VLAN Question

P00HB33R · August 12, 2022, 7:45am

Hi All,

Ok so I have managed to wrap my head around the whole Bridge with VLAN filtering. I got it working and all is good, except for once filtering is active, I lose the ability to access the mikrotik via IP and MAC. I want to be able to access the mikrotik from anywhere in my network.

So currently I have SFP1 as tagged port vlan11, untagged ports are all the remaining ports on router.
Then I change all ports PVID to 11, including SFP1. Bridge PVID is 1.
All ports including SFP1 are added to bridge ports.

This config works as stated, but then I lose the ability to access router via IP and MAC. I want to be able to access the router on all ports, no matter the vlan.

Any help would be greatly appreciated

mkx · August 12, 2022, 8:02am

You did not reveal model of router you’re using, so I’ll assume it’s one of “non-pro” devices. Those come with default setup including pretty decent firewall. And default firewall depends on proper interface list membership management. Default rules allow connections to router itself (including management) via one of interfaces members of LAN interface list. The same is true for MAC connections (winbox and telnet). When one configures VLANs, the ingress interface is no longer bridge interface (or physical interface), it’s one of vlan interfaces, so one has to allow connections via appropriate vlan interface(s) … either by adding it(them) to LAN interface list or by overhauling substantial portion of firewall filter rules and MAC access rules.

P00HB33R · August 12, 2022, 8:04am

I am using a CRS317-1G-16S+

No firewall etc. Just a basic lab I am setting up to test and get a better understanding of VLANS

mkx · August 12, 2022, 8:13am

Post configuration … execute /export hide-sensitive file=anynameyouwish, copy file off the switch, open it with text editor, obfuscate any remaining sensitive data (such as serial number), and copy-paste it inside [__code] [/code] block.

P00HB33R · August 12, 2022, 8:32am

Thank you. Below my config.

/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus1 pvid=11
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus2 pvid=11
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus3 pvid=11
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=\
    sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=11
add bridge=bridge1 untagged=\
    ether1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1

/ip address
add address=192.168.1.43/24 interface=bridge1 network=192.168.1.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1

With this config, when I activate filtering, I lose all connectivity to the router

anav · August 12, 2022, 10:26am

Terrible idea. Why would you want all users to have access to config the router.
The only person that should have access to the router is the admin.
You need to rethink your strategy.

Step1: Ensure all smart devices have their IP address from the same subnet (vlan)
Step2: Ensure only the admin has access to lets say winbox via the input chain…

If you only have the one device/router and wish to be able to access it from every vlan, yuck… then
at least use a firewall address list…

/firewall address list
add address=adminPC_on_vlanX list=Authorized
add address=adminPC_on_vlanY list=Authorized
add address=adminPC_on_vlanZ list=Authorized
etc…

add chain=input action=accept in-interface-list=LAN src-address=list=Authorized dst-port=winboxport protocol=tcp
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else”

++++++++++++++++++++++++++++++++++
Well it turns out you dont have a bunch of vlans you only have sorta 2. In any case you kinda have two vlans, but I will let others deal with the config, I have had enough of people using vlan1 for data…
Since others seems to think its okay, they can provide the extra overhead support that it takes… such a waste of time.

Buckeye · August 12, 2022, 12:34pm

You have no vlan interface for the vlan access. The vlan interface is the switch’s management connection to the switch ASIC.

See CRS3xx, CRS5xx series switches, CCR2116, CCR2216 and RTL8367, 88E6393X, 88E6191X and MT7621 switch chips

Another worthwhile resource: Mikrotik VLANs - CRS3XX Step by Step - Mikrotik Tutorial

@anav, while I agree the config isn’t good for production use, they did say this was for a lab setup to learn vlans. And for that purpose, why introduce other things that can be misconfigured and cause it to fail to work as expected?