VLAN on a single port

I’ve got an RB2011UiAS-2HnD-IN with a server plugged into ether8-slave-local that I would like to segment off from the rest of my network. I want it to be able to talk out to the internet and I’d like to be able to SSH to it from my laptop plugged into a different port (e.g. ether7-slave-local). I was looking at http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 which is fantastic but is over my head; I don’t understand whether I should use a layer 2 or layer 3 VLAN, what a “bridge” is, etc.
I’m looking for:
1 - a very dumbed down explanation for all of these terms
2 - an explanation of what I need to do to reach my goals
Do either of these things exist? You really cannot underestimate my networking skills here, so a youtube video targeted at primary school students would be perfect.

Unfortunately you will have to make an effort, fail, try again and learn; there are no shortcuts.
Before any advice though one needs a complete set of requirements understood, not just one server.
Without the below, you cannot have a realistic plan, and a plan before config is essential.

a. identify all users/devices ( external and internal and admin)
b. identify all the traffic each group requires
c. detail WANs: how many, public/private, dynamic/static, if more than one, load balance or primary/failover etc., type of connections.
d. any traffic to the router like vpns or any port forwarding.
e. any servers on the LAN, whether local users are using the server and if so how they reach the server
f. network diagram.

To be clear this is a home network: I have a modem in front of my router. The answers to everything else are in my head. Change control is letting my spouse know I might take down the network while she’s watching TV.

Edit: based on some additional reading and the most straightforward explanation I’ve yet seen (https://www.youtube.com/watch?app=desktop&v=1ZJ-pM89N7o) it looks like I need to do the following:

  1. Create a Bridge in /interface/bridge
  2. Create a vlan in /interface/vlan
  3. Assign the vlan from step 2 to the bridge
  4. Assign the ethernet port on my router that is attached to the server to the bridge
  5. Set up a DHCP server for the new bridge
  6. Firewall off the VLAN from the rest of my network

Is that even close to correct? I’m at step 5 and it doesn’t look like the server is pulling a new IP so something is wrong.

Love the name “Minnesnowta”! I too have been wracking my little brain trying to figure out a lot with my new Mikrotik RB952Ui-5ac2nD. I’ll be asking questions here pretty soon, so I hope I do as well as you! My networking knowledge is about 25 years old and mostly forgotten or outdated. I’m a deer in the headlights for most of this stuff, but I’ve been trying hard to absorb what I can!

“anav” gives some very sage advice. Even ChatGPT depends on most, if not all of that advice, to be able to give you correct answers - ambiguous questions result in ambiguous answers. Here goes some discussion that I hope is corrected or embellished by the experts here if wrong!:

As to the layer 2 or 3 VLAN, I’m pretty sure VLANs are only layer 2 (the empire of the switch). In my MikroTik (layer 3), I’ve used some firewall filters that block talking between VLANs for now (might need to add some exceptions later for my 3 networks), but I might eventually need some help figuring that out.

A bridge is a Layer 3 “device” that routes one network to another. They seem to be used a lot to forward your subnet to the Internet.

If you bring up a New Terminal, you can “export” your current settings to a file or screen for sharing here. In my own case, it’s sometimes easier to see obviously bad settings that way:

export → settings are sent to the terminal screen
export file=filename.rsc → go to Files menu in Winbox to find/copy/upload files

What is the point of getting a “dumbed down explanation” if you won’t be able to use the information to solve a problem? For example, you can explain how to turn on a light using a switch to a 2 year old, but that won’t help them be able to add a switch.

If you want to understand enough that you will be able to use the information in a new situation, you are going to need to put in effort. As anav said there really aren’t any shortcuts.

This is what I recommend to people that want to be able to understand how networking works. 4 years old, but still the best I am aware of.
Networking Fundamentals: How data moves through the Internet by Ed Harmoush.
Watch at least the first video Network Devices - Hosts, IP Addresses, Networks - Networking Fundamentals - Lesson 1a (under 12 minutes) and you will know if you like his teaching style and if it is something you want to pursue further or not. It is vendor independent (there may be a few Cisco-specific examples, but as in driving a car, once you understand the principles, it is relatively easy to learn how to drive a new vehicle; you just need to learn the specific ways things are done).
If you go through the (free on youtube) lessons, you will have a good foundation about how networking works.

Once you have an understanding of the parts and tools and how they work, then you will be able to start to build from the parts, using the correct tools.

Here’s a link to the playlist of the 15 video course.

Your other option is to find an example that is close enough to what you want (a recipe), and that may be good enough to get something working for that specific instance, but if you then want to add another feature, and you find an example for that feature, it is very likely you won’t be able to integrate the two without at least some networking foundation knowledge.

A bridge is a software implementation of a switch, and these are used to facilitate communication between devices on the same LAN, using MAC addresses (layer 2).

A router is used to facilitate communication between devices on different networks using ip addresses. (layer 3)

But watch the second video (after you watch the first, these build on each other) for a “nutshell” explanation of hub, bridge, switch, router.

Later videos go into more detail; you may or may not be interested. But it is well organized and well explained. Just read some of the comments on the youtube videos.

Yep, also a degree in electronics with a master’s in networking might help, but come on, it is a home network; if the requirements are not absurd it should be possible to fulfill them in a relatively simple way.
The concepts in themselves are not that difficult (the Mikrotik-specific implementation might be).
Still, from the original:

I’ve got an RB2011UiAS-2HnD-IN with a server plugged into ether8-slave-local that I would like to segment off from the rest of my network. I want it to be able to talk out to the internet and I’d like to be able to SSH to it from my laptop plugged into a different port (e.g. ether7-slave-local).

it is not clear at all (to me) what these requirements are.

@Minnewsota
You should do three things:

  1. post your current configuration, following these instructions
    http://forum.mikrotik.com/t/forum-rules/173010/1
  2. post a schematic/diagram of your setup; a photo of a hand-made drawing would do.
  3. describe in more detail what you want to do, i.e. your expectations from the new setup, what is the role of this server, should it be accessible from the internet/remotely, does it serve content only locally, etc.

One of the good (and also bad) things with Mikrotik is that the same thing can often be done in more than one way, so understanding in detail the expected result is important to choose the “better” way to get there.

Thank you very much!

1 - See below. I’ve taken the liberty of adding some whitespace; I hope that’s ok.
2 - Attached. The big box at the bottom represents my router.
3 - I want to isolate an asterisk server and several ip phones (but to begin with I just want to isolate asterisk) from the rest of my network so that it can make and receive connections from the internet. I don’t mind if other computers on my network can initiate connections to the asterisk server, I just don’t want it to connect to anything else on my network. I would also like to route inbound and outbound traffic for asterisk through a macvlan as well, because I have an extra static IP.

# 2025-01-21 13:04:07 by RouterOS 7.17
# software id = F5AF-4IGT
#
# model = RB2011UiAS-2HnD
# serial number = REDACTED

/interface bridge
add admin-mac= auto-mac=no fast-forward=no name=bridge-local \
    port-cost-mode=short
add name=voicevlan

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n country=\
    "united states" disabled=no distance=indoors frequency=auto \
    frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=\
    REDACTED station-roaming=enabled wireless-protocol=802.11

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
set [ find default-name=ether6 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" name=\
    ether6-master-local
set [ find default-name=ether7 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" name=\
    ether7-slave-local
set [ find default-name=ether8 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" name=\
    ether8-slave-local
set [ find default-name=ether9 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" name=\
    ether9-slave-local
set [ find default-name=ether10 ] advertise="10M-baseT-half,10M-baseT-full,100\
    M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" name=\
    ether10-slave-local

/interface wireguard
add listen-port=13231 mtu=1420 name=mobiledevices

/interface macvlan
add disabled=yes interface=ether1-gateway mac-address=REDACTED name=\
    endusers
add disabled=yes interface=ether1-gateway mac-address=REDACTED name=\
    wyrd

/interface vlan
add interface=ether8-slave-local name=vlan42voice vlan-id=42

/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan42voice ranges=192.168.42.10-192.168.42.254

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge-local \
    lease-time=4h name=default
add address-pool=vlan42voice interface=voicevlan name=voicedhcp

/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

/system logging action
set 3 remote=10.69.69.2

/certificate settings
set crl-download=yes crl-use=yes

/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2-master-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether6-master-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether5-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether4-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether7-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=voicevlan ingress-filtering=no interface=ether8-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether9-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether10-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether3-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=voicevlan interface=vlan42voice

/ip firewall connection tracking
set udp-timeout=10s

/ip neighbor discovery-settings
set discover-interface-list=none

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface ethernet switch vlan
add ports=ether8-slave-local switch=switch2 vlan-id=42

/interface list member
add interface=sfp1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=sfp1 list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=ether1-gateway list=WAN

/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:B0:4E:65:E0:1E name=ovpn-server1

/interface wireguard peers
add allowed-address=172.16.0.3/32 comment=REDACTED interface=mobiledevices \
    name=peer6 public-key="REDACTED"
add allowed-address=172.16.0.2/32 comment=REDACTED interface=\
    mobiledevices name=peer7 public-key="REDACTED"

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
add address=PUBLICIP/24 interface=ether1-gateway network=PUBLICIP
add address=172.16.0.1/25 interface=mobiledevices network=172.16.0.0
add address=192.168.42.1/24 interface=voicevlan network=192.168.42.0

/ip dhcp-client
add comment="default configuration" disabled=yes interface=ether1-gateway
add disabled=yes interface=*10
add add-default-route=no disabled=yes interface=wyrd

/ip dhcp-server lease
add address=192.168.88.18 mac-address=B8:27:REDACTED server=default
add address=192.168.88.14 mac-address=EC:C4:REDACTED server=default
add address=192.168.88.23 client-id=\
    ff:18:8c:21:61:REDACTED mac-address=\
    B8:27:REDACTED server=default
add address=192.168.88.25 client-id=1:34:73:REDACTED mac-address=\
    34:73:REDACTED server=default
add address=192.168.88.20 client-id=1:e4:5f:1:b7:a7:3 mac-address=\
    E4:5F:REDACTED server=default
add address=192.168.88.27 client-id=\
    ff:b6:22:f:eb:0:REDACTED mac-address=\
    98:90:REDACTED server=default

/ip dhcp-server network
add address=192.168.42.0/24 dns-server=192.168.88.1 gateway=192.168.42.1 \
    netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=MY_ISP_SERVERS
/ip dns static
add address=192.168.88.1 name=REDACTED type=A
add address=192.168.88.32 name=REDACTED type=A
add address=192.168.88.64 name=REDACTED type=A
add address=192.168.88.247 name=REDACTED type=A
add address=192.168.88.14 name=REDACTED type=A
add address=192.168.88.23 name=REDACTED type=A
add address=192.168.88.25 name=REDACTED type=A
add address=192.168.88.1 name=REDACTED type=A
add address=192.168.88.20 name=REDACTED type=A
add address=192.168.88.27 name=REDACTED type=A
add address=10.69.69.69 name=REDACTED type=A
add address=192.168.88.18 name=REDACTED type=A
add address=10.69.69.2 name=REDACTED type=A
add address=10.69.69.3 name=REDACTED type=A
add address=10.69.69.4 name=REDACTED type=A

/ip firewall address-list
add address=54.172.60.0/23 list=twilio
add address=34.203.250.0/23 list=twilio
add address=54.244.51.0/24 list=twilio
add address=54.171.127.192/26 list=twilio
add address=52.215.127.0/24 list=twilio
add address=35.156.191.128/25 list=twilio
add address=3.122.181.0/24 list=twilio
add address=54.65.63.192/26 list=twilio
add address=3.112.80.0/24 list=twilio
add address=54.169.127.128/26 list=twilio
add address=3.1.77.0/24 list=twilio
add address=54.252.254.64/26 list=twilio
add address=3.104.90.0/24 list=twilio
add address=177.71.206.192/26 list=twilio
add address=18.228.249.0/24 list=twilio

/ip firewall filter
add action=accept chain=input comment="Allow WireGuard traffic" log=yes \
    log-prefix=WIREGUARDTRAFFIC src-address=172.16.0.0/24
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 log=\
    yes log-prefix=WIREGUARD protocol=udp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=accept chain=dstnat comment="Route inbound twilio traffic" \
    disabled=yes dst-address=192.168.88.22 src-address-list=twilio
add action=accept chain=srcnat comment=\
    "allow outbound connections to twilio" disabled=yes \
    dst-address-list=twilio src-address=192.168.88.22
add action=accept chain=input comment=letsencrypt disabled=yes dst-address=\
    PUBLIC_IP dst-port=443 protocol=tcp
add action=accept chain=input comment=letsencrypt disabled=yes dst-address=\
    PUBLIC_IP dst-port=80 protocol=tcp
add action=masquerade chain=srcnat disabled=yes out-interface=wyrd

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PUBLIC_IP
add dst-address=10.0.0.0/8 gateway=192.168.88.27

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24 disabled=yes
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24 certificate=REDACTED \
    disabled=no tls-version=only-1.2
set api disabled=yes
set winbox disabled=yes
set api-ssl address=192.168.88.0/24 certificate=REDACTED disabled=yes tls-version=\
    only-1.2

/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
/ip tftp
add read-only=no
/ip traffic-flow
set enabled=yes
/lcd
set time-interval=daily
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=REDACTED
/system identity
set name=REDACTED
/system logging
set 3 action=memory
add topics=wireguard
/system note
set show-at-login=no
/system ntp client
set mode=broadcast

/system scheduler
add interval=1d name=update on-event=autoupdate policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-04-01 start-time=02:21:13
/system script
add dont-require-permissions=no name=autoupdate owner=REDACTED policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system package update\
    \ncheck-for-updates once\
    \n:delay 3s;\
    \n:if ( [get status] = \"New version is available\") do={ install }"

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

/user group
add name=REDACTED policy="REDACTED"
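A worked version of the six steps listed in Minnesnowta’s earlier post, combined with the isolation requirement in item 3 above (LAN hosts may open connections to the server, the server may not open connections to the LAN). This is an added example, not the poster’s export and not code from the linked MikroTik threads. It uses the RouterOS 7 bridge VLAN-filtering method: the VLAN is defined on the bridge itself rather than on ether8-slave-local, and the server port is an untagged access port in VLAN 42. On the RB2011 the switch chips cannot offload this (as noted later in the thread), so VLAN 42 traffic is forwarded by the CPU, which is fine for a home network. Names taken from the posted export: bridge-local, ether8-slave-local, ether1-gateway, 192.168.88.0/24, 172.16.0.0/25 and 192.168.42.0/24. The names voice-pool, voice-dhcp and vlan42voice are assumptions, and the example assumes the posted voicevlan bridge, its bridge ports, its DHCP server and the vlan interface on ether8-slave-local have been removed first so the names do not collide.

```routeros
# Added example, not the poster's configuration. Assumes RouterOS 7 and that
# ether8-slave-local is not currently a member of any bridge.

# Steps 1-4: one bridge does the VLAN work. The server port is an access port:
# untagged frames from the server are placed in VLAN 42 (pvid), tagged frames
# are refused, and the bridge (the CPU) sees VLAN 42 tagged.
/interface bridge port
add bridge=bridge-local interface=ether8-slave-local pvid=42 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge-local vlan-ids=42 tagged=bridge-local untagged=ether8-slave-local

# The router's own foot in VLAN 42 is a VLAN interface on the bridge.
/interface vlan
add name=vlan42voice interface=bridge-local vlan-id=42
/ip address
add address=192.168.42.1/24 interface=vlan42voice

# Step 5: DHCP for the new subnet. DNS points at the router's own VLAN 42
# address so the server never needs to reach 192.168.88.1 for name resolution.
/ip pool
add name=voice-pool ranges=192.168.42.10-192.168.42.254
/ip dhcp-server
add name=voice-dhcp interface=vlan42voice address-pool=voice-pool lease-time=4h
/ip dhcp-server network
add address=192.168.42.0/24 gateway=192.168.42.1 dns-server=192.168.42.1

# Step 6: isolation. Rules are appended after the existing forward chain, so
# the default established/related accept still handles return traffic; this is
# what lets a laptop on 192.168.88.0/24 SSH to the server while the server
# cannot start anything towards the LAN or the WireGuard subnet.
/ip firewall filter
add chain=forward action=drop connection-state=new in-interface=vlan42voice \
    out-interface=!ether1-gateway \
    comment="voice VLAN: no new connections anywhere except the internet"
add chain=forward action=accept connection-state=new in-interface=vlan42voice \
    out-interface=ether1-gateway comment="voice VLAN: internet access"
# Services the router offers to the VLAN. With the posted input chain (no final
# drop) these are not strictly needed; they become necessary as soon as the
# input chain ends with a drop rule.
add chain=input action=accept in-interface=vlan42voice protocol=udp dst-port=67 \
    comment="voice VLAN: DHCP"
add chain=input action=accept in-interface=vlan42voice protocol=udp dst-port=53 \
    comment="voice VLAN: DNS"
add chain=input action=accept in-interface=vlan42voice protocol=tcp dst-port=53 \
    comment="voice VLAN: DNS over TCP"

# Last: switch the bridge to VLAN mode. Done last so the VLAN table above is
# already in place when filtering starts.
/interface bridge
set bridge-local vlan-filtering=yes
```

Apply this from a terminal in Safe Mode (Ctrl-X) over a wired LAN port, because turning on vlan-filtering with a wrong VLAN table is the usual way to lock yourself out of a MikroTik. The existing default rule “drop new from ether1-gateway unless dstnat” stays as it is, so the inbound SIP/RTP from the twilio address list still has to be dst-nat’ed to the server’s 192.168.42.x address rather than its old 192.168.88.22 address; the disabled twilio NAT rules in the export would need that change.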

The RB2011 is a “special” device that has two switch chips:
https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features

Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10)

The “modern” way to do what you want to accomplish (good on any Mikrotik hardware) is surely VLANs, but on that particular device maybe - just maybe - you could consider the “older” way making use of two separate bridges.

I would think (but I know very little about VLANs) that the “old” way is simpler in your specific use case, or, if you want to go all the way down VLANs you might need (or not?) to “connect externally” the two bridges with a cable (losing two ports) to connect everything together, but since ultimately you want two separate bridges that don’t talk to each other, the 2011 seems like the perfect device to do that, check:
http://forum.mikrotik.com/t/rb2011-what-to-do-with-second-switch-when-doing-vlan/138436/1
http://forum.mikrotik.com/t/rb2011-vlan-slow-lan-speed/133125/1

Hopefully anav will intervene with proper VLAN advice

So far, no ROS version can offload a VLAN-enabled bridge to these types of switch chips. Which means that things have to be configured in the /interface/ethernet configuration subtree to maintain decent bridging/switching performance. And since there are two switch chips involved (each with its own peculiarities), this can be a bit of a challenge. The upside is that in this case it’s fine to have a single (dumb) bridge.

So it’s absolutely not a requirement that I access this VLAN from every port. If I can only do it from the ports on one switch chip, that’s totally fine too.

Circling back on this…
So if I’m just fine being able to access the dmz from a single port on the same switch chip, what’s my next step: setting up a bridge on one of the chips between the dmz, the admin port, and the internet?