vlan change based on mac

I would like everyone on ether23 to be in the guest VLAN 40, except for MAC address 98:FA:9B:AD:85:35, which should be on VLAN 20.

I have tried to arrange this with a switch rule, but it does not work. Does anyone have an idea?


# 2025-03-13 07:59:11 by RouterOS 7.18.2
# model = CRS326-24G-2S+
# Single bridge with VLAN filtering enabled; every VLAN interface below is
# created on top of bridge1, so the CPU sees all four VLANs tagged.
/interface bridge
add name=bridge1 vlan-filtering=yes
# Router-side (CPU) VLAN interfaces: 10 = mgmt, 20 = lan, 30 = iot, 40 = guest.
/interface vlan
add interface=bridge1 name="vlan guest" vlan-id=40
add interface=bridge1 name="vlan iot" vlan-id=30
add interface=bridge1 name="vlan lan" vlan-id=20
add interface=bridge1 name="vlan mgmt" vlan-id=10
# Interface lists referenced by the firewall rules below (membership is set
# further down under /interface list member).
/interface list
add name=WAN
add name=LAN
# One /24 per VLAN; .1 of each subnet is left out of the pool and is assigned
# to the router itself under /ip address.
/ip pool
add name=dhcp_pool_iot ranges=10.0.30.2-10.0.30.254
add name=dhcp_pool_guest ranges=10.0.40.2-10.0.40.254
add name=dhcp_pool_lan ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool_mgmt ranges=10.0.10.2-10.0.10.254
# DHCP is served by the CPU on the VLAN interfaces, i.e. DHCP traffic from an
# access port is CPU-bound traffic (relevant for the switch rule further down).
/ip dhcp-server
add address-pool=dhcp_pool_iot interface="vlan iot" name="dhcp iot"
add address-pool=dhcp_pool_guest interface="vlan guest" name="dhcp guest"
add address-pool=dhcp_pool_lan interface="vlan lan" name="dhcp lan"
add address-pool=dhcp_pool_mgmt interface="vlan mgmt" name="dhcp mgmt"
/port
set 0 name=serial0
# Read-only API group: only "read" and "api" are granted, every other policy is
# explicitly denied with a leading "!".
/user group
add name=api policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!t\
    est,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
# Bridge ports. Access ports carry a pvid (ether9 -> 30, ether23 -> 40,
# ether24 -> 10) and only admit untagged/priority-tagged frames. The two SFP+
# ports have no pvid here and are used as tagged members in the VLAN table
# below. All other copper ports are added to the bridge but disabled.
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 disabled=yes interface=ether3
add bridge=bridge1 disabled=yes interface=ether4
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=30
add bridge=bridge1 disabled=yes interface=ether10
add bridge=bridge1 disabled=yes interface=ether11
add bridge=bridge1 disabled=yes interface=ether12
add bridge=bridge1 disabled=yes interface=ether13
add bridge=bridge1 disabled=yes interface=ether14
add bridge=bridge1 disabled=yes interface=ether15
add bridge=bridge1 disabled=yes interface=ether16
add bridge=bridge1 disabled=yes interface=ether17
add bridge=bridge1 disabled=yes interface=ether18
add bridge=bridge1 disabled=yes interface=ether19
add bridge=bridge1 disabled=yes interface=ether20
add bridge=bridge1 disabled=yes interface=ether21
add bridge=bridge1 disabled=yes interface=ether22
# ether23: untagged ingress is placed in VLAN 40 by this pvid. For frames that
# are forwarded to the CPU the pvid is what counts, not the switch rule below.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether23 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether24 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus2
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-list interfaces, never on WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table. bridge1 itself is tagged in every VLAN so the CPU interfaces work.
# ether23 is listed as an untagged member of BOTH VLAN 20 and VLAN 40; egress
# for either VLAN leaves ether23 untagged, but ingress classification is still
# decided by the port pvid (40) unless a switch rule changes it.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether9 \
    vlan-ids=30
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether24 \
    vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether23 \
    vlan-ids=20
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether23 \
    vlan-ids=40
# Attempted MAC-based VLAN override: frames from one source MAC on ether23 get
# new-vlan-id=20 in the switch chip. NOTE(review): per the MikroTik docs quoted
# in the reply below this config, new-vlan-id only applies between switch ports;
# frames forwarded to the CPU (DHCP, routed traffic) keep the port pvid, so this
# host is expected to still end up in VLAN 40 for anything the router handles.
/interface ethernet switch rule
add new-vlan-id=20 ports=ether23 src-mac-address=\
    98:FA:9B:AD:85:35/FF:FF:FF:FF:FF:FF switch=switch1
# ether1 is the only WAN member; bridge1 and all VLAN interfaces are LAN.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface="vlan mgmt" list=LAN
add interface="vlan guest" list=LAN
add interface="vlan iot" list=LAN
add interface="vlan lan" list=LAN
# Router address in each VLAN (the .1 excluded from the DHCP pools above).
/ip address
add address=10.0.40.1/24 interface="vlan guest" network=10.0.40.0
add address=10.0.30.1/24 interface="vlan iot" network=10.0.30.0
add address=10.0.20.1/24 interface="vlan lan" network=10.0.20.0
add address=10.0.10.1/24 interface="vlan mgmt" network=10.0.10.0
# Publishes the router's public address to MikroTik's cloud DDNS service.
/ip cloud
set ddns-enabled=yes
# WAN address is obtained via DHCP on ether1.
/ip dhcp-client
add interface=ether1
# Each VLAN uses the router as both gateway and DNS server.
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
# allow-remote-requests=yes turns the router into a DNS resolver for clients.
# Queries arriving on WAN should be stopped by the "drop all not coming from
# LAN" input rule below, since ether1 is not in the LAN list.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# All four VLAN subnets, used by the "block traffic between networks" rule.
# NOTE(review): the address list "ITN" referenced by the webmanagement rule
# below is NOT defined anywhere in this export.
/ip firewall address-list
add address=10.0.10.0/24 list=Local-Networks
add address=10.0.20.0/24 list=Local-Networks
add address=10.0.30.0/24 list=Local-Networks
add address=10.0.40.0/24 list=Local-Networks
# Input chain is evaluated top to bottom; the first matching rule wins.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Management from WAN. The first rule is restricted to src-address-list=ITN,
# but no list named ITN is defined in this export, so it matches nothing.
# The second rule then accepts Winbox (tcp/8291) from ANY source on WAN with no
# address restriction -- this is the rule that is actually in effect.
# NOTE(review): confirm this unrestricted WAN Winbox exposure is intended.
add action=accept chain=input comment="accept webmanagement" dst-port=80,8291 \
    in-interface-list=WAN protocol=tcp src-address-list=ITN
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=\
    !WAN protocol=icmp
# Everything not arriving on a LAN-list interface is dropped here; later input
# rules therefore only ever see traffic from bridge1 / the VLAN interfaces.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Fasttrack for established/related forward traffic (hardware offload on).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# Per-VLAN access to the router itself. mgmt, lan and iot may reach their whole
# /24 on the router; guest may only reach the router's own address 10.0.40.1.
add action=accept chain=input comment="vlan input accept" dst-address=\
    10.0.10.0/24 in-interface="vlan mgmt"
add action=accept chain=input dst-address=10.0.20.0/24 in-interface="vlan lan"
add action=accept chain=input dst-address=10.0.30.0/24 in-interface="vlan iot"
add action=accept chain=input dst-address=10.0.40.1 in-interface="vlan guest"
# mgmt (10.0.10.0/24) may open new connections to the router's lan and iot
# addresses; any other new connection between the local subnets is dropped by
# the rule that follows.
add action=accept chain=input connection-state=new dst-address=10.0.20.0/24 \
    src-address=10.0.10.0/24
add action=accept chain=input connection-state=new dst-address=10.0.30.0/24 \
    src-address=10.0.10.0/24
add action=drop chain=input comment="vlan block traffic between networks" \
    connection-state=new dst-address-list=Local-Networks src-address-list=\
    Local-Networks
# Guest isolation in the forward chain: nothing may initiate a connection into
# the guest VLAN, and guest may only initiate connections toward WAN.
add action=drop chain=forward connection-state=new out-interface="vlan guest"
add action=drop chain=forward connection-state=new in-interface="vlan guest" \
    out-interface-list=!WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# Unsolicited inbound from WAN is dropped unless a dst-nat rule matched it.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for everything leaving via the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
# RouterBOARD firmware follows the RouterOS version automatically.
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
[admin@MikroTik] >

This would be the explanation:

MAC-based VLANs will only work properly between switch ports and not between switch ports and the CPU. When a packet is being forwarded to the CPU, the `pvid` property of the bridge port will always be used instead of the `new-vlan-id` from ACL rules.

The quote is from the docs:

https://help.mikrotik.com/docs/spaces/ROS/pages/30474317/CRS3xx+CRS5xx+CCR2116+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-VLAN