VLAN Configuration !HELP!

Hi Guys,

I got a CCR1009-8G-1S-1S+ and two RBwAPG for free, so I decided to build a home network. I have to say I'm not a network specialist, and now I'm at a spot where I'm stuck.

Maybe I'll start with what I have already done and what works:
Updated to 6.43.4
eth1 is the WAN port; it gets an IP from the Internet router
I created one bridge; ports eth2 - eth8 are in this bridge, with a DHCP server on 192.168.0.1/24
The two APs are connected on eth5 and eth6 and controlled by CAPsMAN
Firewall has the default configuration
Firewall NAT

Now I want to separate the ports into different VLANs; the two APs should work with all 3 VLANs, and it would be best if it worked with CAPsMAN.
VLAN10 “trusted” 192.168.10.1/24 Port:2-4 and APs
VLAN20 “untrusted” 192.168.20.1/24 Port:7-8 and APs
VLAN30 “Guest-WLAN” 192.168.20.1/24 APs

Where do I start configuring? The interfaces, the VLANs in the bridge? I'm lost :slight_smile:
I watched a few videos and read some forum articles; I think I have to configure the bridge and not the switch?
Do I still need the one bridge and the DHCP with 192.168.0.1?

I'm very thankful for all the information you can give me, and maybe someone can guide me through this; I don't want just a how-to, I also want to understand this :slight_smile:

Greetings
Michael

On what ports would you like this net? 192.168.0.1/24

Make a drawing; it makes it easier to understand what to do.

I thought I needed a “default network 192.168.0.1 / VLAN1”.

In my case I don't need this “default VLAN”.

Here is a drawing where you can see how the configuration should look at the end. https://ibb.co/v42nVG5

In the meantime I configured the ports: WAN ether1, VLAN10 ether2-4 and VLAN20 ether7-8. But I have no idea how I should configure the WLAN and the two ports ether5 and ether6 to get it to work with CAPsMAN.

One other question: when I now connect my computer to one of the VLAN ports (10 or 20), I get the correct address via DHCP, and Winbox also shows me the 10.1 or 20.1 as the address of the router, but I can't connect via IP, just via MAC.
Maybe a misconfiguration?

Be aware that a lot (if not all) videos still show the way of doing VLANs before the 6.xx change when it was migrated to the bridge.
Look at the Wiki page to use the right method (not the videos :slight_smile:).

You mention 3 IP address ranges/DHCP servers on your CCR but only one bridge? So where are the DHCP servers sitting?
Normally you put one DHCP server on the bridge.

Can you ping the IP of the router?

Something like this using RouterOS 6.41+

/interface bridge
add name=Bridge1 vlan-filtering=yes

/interface vlan
add interface=Bridge1 name=VLAN10 vlan-id=10
add interface=Bridge1 name=VLAN20 vlan-id=20
add interface=Bridge1 name=VLAN30 vlan-id=30

/interface bridge port
add bridge=Bridge1 interface=ether2 pvid=10
add bridge=Bridge1 interface=ether3 pvid=10
add bridge=Bridge1 interface=ether4 pvid=10
add bridge=Bridge1 interface=ether7 pvid=20
add bridge=Bridge1 interface=ether8 pvid=20
add bridge=Bridge1 interface=wlan1 pvid=30

/interface bridge vlan
add bridge=Bridge1 tagged=Bridge1 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=Bridge1 tagged=Bridge1 untagged=ether7,ether8 vlan-ids=20
add bridge=Bridge1 tagged=Bridge1 untagged=wlan1 vlan-ids=30

/ip pool
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200
add name=DHCP-vlan30 ranges=192.168.30.100-192.168.30.200

/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0

/ip dhcp-server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=7d  name=DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=7d  name=DHCP-vlan20
add address-pool=DHCP-vlan30 disabled=no interface=VLAN30 lease-time=7d  name=DHCP-vlan30

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1

Hi Jotne, a few possible typos

/ip pool
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200
add name=DHCP-vlan10 ranges=192.168.30.100-192.168.30.200

/ip address
add address=192.168.10.1/24 interface=VLAN20 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN20 network=192.168.20.0

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1

You only need 2 VLANs: the trusted VLAN is your bridge LAN, and runs on the default pvid of 1. It is much easier to let this one work under the default.
I recently had a managed switch that reset to defaults during a power outage (I had forgotten to save the config to flash). The end result is all my VLANs didn't work, but all the traffic on all non-VLAN networks (which means all vlanid=1) and connected computers still worked. Not that you will run into that issue, but for trusted members you don't need to create a VLAN… the VLANs are for the untrusted LOL.

In addition it simplifies the rest of your rules…

Here is how I would set it up.
Assumptions: 2 radios in your APs (using one radio for normal personal use; the second radio will run two VLANs, one on the main radio and the other on a virtual radio).
Not using APs for any wired connections to other devices, but that could be added easily.

The Main Router config:

/interface list
add name=Lan
add name=Wan

/interface list member
add interface=Bridgehome list=Lan
add interface=VLAN10 list=Lan comment="guest wifi"
add interface=VLAN20 list=Lan comment="untrusted users"
add interface=ether1 list=Wan

/interface bridge
add name=Bridgehome vlan-filtering=yes

/interface vlan
add interface=Bridgehome name=VLAN10 vlan-id=10
add interface=Bridgehome name=VLAN20 vlan-id=20

/interface bridge port
add bridge=Bridgehome interface=ether2
add bridge=Bridgehome interface=ether3
add bridge=Bridgehome interface=ether4
add bridge=Bridgehome interface=ether5 comment="trunk type port to AP1"
add bridge=Bridgehome interface=ether6 comment="trunk type port to AP2"
add bridge=Bridgehome interface=ether7 pvid=20 ingress-filtering=yes comment="untrusted users"
add bridge=Bridgehome interface=ether8 pvid=20 ingress-filtering=yes comment="untrusted users"

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome untagged=ether7,ether8 vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10,20

/ip pool
add name=DHCP-home ranges=192.168.0.100-192.168.0.200
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200

/ip address
add address=192.168.0.1/24 interface=Bridgehome network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1

/ip dhcp-server
add address-pool=DHCP-home disabled=no interface=Bridgehome lease-time=7d name=Home_Server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=7d name=DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=7d name=DHCP-vlan20

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For WIFI, I am going to use one radio for the trusted house users.
I am going to use the second radio for guest WIFI (vlan10).
I am going to create a virtual AP from the second radio for untrusted WIFI (vlan20).
(Repeat for the second AP, but use different naming conventions so you don't get confused.)
Access Point Config:

/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes

/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guests vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20

/interface bridge port
add bridge=BridgeAP1-Port5 interface=ether2 comment="assuming wired from Router"
add bridge=BridgeAP1-Port5 interface=RadioA comment="will be your personal wifi"
add bridge=BridgeAP1-Port5 interface=RadioB1 comment="will be for vlan10 - guests"
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2 comment="will be for vlan20 - untrusted"

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether2,RadioA,RadioB1,VirtualRadioB2 vlan-ids=10,20

/interface wireless
# assuming a 2 radio device
set [ find default-name=wlan1 ] band=Xghz-b/gn/ac? country=? disabled=no \
    distance=indoors frequency=? mode=ap-bridge name=RadioA \
    security-profile=family_profile ssid=HouseWifi \
    wireless-protocol=802.11 wps-mode=disabled

set [ find default-name=wlan2 ] band=xghz-? country=? disabled=no \
    distance=indoors frequency=? mode=ap-bridge name=RadioB1 \
    security-profile=guest_profile ssid=Guest_Wifi vlan-id=10 \
    vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled

add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
    master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
    security-profile=untrusted_profile ssid=Untrusted-wifi vlan-id=20 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

@anav
Fixed my typos.
No problem using the same DNS server IP for all nets.

Thanks to all for your help, I will try the config from anav today; especially the wifi part looks very interesting and I hope I can make it run.

This part by @anav is not as secure as it might seem:

The conceptual problem with the highlighted configuration statement is that all mentioned interfaces will be, from the bridge's point of view, members of both VLANs. Which leaves proper VLAN separation to be done by the individual bridge members, but those AFAIK don't do egress filtering. So the proper configuration would have two lines:

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether2,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether2,VirtualRadioB2 vlan-ids=20

And, to be on the safe side, add vlan-mode=no-tag to the rest of the settings for RadioA … the command is used to change settings and you don't want vlan-mode to keep a different setting from the previous config.

So I tested the configuration. A big thanks to anav, but I have some questions and I have problems getting the WLAN to run.

The VLAN configuration for the ports of the router works: the trusted ports now get a 192.168.0.x IP, untrusted a 192.168.20.0, and ports 5 and 6 (where the APs are connected) get 192.168.0.x.

The APs also get a 192.168.0.x.
When I connect to the HouseWifi I get a 192.168.0.x. This works.
But when I connect to the Guest I get no IP.
The Untrusted wifi connects briefly and then kicks me.

Here are the Configs in the GUI
https://ibb.co/FzgCtMh
https://ibb.co/jbgFxYb
https://ibb.co/CstHQFs

If you need other information just ask, I will do my best.

I changed the /interface bridge vlan like in the comment from mkx, but it makes no difference; I get no IP in the guest wifi and it disconnects me immediately from the untrusted wifi.

This part on main router IMHO also needs a change:

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome untagged=ether7,ether8 vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10,20

Change it to

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 untagged=ether7,ether8 vlan-ids=20

In case you won't be able to get it working, create an export of the configuration (open a terminal window from Winbox and run the command /export hide-sensitive) and paste it here in a code environment (the same as my suggestion about configuration above). Do it on both the main router and on the AP; it's not entirely clear which device is the showstopper.

Much thanks MKX,
I will admit I was a bit unsure on that /interface bridge vlan setting, as I wasn't quite sure how to deal with no untagged members, like on a standard switch.
In other words, not sure how the MikroTik APs handle the equivalent of (bridge port pvid=10, ingress-filtering=yes).
I thought it was correct to set the AP radio to Vlan=tag due to this ref:
https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

I also now see the blunder of putting both VLANs 10,20 on the same bridge rule…
To me what you have is a more accurate approximation of what we do for untagging on switches and keeps the VLANs apart in the mind of the bridge (yes it's alive :wink:)

Awesome, I see where I went wrong here… one must be careful on a per VLAN basis on how to assign bridge tagging and untagging.
I am trying to combine in the wrong way.

From what I have learned here, to not get into any problems, make one line for each VLAN.
Even if you can add more VLANs to one Bridge VLAN, it's better to avoid it to not get into problems.

:slight_smile:

So my setup on my capAC is as follows
/interface vlan
add interface=bridgeHallway name=Guests_WIFI-v200 vlan-id=200
add interface=bridgeHallway name=Wifi_SDevices_cap2 vlan-id=45

RadioA - is my Devices Radio (uses vlan45)
RadioB - is my House Wifi
VirtualRadioB - is my guest-wifi (uses vlan200)

/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf interface=ether2
add bridge=bridgeHallway comment=defconf interface=DevicesHallway
add bridge=bridgeHallway comment=defconf interface=Hallway5G
add bridge=bridgeHallway interface=VisitorWIFI trusted=yes
/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,VisitorWIFI,ether1 vlan-ids=45,200

Are you saying my capAC bridge rule should be…

/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,ether1 vlan-ids=45
add bridge=bridgeHallway tagged=bridgeHallway,VisitorWIFI,ether1 vlan-ids=200

???

NEXT QUESTION = no tag
How else do we tell the capAC to apply vlan tags to the incoming packets from devices using that radio? How else do we tell the capAC to do ingress-filtering and strip the packets when egressing the radio back to the device???

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=canada disabled=no \
    distance=indoors frequency=2442 mode=ap-bridge name=DevicesHallway \
    security-profile=devices_only ssid=Remotedevices vlan-id=45 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-Ceee country=canada disabled=no mode=ap-bridge name=Hallway5G \
    security-profile=Hallway_wifi ssid=HouseSmartPhones wireless-protocol=\
    802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
    master-interface=Hallway5G multicast-buffering=disabled name=VisitorWIFI \
    security-profile=HouseGuestsSecurity ssid=Guests  vlan-id=200 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

What I'd experiment with is to remove the bridgeHallway “port” from the list of VLAN members if the RB itself doesn't have any role in it. Rationale: with HW-centric VLAN configuration, switchX-cpu had to be a member of the VLAN group if there was a wifi interface member of the same VLAN (otherwise the RB's CPU did not see the traffic of that VLAN). With the modern bridge implementation, having all ether ports and wlan interfaces members of the same bridge, I guess that adding the bridge itself to the list of member ports is actually adding the “port personality” … and if there's no VLAN interface on the bridge port, the bridge port doesn't have to be a member of the VLAN port members …

VLANs on wireless are different than on ethernet. The wireless standard does not say much (or even anything) about VLANs, hence wlan ports can only be access ports (not trunk nor hybrid). So the settings on the wifi interface, the way @anav has it, are the way to go. It's the same as setting pvid on an ether port and setting the same ether port as an untagged member of the VLAN on the bridge. Just make sure the VLAN settings on the corresponding bridge match the settings on wifi … and wifi should be a tagged member of the VLAN on the bridge.

Well, the above is not “whole truth and nothing but the truth” (and God doesn’t help me here). If wifi is used as a PtP or PtMP, then it can be configured to carry VLAN-tagged frames. In this case it behaves as a dumb switch and both sides have to be configured for proper ingress filtering.
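An added checker (not code from the thread or from MikroTik) for the two rules above: a wlan with vlan-mode=use-tag should be a bridge VLAN member of exactly its own vlan-id, and a no-tag wlan should not be in the VLAN table at all. It parses the constructed BEFORE/AFTER exports below, which are modelled on the AP config discussed here; names like BridgeAP1 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the AP config discussed in this thread: a single
# "/interface bridge vlan" line makes every interface a member of VLANs 10 and 20.
BEFORE = """
/interface bridge vlan
add bridge=BridgeAP1 tagged=BridgeAP1,ether2,RadioA,RadioB1,VirtualRadioB2 vlan-ids=10,20
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge name=RadioA vlan-mode=no-tag
set [ find default-name=wlan2 ] mode=ap-bridge name=RadioB1 vlan-id=10 vlan-mode=use-tag
add master-interface=RadioB1 name=VirtualRadioB2 vlan-id=20 vlan-mode=use-tag
"""
# Same device with one bridge VLAN entry per VLAN, as suggested above (constructed).
AFTER = """
/interface bridge vlan
add bridge=BridgeAP1 tagged=BridgeAP1,ether2,RadioB1 vlan-ids=10
add bridge=BridgeAP1 tagged=BridgeAP1,ether2,VirtualRadioB2 \\
    vlan-ids=20
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge name=RadioA vlan-mode=no-tag
set [ find default-name=wlan2 ] mode=ap-bridge name=RadioB1 vlan-id=10 vlan-mode=use-tag
add master-interface=RadioB1 name=VirtualRadioB2 vlan-id=20 vlan-mode=use-tag
"""

def expand_vlan_ids(spec):
    """RouterOS vlan-ids syntax: '10,20-22' -> {10, 20, 21, 22}."""
    ids = set()
    for part in filter(None, spec.split(",")):  # tolerate a trailing comma
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_export(export):
    """Return (VLAN ids per bridge member interface, wireless settings by name)."""
    export = re.sub(r"\\\n\s*", " ", export)  # join lines an export continues with '\'
    members, wifi, section = defaultdict(set), {}, None
    for line in (ln.strip() for ln in export.splitlines()):
        if line.startswith("/"):
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if section == "/interface bridge vlan" and "vlan-ids" in kv:
            for key in ("tagged", "untagged"):
                for iface in filter(None, kv.get(key, "").split(",")):
                    members[iface] |= expand_vlan_ids(kv["vlan-ids"])
        elif section == "/interface wireless" and "name" in kv:
            wifi[kv["name"]] = kv
    return members, wifi

def find_vlan_leaks(export):
    """List (wlan, vlan ids) where the bridge VLAN table makes a wlan a member of
    VLANs beyond the single one its vlan-id/vlan-mode=use-tag setting handles."""
    members, wifi = parse_export(export)
    leaks = []
    for name, cfg in wifi.items():
        # a use-tag wlan belongs to exactly its vlan-id (RouterOS default 1); no-tag to none
        own = {int(cfg.get("vlan-id", "1"))} if cfg.get("vlan-mode") == "use-tag" else set()
        extra = sorted(members.get(name, set()) - own)
        if extra:
            leaks.append((name, extra))
    return leaks
```

Run it over the output of /export hide-sensitive from the AP: the single-line form reports all three radios, the per-VLAN form reports nothing.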

Hello MKX, I changed the bridge VLAN, but I still have the same problems with the AP.

I'm very happy to see that someone cares about making my config run; if we really get it to work I will make my own how-to thread with the config and a graphic, to help others who are also not so good with networks like I am and want a home LAN like this.

Here is the config of the router:

/interface bridge
add name=Bridgehome vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=Bridgehome name=VLAN10 vlan-id=10
add interface=Bridgehome name=VLAN20 vlan-id=20
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-home ranges=192.168.0.100-192.168.0.200
add name=DHCP-vlan10 ranges=192.168.10.0-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.0-192.168.20.200
/ip dhcp-server
add address-pool=DHCP-home disabled=no interface=Bridgehome lease-time=1w name=\
    Home_Server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=1w name=\
    DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=1w name=\
    DHCP-vlan20
/interface bridge port
add bridge=Bridgehome interface=ether2
add bridge=Bridgehome interface=ether3
add bridge=Bridgehome interface=ether4
add bridge=Bridgehome interface=ether5
add bridge=Bridgehome interface=ether6
add bridge=Bridgehome ingress-filtering=yes interface=ether7 pvid=20
add bridge=Bridgehome ingress-filtering=yes interface=ether8 pvid=20
/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 untagged=ether7,ether8 \
    vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10
/interface list member
add interface=Bridgehome list=Lan
add interface=VLAN10 list=Lan
add interface=VLAN20 list=Lan
add interface=ether1 list=Wan
/ip address
add address=192.168.0.1/24 interface=Bridgehome network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Vienna
/system routerboard settings
set silent-boot=no