Thanks everyone for this great topic! It helped me set up my own network where I have a combined router+switch in one with a trunk port to my VLAN-aware access point. I have two questions I hope you can help me with:
- In my situation, should I have an L2 or L3 switch? I.e. should bridge1 be tagged on all VLANs or not? Why?
- How do I know whether I use "hardware acceleration" or not? I'm a bit confused by the many webfig/terminal locations where "vlan" appears.
My setup is as follows:
- VLAN99 is management (172.16.99.0/24), VLAN20 for IoT (no WAN access, only access to server in VLAN99, 172.16.20.0/24), VLAN10 for guest use (only WAN access, 172.16.10.0/24)
- ether1 is used as trunk with VLAN 10 & 20 tagged and VLAN99 untagged for connection to my access point
- ether3 & ether4 are part of VLAN 10, all other ethers are part of VLAN99
- The access point broadcasts one SSID for each VLAN 10, 20, 99
- sfp1 is used for WAN and tagged with VLAN34 (dictated by ISP)
- I'm running an IPsec server (not shown here) serving clients on 172.16.30.0/24, hence some firewall rules filter on 172.16.0.0/16 to distinguish WAN and VPN traffic
My config:
```routeros
###############################################################################
# Topic:    Using RouterOS to VLAN your network
# Example:  Router-Switch-AP all in one device
# Web:      http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS: 6.43.12
# Date:     Mar 28, 2019
# Notes:    Start with a reset (/system reset-configuration)
# Thanks:   mkx, sindy
###############################################################################

#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="rb2011"

#######################################
# VLAN Overview
#######################################
# 10 = Guest
# 20 = IoT
# 99 = BASE (MGMT) VLAN

#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge1 protocol-mode=none vlan-filtering=no

#######################################
# -- Access Ports --
#######################################
# ingress behavior
/interface bridge port

# Purple Trunk to AP. PVID is only needed when combining tagged + untagged
# trunk (vs fully tagged), but does not hurt so enable.
add bridge=bridge1 interface=ether1 pvid=99

# Guest VLAN
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10

# IoT VLAN: no wired access ports, it is reached only through the AP trunk on ether1

# BASE_VLAN / Full access
add bridge=bridge1 interface=ether2 pvid=99
add bridge=bridge1 interface=ether5 pvid=99
add bridge=bridge1 interface=ether6 pvid=99
add bridge=bridge1 interface=ether7 pvid=99
add bridge=bridge1 interface=ether8 pvid=99
add bridge=bridge1 interface=ether9 pvid=99
add bridge=bridge1 interface=ether10 pvid=99

# Tim: WAN VLAN tagging is not set here because it's not part of bridge

# egress behavior
/interface bridge vlan

# Guest, IoT, & BASE VLAN + Purple uplink trunk (ether1)
# L3 switching so Bridge must be a tagged member
# In case of fully tagged trunk, set ether1 to tagged for vlan 99 as well (instead of untagged)
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=ether3,ether4
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1
add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether1,ether2,ether5,ether6,ether7,ether8,ether9,ether10

#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=bridge1 name=BASE_VLAN vlan-id=99
/ip address add address=172.16.99.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN.
# Upstream resolvers arrive from the WAN DHCP client (use-peer-dns=yes is its default).
# A static servers= entry must point at an external resolver, never at the router's own
# address (172.16.99.1), otherwise the resolver forwards every query back to itself.
/ip dns set allow-remote-requests=yes

# From http://forum.mikrotik.com/t/rb951g-2hnd-vlan-tag-on-wan-port/81791/1
# WAN is a tagged sub-interface on sfp1 (VLAN 34, dictated by ISP); sfp1 itself is not a bridge port
/interface vlan add interface=sfp1 name=WAN_VLAN vlan-id=34

# DHCP WAN client runs on the tagged WAN_VLAN sub-interface, not on the bare physical port
/ip dhcp-client
add disabled=no interface=WAN_VLAN

#######################################
# IP Services
#######################################
# Guest VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=GUEST_VLAN vlan-id=10
/ip address add interface=GUEST_VLAN address=172.16.10.1/24
/ip pool add name=GUEST_POOL ranges=172.16.10.100-172.16.10.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=172.16.10.0/24 dns-server=172.16.99.1 gateway=172.16.10.1

# IoT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=IoT_VLAN vlan-id=20
/ip address add interface=IoT_VLAN address=172.16.20.1/24
/ip pool add name=IoT_POOL ranges=172.16.20.100-172.16.20.254
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=172.16.20.0/24 dns-server=172.16.99.1 gateway=172.16.20.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=172.16.99.100-172.16.99.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=172.16.99.0/24 dns-server=172.16.99.1 gateway=172.16.99.1

#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
# Every list must exist before an interface is added to it (VLAN2BASE was missing).
/interface list add name=WAN
/interface list add name=VLAN2WAN
/interface list add name=VLAN2BASE
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=sfp1 list=WAN
add interface=WAN_VLAN list=WAN
add interface=BASE_VLAN list=VLAN2WAN
add interface=GUEST_VLAN list=VLAN2WAN
add interface=IoT_VLAN list=VLAN2BASE
add interface=BASE_VLAN list=BASE
add interface=BASE_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=IoT_VLAN list=VLAN

# VLAN aware firewall. Order is important.
##################
# INPUT CHAIN
##################
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface-list=BASE comment="Allow BASE VLAN router access"

# Allow IKEv2 VPN server on router
add chain=input action=accept comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add chain=input action=accept comment="defconf: accept ipsec AH" protocol=ipsec-ah
add chain=input action=accept comment="defconf: accept ipsec ESP" protocol=ipsec-esp

# Allow clients to do DNS, for both TCP and UDP (one rule per protocol, RouterOS matches a single protocol per rule)
add chain=input action=accept dst-port=53 src-address=172.16.0.0/16 protocol=tcp comment="Allow all LAN and VPN clients to access DNS"
add chain=input action=accept dst-port=53 src-address=172.16.0.0/16 protocol=udp comment="Allow all LAN and VPN clients to access DNS"

# Everything else addressed to the router itself, including all of WAN, is dropped
add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow selected VLANs to access the Internet
add chain=forward action=accept connection-state=new in-interface-list=VLAN2WAN out-interface-list=WAN comment="VLAN Internet Access only"

# Allow IoT_VLAN to access the server in BASE_VLAN, but no WAN.
add chain=forward action=accept connection-state=new in-interface=IoT_VLAN out-interface=BASE_VLAN dst-address=172.16.99.2 comment="Allow IoT_VLAN -> server in BASE_VLAN"
add chain=forward action=accept connection-state=new in-interface=BASE_VLAN out-interface=IoT_VLAN comment="Allow all of BASE_VLAN -> IoT_VLAN"

# Allow IPsec traffic from 172.16.30.0/24
add chain=forward action=accept comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec src-address=172.16.30.0/24
add chain=forward action=accept comment="DEFAULT: Accept Out IPsec policy." disabled=yes ipsec-policy=out,ipsec

# Anything not explicitly allowed above (Guest -> IoT/BASE, IoT -> WAN, WAN -> LAN) is dropped
add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

# Hairpin NAT so LAN/VPN clients can reach the server in BASE_VLAN through its public-facing rules
# (https://www.steveocee.co.uk/mikrotik/hairpin-nat/)
add chain=srcnat action=masquerade comment="Hairpin NAT" dst-address=172.16.99.2 out-interface=BASE_VLAN src-address=172.16.0.0/16

##################
# Disable unused service ports (the connection-tracking helpers / ALGs)
##################
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set sctp disabled=yes

#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set [find interface=ether2] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether3] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether5] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether6] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether7] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether8] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether9] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether10] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# For tagged + untagged trunk (management VLAN being untagged), we allow both types of frames
set [find interface=ether1] ingress-filtering=yes frame-types=admit-all

# WAN port: sfp1 is not a bridge port, so a bridge-port frame-types rule cannot apply to it
# ([find interface=sfp1] matches nothing). Only VLAN 34 is terminated, via WAN_VLAN; untagged
# frames on sfp1 reach the bare sfp1 interface, which has no IP address.

#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge1 vlan-filtering=yes
```
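Verification commands for the two questions above, added here as an example and not part of the original post. They use only standard RouterOS 6.4x console commands and print what the bridge actually applies; the expectations in the comments (the H flag, the column names, the RB2011 switch chips not offloading bridge VLAN filtering on 6.x) are the editor's, not the poster's.

```routeros
# Added example: read-only checks to run on the RB2011 after vlan-filtering=yes.

# 1) Hardware offload. Flags legend of this print: H = hw-offload.
#    On RouterOS 6.x, bridge VLAN filtering is offloaded only on CRS3xx switch
#    chips. On an RB2011 the H flag disappears from every port the moment
#    vlan-filtering=yes is set, and all bridging and VLAN work moves to the CPU.
/interface bridge port print where bridge=bridge1

# 2) The effective VLAN table. CURRENT-TAGGED / CURRENT-UNTAGGED are what the
#    bridge really enforces. bridge1 must be listed under tagged for 10, 20 and
#    99: that is the "L3" part. Without it the matching /interface vlan
#    (GUEST_VLAN, IoT_VLAN, BASE_VLAN) never sees a frame, so the router can
#    neither route nor firewall that VLAN and DHCP for it stops working.
/interface bridge vlan print where bridge=bridge1

# 3) Learned hosts with their VID. A device plugged into ether3/ether4 must
#    show up with VID 10 only; a MAC learned on ether1 with VID 99 is the AP.
/interface bridge host print where bridge=bridge1

# 4) The other places where "vlan" appears are the old switch-chip method.
#    With bridge VLAN filtering in use these must stay at their defaults
#    (no entries, vlan-mode=disabled), otherwise two VLAN mechanisms fight.
/interface ethernet switch vlan print
/interface ethernet switch port print

# 5) The router's own VLAN sub-interfaces and addresses (the routed side).
/interface vlan print
/ip address print

# 6) Resolver check: dynamic-servers must show the ISP's resolvers from the
#    WAN_VLAN DHCP client; a static entry equal to 172.16.99.1 is a loop.
/ip dns print
```

If step 1 shows no H flag on any port, VLAN filtering is being done in software, which is expected on this hardware under 6.x and is the direct answer to the "hardware acceleration" question. If step 2 shows bridge1 missing from CURRENT-TAGGED for a VLAN, that VLAN is switched at L2 only and the corresponding DHCP server and firewall rules are dead.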