VLAN - help with setting up

Hello all Mikrotik enthusiasts, I would like to turn to you in moments of utmost need :smiley: and after many attempts at setup. As you may already know from the title, I need help with setting up VLANs. I have tried many videos and done many tests but am still unsuccessful.
Both old and new tutorials were involved.

So to the point, I am now using these three wonderful devices:
Mikrotik-RB5009Pr+S+IN (main router, PPPoE connection)
Mikrotik-CRS112-8P-4S-IN (switch connected to the router via SFP+)
Mikrotik-cAP ax (Main Wi-Fi, CAps)

Local Setup (LAN):
10.0.0.0 / 8 (DHCP)

Router: 10.0.0.1 (PPPoE Eth1) [version → 7.14]
Switch: 10.0.0.2 (Router SFP+ → SFP 9) [version → 6.49.13]
Wi-Fi (cAP ax): 10.0.0.3 (Router Eth8 → Eth1) [version → 7.14]

I set all the devices I have in my home to a fixed IP address but I would also like to put them in a VLAN so I can then set individual rules for the groups.

The VLAN should be as follows:
VLAN 1 - 10.1.0.0/8 (Router and Switch / Cameras)
DHCP 1 - 10.1.0.1-10.1.0.254
VLAN 2 - 10.2.0.0/8 (All connections from Switch)
DHCP 2 - 10.2.0.1-10.2.0.254
VLAN 3 - 10.3.0.0/8 (Wi-Fi Devices / Mobiles)
DHCP 3 - 10.3.0.1-10.3.0.254
VLAN 4 - 10.4.0.0/8 (Wi-Fi devices / IoT )
DHCP 4 - 10.4.0.1-10.4.0.254
VLAN 5 - 10.5.0.0/8 (Router / Servers Eth3, Eth4)
DHCP 5 - 10.5.0.1-10.1.255.254
VLAN 6 - 10.6.0.0/8 (Wi-Fi devices / laptops)
DHCP 6 - 10.6.0.1-10.6.0.254

Do I have to set all this up from the terminal or is the Winbox application sufficient ?
I have currently tried the following tutorials →

https://www.youtube.com/watch?v=4Z32oOPqCqc&t=984s
https://www.youtube.com/watch?v=3QKSQepqZac
https://www.youtube.com/watch?v=US2EU6cgHQU
https://www.youtube.com/watch?v=4BOYqtV4MCY

No matter how I tried, I always died at the point where the individual devices were still connecting to the basic configuration / bridge, but no access to the outside (WAN) was working at all.
Yes, I have also visited the documentation from Mikrotik, but I am not very wise from it; it shows more on the terminal than using Winbox.

If you need more information I’ll be happy to provide if you say which ones and how to get them :slight_smile:

Winbox is fine for setting up VLANs.

Strongly suggest avoiding VLAN 1. Many devices treat VLAN 1 as something special (usually without telling you).

Please don’t post screen captures to show your configuration. Export and post your configuration.
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

The VLAN should be as follows:
VLAN 1 - 10.1.0.0/8 (Router and Switch / Cameras)
DHCP 1 - 10.1.0.1-10.1.0.254
VLAN 2 - 10.2.0.0/8 (All connections from Switch)
DHCP 2 - 10.2.0.1-10.2.0.254
VLAN 3 - 10.3.0.0/8 (Wi-Fi Devices / Mobiles)
DHCP 3 - 10.3.0.1-10.3.0.254
VLAN 4 - 10.4.0.0/8 (Wi-Fi devices / IoT )
DHCP 4 - 10.4.0.1-10.4.0.254
VLAN 5 - 10.5.0.0/8 (Router / Servers Eth3, Eth4)
DHCP 5 - 10.5.0.1-10.1.255.254
VLAN 6 - 10.6.0.0/8 (Wi-Fi devices / laptops)
DHCP 6 - 10.6.0.1-10.6.0.254

Problem right there. You are defining each of your IP ranges as /8. That means all of your ranges as defined are all 10.0.0.0 - 10.255.255.255. Based on what you are showing for the IP ranges, it would appear that you really are aiming for /16 address ranges. Do you REALLY need 64K addresses in each VLAN?

Hello archmatts,

Sorry for the long answer.

Let’s start with VLANs.

VLAN 0 and 4095 are reserved for other purposes according to the RFC.

You got a good suggestion in that VLAN 1 should be avoided. The explanation for this is a bit more involved. Cisco in their very popular and excellent Catalyst switches treated this as special, and many - but not all - manufacturers of switch chips copied this design decision. If you introduce at any point a switch that uses such a chip into your network, you’re looking at hours of fun trying to understand why your network does not behave as it should. What adds to the fun is that it is usually not apparent from either the datasheet or manual of the product what their behavior is with relation to VLAN 1. (Cisco at least documented it thoroughly.)

As to IP allocations, let’s start with the RFC1918 ranges. There are three of them:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

There is a convention as to their uses. This is not specified in any standard, but they are usually observed by network engineers all over the world.
192.168 region is used for home / small office networks
172.16-31 is used for VPN connections
10 is used by large organizations - I mean several hundred employees / devices spread over tens of locations, which they all want to interconnect.

If I understand your use case correctly, you should use the 192.168 region.

Your IP numbering is simply wrong - and as stated will not work at all. This is my suggestion:

VLAN 20
subnet: 192.168.152.0/24
DHCP region: 192.168.152.11-192.168.152.253

VLAN 30
subnet: 192.168.153.0/24
DHCP region: 192.168.153.11-192.168.153.253

VLAN 40
subnet: 192.168.154.0/24
DHCP region: 192.168.154.11-192.168.154.253

(and so on)

The reason I suggest using the 11-253 region for DHCP in each of them:

  1. Usually either .1 or .254 is the gateway (the address of the router on the subnet.) In fact you didn’t leave a single address for gateway.
  2. I usually like static addresses for routers, switches and other network devices. This configuration leaves you with at least 10 addresses for this purpose. (I like static configurations, because if something doesn’t work and you need to troubleshoot, then it is quite a lot easier to do it if your network devices have static configurations and are reachable by IP. Otherwise quite often you have to take them out of the rack/cabinet/top of the shelf and that is simply a pain.)

Best of luck.

No, I don’t need to, but it’s also part of my personal training, I just want to re-select every type of device on the network :slight_smile: so I need to learn and find out the many options :slight_smile: , yes it’s not necessary but I just want it :smiley:

And for the answer: I tried it the first time with a /16 or /24 mask but had the same results then, so I gave /8 a try in case something happened, and just posted it as an example of my last try :smiley:
Thank you for your time and support :slight_smile:

I didn’t know that, I learn something new every day, thank you. Next time I’ll be much more careful about safety, it was midnight and I was ready for bed so I didn’t have time to blur what I should have :confused:

Hell yeah ! :smiley: No need to apologize for the long post. For me it’s better to get an explanation of what’s going on and what’s not. I’m familiar with the ip range and its uses as you wrote, I just like the last option for large companies because you have the options of splitting it into multiple and thus for me to remember, for my use it would really be enough to use the range for home networks but I just don’t like the numbers :smiley: :smiley: Just a personal thing but I’ll give it a try :slight_smile:

Yes there will be endless torment and stress for my girlfriend as to why the internet is not working but ! somewhere you have to learn and I have tried on virtual machines before only it’s not the same, the reality is different then.

I didn’t know that, I learn something new every day, thank you. Next time I’ll be much more careful about safety,

Safety is not so much the issue - although there are a few things not to make public. The far bigger issue is that trying to read a bunch of screen captures is very often hard to read and secondly often omits important data. Please export and post your config as instructed above.

You are absolutely free to choose which range to use. :slight_smile: I was just referring to what’s usual. There is no standard to adhere to here.

The bigger problem, and what I was trying to illustrate is this: The subnets must have IP ranges that do not overlap.

Now, 10.0.0.0/8 means: all addresses, whose first 8 bits match this pattern. Only the first 8 bits are relevant, therefore it is customary to give 0 for the other bits. (Although many routers will happily accept any form, nevertheless only the first 8 bits are relevant.)

It follows then that 10.1.0.0/8 is canonically written as 10.0.0.0/8. As is 10.2.0.0/8 written as 10.0.0.0/8. Both subnets have the exact same IP range. This is not correct and will not work.

If you wish to distinguish between the two ranges, you can write - for example - 10.1.0.0/16 and 10.2.0.0/16. Here the /16 means that the first 16 bits are meaningful (in that they are matched), and therefore you have two distinct IP ranges which do not overlap. Now this will work.

This notation btw is called CIDR notation and if you are still unsure, you will find countless resources on the web explaining the concept. For this the standards document is RFC 1519 - though these are not so useful for learning, rather as a reference.
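To make the two points above concrete (the /8 overlap archmatts pointed out, and the gateway address that was left with no room in the DHCP pool), here is a small added Python check, not something from the thread or from MikroTik. It uses only the standard `ipaddress` module; the VLAN plans and pool values are constructed from the numbers posted earlier in the thread.

```python
import ipaddress

# Constructed sample plan as posted: subnets written as /8, which all
# collapse to 10.0.0.0/8 once the host bits are masked off.
PLAN_AS_POSTED = {
    "VLAN 1": "10.1.0.0/8",
    "VLAN 2": "10.2.0.0/8",
    "VLAN 3": "10.3.0.0/8",
}

# The same plan with the prefix length the poster evidently intended.
PLAN_CORRECTED = {
    "VLAN 1": "10.1.0.0/16",
    "VLAN 2": "10.2.0.0/16",
    "VLAN 3": "10.3.0.0/16",
}


def canonical(cidr: str) -> str:
    """Canonical network address for a CIDR string.

    strict=False accepts 10.1.0.0/8 (host bits set) and zeroes them, which is
    what a router does when it only looks at the first 8 bits.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def overlapping_pairs(plan: dict) -> list:
    """Every pair of VLAN names whose subnets share at least one address."""
    names = list(plan)
    nets = {n: ipaddress.ip_network(plan[n], strict=False) for n in names}
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def pool_problems(subnet: str, gateway: str, pool_start: str, pool_end: str) -> list:
    """Sanity-check a DHCP pool against its subnet and the gateway address."""
    net = ipaddress.ip_network(subnet, strict=False)
    gw = ipaddress.ip_address(gateway)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    problems = []
    if gw not in net:
        problems.append("gateway outside subnet")
    if lo not in net or hi not in net:
        problems.append("pool extends outside subnet")
    if lo > hi:
        problems.append("pool start is after pool end")
    if lo <= gw <= hi:
        problems.append("gateway address lies inside the DHCP pool")
    return problems


if __name__ == "__main__":
    print("as posted:", {k: canonical(v) for k, v in PLAN_AS_POSTED.items()})
    print("overlaps :", overlapping_pairs(PLAN_AS_POSTED))
    print("corrected:", overlapping_pairs(PLAN_CORRECTED))
    print("pool     :", pool_problems("10.1.0.0/8", "10.1.0.1", "10.1.0.1", "10.1.0.254"))
```

Running it shows all three posted subnets canonicalising to 10.0.0.0/8 and therefore overlapping pairwise, while the /16 version has no overlaps; the pool check flags that the .1 gateway sits inside the posted 10.1.0.1-10.1.0.254 range, which is the gateway point from the numbered list above.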

Yes, I know, and thank you for your help.
I had time to play with it again today and got the result finally :smiley:.

I changed the IP range completely → 192.168.0.0/16
Hold I copied the original network design I had laid out and redid only the addressing.

According to the previous communication, I also changed the VLAN numbering
Now I have the VLANs as follows:

VLAN10
192.168.10.0/24
Gateway: 192.168.10.1
DHCP: 192.168.10.10-192.168.10.254

VLAN20
192.168.20.0/24
Gateway: 192.168.20.1
DHCP: 192.168.20.10-192.168.10.254

and so on, up to 70 for a total of 7 VLANs, but currently I’m going to figure out how to make some VLANs see others/can communicate together and some not at all.
Currently I can see the device / can communicate with it if we are in the same VLAN.
But I would need for example VLAN10 to communicate with VLAN30 bilaterally but for example VLAN10 with VLAN20 only unidirectionally.

I greatly appreciate your reply and thank you very much for your help.

Congrats! You’re done with the first step.

The next step - as you have correctly realized - is setting up the firewall correctly.

By default (if there are no filter rules) the router will route whatever it can. It’s eager in that way.

There are many ways to set up a correct firewall; and unfortunately many more to do so incorrectly.

Some try to write rules that block unwanted traffic, and some block all traffic by default and only allow what is explicitly specified.

For home and corporate networks (of any size) I strongly believe that only the second one is acceptable.

This means that the last rule in both the input and forward chains should be to drop all:
/ip/firewall/filter
add chain=input action=drop
add chain=forward action=drop

Of course if we only have these, then everything gets dropped. To get started, I would suggest that for the while that you are configuring things, you set up a port (I usually use the last port) as an “admin” port, from which everything is allowed. Let’s say it’s ether7.

Make sure that that port is not part of a bridge.

Then our rules will look like this:
add chain=input in-interface=ether7 action=accept
add chain=input action=drop
add chain=forward in-interface=ether7 action=accept
add chain=forward action=drop

Actually, if you really want to understand things, then this is where I would start out from.

The next natural rule that we add is to allow established connections to continue. For example you wrote “VLAN10 to VLAN20 only unidirectionally” - surely here you meant that if someone from VLAN10 makes a request to someone in VLAN20, then it may answer: that is what we mean by allowing established connections.

Now we are here:
add chain=input in-interface=ether7 action=accept
add chain=input action=accept connection-state=established,related
add chain=input action=drop
add chain=forward in-interface=ether7 action=accept
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop

If we want to allow for example VLAN10 to make DNS queries we do it in the following way. (DNS uses port 53, both UDP and TCP.) This is traffic destined for the router, therefore we use the input chain.

add chain=input in-interface=ether7 action=accept
add chain=input action=accept connection-state=established,related
add chain=input protocol=udp dst-port=53 src-address=192.168.10.0/24 action=accept
add chain=input protocol=tcp dst-port=53 src-address=192.168.10.0/24 action=accept
add chain=input action=drop
add chain=forward in-interface=ether7 action=accept
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop

This should be repeated for all traffic.

However let’s assume that you also want VLAN20, or probably all of your VLANs to have access to DNS. We can of course repeat these two rules 7 times, but well that’s just daunting.

A more appropriate solution is to create an address list of who is allowed to access DNS, let’s call it dns-allowed. Populate it appropriately, and then use that in our rules:

add chain=input in-interface=ether7 action=accept
add chain=input action=accept connection-state=established,related
add chain=input protocol=udp dst-port=53 src-address-list=dns-allowed action=accept
add chain=input protocol=tcp dst-port=53 src-address-list=dns-allowed action=accept
add chain=input action=drop
add chain=forward in-interface=ether7 action=accept
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop

Now for this to be a correct example, we have to add two rules that do not follow this pattern. One for the DHCP server, and one for loopback. I will not explain these in detail. It’s also considered well-mannered to reply to ICMP messages.

add chain=input in-interface=ether7 action=accept
add chain=input action=accept connection-state=established,related
add chain=input in-interface=lo action=accept
add chain=input protocol=icmp action=accept
add chain=input protocol=udp dst-port=67 in-interface-list=LAN action=accept
add chain=input protocol=udp dst-port=53 src-address-list=dns-allowed action=accept
add chain=input protocol=tcp dst-port=53 src-address-list=dns-allowed action=accept
add chain=input action=drop
add chain=forward in-interface=ether7 action=accept
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop

This is a working configuration. Play with these.

After you are familiar with these concepts, the next step is to configure VLAN-to-VLAN communication. For this first you have to actually know what you want. Draw a table for yourself labelling the rows with your networks (WAN, VLAN10, VLAN20, …) and the columns as well. For any communication that you wish to permit from the interface in a given row to the interface in a given column, put an X.

If you have this plan, then you can create (for example) an address list for each of your VLANs (WAN-allowed, VLAN10-allowed, VLAN20-allowed, …) and, replicating the example for DNS, specify a rule for them. Just as a reminder, this is traffic that the router forwards, so the forward chain will be used; and of course we don’t only wish to allow TCP and UDP but any protocol, so the protocol field will be omitted.

Have fun!
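Since the post above walks through the default-drop pattern and then the row/column permission table, here is an added Python model of that reasoning (my own, not from the thread or from RouterOS). It evaluates a rule list first-match, the way the filter chains do, with "no match = accept" to show why the final drop rules matter; it builds the forward chain from a set of (source VLAN, destination VLAN) pairs, i.e. the X marks in the table, and renders the result back as RouterOS CLI lines. Field names are my shorthand for the RouterOS properties used in the post; the VLAN subnets, the dns-allowed list contents and the sample packets are constructed, and the DHCP rule is simplified to udp/67 without the interface list.

```python
import ipaddress

ADMIN_PORT = "ether7"  # the "admin" port from the post, not in any bridge

# Constructed VLAN plan following the numbering the poster settled on.
VLANS = {
    "VLAN10": "192.168.10.0/24",
    "VLAN20": "192.168.20.0/24",
    "VLAN30": "192.168.30.0/24",
}

# Address lists referenced by rules; dns-allowed is the name used in the post.
ADDRESS_LISTS = {"dns-allowed": list(VLANS.values())}


def rule(chain, action, **match):
    return {"chain": chain, "action": action, "match": match}


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def matches(r, pkt, lists):
    """Every match condition present on the rule must hold for the packet."""
    m = r["match"]
    checks = {
        "in_interface": lambda v: pkt.get("in_interface") == v,
        "state": lambda v: pkt.get("state") in v,
        "protocol": lambda v: pkt.get("protocol") == v,
        "dst_port": lambda v: pkt.get("dst_port") == v,
        "src_list": lambda v: _in_any(pkt["src"], lists[v]),
        "src_net": lambda v: _in_any(pkt["src"], [v]),
        "dst_net": lambda v: _in_any(pkt["dst"], [v]),
    }
    return all(checks[k](v) for k, v in m.items())


def evaluate(rules, pkt, lists=ADDRESS_LISTS):
    """First matching rule in the packet's chain decides. With no match the
    packet is accepted, which is the eager default the post warns about."""
    for r in rules:
        if r["chain"] == pkt["chain"] and matches(r, pkt, lists):
            return r["action"]
    return "accept"


def input_rules():
    """The post's final input chain (DHCP simplified to udp dst-port 67)."""
    est = ("established", "related")
    return [
        rule("input", "accept", in_interface=ADMIN_PORT),
        rule("input", "accept", state=est),
        rule("input", "accept", in_interface="lo"),
        rule("input", "accept", protocol="icmp"),
        rule("input", "accept", protocol="udp", dst_port=67),
        rule("input", "accept", protocol="udp", dst_port=53, src_list="dns-allowed"),
        rule("input", "accept", protocol="tcp", dst_port=53, src_list="dns-allowed"),
        rule("input", "drop"),
    ]


def forward_rules(allowed):
    """Forward chain from the permission table: a set of (row, column) VLAN
    pairs that got an X. Replies flow back via the established,related rule,
    so VLAN10 -> VLAN20 alone gives exactly the one-way access asked for."""
    est = ("established", "related")
    rules = [rule("forward", "accept", in_interface=ADMIN_PORT),
             rule("forward", "accept", state=est)]
    for src, dst in sorted(allowed):
        rules.append(rule("forward", "accept", src_net=VLANS[src], dst_net=VLANS[dst]))
    rules.append(rule("forward", "drop"))
    return rules


def to_routeros(rules):
    """Render the model as RouterOS CLI lines in the post's style."""
    names = {"in_interface": "in-interface", "protocol": "protocol",
             "dst_port": "dst-port", "src_list": "src-address-list",
             "src_net": "src-address", "dst_net": "dst-address"}
    lines = ["/ip/firewall/filter"]
    for r in rules:
        parts = [f"add chain={r['chain']}"]
        for k, v in r["match"].items():
            parts.append("connection-state=" + ",".join(v) if k == "state" else f"{names[k]}={v}")
        parts.append(f"action={r['action']}")
        lines.append(" ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    policy = {("VLAN10", "VLAN20"), ("VLAN10", "VLAN30"), ("VLAN30", "VLAN10")}
    print(to_routeros(input_rules() + forward_rules(policy)))
```

The permission set in the `__main__` block encodes the poster's wish list: VLAN10 and VLAN30 talk both ways, VLAN10 reaches VLAN20 but a new connection from VLAN20 to VLAN10 is dropped, while a reply packet in state established is accepted. Feeding the evaluator a packet with an empty rule list returns accept, which is the state the router is in before any filter rules exist.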

Hello friend in arms :slight_smile: , I’ve been up all night fretting and testing but unfortunately unsuccessfully.

I have no idea where I’m currently going wrong even though I’ve moved forward :smiley:, I’m posting the settings as I have them.

I currently need to somehow achieve / learn where the devil is buried :smiley:.

So simply in points:

  1. VLAN10 should access VLAN20 (a basic one that is missing somewhere..)
  2. VLAN20 should not access VLAN10 without initial contact from VLAN10
  3. All VLANs 10-70 have access to DNS say 9.9.9.11 or 1.1.1.1

I have tried the option of disabling even all the preset values in the firewall which reject. I have also tried deleting everything and making only positive accesses between VLANs, but also no response. I have tried different places in the priority ladder and that also did not help, although sometimes I intercepted a request but the machine/server did not respond back, while the VLANs that were not communicating with each other worked without any problem.

Maybe you or someone else knows the answer to my dilemma :smiley:
But a really huge thank you for everything you’ve done for me :slight_smile:
Yggdrasil.rsc (14.1 KB)

So I woke up and tried one more thing, to do it differently: the main router range, which was 192.168.0.0/16, I changed the mask to /24, and then the connection and VLAN / firewall rules work as they should. I think the problem was in the mask, because when I searched 192.168.20.10 (ping) it still tried the /16 mask range … not /24 for the VLAN range.
We’ll see :smiley:

It’s really a new adventure for me and it makes me happy when after many struggles everything works and I know why :smiley:
Yggdrasil_VLAN.rsc (13.9 KB)