VLAN on CRS326 - can`t connect to gw in VLAN subnet

Hello!

I'm trying to make the CRS326 process VLANs on the switch chip, not the CPU.

I've created VLAN10 for the office and a user is connected to ether15.

The VLAN interface has IP 192.168.10.1/24. A DHCP server is configured, but the computer doesn't get an address. If I assign a static address to the PC, it can't ping 192.168.10.1.

Can you please explain what I'm doing wrong?

My config is:

#RouterOS 6.44.2
# model = CRS326-24G-2S+
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
/interface bridge
add name=bridge-main protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge-main name=vlan10-users vlan-id=10
/ip pool
add name=dhcp_pool0 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10-users lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge-main interface=ether15
/interface bridge vlan
add bridge=bridge-main untagged=ether15 vlan-ids=10
/ip address
add address=192.168.10.1/24 interface=vlan10-users network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1

ip route print:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.10.0/24    192.168.10.1    vlan10-users              0

interface print:

14  RS ether15                             ether            1500  1592      10218 
26  R  bridge-main                         bridge           1500  1592            
27  R  vlan10-users                        vlan             1500  1588

Your config follows the "CPU" way of doing it. Almost. These config lines are corrected (pvid on the port and the bridge as a tagged member were missing):

add bridge=bridge-main interface=ether15 pvid=10
add bridge=bridge-main tagged=bridge-main untagged=ether15 vlan-ids=10

If you want to configure VLANs on switch chip, start reading some manual.

Thanks, I'll try it tomorrow.

I'd like to start from a short sample config. On this page I'm looking at section "3.3.1 Port Based VLAN".
It says there: "The configuration for CRS3xx switches is described in the Bridge VLAN Filtering section."
And there I can see this config:

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400

/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400

/interface bridge set bridge1 vlan-filtering=yes

Is this one correct for me? If it isn't, maybe you can give me a link to an example config, or correct mine.

Ah, right, I forgot that CRS3xx is the only Routerboard series which has bridge-VLAN setup actually HW-offloaded (read: fully executed by switch chip).

The rest of the roster either needs a different setup (devices that do have switch chips) or it has to be done by the CPU because a switch chip doesn't exist (CCR series).

So actually your setup is conceptually right, just fix the errors.
One thing that is moot and often confuses innocent newcomers: every bridge has twin personalities:

  1. "something like a switch", where it (intelligently) forwards traffic between member ports
  2. "L2 interface" (or port), allowing the router to interact with the network. Automatically a member of personality #1

When configuring an IP address (and services, such as a DHCP server), personality #2 is used. And if there are VLANs in play, the "port personality" has to be set up among the other ports, the members of the "switch personality". Thus setting the bridge as a tagged member of itself.
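The OP's configuration with both corrections applied, written out as one complete, ordered script (an added example for this thread, not from the original posts or from MikroTik's wiki). It assumes RouterOS 6.44.x on a CRS326 with the names used above (bridge-main, vlan10-users, ether15) and enables vlan-filtering only after memberships exist, as the wiki example does:

```routeros
# Assumed: RouterOS 6.44.x on CRS326-24G-2S+, user port ether15, names as in the thread.
/interface bridge
add name=bridge-main protocol-mode=none vlan-filtering=no
/interface bridge port
# pvid=10 puts untagged frames arriving on ether15 into VLAN 10 (this was missing)
add bridge=bridge-main interface=ether15 pvid=10
/interface bridge vlan
# the bridge must be a tagged member of its own VLAN table, otherwise the
# router side (vlan10-users) never sees VLAN 10 frames (this was missing)
add bridge=bridge-main tagged=bridge-main untagged=ether15 vlan-ids=10
/interface vlan
add interface=bridge-main name=vlan10-users vlan-id=10
/ip address
add address=192.168.10.1/24 interface=vlan10-users
/ip pool
add name=dhcp_pool0 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10-users lease-time=3d name=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
# turn filtering on last, once every port and the bridge itself are members
/interface bridge set bridge-main vlan-filtering=yes
# checks: VLAN 10 should list ether15 (untagged) and bridge-main (tagged),
# and the port entry should carry the H flag (hardware offload)
/interface bridge vlan print
/interface bridge port print
```

If the H flag is missing on ether15 after enabling filtering, the VLAN is being handled by the CPU rather than the switch chip, which is the situation the OP set out to avoid.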

Thanks a lot!!! You're my savior! It's strange, in the official wiki one couldn't find it…

I returned to my full config and from now on it works, including inter-VLAN routing (but I didn't set that up intentionally).

You helped me greatly, maybe you can give me one more piece of advice?
I need to

  1. Isolate Guest vlan.
  2. Allow connections from the Sysadmins VLAN to any other VLAN (except Guest), but not vice versa.
  3. Allow Users (vlan10) to connect to specific Servers in vlan70.

May I use the "/ip route rule" section for some cases (1)? Or should I use the firewall for all cases, or some other way?

Sorry for my English.

Probably the official Wiki documents the behaviour of the CRS as a switch. You only need these when it is used as a router and for management.

A router by default will route between all of its interfaces that have an IP address assigned. If you don't want that, you have to block it. My approach is to use the firewall for that.

Firewall rules would be something like these … order is important, but you can have some more rules in between … just make sure they don’t get in the way. Some of those rules you might already have as they come from default setup.

/interface list
add comment="guests" name=guest
add comment="sysadmin interfaces" name=sysadmin
/interface list member
# enter the correct VLAN interface names here
add interface=vlan-guests list=guest
add interface=vlan-sysadmin list=sysadmin
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow connections from guest to WAN" in-interface-list=guest out-interface-list=WAN
add action=drop chain=forward comment="drop connections from guest to anywhere else" in-interface-list=guest
add action=drop chain=forward comment="drop connections towards guest subnet" out-interface-list=guest
add action=drop chain=forward comment="drop any connection targeting sysadmin subnet" out-interface-list=sysadmin

The rules above fulfill your wishes #1 and #2:

  1. The guest VLAN is isolated by the first two drop rules … one rule per connection direction. Note that guests are allowed to access the internet by the preceding rule.
  2. In the config example above the last filter rule serves this purpose, but the logic is reversed: because so far all inter-VLAN connections are allowed (except for the guest VLAN, see point #1), it is enough to drop connections from other directions towards sysadmin. This also includes connections from WAN (so DST-NAT connections can not be terminated in the sysadmin subnet).

Point #3 needs some debate: do you want to generally permit inter-VLAN communication or not? If yes, then it's already enabled and you might want to drop some connections you don't want to happen. If not, then you'd construct another interface list with all VLAN interfaces as members … and a filter rule add action=drop chain=forward comment="drop any inter-vlan communication" in-interface-list=all-vlan out-interface-list=all-vlan (note that this filter does not apply to switched traffic between bridge ports that are members of the same VLAN, only to routed traffic). Preceded by a rule which allows some particular connections, e.g. add action=accept chain=forward comment="allow http from LAN towards server" protocol=tcp port=80 in-interface=vlan10 out-interface=vlan70

And don’t forget to protect your router from evil VLANs (use chain=input for that).

Hi mkx, I must be missing something, but the block rules seem strange to me…
In other words, why create a bunch of block rules instead of allow rules…

I usually

  • allow fasttrack established etc.
  • allow established etc.
    ++++++
  • drop everything else

++++ = only the traffic I wish to permit

I know, @anav. That's why wish #3 is so debatable. I didn't want to post a full firewall setup, just show the minimum rules that fulfil the OP's requirements.
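The same three wishes written in the allow-list style @anav describes (accept what is wanted, drop everything else), covering the "point #3" discussion and this exchange. This is an added example for the thread, not code from either poster; interface names (vlan-guests, vlan-sysadmin, vlan10-users, vlan70-servers), the server addresses and the WAN list from the default configuration are assumptions:

```routeros
# Assumed names, not from the thread: vlan-guests, vlan-sysadmin, vlan10-users, vlan70-servers.
# The WAN interface list is the one created by the default configuration.
/interface list
add name=guest
add name=sysadmin
add name=users
add name=servers
add name=all-vlan
/interface list member
add interface=vlan-guests list=guest
add interface=vlan-sysadmin list=sysadmin
add interface=vlan10-users list=users
add interface=vlan70-servers list=servers
add interface=vlan-guests list=all-vlan
add interface=vlan-sysadmin list=all-vlan
add interface=vlan10-users list=all-vlan
add interface=vlan70-servers list=all-vlan
/ip firewall address-list
# the only VLAN 70 hosts users may open connections to (constructed sample addresses)
add address=192.168.70.10 list=users-allowed-servers
add address=192.168.70.11 list=users-allowed-servers
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# wish 1: guests reach only the internet; nothing may open a connection into the guest VLAN
add chain=forward action=accept in-interface-list=guest out-interface-list=WAN comment="guest -> WAN"
add chain=forward action=drop out-interface-list=guest comment="nothing -> guest"
# wish 2: sysadmin may open connections to every remaining VLAN; the reverse direction
# is never accepted for new connections, only replies pass via established,related above
add chain=forward action=accept in-interface-list=sysadmin out-interface-list=all-vlan comment="sysadmin -> other VLANs"
# wish 3: users reach only the listed servers in VLAN 70
add chain=forward action=accept in-interface-list=users out-interface-list=servers dst-address-list=users-allowed-servers comment="users -> allowed servers"
# every VLAN may still reach the internet
add chain=forward action=accept in-interface-list=all-vlan out-interface-list=WAN comment="LAN -> WAN"
# default deny: anything not accepted above (including users -> other VLANs,
# anything -> sysadmin, DST-NAT from WAN into a VLAN) is dropped
add chain=forward action=drop comment="drop everything else"
```

As mkx notes, these rules only see routed traffic; hosts in the same VLAN still talk to each other through the switch chip without touching the firewall.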

Thank you, @mkx! You were very kind to explain this topic in detail. I appreciate it very much.
It took some time to test this configuration and I'm very glad to see it works well!

Sorry to say, I didn't get it. Can you illustrate this point or give some link? If you mean to drop the traffic of alien VLANs, then I couldn't find a PVID argument in the firewall rules.

Firewall knows nothing of VLANs, it only knows interfaces and IP addresses. And it doesn’t know about physical interfaces but rather last interface before packet landed in firewall (e.g. when a tagged packet enters through ether3, which delivers it to bridge and bridge pushes it to vlan interface, firewall will know about vlan interface and nothing more).
So when rejecting connections from an evil VLAN to the router itself, you'd use something like one of the following rules:

/ip firewall filter
add chain=input action=drop in-interface=vlan-guests
add chain=input action=drop src-address=<guest vlan network>/24

Don’t forget to allow services you want to provide before general drop. For example DHCP server or DNS service …

And, just to keep @anav happy: you can use in-interface-list instead of in-interface and src-address-list instead of src-address.

I got it. You mean to block connections from vlan-guests to the MikroTik itself. That's important, you're right. Thanks, this topic was very useful for me.

Typically the only one that needs access to the router (input chain) is the admin, but in case your setup is such that DNS from the subnets to the router is what occurs, then allowing those on the LAN access to the router input chain for only port 53 (UDP & TCP) is normal.
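An input chain that follows the two remarks above: full access from the sysadmin VLAN only, DHCP and DNS (UDP and TCP port 53) from the other VLANs, then a general drop. Added example for this thread, not from either poster; it assumes the interface lists sysadmin and all-vlan exist and contain the VLAN interfaces:

```routeros
# Assumed: interface lists "sysadmin" (vlan-sysadmin) and "all-vlan" (every VLAN interface) exist.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# management (WinBox, SSH, API, ...) only from the sysadmin VLAN
add chain=input action=accept in-interface-list=sysadmin comment="router access from sysadmin VLAN"
# services the router offers to every VLAN, including guests: DHCP and DNS
add chain=input action=accept in-interface-list=all-vlan protocol=udp dst-port=67 comment="DHCP server"
add chain=input action=accept in-interface-list=all-vlan protocol=udp dst-port=53 comment="DNS udp"
add chain=input action=accept in-interface-list=all-vlan protocol=tcp dst-port=53 comment="DNS tcp"
# optional: let clients ping their gateway while troubleshooting
add chain=input action=accept in-interface-list=all-vlan protocol=icmp comment="ICMP from LAN"
# everything else aimed at the router (from any VLAN or from WAN) is dropped
add chain=input action=drop comment="drop everything else to router"
# check hit counters after a DHCP renewal and a DNS lookup from a user PC
/ip firewall filter print stats chain=input
```

Put the sysadmin accept rule in place before the final drop, and keep a console or WinBox session open from that VLAN while applying it, so a mistake in the list membership does not lock you out.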

That’s a valuable remark! Thanks!