VLAN access to Internet

My office just purchased and installed a MikroTik RB2011UAS router, and so far it has been great. I’m absolutely new to MikroTik, but I’ve been working with other systems such as the UBNT routers and even Linksys routers with DD-WRT firmware on them for a while. It’s also worth mentioning that I’m not terribly comfortable with the MikroTik CLI just yet, and I’ve been using the Webfig to make all of the changes, so please make any recommendations with that in mind.

In our office we currently have all of our machines set up on one subnet. Previously we were using a DD-WRT setup and had 3 different VLANs set up: one for internal machines, one for lab machines where we repair client computers, and one for our public free wireless access, which is currently disabled until I figure out how to separate the VLANs properly with the new MikroTik.

The problem I’m having right now is getting the VLANs to access the Internet. I’ve been successful in getting the VLAN configuration set up so that it separates the internal computers from the lab computers. We also have a server that we use for deployment purposes as the domain controller, DHCP and DNS servers on our lab network, and it’s assigning addresses to clients properly. I just can’t access the Internet from any of the lab machines. I suspect it’s something simple like a firewall setting which is blocking all traffic OUT of ether3 (which is the VLAN interface) and IN to any other port, but I can’t say for certain. I tried to add a filter rule in the Firewall section that would allow traffic to travel between ether1 (gateway) and ether3 (VLAN) but it didn’t work, and I’m not entirely sure I did it properly.

Any help or advice that you guys might have would be much appreciated. I look forward to learning more about the MikroTik system and diving into some of the more advanced features.

Upload the config - output from /export compact (block anything sensitive) and it will be easier to find the problem.

I reverted the VLAN changes that I added yesterday just to get back to the baseline setup so I could export the config file for safekeeping. I just re-added the VLAN setup and exported the information you asked for.

Here's the export you requested:
[admin@MikroTik] > /export compact

jan/04/1970 04:22:19 by RouterOS 5.23

software id = 222K-1NIS

/interface bridge
add admin-mac=D4:CA:6D:96:BF:50 auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
add name="Lab VLAN Bridge" protocol-mode=rstp
/interface ethernet
set 0 name=sfp1-gateway
set 1 name=ether1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 master-port=ether6-master-local name=ether10-slave-local
/interface vlan
add interface=ether3 l2mtu=1594 name="Lab VLAN" vlan-id=1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.3.100-192.168.3.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge="Lab VLAN Bridge" interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge="Lab VLAN Bridge" interface="Lab VLAN"
/ip address
add address=192.168.3.1/24 comment="default configuration" interface=bridge-local
add address=192.168.4.1/24 interface="Lab VLAN Bridge"
/ip dhcp-client
add comment="default configuration" disabled=no interface=sfp1-gateway
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.3.0/24 comment="default configuration" dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
/ip neighbor discovery
set sfp1-gateway disabled=yes
set ether1-gateway disabled=yes
set "Lab VLAN" disabled=yes
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
[admin@MikroTik] >

Can you confirm that the lab machines are expected to present with tagged traffic - tagged VLAN1 on Ether3? How does the connection to Ether2 relate to the connection on Ether3?

You have a bridge bridging the VLAN interface with Ether3 - not sure on the purpose. The VLAN interface should be attached to Ether3 and the IP address should be assigned to the VLAN interface since, as far as I can see, there is nothing else you need to bridge that VLAN to. Unless you have a specific purpose with the bridge try removing that and moving the IP. Then comment on Ether2/3 and try pinging a “lab machine” IP from the router.

I’m honestly not sure what you mean by this.

ether2 is connected to our internal switch, where all of our office machines, SIP phones, printers, etc. are connected. ether3 is connected to a switch which runs to each of our cable lines for the workbench where we repair client computers. Eventually we’ll have ether4 configured to connect directly to our UniFi AP, which will have 3 SSIDs (one for internal, one for lab, and one for public access) but that’ll be a whole separate beast. Right now I’m just concerned with getting the lab isolated.

I had the bridge there because I noticed in the “ports” tab for Bridges that ether3 was assigned to bridge-local, so I created a bridge for Lab VLAN, connected Lab VLAN to the bridge, and then set ether3 to the Lab VLAN Bridge. If I don’t need it to make things work properly then that’s great because it just removes one more step from my setup process :stuck_out_tongue:

I removed the bridge and set ether3 back to bridge-local as it was by default. Then I adjusted the IP address to be assigned to Lab VLAN instead of the bridge. I also configured a temp DHCP server to assign IP addresses from the router while I’m testing the setup since we have disabled DHCP on our lab server until we get the VLAN configured properly.

When I connected a client to ether3 it assigned a 192.168.3.* IP address instead of 4.* like it should. I expect this is because ether3 is still assigned to bridge-local, and our internal DHCP server is connected to ether2 (which is connected to ether3 via bridge-local) so it just thought that ether3 was a part of the same network and assigned the client an IP address to match.

When I removed ether3 from bridge-local on the ports page and tried /release and /renew I got nothing. Never assigned an IP address. So at this point I’m not sure what needs to be done.

Here is the new export:

jan/04/1970 07:29:37 by RouterOS 5.23

software id = 222K-1NIS

/interface bridge
add admin-mac=D4:CA:6D:96:BF:50 auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface ethernet
set 0 name=sfp1-gateway
set 1 name=ether1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 master-port=ether6-master-local name=ether10-slave-local
/interface vlan
add interface=ether3 l2mtu=1594 name="Lab VLAN" vlan-id=1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.3.100-192.168.3.199
add name="Lab VLAN Pool" ranges=192.168.4.100-192.168.4.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool="Lab VLAN Pool" disabled=no interface="Lab VLAN" name="Lab VLAN DHCP"
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=ether3
/ip address
add address=192.168.3.1/24 comment="default configuration" interface=bridge-local
add address=192.168.4.1/24 interface="Lab VLAN"
/ip dhcp-client
add comment="default configuration" disabled=no interface=sfp1-gateway
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.3.0/24 comment="default configuration" dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=**** protocol=tcp to-addresses=InternalIP to-ports=****
/ip neighbor discovery
set sfp1-gateway disabled=yes
set ether1-gateway disabled=yes
set "Lab VLAN" disabled=yes
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
[admin@MikroTik] >

If you can make a simple diagram of what is connected to each port it would help to interpret the config.

I apologize for the late reply. We’ve been pretty busy lately.

Here’s the network diagram you asked for. This diagram is how we WANT everything to be configured when it’s all said and done with.

Presently we have the wireless AP disabled and the lab and internal networks are both receiving IP addresses from our internal DHCP server since the lab DHCP has been disabled.

Our end goal is to have a setup like this:

ether1: gateway - accessible by all networks.
ether2: Internal network
ether3: Lab Network (VLAN, isolated)
ether4: Wireless AP - separated into 3 SSIDs - no crosstalk - Public SSID isolated

I see that you have a VLAN interface on Ether 3 (VLAN 1) - that will pick any traffic tagged “VLAN 1” on Ether 3 - but what in the lab is actually tagging traffic to that VLAN?

If the router isn’t doing it, then nothing is. Like I said, this is my first MikroTik router setup so I’m not terribly great with the configuration. The DD-WRT VLANs were setup by a co-worker of mine, and based on what he was telling me it wasn’t nearly as complicated of a setup as the MikroTik VLANs are.

The router will tag the VLAN traffic as it leaves the router via the VLAN interface/Ether 3 - but that VLAN interface will only see traffic coming into Ether 3 which is tagged to VLAN 1, so unless the switch or those virtual machines are originating tagged traffic for VLAN 1 the VLAN interface on the router will not see it.

When you add a VLAN interface to an Ether port on RouterOS think of it this way:

The VLAN interface tags its traffic with the VLAN ID set on the VLAN interface and will only receive traffic from devices attached to Ether 3 which are likewise tagging their traffic with the same VLAN ID.

Ok, so then maybe I’m not going about this the proper way.

Basically I just want to isolate the lab network so that ONLY machines assigned to the lab network (192.168.4.0 network) can communicate. I don’t want the lab machines to have ANY access to machines or hardware on the internal network (192.168.3.0 network).

Also, I need to configure a public wifi network (192.168.5.0) that only has access to the internet and nothing else.

What is the proper method to accomplish this with my MikroTik?

Bump. Anyone?

The router will route all connected networks by default. You use filters in the forward chain to control what traffic is forwarded. If the unit is acting as any kind of firewall you would typically have a “drop all” rule at the end of the forward chain then add specific “accept” rules above it to allow various types of traffic.

At the moment your router has no forward chain filters at all so you need to start there.

Also for general securing of your router check here:

http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
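As an added worked example (not posted by anyone in this thread and not a MikroTik reference configuration), the script below puts together the two points made above: the tagging explanation (a VLAN interface on a port only sees frames that arrive tagged, so an untagged lab switch needs the address on the port itself, while an AP that tags its SSIDs does warrant a VLAN interface) and the forward-chain advice (explicit accepts, then a drop-all). It assumes ether1-gateway is the WAN uplink, the lab switch on ether3 sends untagged frames, the AP on ether4 tags its public SSID with VLAN ID 50 (a placeholder chosen here, not from the thread), and the subnets are the ones named in the thread (192.168.3.0/24 internal on bridge-local, 192.168.4.0/24 lab, 192.168.5.0/24 public). The rule names and comments are mine.

```routeros
# Added example, not from the thread. Assumptions: ether1-gateway = WAN,
# ether3 = untagged lab switch, ether4 = AP tagging public SSID as VLAN 50
# (placeholder ID), bridge-local = internal 192.168.3.0/24.

# 1. ether3 becomes a routed port of its own (no longer a bridge-local slave).
/interface bridge port
remove [ find interface=ether3 ]

# 2. Lab subnet directly on ether3: untagged frames, so no VLAN interface.
/ip address
add address=192.168.4.1/24 interface=ether3 comment="lab (untagged)"

# 3. Public SSID arrives tagged from the AP, so here a VLAN interface is right.
/interface vlan
add interface=ether4 vlan-id=50 name="Public VLAN"
/ip address
add address=192.168.5.1/24 interface="Public VLAN" comment="public wifi (tagged)"

# 4. DHCP from the router for lab (until the lab DC takes over) and public.
/ip pool
add name=lab-pool ranges=192.168.4.100-192.168.4.199
add name=public-pool ranges=192.168.5.100-192.168.5.199
/ip dhcp-server
add name=lab-dhcp interface=ether3 address-pool=lab-pool disabled=no
add name=public-dhcp interface="Public VLAN" address-pool=public-pool disabled=no
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1

# 5. Forward chain: replies first, then one accept per network towards the
#    WAN, then drop everything else. Lab and public can therefore reach the
#    Internet but not each other and not the internal network.
/ip firewall filter
add chain=forward connection-state=established action=accept comment="existing flows"
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-local out-interface=ether1-gateway action=accept comment="internal -> Internet"
add chain=forward in-interface=ether3 out-interface=ether1-gateway action=accept comment="lab -> Internet"
add chain=forward in-interface="Public VLAN" out-interface=ether1-gateway action=accept comment="public -> Internet"
add chain=forward action=drop comment="drop all other forwarded traffic"

# 6. Input chain: lab and public may use the router for DHCP and DNS only;
#    they cannot reach the router's management services. These rules are
#    appended after the default input rules already in the export.
add chain=input in-interface=ether3 protocol=udp dst-port=67 action=accept comment="lab DHCP"
add chain=input in-interface=ether3 protocol=udp dst-port=53 action=accept comment="lab DNS"
add chain=input in-interface=ether3 protocol=tcp dst-port=53 action=accept
add chain=input in-interface=ether3 action=drop comment="lab cannot manage the router"
add chain=input in-interface="Public VLAN" protocol=udp dst-port=67 action=accept comment="public DHCP"
add chain=input in-interface="Public VLAN" protocol=udp dst-port=53 action=accept comment="public DNS"
add chain=input in-interface="Public VLAN" protocol=tcp dst-port=53 action=accept
add chain=input in-interface="Public VLAN" action=drop comment="public cannot manage the router"

# 7. The export enables MAC-telnet/MAC-winbox on ether3; untrusted ports
#    should not offer layer-2 management access.
/tool mac-server
remove [ find interface=ether3 ]
/tool mac-server mac-winbox
remove [ find interface=ether3 ]
```

Rule order is what makes this work: RouterOS evaluates filter rules top to bottom within a chain, so the established/related accepts must sit above the per-network accepts, and the final drop must be last. Because internal machines are allowed only towards ether1-gateway here, the internal network cannot reach the lab either; if the office needs to manage lab machines, add a single accept from bridge-local to ether3 above the drop-all rather than loosening anything else. With ether3 removed from bridge-local, the earlier symptom in the thread (a lab client receiving a 192.168.3.x address from the internal DHCP server) also disappears, since ether3 is no longer in the same broadcast domain as ether2.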