VLAN AP over Mikrotik to Mikrotik

Hi.
I need to use a separate subnet for IoT, but there are complications. Please help.
The architecture is as follows:
AP (192.168.254.X) <-> hap2ac (works only in bridge mode, all ports in one bridge, 192.168.254.Y) <-> hap3ax (192.168.254.Z, main router; the hap2ac is plugged into the ether3 port of the hap3ax).
The AP (W39AP-Pro) has VLAN 1100 set for the wifi network.
The final goal is that the devices that connect to the AP's wifi network get an IP from the subnet 192.168.154.0/24.
Settings:

  • vlan for wifi network vlan1100 is set on AP

  • on hap2ac a vlan interface on the ether5 port (where the AP is plugged in) is created.

  • ip 192.168.154.Y is assigned to vlan1100 interface on hap2ac

  • dhcp-relay is enabled on hap2ac which directs to 192.168.154.Z(hap3ax)

  • on hap3ax a vlan-iot-interface is created and bound to bridge-lan

  • on hap3ax vlan-iot-interface is assigned ip 192.168.154.Z

  • on hap3ax a dhcp server is enabled on vlan-iot-interface interface
Bottom line: ping through the VLAN works in both directions 192.168.154.Y-192.168.154.Z, and Torch sees the ICMP traffic, but when connecting to the wifi AP, devices cannot get an address.
What is missing? What is wrong?
Or is the configuration sequence wrong? But why does ping work then?

Post the exports of the configurations of both Mikrotiks - as usual, without public addresses, serial numbers, passwords etc.

I decided to simplify a little, because I never succeeded with the second Mikrotik.
I decided to try connecting the AP to the TL-SG108E, and that in turn to the ether3 port of the Mikrotik.
The AP is a simple HUAWEI home router in bridge mode, but with VLAN 1100.
As a result, devices that connect to the AP via wifi now get an IP.
So,
TL-SG108E settings:
[TL-SG108E screenshots: 3.png, 2.png, 1.png]
Mikrotik settings
-interfaces

/interface bridge
add arp=proxy-arp name=bridge-lan port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mtu=1560
set [ find default-name=ether2 ] arp=local-proxy-arp
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=\
    disabled .width=20/40mhz configuration.country=Russia .mode=ap .ssid=\
    /dev/null .tx-chains="" datapath.bridge=bridge-lan disabled=no mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk .disable-pmkid=yes .ft=\
    yes .ft-over-ds=yes .group-key-update=1h .management-protection=allowed
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5 keepalive-timeout=\
    disabled max-mtu=1500 name=vrn.tv user=ripab238
/interface wireguard
add comment=WB disabled=yes listen-port=13333 mtu=1420 name=WB
add disabled=yes listen-port=13256 mtu=1420 name=WireguardHome
add listen-port=13331 mtu=1420 name=wireguard-alpina
add comment="FineVPN interface" disabled=yes listen-port=51820 mtu=1420 name=\
    wireguard2
add listen-port=13232 mtu=1420 name=wireguard2ccc
add comment="WG Pro" listen-port=51828 mtu=1420 name=wireguard3
/interface vlan
add arp=proxy-arp interface=bridge-lan name=vlan-iot-interface vlan-id=1100
/interface list
add include=all name=WAN-LIST
add name=LAN-LIST
add name=BRIDGES
/interface wifi channel
add band=5ghz-ax disabled=no name=ch-5 skip-dfs-channels=10min-cac width=\
    20/40/80mhz
/interface wifi datapath
add bridge=bridge-lan disabled=no name=zero2brige
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=\
    wifisecprofile
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=\
    5220,5240,5260 .skip-dfs-channels=disabled .width=20/40/80mhz \
    configuration.antenna-gain=6 .country=Russia .mode=ap .ssid=/dev/zero \
    disabled=no name=wifi5 security=wifisecprofile
/interface bridge filter
add action=drop chain=output mac-protocol=ip out-interface=ether2 \
    packet-type=multicast
/interface bridge port
add bridge=bridge-lan interface=wifi5 point-to-point=no
add bridge=*18 interface=vlan-iot-interface
add bridge=bridge-lan interface=LAN-LIST internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether5,ether3 vlan-ids=1
/interface detect-internet
set lan-interface-list=LAN-LIST wan-interface-list=WAN-LIST
/interface list member
add interface=ether2 list=LAN-LIST
add interface=ether3 list=LAN-LIST
add interface=vrn.tv list=WAN-LIST
add interface=bridge-lan list=LAN-LIST
add interface=ether5 list=WAN-LIST
add interface=ether1 list=LAN-LIST
add interface=wireguard2 list=LAN-LIST
add interface=wireguard-alpina list=LAN-LIST
add interface=wireguard2ccc list=LAN-LIST
add interface=WB list=LAN-LIST
add interface=*F list=BRIDGES
add interface=bridge-lan list=BRIDGES

-bridges 
/interface bridge
add ageing-time=5m arp=proxy-arp arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto mvrp=no name=bridge-lan port-cost-mode=short \
    priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface bridge filter
add action=drop chain=output mac-protocol=ip out-interface=ether2 packet-type=multicast
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none ingress-filtering=yes interface=wifi5 !internal-path-cost learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=no priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=LAN-LIST internal-path-cost=10 learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant mvrp-registrar-state=normal path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface bridge vlan
add bridge=bridge-lan disabled=no mvrp-forbidden="" tagged=bridge-lan,ether5,ether3 untagged="" vlan-ids=1

/interface vlan
add arp=proxy-arp arp-timeout=auto disabled=no interface=bridge-lan loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-iot-interface use-service-tag=no vlan-id=1100

What else do you need?

The actual question is what else do you need, given that you wrote:

Do I understand properly that you have replaced the hAP ac² by the TL-GS108E in the setup just for test purposes, to see whether the configurations of the hAP ax³ and of the W39AP-Pro are correct, but that the intended setup is the original one that includes the hAP ac²?

Also, do I read it right that the single code block in your post holds the configurations from both Mikrotiks?

Not really.

  1. The fact is that while I am waiting for an answer, I want to figure it out on my own, so the configuration keeps changing.
  2. The target result that I would like to get is shown on the diagram for the post. I will explain.
    It is required that:
    a) all devices connected to the AP (port 7 of the TL-SG108E) receive an address from the subnet 192.168.154.0/24 and have access to the Internet.
    This already works, but I don’t understand how. Devices connected to this network have the right access and address, although it seems to me that the tag should be removed when passing through the TL-SG108E.
    b) devices that are connected to the TL-SG108E on ports 5-8 (TV1 for example, TV2 potentially) also fall into the same VLAN as the AP devices, and also have access to the Internet - this does not work now. Devices receive an address from the desired subnet, but do not see either their own gateway or the client subnet 192.168.254.0/24 (for example, the DHCP settings specify the gateway 192.168.154.1, but after receiving the address a ping does not reach it. It looks like the subnet is not set correctly, or the firewall blocks it; however, I disabled ALL the deny rules, and it did not help).
    c) there are no problems with the client subnet (192.168.254.0/24)
    e) the TL-SG108E has IP 192.168.154.2
    I am publishing the current version of the hAP ax³ and TL-SG108E configuration; I will not make changes while waiting for your advice.
/interface ethernet
set [ find default-name=ether1 ] mtu=1560
set [ find default-name=ether2 ] arp=local-proxy-arp
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=\
    disabled .width=20/40mhz configuration.country=Russia .mode=ap .ssid=\
    /dev/null .tx-chains="" datapath.bridge=bridge-lan disabled=no mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk .disable-pmkid=yes .ft=\
    yes .ft-over-ds=yes .group-key-update=1h .management-protection=allowed
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5 keepalive-timeout=\
    disabled max-mtu=1500 name=vrn.tv user=ripab238
/interface vlan
add arp=proxy-arp interface=ether3 name=vlan-iot-interface vlan-id=1100
/interface list
add include=all name=WAN-LIST
add name=LAN-LIST
add name=BRIDGES
/interface wifi channel
add band=5ghz-ax disabled=no name=ch-5 skip-dfs-channels=10min-cac width=\
    20/40/80mhz
/interface wifi datapath
add bridge=bridge-lan disabled=no name=zero2brige
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=\
    wifisecprofile
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=\
    5220,5240,5260 .skip-dfs-channels=all .width=20/40/80mhz \
    configuration.antenna-gain=6 .chains="" .country=Russia .mode=ap .ssid=\
    /dev/zero .tx-chains="" .tx-power=16 disabled=no mtu=1500 name=wifi5 \
    security=wifisecprofile
/ip dhcp-server option
add code=42 name="NTP Server" value="'192.168.254.1'"
add code=119 name=Domain_Search_value value="'DUNE.ZONE'"
add code=15 name="Domain_Name value" value="'DUNE.ZONE'"
add code=66 name=pxe value="'192.168.254.5'"
add code=6 name=CloudFireDNS value="'1.1.1.1'"
add code=15 name=IOT_HOME_DOMAIN value="'DUNE-IOT.ZONE'"
/ip dhcp-server option sets
add name=iot options="CloudFireDNS,IOT_HOME_DOMAIN,NTP Server"
/ip pool
add name=dhcp_pool0 ranges=192.168.254.25-192.168.254.229
add name=dhcp2-pool ranges=192.168.154.0/24
add name=dhcp_pool3 ranges=192.168.154.3-192.168.154.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 comment="domain=dune.zone" interface=\
    bridge-lan lease-script=""
add add-arp=yes address-pool=dhcp_pool3 interface=vlan-iot-interface name=\
    dhcp-iot
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
set *0 change-tcp-mss=no
/queue simple
add dst=vrn.tv max-limit=400M/400M name=WAN-Limit queue=\
    pcq-upload-default/pcq-download-default target=""
/routing table
add fib name=tovpn
/interface bridge port
add bridge=bridge-lan interface=wifi5 point-to-point=no
add bridge=bridge-lan interface=ether2 pvid=1100
add bridge=bridge-lan interface=LAN-LIST internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN-LIST protocol=""
/interface bridge vlan
add bridge=bridge-lan tagged=ether3,bridge-lan vlan-ids=1100
/interface detect-internet
set lan-interface-list=LAN-LIST wan-interface-list=WAN-LIST
/interface list member
add interface=ether3 list=LAN-LIST
add interface=vrn.tv list=WAN-LIST
add interface=bridge-lan list=LAN-LIST
add interface=ether5 list=WAN-LIST
add interface=ether1 list=LAN-LIST
add interface=*F list=BRIDGES
add interface=bridge-lan list=BRIDGES
/ip address
add address=192.168.254.1/24 interface=bridge-lan network=192.168.254.0
add address=192.168.154.1/24 interface=vlan-iot-interface network=\
    192.168.154.0
/ip dhcp-client
add disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.154.0/24 dns-server=192.168.254.250 gateway=192.168.154.1
add address=192.168.254.0/24 dns-server=192.168.254.250 domain=DUNE.ZONE \
    gateway=192.168.254.1 ntp-server=192.168.254.1
/ip firewall filter
add action=log chain=input disabled=yes in-interface=vlan-iot-interface
add action=accept chain=input in-interface=vlan-iot-interface
add action=accept chain=input src-address=192.168.154.0/24
add action=accept chain=forward dst-address=45.90.28.0 log=yes protocol=tcp
add action=drop chain=input comment=Invalid-DROP connection-state=invalid \
    log-prefix=Invalid
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge-lan \
    log=yes log-prefix=LAN_!LAN src-address-list=!LOCAL_LAN
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=vrn.tv log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=vrn.tv \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=input comment="DNS BLOCK UDP" disabled=yes \
    dst-address-list=!DNS_SERVERS dst-port=53,853,5353 log=yes log-prefix=\
    "DNS BLOCK TCP" protocol=udp src-address-list=LOCAL_LAN
add action=drop chain=input comment="DNS BLOCK TCP" disabled=yes \
    dst-address-list=!DNS_SERVERS dst-port=53,853,5353 log=yes log-prefix=\
    "DNS BLOCK TCP" protocol=tcp src-address-list=LOCAL_LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes in-interface-list=\
    BRIDGES out-interface-list=WAN-LIST
add action=accept chain=forward dst-address-list=DNS_SERVERS dst-port=\
    53,5353,853 log-prefix=aero protocol=tcp src-address-list=LOCAL_LAN
add action=fasttrack-connection chain=forward comment=FASTTRACK_IOT_LAN \
    connection-mark=no-mark connection-state=established,related disabled=yes \
    hw-offload=yes in-interface-list=WAN-LIST log-prefix=FASTTRACK_IOT_LAN \
    out-interface=*F
add action=accept chain=input comment="allow wireguard" dst-port=13256 \
    protocol=udp
add action=accept chain=forward comment=ALLOW_LOCAL_LAN_TRAFFIC \
    dst-address-list=LOCAL_LAN log-prefix=ALLOW_LOCAL_LAN_TRAFFIC \
    src-address-list=LOCAL_LAN
add action=drop chain=output log-prefix=RST protocol=tcp tcp-flags=rst
add action=accept chain=input comment="Accept All DEBUG" disabled=yes \
    log-prefix="ALLOW ALL DEBUG"
add action=accept chain=forward comment="Accept All DEBUG" disabled=yes \
    log-prefix="ALLOW ALL DEBUG"
add action=accept chain=input dst-address=10.10.10.0/30 log-prefix=CCC!
add action=accept chain=input dst-address=192.168.154.0/24 log-prefix=\
    CC23232C!
add action=accept chain=input dst-address=10.100.100.0/24 log-prefix=CCC! \
    protocol=udp
add action=accept chain=input comment="DISABLE 14/02" in-interface=\
    wireguard-alpina log=yes log-prefix=alpina
add action=accept chain=input comment="DISABLE 14/02" in-interface=\
    wireguard2ccc log=yes log-prefix=alpina
add action=drop chain=input dst-port=53 in-interface-list=WAN-LIST log=yes \
    log-prefix=DROP_DNS_WEB protocol=udp src-address-list=!LOCAL_LAN
add action=reject chain=forward disabled=yes in-interface=bridge-lan log=yes \
    log-prefix=DROP_NOT_INCOMING_FROM_LAN reject-with=\
    icmp-network-unreachable src-address-list=!LAN+WIFI
add action=accept chain=input connection-state=established,related,untracked \
    in-interface-list=WAN-LIST
add action=accept chain=forward comment=\
    "1.1. Forward and Input Established and Related connections" \
    connection-state=established,related,untracked in-interface-list=WAN-LIST
add action=accept chain=input comment=BGP log=yes log-prefix=BGP protocol=tcp \
    src-address=51.75.66.20
add action=accept chain=input comment="Allow IGMP" in-interface-list=WAN-LIST \
    protocol=igmp
add action=accept chain=input comment="Allow LAN Traffic" in-interface-list=\
    LAN-LIST
add action=accept chain=input dst-port=53 in-interface-list=LAN-LIST \
    protocol=udp
add action=accept chain=input comment=\
    "Allow Discover in LAN,DISABLE 14/02 zero trafic" disabled=yes \
    in-interface-list=LAN-LIST port=5678 protocol=udp
add action=accept chain=input comment="Allow SNMP" dst-port=161 \
    in-interface-list=WAN-LIST log-prefix=SNMPF protocol=udp
add action=accept chain=input comment=IOT-TUYA-Broadcast dst-address=\
    255.255.255.255 dst-port=6667 log-prefix=IOT-TUYA protocol=udp \
    src-address-list=IOT-LAN
add action=drop chain=input comment="DROP Mikrotik Discovery" log-prefix=\
    "DROP Mikrotik Discovery" protocol=udp src-address-list=!LOCAL_LAN \
    src-port=5678
add action=accept chain=input comment="Allow API" dst-port=8728 \
    in-interface-list=WAN-LIST log-prefix="API Prometheus" protocol=tcp \
    src-address=178.20.41.20
add action=accept chain=forward comment=WG dst-port=13256 in-interface-list=\
    WAN-LIST log-prefix=WG protocol=udp src-address=0.0.0.0
add action=accept chain=input comment="Access Normal Ping" in-interface-list=\
    WAN-LIST limit=50/5s,2:packet protocol=icmp
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="Port Scanners" \
    in-interface-list=WAN-LIST protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="NMAP FIN Stealth scan" \
    in-interface-list=WAN-LIST protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN-LIST protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="SYN/RST scan" \
    in-interface-list=WAN-LIST protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="FIN/PSH/URG scan" \
    in-interface-list=WAN-LIST protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN-LIST protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=4w2d chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN-LIST protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=4w2d chain=input comment=\
    "block honeypot ssh rdp winbox" connection-state=new dst-port=\
    22,3389,8291,25,21,8728 in-interface-list=WAN-LIST protocol=tcp
add action=drop chain=input comment="drop 8.217.255.5" src-address=\
    8.217.255.5
add action=drop chain=forward comment="drop 8.217.255.5" src-address=\
    8.217.255.5
add action=accept chain=input in-interface=!bridge-lan log-prefix=ddd1 \
    protocol=udp src-port=68
add action=drop chain=input comment="Drop All Other" disabled=yes \
    in-interface-list=WAN-LIST log-prefix=DEF_DROP
add action=log chain=output disabled=yes log=yes
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes log=yes log-prefix=\
    CHANGE-MSS-OUT new-mss=clamp-to-pmtu out-interface-list=WAN-LIST \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1300-65535
add action=change-mss chain=forward new-mss=1420 out-interface-list=WAN-LIST \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1421-65535
add action=change-mss chain=forward in-interface-list=WAN-LIST log-prefix=\
    CHANGE-MSS-OUT new-mss=clamp-to-pmtu passthrough=no protocol=tcp \
    tcp-flags=syn tcp-mss=1300-65535
add action=mark-connection chain=prerouting comment=DNS-Mark \
    connection-state=new disabled=yes dst-port=53,853,5353 \
    new-connection-mark=via-dns passthrough=yes protocol=tcp src-address=\
    192.168.254.0/24
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
    dst-port=53,853,5353 new-connection-mark=via-dns passthrough=yes \
    protocol=udp src-address=192.168.254.0/24
add action=change-mss chain=forward disabled=yes new-mss=1400 out-interface=\
    WB passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
    dst-address-list=WB in-interface=bridge-lan new-connection-mark=to_WB \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_WB disabled=yes \
    new-routing-mark=toWB passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="TELEKOM-SERVICE MAIN_SRC_NAT" \
    log-prefix="MAIN SRC NAT" out-interface=vrn.tv src-address-list=LOCAL_LAN \
    to-addresses=185.23.83.133
add action=dst-nat chain=dstnat comment="DNS forward UDP" disabled=yes \
    dst-port=53,853,5353 log-prefix="DNS forward UDP" protocol=udp \
    src-address=192.168.154.0/24 to-addresses=192.168.254.250
add action=dst-nat chain=dstnat comment=piholeNAT1 disabled=yes dst-port=\
    53,853,5353 log-prefix="DNS forward" protocol=udp src-address=\
    192.168.154.0/24 to-addresses=192.168.254.250
add action=dst-nat chain=dstnat comment=piholeNAT1 disabled=yes dst-port=\
    53,853,5353 log-prefix="DNS forward" protocol=tcp src-address=\
    192.168.154.0/24 to-addresses=192.168.254.250
add action=masquerade chain=srcnat comment=test disabled=yes log=yes \
    log-prefix=LOCAL_2_IOT_ACCESS out-interface=vlan-iot-interface
add action=masquerade chain=srcnat comment=LOCAL_2_IOT_ACCESS dst-address=\
    192.168.154.0/24 log-prefix=LOCAL_2_IOT_ACCESS out-interface=\
    vlan-iot-interface src-address=192.168.254.250
add action=masquerade chain=srcnat comment=LOCAL_2_IOT_ACCESS dst-address=\
    192.168.154.0/24 log-prefix=LOCAL_2_IOT_ACCESS out-interface=\
    vlan-iot-interface src-address=192.168.254.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.154.8 \
    log=yes log-prefix=!!!!192.168.154.8 out-interface=*F src-address=\
    192.168.254.250
add action=masquerade chain=srcnat comment=TELEKOM-SERVICE-IOT disabled=yes \
    dst-address=!192.168.154.0/24 log-prefix=IOT out-interface=vrn.tv \
    src-address=192.168.154.0/24 to-addresses=185.23.83.133
add action=dst-nat chain=dstnat comment="Forward All TCP DNS to Pi" disabled=\
    yes dst-address-list=!DNS_SERVERS dst-port=53,853,5353 log-prefix=\
    ForwardTCP_DNS protocol=tcp src-address-list=LOCAL_LAN to-addresses=\
    192.168.254.250
add action=dst-nat chain=dstnat comment="Forward All UDP DNS to Pi" disabled=\
    yes dst-address-list=!DNS_SERVERS dst-port=53,853,5353 log-prefix=\
    ForwardUDP_DNS protocol=udp src-address-list=LOCAL_LAN to-addresses=\
    192.168.254.250
add action=masquerade chain=srcnat comment=WG_VPN_NAT log-prefix=WG_VPN_NAT \
    out-interface=wireguard3 src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment=WG_CCC_NAT log-prefix=WG_CCC_NAT \
    out-interface=wireguard2ccc src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment=WG_WB_NAT log-prefix=WG_WB_NAT \
    out-interface=WB src-address-list=2-WB
add action=masquerade chain=srcnat comment=WG_VPN_ALPINA log-prefix=\
    WG_VPN_ALPINA out-interface=wireguard-alpina src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment="MASQL CCC TO_DELETE" disabled=yes \
    dst-address=10.10.10.0/23 dst-address-list="" log=yes log-prefix=1
add action=src-nat chain=srcnat comment=TO_DELETE disabled=yes src-address=\
    10.2.0.2 to-addresses=192.168.254.1
add action=dst-nat chain=dstnat comment="PROMETHEUS DST_NAT" dst-address=\
    185.23.83.133 dst-port=9221 log-prefix="PROMETHEUS DST_NAT" protocol=tcp \
    to-addresses=192.168.254.250 to-ports=9100
add action=dst-nat chain=dstnat comment=----------- dst-address=185.23.83.133 \
    dst-port=14620 protocol=tcp to-addresses=192.168.254.23 to-ports=14620
add action=dst-nat chain=dstnat comment=PROMETHEUS_ADGUARD_EXPORTER \
    dst-address=185.23.83.133 dst-port=9617 log-prefix=\
    PROMETHEUS_ADGUARD_EXPORTER protocol=tcp to-addresses=192.168.254.250 \
    to-ports=9617
add action=dst-nat chain=dstnat comment=PROMETHEUS_BLACK_BOX dst-address=\
    185.23.83.133 dst-port=9515 log-prefix=PROMETHEUS_BLACK_BOX protocol=tcp \
    to-addresses=192.168.254.23 to-ports=9115
add action=dst-nat chain=dstnat comment=TO_DELETE dst-address=185.23.83.133 \
    dst-port=3344 protocol=tcp to-addresses=192.168.254.23 to-ports=443
add action=dst-nat chain=dstnat comment=TO_DELETE disabled=yes dst-address=\
    185.23.83.133 dst-port=53,853,5353 log-prefix=vps protocol=udp \
    src-address=95.142.47.131 to-addresses=192.168.254.250 to-ports=53
add action=dst-nat chain=dstnat comment="ZABBIX PC" dst-address=185.23.83.133 \
    dst-port=12350 log-prefix=zabbix-ps protocol=tcp src-address=178.20.41.20 \
    to-addresses=192.168.254.38 to-ports=10050
add action=dst-nat chain=dstnat comment=DNS_REDIRECT disabled=yes dst-port=\
    5353 protocol=tcp to-addresses=192.168.254.250 to-ports=5353
add action=dst-nat chain=dstnat comment=PROMETHEUS_ADGUARD_EXPORTER \
    dst-address=185.23.83.133 dst-port=8334 log-prefix=mtproto protocol=tcp \
    to-addresses=192.168.254.250 to-ports=8224
/ip firewall raw
add action=drop chain=prerouting in-interface=vrn.tv src-address-list=\
    "Honeypot Hacker"
add action=drop chain=prerouting in-interface=vrn.tv src-address-list=\
    "Hacker Scanners"
add action=drop chain=prerouting dst-port=137,138,139 in-interface-list=\
    WAN-LIST protocol=udp
add action=drop chain=prerouting dst-address-list=ddos-target \
    src-address-list=ddos-attackers
add action=drop chain=prerouting dst-port=137,138,139 in-interface-list=\
    WAN-LIST protocol=udp
add action=drop chain=prerouting comment=\
    "TCP invalid combination of flags attack (7 rules)" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" \
    protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" \
    protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="IP option loose-source-routing" \
    ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
    ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option loose-source-routing" \
    ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
    ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" \
    ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" \
    ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=\
    timestamp
add action=drop chain=prerouting comment=\
    "IP options left, except IP Stream used by the IGMP protocol" \
    ipv4-options=any protocol=!igmp
add action=drop chain=prerouting comment="IP option loose-source-routing" \
    ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
    ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" \
    ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" \
    ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=\
    timestamp
add action=drop chain=prerouting comment=\
    "IP options left, except IP Stream used by the IGMP protocol" \
    ipv4-options=any protocol=!igmp
/ip firewall service-port
set ftp disabled=yes
/ip route
add blackhole dst-address=172.16.0.0/12
add blackhole dst-address=192.168.0.0/16
add disabled=no distance=1 dst-address=45.90.28.199/32 gateway=vrn.tv \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

[TL-SG108E screenshots: 3.png, 2.png, 4.png]

Sorry, neither from your response nor from the drawing is it clear to me whether the hAP ac² should ever return to the scheme or whether the TL-SG108E may stay there forever in its place.

Another point is that your text description does not match your drawing - on the drawing, the Huawei AP is connected to port 6 of the TL-SG108E whereas the text says it is connected to port 7.

As for the configuration - I won’t read the hAP ax³ once again yet, assuming that you haven’t changed it, and will concentrate on the TL-SG108E and the Huawei AP for the moment.

I don’t understand the reason why some vendors deem it useful to allow to configure the mode for the same VLAN on the same port differently for the ingress (cable->silicon) direction and for the egress (silicon->cable) direction, but the reality is that many vendors, including Mikrotik, do allow this. So when you configure ports 5-8 as tagged members of VLAN 1100, it means that the VLAN tag is not removed when a frame tagged with VID 1100 leaves the switch through that port to the wire. But if you set the PVID of that port to 1100 (which is currently the case for ports 6 and 7), it means that tagless frames that enter the switch through that port will get tagged with VLAN ID 1100. Only the designer of the switch knows what happens to frames that have come from the wire already tagged with VID 1100, but most likely they slip in without any change.

To make things even more confusing, most Windows network card drivers and even some Linux ones accept frames with any VLAN tags and silently strip them before handing the frame over to the IP stack, so if you connect a Windows machine to a port that is configured this wrong way, i.e. tagged (aka trunk) for egress and untagged (aka access) for ingress, they communicate normally.

Regarding the Huawei - does it have a VLAN for management and you can place the SSID into another VLAN or is it totally dumb and just transparently bridges frames between the Ethernet port and the wireless one? If you do configure the SSID to use VLAN 1100, the AP has to be connected to a trunk port of the TL-SG108E, i.e. one which is a tagged member of VLAN 1100 and its pvid is not 1100.

To avoid confusion:
mikrotik2 - forget, turned off
TL-SG108E now:
port 7 - TV1
port 6 - HUAWEI AP/router
port 5 - link from mikrotik ether3
port 4 - RockPi (Raspberry Pi-family device as dns-server/dnsproxy)
port 1 - pc

I recently made backups of the Mikrotik and TL-SG108E configurations at the time of writing the previous post and decided to continue experiments (to be able to return to the original configuration).
I thought that the confusion with the ethernet access point connection is due to the fact that traffic ALREADY comes to port 6 from VLAN 1100, and on port 7 it is assigned by Mikrotik itself.
Then I asked the AP to do all the same settings as before, but without specifying the VLAN on the AP side.
Naturally, it didn’t work right away, but after “playing” with tagged and Untagged ports, everything worked out.
As I understand it, one of the errors was that the AP itself received an address from the 254.0 network. because after the collection, when the AP received an address from zone 154.0, it helped to see at least the gateway.
Before this, as I understand it, traffic went from any device on the 154.0 subnet along the route device-154.1-254.1-ext_network, instead of the route to 254.1 immediately. Although I may be wrong, because the AP gateway is now 154.1. one way or another, but now the devices on this network are successfully connecting to the network.

However, if you don’t mind, I would like to understand the terminology and logic of what is happening… I understand that the question is already beyond the topic of Mikrotik only, but if you have the opportunity, please answer.
As I see it according to the configuration. See screenshot one.
As I understand it, any device that can VLAN sends traffic either without VLAN, if the user has not configured anything, or puts a “tag” on each header with the VLAN number. As I understand it, this is called tagged vlan. I.e. I tag it on one device and tell the second receiving device what to do with the traffic that contains this tag.
Is this how it works or am I wrong?
If so, how does untagged work? According to my logic, if I specify untagged for any port, it means the traffic goes without a tag at all. (i.e. either without a tag at all, or with the VLAN=1 tag).
Or, as soon as I enable VLAN, for example on the TL-SG108E, all traffic specified for the port can take two values, but with one VLAN? for example VLAN1100-Tagged, VLAN-1100-untagged. and it turns out that for the same vlan, I can create two conditions on the receiver device (for example, send 1100-tagged to one dhcp server, 1100-untagged to another)
Is this true, or am I confused? how really?
or in general, does this setting indicate which particular vlan to pass through, blocking the rest, including those without VLAN?

Further. what I said related to screenshot 1.
Let’s move on to screenshot 2. There is a pvid there, which, in my opinion, partially duplicates the previous screenshot.
Previously, I thought that only the settings as in the previous screenshot were enough, but in reality, all this does not work without what is in screenshot 2.
Why? After all, we have already set VLAN_ID, as we see in screenshot 1, what does PVID do in this case?
A separate question, what does PVID do in the bridge port settings in Mikrotik? forcibly assigns all traffic received via ethernet to the port to which the vlan interface is bound - VLAN?

I’ve read the documentation and a lot of discussions on this topic in Mikrotik and in particular. but the more I read, the less I understand.
Screenshots: 2.png, 1.png

As a first attempt, I’ll try to explain VLANs from scratch rather than answering individual questions, maybe the bits will click together better if you have an overview.

On a single switch, you could define several groups of ports, which would only be allowed to talk to other ports within the same group. This is called “port based” VLAN approach and does not require any modification of the contents of the Ethernet frames.

If you wanted to connect two such switches together, you would need to use one port from each group to connect that group to the matching group on the other switch, which would be “expensive”. Hence the idea of adding a “tag” to the frames has been introduced. The “tag” are four bytes, the first two contain 3 bits of priority, 1 bit whose purpose I never understood and 12 bits of VLAN ID where values 0 and 4095 are reserved, and the last two indicate the payload protocol moved from the original ethertype because the original ethertype now contains 0x8100 (for 802.1Q VLANs) to indicate that the following contents begins with a VLAN tag. So on hardware level, the tag is inserted between the MAC addresses and the ethertype, first the two “new ethertype” bytes 0x8100 and following them the other two bytes with priority and VLAN ID.

“Inside” the switch, all frames run tagged. So

  • when a tagless frame arrives over the cable or fiber, the switch must know what VID to set in the tag that it adds as it receives the frame; this value is configured as “pvid” or “native VLAN” or “default VLAN” depending on the vendor
  • when a tagged frame arrives over the cable or fiber, the switch accepts it “as-is”
  • when the switch sends out a frame through a port that is configured as a tagged (trunk) member of the VLAN indicated in the tag of that frame, the frame gets to the wire “as-is”
  • when the switch sends out a frame through a port that is configured as a tagless (untagged, access) member of the VLAN, it removes the tag before sending the frame to the wire.

The associated terminology is a mess. Most commonly, only tagless frames can pass through an “access” port and, therefore, an access port can only belong to exactly one VLAN; only tagged frames can pass through a “trunk” port, and the number of VLANs on such a port is not limited as the information regarding which VLAN a given frame belongs to is expressed by the tag. And then there is a notion of a “hybrid” port which behaves as an access one for exactly one VLAN and as a trunk one for an unlimited number of other VLANs. However, e.g. Cisco does not distinguish between a trunk and hybrid port.
And to introduce more confusion, many vendors permit that frames belonging to multiple different VLANs get untagged on egress (i.e. as the switch sends them out to the wire) on the same port, whereas in the opposite direction (ingress), incoming tagless frames may get a VLAN ID that matches neither of those being untagged on egress. But as said earlier, the practical use cases for such a behavior are niche ones and the effect for an average user is just the large space for misunderstanding and consequent misconfiguration.

Mikrotik’s configuration is at least nice in the aspect that you do not have to specify membership of a given port in a VLAN explicitly by putting it to the untagged list for that VLAN ID under /interface bridge vlan, it is enough to set the pvid parameter of that port under /interface bridge port and RouterOS adds that port to the untagged list dynamically. But to allow for those niche use cases, you can override that by putting the port to the tagged list for a VLAN indicated in the pvid of that port (so on egress, the tag is not stripped off the frames belonging to this VLAN), or by putting a port to the untagged list for a VLAN ID that does not match the pvid of that port, which makes the tag be stripped off on egress.
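As an added illustration of the rules described above (this is example code written for this explanation, not RouterOS code and not from anyone in the thread), here is a toy model in Python: the 4-byte 802.1Q tag inserted between the MAC addresses and the EtherType, plus a VLAN-filtering bridge where tagless frames get the port's pvid on ingress and the tagged/untagged membership decides what happens on egress, including the RouterOS rule that a port is automatically an untagged member of its own pvid unless it is put in the tagged list. The port names and VLAN 1100 mirror the thread; the frame bytes and membership tables are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing "a VLAN tag follows"

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two MAC addresses (bytes 0-11).
    TCI = 3 bits priority (PCP), 1 bit DEI (the "mystery bit"), 12 bits VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def read_tag(frame: bytes):
    """Return (pcp, dei, vid) for a tagged frame, None for a tagless one."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    return None

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (bytes 12-15) so the original EtherType follows the MACs."""
    return frame[:12] + frame[16:] if read_tag(frame) else frame

class Bridge:
    """Toy VLAN-filtering bridge. pvid: port -> pvid (/interface bridge port);
    tagged/untagged: vid -> set of ports (/interface bridge vlan lists).
    Ingress membership filtering is deliberately not modelled."""
    def __init__(self, pvid, tagged, untagged=None):
        self.pvid, self.tagged, self.untagged = pvid, tagged, untagged or {}

    def members(self, vid):
        tagged = set(self.tagged.get(vid, set()))
        untagged = set(self.untagged.get(vid, set()))
        # RouterOS rule: a port is an untagged member of its own pvid
        # automatically, unless it was put in the tagged list for that VLAN.
        untagged |= {p for p, pv in self.pvid.items() if pv == vid and p not in tagged}
        return tagged, untagged

    def ingress(self, port, frame):
        # Tagless frames get the pvid of the port; tagged ones pass as-is.
        return frame if read_tag(frame) else tag_frame(frame, self.pvid[port])

    def egress(self, port, frame):
        tagged, untagged = self.members(read_tag(frame)[2])
        if port in tagged:
            return frame             # trunk: tag stays on the wire
        if port in untagged:
            return strip_tag(frame)  # access: tag removed before the wire
        return None                  # not a member of that VLAN: dropped

    def forward(self, in_port, frame, out_port):
        return self.egress(out_port, self.ingress(in_port, frame))

# Constructed sample frame: broadcast dst, locally administered src, ARP EtherType.
FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("02000000aa01")
         + struct.pack("!H", 0x0806) + b"\x00" * 28)

def example_bridge() -> Bridge:
    """Mirrors the thread's setup: ether2 is an access port for VLAN 1100,
    the bridge's own virtual port and ether3 are trunk members, ether1 is not."""
    return Bridge(pvid={"ether1": 1, "ether2": 1100, "ether3": 1, "Bridge-Lan": 1},
                  tagged={1100: {"Bridge-Lan", "ether3"}})

if __name__ == "__main__":
    br = example_bridge()
    out = br.forward("ether2", FRAME, "Bridge-Lan")  # laptop -> router side
    print("laptop frame leaves the virtual port with tag", read_tag(out))
    back = br.forward("Bridge-Lan", tag_frame(FRAME, 1100), "ether2")
    print("reply reaches the laptop tagless:", read_tag(back) is None)
    print("same reply towards ether1 is dropped:",
          br.forward("Bridge-Lan", tag_frame(FRAME, 1100), "ether1") is None)
```

Putting ether2 explicitly into the tagged list for 1100 (the niche override mentioned above) makes `members()` drop it from the untagged set, so the tag is then kept on egress.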

Based on the above, do I understand correctly that in order to add to VLAN1100 a Mikrotik Ethernet port (Ether2) to which, for example, a laptop that does not know about VLAN is connected, I need:

  1. Create a new Bridge Interface /Interface /Bridge, without additional settings, let’s call it Bridge2
  2. Create a VLAN interface as a child from Ether2 /Interface /VLAN with vlan_id = 1100, call it VLAN1100
  3. in /interface/bridge/ports add to Bridge2 - VLAN1100 and put down PVID = 1100
  4. On Interface add Bridge1 as Tagged, Ether2 as Untagged
    ?
    But as I understand it, this is not all, because on L3, you should somehow make the main bridge ‘Bridge-Lan’ see the traffic from Bridge1, but how to do it?
    Add the bridge to the bridge? It doesn’t sound very right …
    Perhaps the new bridge also needs to assign a static address from the Bridge-Lan DHCP server range?

Or do not create a bridge and just add a) Ether2 with PVID = 1100 as a port of the Bridge-Lan bridge, and in /Interface/Bridge/VLANS add Ether2 as Untagged?
In the latter case, it is not clear how Mikrotik should understand what you need to ‘throw’ from Ether2 in Bridge-Lan. Because through the PVID we hung a tag 1100 on Ether2 (and coming to Bridge-Lan), but marked in Bridge-Lan that Ether2 is Untagged, which means to take unchanged. And in such a configuration, if I understood correctly, the device connected to the port of Ether2 will receive an address from the range of the main network DHCP server, and not from the server that is already hanging on the VLAN-IOT-INTERFACE VLAN-interface.
Thus, the question sounds quite simple. How to add a physical interface to VLAN (to be precise, then mark all the traffic from this interface with a tag 1100), and force to get the address from the DHCP-Iot network, provided that the existing VLAN-Iot-Interface is already tied to Ether3 for which TL-SG108E is already located, which gives traffic with vlan = 1100

This second way is correct to make ether2 an access port to VLAN 1100 (so that the laptop connected to it would get an address from 192.168.154.0/24):

The fact that you place ether2 to the untagged list for vlan-ids=1100 under /interface/bridge/vlan tells the bridge to remove the tag from frames belonging to VLAN 1100 when sending them out through ether2, which is what you want. But you actually do not need to add ether2 to the untagged list manually - as you have set pvid to 1100 for ether2 under /interface/bridge/port, RouterOS will do that automatically; what is important is not to put ether2 to the tagged list for vlan-ids=1100.

Of course, the rest remains as it was, so the internal port of the bridge must be a tagged member of VLAN 1100, and the IP address and DHCP server must be attached to a VLAN interface attached to the internal interface connected to the bridge:

/interface bridge vlan add bridge=Bridge-Lan vlan-ids=1100 tagged=Bridge-Lan untagged=ether2
/interface bridge port add bridge=Bridge-Lan interface=ether2 pvid=1100
/interface bridge set Bridge-Lan vlan-filtering=yes
/interface vlan add name=Bridge-Lan.1100.IoT interface=Bridge-Lan vlan-id=1100
/ip address add address=192.168.154.1/24 interface=Bridge-Lan.1100.IoT
/ip pool …
/ip dhcp server network …
/ip dhcp-server add interface=Bridge-Lan.1100.IoT …

Since you currently don’t use the hAP ac², I would recommend to debug these settings on it first, before touching the configuration of the main router. It is too easy to lock yourself out of the device by misconfiguration.

A) Please clarify what filtering does in this case?

    1. discards all traffic marked PVID, i.e. ‘skip everything except PVID’
    2. or vice versa leaves only the traffic that has the specified PVID? i.e. ‘only pass PVID’

B) in your version there is a line that reassigns the address of the existing “vlan-iot-interface” interface, through which traffic comes from the AP via the TL-SG108E.
I.e. if there is no address on the vlan interface, devices connected to the AP will not receive an address from 192.168.154.0/24. Am I right?
In this case, do I understand correctly that it is also necessary to add vlan-iot-interface to Bridge-Lan.1100.IoT as a tagged interface (since the tag was previously affixed to TL-SG108E)?
or what is correct in this case? as I understand it, the use of these parameters discards the presence of vlan-iot-interface on ether3 connected to the TL-SG108E

Have you seen this?

The /interface/bridge/vlan and /interface/bridge/port settings only control the tagging and untagging of frames as they enter or leave the bridge itself via its member ports. These settings are only taken into account if vlan-filtering on the bridge is set to yes.

The functional block created using /interface/vlan/add is not a part of any bridge, so the vlan-filtering setting of a bridge has no effect on it. It is just a pipe that tags frames in one direction and untags them in the other one. The “tagged” end of the pipe is attached to some existing L2 interface (in this particular case, the internal interface of the bridge Bridge-Lan), the “tagless” end is an interface itself (in this particular case, Bridge-Lan.1100.IoT). On the tagged end, it ignores frames tagged with any other VLAN ID than the one it has been configured with.


Sorry for the confusion, the configuration I have posted was a “from scratch” one, intended to show just the bare minimum required, not a modification of your existing one, as ether2 is also not an access port to VLAN 1100 in our current setup. Of course you do not need to replace one VLAN interface by another that only differs by name.

Do I understand correctly that in this case, in my configuration it is enough to do the following:
/interface bridge vlan add bridge=Bridge-Lan vlan-ids=1100 tagged=Bridge-Lan untagged=ether2 - in the current configuration, add ether2 as not tagged, because VLAN already has it.
/interface bridge port add bridge=Bridge-Lan interface=ether2 pvid=1100 - add the physical port to VLAN, and say mark the entire traffic with mark 1100
/interface bridge set Bridge-Lan vlan-filtering=yes - turn on the filtering on the ‘physical’ bridge
/interface vlan add name=Bridge-Lan.1100.IoT interface=Bridge-Lan vlan-id=1100 - this has already been done because it was done for VLAN-IOT-INTERFACE
/ip address add address=192.168.154.1/24 interface=Bridge-Lan.1100.IoT - this has already been completed. The address is configured on Vlan-Iot-Interface

Looks logical. The only thing I’m afraid of is turning on filtering. By default, enabling filtering automatically implies the value PVID=1, i.e. I think the bridge should discard all vlans not equal to 1, and in this case it turns out that it will ignore everything that concerns 1100.
Although on the other hand, by setting 1100 as untagged, we are saying to untag. then everything should work.

Regarding tests - I do everything in safe mode. although sometimes, I think this is not correct, when the bridge is reconfigured, the connection is lost and the changes are rolled back, although they were applied correctly.
Or, if used correctly, the connection should not break?
also I’m expecting WOOBM soon for peace of mind :slight_smile:

Have you read the link I suggested above, and did you understand from there that when you add a “bridge” to the configuration and add two Ethernet ports as its members, you actually get a bridge (as in “virtual switch”) with three ports in total (etherX, etherY and a virtual one) and a virtual interface of a router that is connected to the virtual port of the virtual switch using a virtual cable? The pvid on “bridge” and the pvid on etherX have the same meaning and purpose. So if you place “bridge-the-virtual-port” to the tagged list for vlan-ids=1100 for the “bridge-the-virtual-switch”, the tagged frames for this VLAN will be able to egress through bridge-the-virtual-port via the virtual cable to bridge-the-virtual-router-interface and hit the tagged end of the /interface/vlan pipe attached to bridge-the-virtual-router-interface.


Indeed, when you change the switch configuration, the connection may break which the Safe Mode evaluates as a command to revert the configuration changes. Worse than that, I had cases where Safe Mode did not revert the changes when it should. That’s why I am usually using /system/scheduler to manually set the parameter I am going to change back to its current value in 15 minutes from now. So if the change I make cuts me off, I go make myself a coffee and wait until the scheduler “reverts” the change.

In your case, it is best to remove one physical interface from the bridge and make sure that mac-telnet and mac-winbox are allowed on that interface (setting the interface-list to all for both is the easiest way). So whatever you break on the bridge will not cut you off.

Yes, I have read your link. I’m trying to understand, but as always there is not enough practice. Logically I understand what I’m doing in winbox, but when it doesn’t work as you logically imagine, questions arise. It would be very helpful to visualize these parts “virtual interface of a router that is connected to the virtual port of the virtual switch using a virtual cable”))) when you imagine this virtual switching, everything becomes more or less clear, but not completely (for example that part that the device does automatically for the user).
With your help, I was able to successfully configure the configuration I wanted. however, there are a couple more clarifying questions.

  1. I’m seeing funny behavior in the TL-SG108E logs. Its address ‘jumps’ between subnets: it either receives the address from 154.0/24, or from 254.0/24. What could cause this behavior?
    I assumed that this might be due to a ‘loop’, but there is nothing in the logs about arp conflicts or loops

  2. Do I understand correctly that in the same way as I did with the AP, I can route the provider’s VLAN that provides access via pppoe? I.e. for example, hang a tag for a port on one Mikrotik and “catch” it on the second, and initiate a pppoe session on it. After all, vlan works at level 2 and knows nothing about access protocols, VPN, etc.

That’s exactly why the explanation starts from a drawing of separate physical devices, router and VLAN-aware switch, connected by a physical patchcord. All those physical components on that picture have their exact virtual equivalents.


Could it be that it simply attaches a DHCP client to each VLAN and thus has both addresses all the time, except that it renews them at different times? What if you ping both from the Mikrotik simultaneously (each from another window), do they really work one at a time or both respond simultaneously?


Indeed you can bridge a VLAN through one device to another and attach a PPPoE client to an /interface/vlan on that other one.


BTW, do you use a translator or do you write directly in English? It is hard to understand what you mean by повесить метку для порта на одном Микротике и “поймать” ее на втором even in Russian… Does your ISP use VLANs on the uplink to separate internet from IPTV and VoIP?

ping is available only for the address that is currently in the DHCP server in leases.
In this case, the connection with the device is not lost. There are no problems or lags, but it worries me. This shouldn’t happen.
I believe that it is possible that at the time of lease renewal, the dhcp server proceeds from the first packet that arrives - with or without a tag, and based on this, it “switches” to another dhcp server.
Also, I don’t observe any kind of systematicity. this (the procedure itself disconnected from one server and connected to another) can happen several times every 10 minutes, or maybe once every two to three hours. time intervals are different. Moreover, the gap between unbinding and binding to the dhcp server can be significant. for example in the screenshot.
PS. I’ll add that on both servers, the TL-SG108E has a reserved address on the DHCP server

Yes, I use a Russian translator. I have to correct the translation, but it doesn’t always work out correctly. In this case, the provider does not use vlan. Due to the specific of the room, I’m simply considering the possibility of moving the device itself to another location. And the provider’s cable does not come to this place and I am considering the possibility of changing Mikrotik and TL-SG108E, and raising the pppoe session already on top of the vlan (i.e. provider cable - TL-SG108E+tagging - VLAN-untaging in Mikrotik- pppoe session - bridge -lan).

By this expression “hang a tag for a port on one Mikrotik and “catch” it on the second” I mean the procedure for adding a tag on one device and removing the tag on another

When you finally decide on what your setup will be like, equipment etc, so that you can actually provide a coherent detailed diagram, then at that time
list your requirements, and the diagram will be helpful in understanding those requirements.

Requirements: (without mentioning config or hardware)
a. list all the user(s)/device(s), groups of users/devices - including both external and internal and admin user
b. list all the traffic they need to achieve/execute.

Detail the WAN connection(s), type, public or private, static or dynamic and if multiwan, details on primary/secondary/load balancing/vpns..

Trying to follow this thread is impossible because you have not made enough firm decisions yet on either networking equipment or requirements, to be at a point where we can render efficient assistance. Note it would appear the title of this thread is no longer relevant.

@Sindy didn't know you like playing whackamole :wink:
https://www.youtube.com/shorts/lSHjBqPsskc
https://vimeo.com/3577929
https://www.dailymotion.com/video/x1s55ej

We are not discussing a possible scheme now. We are discussing the current one, which is described in sufficient detail, including screenshots. And the remaining problem is the TL-SG108E getting addresses from different dhcp servers.