when viewing the bridge as a black box.

The bridge/switch must classify every received frame into a specific vlan, and then the bridge will only forward that frame to other ports that are “members” of the vlan.

So I would describe it almost exactly the opposite of you, where an access port sends and receives only untagged traffic, and classifies the untagged traffic into the vlan specified by the PVID. And when a trunk port has specified tagged vlan, it will ensure that the frame being transmitted for that vlan will have an IEEE 802.1Q tag, whether it entered the switch with a tag (on a tagged port) or untagged (on an access port).

Here is the best source of generic vlan information that I am aware of.

Head over to Ed Harmoush’s Practical Networking site https://www.practicalnetworking.net . Ed has recently started a Networking Fundamentals course and he is putting the first module (with multiple videos) on YouTube. It’s a good intro with very few assumptions about previous knowledge, and even if you think you already know this stuff, if you watch it and give it your utmost attention, you will probably get a deeper understanding than you currently have.

Ed has some of the best explained info about vlans: “Virtual Local Area Networks (VLANs)”. See the challenge quiz if you think you understand vlans. Ed also has a video covering the same info: “VLANs – the simplest explanation”. There is also an index to the vlan pages on PracticalNetworking.

And here’s a good starting point for Networking topics in general (don’t be put off by the CCNA, this is pretty generic info that you need to know, explained in an easy to understand way): “CCNA Index”.