VLAN + RB2011

So here it is, the infamous first post, and already looking for help… apologies in advance.


###########################################################BACKGROUND######################################################################################
I have read up extensively on VLANs with MikroTik and I even did a short course or two on RouterOS, and I still feel quite lost. In my house I need two networks, one for my PCs, smartphones, Xbox etc. and one for my IoT automation stuff. Both networks have wired and wireless clients.
##############################################################################################################################################################

##############################################################SETUP##########################################################################################
On my RB2011 I went with the quick-setup as it already adds some firewall rules and configures WAN on ether1, which suits me as I consider myself very much a noob. I have a TP-Link wireless AP that supports VLANs, so I created two SSIDs, tagged them vlan87 and vlan89 and connected it to ether10; in other words I have a TRUNK port on ether10. I would like to make use of the Layer 2 VLAN capabilities of the two switch chips in my RB2011 as much as possible so as to spare the CPU. I would like to have a DHCP server and WAN access on each network; optionally, in the future I would like to allow some devices to communicate across the VLANs without going out to the WAN and back in.
#############################################################################################################################################################

#########################################################Diagram (TL,DR)######################################################################################
ether1 ↔ WAN
ether2 ↔ VLAN87 Access port (192.168.87.0/24)
ether3 ↔ VLAN87 Access port (192.168.87.0/24)
ether4 ↔ VLAN87 Access port (192.168.87.0/24)
ether5 ↔ VLAN87 Access port (192.168.87.0/24)
ether6 ↔ VLAN89 Access port (192.168.89.0/24)
ether7 ↔ VLAN89 Access port (192.168.89.0/24)
ether8 ↔ VLAN89 Access port (192.168.89.0/24)
ether9 ↔ VLAN89 Access port (192.168.89.0/24)
ether10 ↔ ---------------VLAN TRUNK port(87 + 89)----------------| VLAN ENABLED AP |

DHCP Server (192.168.87.0/24)
DHCP Server (192.168.89.0/24)

I have had the most success following this guide/method: https://wiki.mikrotik.com/wiki/Manual:Switch_Router . Both my VLAN wireless networks have WAN, as do my wired ports; however, I cannot ping from wireless to wired, or from wired to wireless. I was hoping someone with a little more experience could describe the config necessary to achieve the described network.

Post your current config (all of it) … open a terminal window and run the command /export hide-sensitive … then post the output (in [ code ] environment for readability).

Thanks for your time, mkx.

Okay, two things I should mention: I have ether2 as my management port, as one loses connection so easily and forgets the “Safe Mode” all too often. Also I have rules on ether2, ether3 and ether5 to drop packets if the destination address is outside their own network; I disabled the rule on ether4 to see if this rule was blocking my ping, but no. I have these rules to isolate the VLANs at Layer 2, on the switch chips. Only ether1-ether5 support this rule; the Atheros8227 running ether6-10 does not support rules. I was going to block traffic in both directions on ether1-ether5, thus still isolating the VLANs on Layer 2.

Edit: On ether4 I am offered the DHCP address 192.168.88.246 from DHCP server 192.168.88.1; this breaks the connection to WAN, and the desired DHCP server 192.168.87.1 is not replying…

Further Edit: Could this be dropping my packets getting past layer2?

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Much Further Edit: I found this in the documentation about the chip that handles ether1-ether5:

Note: Atheros8327 switch chips ignore the vlan-header property and uses the default-vlan-id property to determine which ports are access ports. For Atheros8327 switch chips the vlan-header is set to leave-as-is and cannot be changed while the default-vlan-id property should only be used on access ports to tag all ingress traffic.

My setup is starting to look increasingly complicated, contemplating another approach.


# feb/04/2019 17:28:26 by RouterOS 6.43.8
# software id = SBPR-7G6R
#
# model = 2011UiAS
# serial number = 697C054954BF
/interface bridge
add admin-mac=E4:8D:8C:79:38:0B auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN87 vlan-id=87
add interface=bridge name=VLAN89 vlan-id=89
/interface ethernet switch port
set 3 default-vlan-id=87 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=87 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=87 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=89 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=89 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=89 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=89 vlan-header=always-strip vlan-mode=secure
set 10 vlan-header=add-if-missing
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=POOL87 ranges=192.168.87.100-192.168.87.200
add name=POOL89 ranges=192.168.89.100-192.168.89.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=POOL87 disabled=no interface=VLAN87 name=DHCP87
add address-pool=POOL89 disabled=no interface=VLAN89 name=DHCP89
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch rule
add dst-address=192.168.89.0/24 new-dst-ports="" ports=ether2 switch=switch1
add dst-address=192.168.89.0/24 new-dst-ports="" ports=ether3 switch=switch1
add dst-address=192.168.89.0/24 new-dst-ports="" ports=ether5 switch=switch1
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=87
add ports=ether6,ether7,ether8,ether9,switch2-cpu switch=switch2 vlan-id=89
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.87.1/24 interface=VLAN87 network=192.168.87.0
add address=192.168.89.1/24 interface=VLAN89 network=192.168.89.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.89.210 client-id=1:b8:27:eb:ba:57:65 mac-address=B8:27:EB:BA:57:65 server=DHCP89
/ip dhcp-server network
add address=192.168.87.0/24 dns-server=8.8.8.8 gateway=192.168.87.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=8.8.8.8 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Nothing really pops out as weird to me. Only … I’m never sure about /interface ethernet switch port … to which particular port a certain index belongs. Many times I consult the output of /interface ethernet switch port print … to check if VLAN ids are set on the correct ports. I’d set vlan-header=leave-as-is on both switch?-cpu “ports” as well as on ether10; those definitely shouldn’t be set to strip VLAN headers.

It is a bit of magic how the bridge works with “legacy” VLAN setups. I would expect that wired VLAN 89 hosts would be able to communicate with wireless hosts from the same VLAN, as switching between them should be done entirely in the switch chip. When it comes to VLAN 87 things might behave differently, as packets need to pass the bridge. The untagged LAN stirs the fog as well …
Personally I’d remove all those rules in /interface ethernet switch rule … at least until things start to work properly. Later you can re-enforce security if you want.

Regarding firewall … I don’t think there’s anything wrong … as long as you keep your management LAN interface (might be one of VLAN8x interfaces) mentioned as /interface list member of LAN.
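As an added example (not code from the thread, from MikroTik, or from mkx), here is a small Python linter that reads the switch-chip sections of an /export and reports the things mkx checks by eye: CPU or trunk ports that strip VLAN headers, VLAN table entries missing their chip's CPU port, trunk VLANs with no entry on the trunk's chip, and leftover switch rules. It assumes the index-to-port mapping the thread itself reads into the export (index n = ethern; confirm it with /interface ethernet switch port print), that ether1-5 sit on switch1 and ether6-10 on switch2, and it takes the VLANs each trunk carries as input; the excerpt it runs against is constructed from the export above.

```python
import re

# Assumed index->port map (the thread's own reading: index n = ethern); confirm with
# "/interface ethernet switch port print".  ether1-5 sit on switch1, ether6-10 on switch2.
PORT_INDEX = {n: f"ether{n}" for n in range(1, 11)}
SWITCH_OF = {f"ether{n}": "switch1" if n <= 5 else "switch2" for n in range(1, 11)}

# Constructed excerpt: the switch-chip sections of the export quoted in the thread.
EXPORT = """\
/interface ethernet switch port
set 3 default-vlan-id=87 vlan-header=always-strip vlan-mode=secure
set 10 vlan-header=add-if-missing
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=87
add ports=ether6,ether7,ether8,ether9,switch2-cpu switch=switch2 vlan-id=89
/interface ethernet switch rule
add dst-address=192.168.89.0/24 new-dst-ports="" ports=ether2 switch=switch1
"""

def parse_switch_sections(export):
    sections, current = {}, None
    for line in export.splitlines():
        words = line.split()
        if line.startswith("/"):   # section header: track only the switch-chip sections
            current = sections.setdefault(line.strip(), []) if "ethernet switch" in line else None
        elif current is not None and words and words[0] in ("add", "set"):
            item = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
            # "set <index> ..." names a port by index; map it to a port name
            item["_port"] = PORT_INDEX.get(int(words[1]), words[1]) if words[1].isdigit() else ""
            current.append(item)
    return sections

def lint(export, trunks):
    """trunks = {port: {VLAN ids it carries}}; returns the findings as strings."""
    s = parse_switch_sections(export)
    vlans, findings = s.get("/interface ethernet switch vlan", []), []
    for p in s.get("/interface ethernet switch port", []):   # mkx's first check
        if p.get("vlan-header") == "always-strip" and (p["_port"].endswith("-cpu") or p["_port"] in trunks):
            findings.append(f"{p['_port']}: CPU/trunk port strips VLAN headers, use leave-as-is")
    for v in vlans:   # each VLAN table entry needs its chip's CPU port to reach the bridge
        if f"{v['switch']}-cpu" not in v["ports"].split(","):
            findings.append(f"vlan {v['vlan-id']} on {v['switch']}: CPU port not a member")
    for trunk, ids in trunks.items():   # every VLAN on a trunk needs an entry on that chip
        for vid in sorted(ids):
            if not any(v["switch"] == SWITCH_OF[trunk] and v["vlan-id"] == str(vid)
                       and trunk in v["ports"].split(",") for v in vlans):
                findings.append(f"vlan {vid}: no {SWITCH_OF[trunk]} entry includes trunk {trunk}")
    if s.get("/interface ethernet switch rule"):   # mkx's second suggestion
        findings.append("switch rules present: disable them until the VLANs work")
    return findings
```

Running lint(EXPORT, {"ether10": {87, 89}}) on the excerpt reports that neither VLAN 87 nor VLAN 89 has a switch2 entry that includes ether10, and that switch rules are still present.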