VLAN for a newbie

Hello my friends, I need help with my setup!

I’m using an RB2011LS as a central router for a little office with 30 wireless laptops and some automation gadgets over ethernet. I need to create VLANs to separate traffic for my computers and home automation gadgets…

My current config is:

# Exported RouterOS configuration as posted (RB2011 used as the office router).
# Review comments have been added; the commands themselves are unchanged.
/interface bridge
# Two bridges: "bridge vlan 10" holds only ether5, bridge-local holds the other LAN ports.
add l2mtu=1598 name="bridge vlan 10"
add admin-mac=D4:CA:6D:86:95:8C auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
# ether6 is the switch-chip master for ether7-ether10 (the automation ports).
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway speed=100Mbps
/interface vlan
# Tagged (802.1Q) VLAN 10 sub-interface on ether5. NOTE(review): ether5 goes
# to an unmanaged switch (per the post), which does not add VLAN tags, so the
# untagged DHCP requests arriving on ether5 never reach this interface. That
# is the likely reason "DHCP Vlan 10" hands out no leases; the address and
# DHCP server would need to sit on "bridge vlan 10" (or ether5 itself) to
# serve untagged clients.
add interface=ether5 l2mtu=1594 name="vlan 10" vlan-id=10
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
# 3DES is a legacy 64-bit-block cipher; nothing in this export uses IPsec,
# so either leave the default proposal alone or move it to an AES algorithm.
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name="Pool 1" ranges=192.168.88.10-192.168.88.254
add name="Pool Vlan 10" ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
# DHCP1 serves bridge-local; "DHCP Vlan 10" is bound to the tagged "vlan 10"
# interface (see the note under /interface vlan).
add add-arp=yes address-pool="Pool 1" always-broadcast=yes disabled=no \
    interface=bridge-local lease-time=1d name=DHCP1
add add-arp=yes address-pool="Pool Vlan 10" always-broadcast=yes disabled=no \
    interface="vlan 10" lease-time=1d name="DHCP Vlan 10"
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
# ether5 is an untagged member of "bridge vlan 10", while the "vlan 10"
# tagged interface above is attached to ether5 directly, not to that bridge.
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether6-master-local
add bridge="bridge vlan 10" interface=ether5
/ip address
# NOTE(review): 192.168.88.1/24 is assigned to ether2 (a bridge-local port)
# while DHCP1 is bound to bridge-local; normally the address goes on the
# bridge itself. Confirm that hosts on ether3/ether4/ether6 reach the gateway.
add address=192.168.88.1/24 comment="default configuration" interface=ether2 \
    network=192.168.88.0
add address=192.168.10.1/24 interface="vlan 10" network=192.168.10.0
/ip dhcp-client
# Both uplink candidates run a DHCP client; sfp1 is otherwise unused below.
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
# VLAN 10 clients are pointed at a public resolver; the 192.168.88.0/24
# clients use the router's own resolver (allow-remote-requests below).
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
# The router answers DNS queries from clients; the input-chain drop on
# ether1-gateway further down is what keeps this resolver unreachable from
# the uplink side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# The drop for sfp1-gateway is disabled; if sfp1 is ever used as the uplink,
# enable it, otherwise every router service is reachable from that side.
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=sfp1-gateway
# Drops all other traffic addressed to the router from the uplink.
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set api disabled=yes
/ip upnp
# UPnP lets any LAN host (including clients of the open Wi-Fi APs mentioned
# in the post) create inbound port mappings on ether1-gateway; disable it
# unless something on the LAN genuinely needs it.
set enabled=yes
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=bridge-local type=internal
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=ether6-master-local type=internal
/system clock
set time-zone-name=America/Sao_Paulo
/system clock manual
set time-zone=+03:00
/system ntp client
set enabled=yes mode=manycast primary-ntp=200.160.7.186 secondary-ntp=\
    201.49.148.135
/system ntp server
set enabled=yes
/tool mac-server
# The "all interfaces" default entry is disabled and MAC-telnet is re-enabled
# per LAN interface; ether1-gateway and sfp1-gateway are correctly left out.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
# Same pattern for MAC-Winbox: LAN-side interfaces only.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local

I’m trying to create 2 simple subnets… one 192.168.88.1 and the other 192.168.10.1 - it’s a basic system, with 2 DHCP servers: computers are in 192.168.88.1 and gadgets in 192.168.10.1, but my other DHCP subnet doesn’t come up (in my test it is only on ether5)


ether1 = uplink
ether2 = master dhcp server (192.168.88.1) #### ubiquiti unifi
ether3 = on the bridge to ether2 #### ubiquiti unifi
ether4 = on the bridge to ether2 #### ubiquiti unifi
ether5 = goes to another switch (a simple unmanaged switch) and the default vlan10 #### dhcp server (192.168.10.1)

ether6 = master of the fast ethernet and bridged with ether2 #### connected to simple automation hardware
ether7 = slave of ether6 #### simple automation hardware
ether8 = slave of ether6 #### simple automation hardware
ether9 = slave of ether6 #### simple automation hardware
ether10 = slave of ether6 #### simple automation hardware

Can someone help? It’s a simple system; maybe I’ll do a priority subnet later, but for now I need to create 2 VLANs (or subnets) to separate the traffic and the DHCP leases (the wifi APs are open and maybe I’ll exhaust the DHCP leases =D)

thanks in advance

Can you explain what is/is not working? You have a VLAN10 interface on ether5 but it isn’t clear what is producing tagged VLAN10 traffic.

Hello Celtic… thanks for help…

In fact, this example above can be all modified, it’s only a example, so..

Since I entered the MikroTik world, I have never gotten VLANs to work properly; my goal is this configuration (home and SOHO use, not an ISP provider):


The scope of new example config:

ether1 = uplink (for internet isdn modem, pppoe or other connection)
ether2 = Vlan 10
ether3 = Vlan 10
ether4 = Vlan 10
ether5 = Vlan 20

ether6 = Vlan 30
ether7 = Vlan 30
ether8 = Vlan 30
ether9 = Vlan 30
ether10 = Vlan 30

  • 3 DHCP servers (example: Vlan 10 = 10.0.10.1, Vlan 20 = 10.0.20.1, Vlan 30 = 10.0.30.1).
  • All VLANs can see the other VLANs; I’m thinking of VLANs to expand the lease capacity for clients (253+ valid IPs).
  • All VLANs have internet access via NAT masquerade.

I’m using the MikroTik as a simple router, and some laptops or home gadgets plug directly into the MikroTik and not into a switch!

My question is whether you can describe a simple config to teach me the best way to do that…

Thank you

You don’t need vlan to do that. Just use the switch chip and bridges.

I’ll post a config when I get to a computer tonight if someone else doesn’t beat me to it.

Sent from my SCH-I545 using Tapatalk

Here we go…
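# Base config from the reply: three separate layer-3 networks, one per
# switch-chip port group, each on its own bridge with its own DHCP server.
# No 802.1Q tagging is involved. The only change to the commands as posted is
# that the pool names use plain ASCII double quotes: the curly quotes the forum
# rendered are not string delimiters in the RouterOS terminal and would become
# part of the name when pasted.
/interface bridge
add name=bridge-net1
add name=bridge-net2
add name=bridge-net3

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=1Gbps

# net1: ether2 is the switch-chip master, ether3 and ether4 are switched to it.
set [ find default-name=ether2 ] name=ether2-master-net1
set [ find default-name=ether3 ] master-port=ether2-master-net1 name=ether3-slave-net1
set [ find default-name=ether4 ] master-port=ether2-master-net1 name=ether4-slave-net1

# net2: ether5 stands alone (master-port=none clears any earlier master).
set [ find default-name=ether5 ] master-port=none name=ether5-master-net2

# net3: ether6 is the master, ether7-ether10 are its slaves. The slave names
# keep the "-local" suffix from the original export; rename them to "-net3"
# if you want the naming to match net1 (nothing in this snippet references
# those names).
set [ find default-name=ether6 ] name=ether6-master-net3
set [ find default-name=ether7 ] master-port=ether6-master-net3 name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-net3 name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-net3 name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-net3 name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway

/interface bridge port
# Only the master port joins each bridge; the slaves reach it via the switch chip.
add bridge=bridge-net1 interface=ether2-master-net1
add bridge=bridge-net2 interface=ether5-master-net2
add bridge=bridge-net3 interface=ether6-master-net3

/ip pool
# Each pool starts at .2 so .1 stays free for the router address below.
add name="Network1" ranges=192.168.1.2-192.168.1.254
add name="Network2" ranges=192.168.2.2-192.168.2.254
add name="Network3" ranges=192.168.3.2-192.168.3.254

/ip dhcp-server
# One server per bridge. NOTE(review): add-arp=yes only ties clients to their
# leased MAC/IP when the bridge's arp mode is reply-only; with the default
# arp mode it is informational only.
add add-arp=yes address-pool="Network1" always-broadcast=yes disabled=no interface=bridge-net1 lease-time=1d name=DHCPNetwork1
add add-arp=yes address-pool="Network2" always-broadcast=yes disabled=no interface=bridge-net2 lease-time=1d name=DHCPNetwork2
add add-arp=yes address-pool="Network3" always-broadcast=yes disabled=no interface=bridge-net3 lease-time=1d name=DHCPNetwork3

/ip address
# Router address on the bridge itself, not on a member port.
add address=192.168.1.1/24 interface=bridge-net1 network=192.168.1.0
add address=192.168.2.1/24 interface=bridge-net2 network=192.168.2.0
add address=192.168.3.1/24 interface=bridge-net3 network=192.168.3.0

/ip dhcp-server network
# Clients resolve DNS through the router, which requires
# "/ip dns set allow-remote-requests=yes" (present in the earlier export) and
# the input-chain drop on ether1-gateway so the resolver is not reachable from
# the uplink. No /ip firewall or NAT rules are included here: keep the srcnat
# masquerade on ether1-gateway and the input drops from the earlier export,
# and add forward-chain rules between the bridges if the three networks are
# meant to be isolated from each other rather than routed freely.
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1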
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1

Use this as a base. You don’t actually need VLANs… you can just segregate things using the switch chip and the bridges, and use the firewall to block/allow whatever you want.

Thank you in advance! I’ll try and back soon

Nice!!! I guess it’s working!!

Thanks efaden!!

When is a VLAN the best practice? Only when I need to reduce traffic between networks?

You only really need VLANs if you need to send more than one network across a given interface at a time… (at least in mikrotik land). An example being something like a trunk port.

And when I say VLAN I’m generally referring to 802.1Q standard VLAN tagging. What you’re doing is really just separate networks.

Sent from my SCH-I545 using Tapatalk