VLAN filtering and InterVLAN-routing

I set up my VLAN according to this: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.233_.28InterVLAN_Routing_by_Bridge.29

I have three VLANs: one for management, one for guests and one for IoT devices. My bridge has PVID 200, as have all the devices connected to the router and my Unifi AP. The IoT devices have PVID 50, and the guests have PVID 100.

Now I want to let my Home Assistant server have access to my IoT devices. How do I do this? I’ve tried setting up firewall rules with my management interface as “in interface”, and my IoT interface as “out interface”, but I still can’t communicate with my IoT devices.

Config:

/interface bridge
add name=bridge pvid=200 vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan_50_IoT vlan-id=50
add interface=bridge name=vlan_100_guest vlan-id=100
add interface=bridge name=vlan_admin vlan-id=200

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=200
add bridge=bridge comment=defconf interface=ether3 pvid=200
add bridge=bridge comment=defconf interface=ether4 pvid=200
add bridge=bridge comment=defconf interface=ether5 pvid=200
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10 pvid=200
add bridge=bridge comment=defconf interface=sfp1

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,ether10 vlan-ids=200
add bridge=bridge tagged=bridge,ether10 vlan-ids=50,100

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=vlan_50_IoT out-interface=ether1

Read this excellent reference on vlans and adjust config accordingly.
Right off the bat I would not apply a subnet to the bridge itself and I would not use a vlan on the bridge either.
Just leave the default pvid=1 setting for your bridge.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Once you have rejigged your config, repost the latest here.

Thank you so much! My network works as intended now, I just have to figure out port forwarding, since that doesn’t work now. My PiHole DNS and the Avahi-reflector are kind of working, but Google Cast and Spotify Connect do not work. It discovers the Google Cast device, but I can’t connect to it.

Edit: Google Cast is now working, I had to add this rule, still have to figure out how to get Spotify Connect working across VLANs:

add action=accept chain=forward comment="Give all VLAN-devices access to Shield device" dst-address=10.0.0.25 in-interface-list=VLAN

Edit 2, added firewall rule to accept connections DSTNATed:

add action=accept chain=forward comment="Accept all DSTNATed" connection-nat-state=dstnat in-interface=ether1

I don’t know if this is the best way to do it, but I set my UnRAID computer with the PiHole VM as tagged, because the PiHole has 3 network interfaces, two of which are tagged as VID 50 and 100 and the other one untagged. Also my Unifi AP has 3 SSIDs, two of which are tagged as VID 50 and 100.

Should I use the switch chip for VLAN, when I have a RB3011?

Config:

# mar/24/2019 11:10:59 by RouterOS 6.44.1
# model = RouterBOARD 3011UiAS

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=Base_VLAN vlan-id=99
add interface=BR1 name=VLAN_50_IoT vlan-id=50
add interface=BR1 name=VLAN_100_guest vlan-id=100
add interface=BR1 name=VLAN_200_mng vlan-id=200

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN

/ip pool
add name=dhcp ranges=10.0.1.100-10.0.1.254
add name=Pool_mng ranges=10.0.0.100-10.0.0.254
add name=Pool_guest ranges=10.0.100.10-10.0.100.50
add name=Pool_IoT ranges=10.0.50.10-10.0.50.100

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=Pool_mng disabled=no interface=VLAN_200_mng name=DHCP_mng
add address-pool=Pool_guest disabled=no interface=VLAN_100_guest name=\
    DHCP_guest
add address-pool=Pool_IoT disabled=no interface=VLAN_50_IoT name=DHCP_IoT

/interface bridge port
add bridge=BR1 comment=defconf ingress-filtering=yes interface=ether2 pvid=\
    200
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=200
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=200
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=200
add bridge=bridge comment=defconf interface=ether6
add bridge=BR1 comment=defconf disabled=yes interface=ether7
add bridge=BR1 comment=defconf disabled=yes interface=ether8
add bridge=BR1 comment=defconf disabled=yes interface=ether9
add bridge=BR1 comment=defconf ingress-filtering=yes interface=ether10 pvid=\
    200
add bridge=bridge comment=defconf disabled=yes interface=sfp1

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether3,ether4,ether5,ether10,ether2 \
    vlan-ids=200
add bridge=BR1 comment="Tagged ethernet2 so the Avahi-reflector works, and eth\
    er10 because IoT and guest network are tagged. " tagged=\
    ether10,ether2,BR1 vlan-ids=50,100
	
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Base_VLAN list=VLAN
add interface=VLAN_50_IoT list=VLAN
add interface=VLAN_100_guest list=VLAN
add interface=VLAN_200_mng list=VLAN

/ip address
add address=10.0.1.1/24 comment=defconf interface=ether2 network=10.0.1.0
add address=192.168.0.1/24 interface=Base_VLAN network=192.168.0.0
add address=10.0.0.1/24 interface=VLAN_200_mng network=10.0.0.0
add address=10.0.100.1/24 interface=VLAN_100_guest network=10.0.100.0
add address=10.0.50.1/24 interface=VLAN_50_IoT network=10.0.50.0

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.10,1.1.1.1,8.8.8.8 gateway=10.0.0.1
add address=10.0.1.0/24 comment=defconf gateway=10.0.1.1 netmask=24
add address=10.0.50.0/24 dns-none=yes gateway=10.0.50.1
add address=10.0.100.0/24 dns-server=10.0.0.10,1.1.1.1,8.8.8.8 gateway=\
    10.0.100.1
	
/ip dns
set allow-remote-requests=yes servers=10.0.0.10,1.1.1.1,8.8.8.8

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "InterVLAN routing between mng and IoT-devices" connection-state=new \
    in-interface=VLAN_200_mng out-interface=VLAN_50_IoT
add action=accept chain=forward comment=\
    "Give all VLAN devices access to DNS and Avahi-reflector" dst-address=\
    10.0.0.10 in-interface-list=VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=drop chain=forward comment="Block internet access for IoT devices" \
    in-interface=VLAN_50_IoT out-interface-list=WAN
	
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.20 to-ports=444
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=\
    tcp to-addresses=10.0.0.20 to-ports=32400