VLAN Setup - Did I do this right?

I’m hoping to get some help with making sure I have everything set up right. I read through many posts, and the widely cited user articles about VLANs and firewall rules, to get this going. I believe I have things behaving the way I need, but please help me with anything I have missed or should change.

I’m using hEX S, and I have made the change to start separating out IOT devices on a separate VLAN. I migrated my previous single network into VLAN1000, and added VLAN20. I want to be able to access VLAN20 from VLAN1000, but VLAN20 to have access only to the internet.

VLAN1000 - main network for most clients
VLAN20 - IOT devices

Eth1 - WAN, connected to my cable modem
Eth2 - Trunk to AP, carrying both vlans
Eth3 - Raspberry Pi on VLAN1000
Eth4 - Camera Hub on VLAN20
Eth5 - PC on VLAN1000

I attached my basic network diagram as well.
And my full config:

# 2023-09-29 10:44:53 by RouterOS 7.11.2
# software id = XXP1-BQAY
#
# model = RB760iGS
# serial number = ###
/interface bridge
add admin-mac=18:FD:74:08:07:55 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan1000 vlan-id=1000
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="vlan1000 only" name=mgmt
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=main-vlan1000 ranges=10.10.0.30-10.10.0.254
add name=vlan20 ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=main-vlan1000 interface=vlan1000 lease-time=1d name=\
    main-vlan1000
add address-pool=vlan20 interface=vlan20 lease-time=1d name=IOT-vlan20
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether3 pvid=1000
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp1 pvid=1000
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=1000
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge untagged=ether3,sfp1,ether5 vlan-ids=\
    1000
add bridge=bridge tagged=ether2,bridge untagged=ether4 vlan-ids=20
/interface list member
add comment=defconf interface=vlan1000 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
add interface=vlan1000 list=mgmt
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.10.0.1/24 comment=main interface=vlan1000 network=10.10.0.0
add address=10.0.20.1/24 comment=IOT interface=vlan20 network=10.0.20.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.20.0/24 comment=IOT dns-server=10.10.0.1 gateway=10.0.20.1
add address=10.10.0.0/24 comment=main dns-server=10.10.0.1 gateway=10.10.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow mgmt from Main" in-interface=\
    vlan1000 src-address-list=""
add action=accept chain=input comment="allow services for LAN" dst-port=53 \
    in-bridge-port-list=mgmt in-interface-list=LAN protocol=tcp \
    src-address-list=""
add action=accept chain=input comment="allow services for LAN" dst-port=\
    53,123 in-bridge-port-list=mgmt in-interface-list=LAN protocol=udp \
    src-address-list=""
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Main access to IOT" in-interface=\
    vlan1000 out-interface=vlan20
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=""
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.10.0.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=America/Denver
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt

Any and all critiques are much appreciated. Thanks!

You don’t need those untagged entries. They can be inferred dynamically from the PVIDs.

/ip firewall filter
add action=accept chain=input comment="allow mgmt from Main" in-interface=\
    vlan1000 src-address-list=""
add action=accept chain=input comment="allow services for LAN" dst-port=53 \
    in-bridge-port-list=mgmt in-interface-list=LAN protocol=tcp \
    src-address-list=""
add action=accept chain=input comment="allow services for LAN" dst-port=\
    53,123 in-bridge-port-list=mgmt in-interface-list=LAN protocol=udp \
    src-address-list=""

Not sure if those src-address-list="" are correct or not, or what's meant by them. Either specify a list or unset them completely.

It is advised to include them for clarity, since the export will not show default values.
When you do specify them, they will be shown and you know what is there.

And when you change the PVID on the port, you get very confused, which is why it is NOT advised to include them.
It means you only need to edit one thing in one place, which is always better than having to remember to edit two things in two places, as one thing can’t be in conflict with itself, whereas two things can.

So the thinking is that I don’t need to specify the untagged ports under Bridge, VLANs… because it is being taken care of when I specify the pvid and frame types in Bridge, Ports? I can see how omitting that would create less confusion when adjusting in the future. I was definitely looking at both to make sure I did the other correctly, too. I’m sure things can go south quickly if they don’t match.

I’m assuming I do have to change the pvid of the ports regardless?

For the firewall rules- Thank you! On those that you pointed out I was looking at using an address list at first, but decided it was simpler to use other options. In WinBox I had cleared out the field but forgot to click the arrow up to set it back all the way. Fixed now. Even the in-bridge-port-list=mgmt portion was extra and not ultimately needed. Got rid of that as well, because I had already specified LAN.

Thanks so much for the feedback!

The problem is that many people do not configure the VLANs properly, and it's impossible to tell when there is not a clear cross check between both bridge ports and bridge VLANs… The advice from sid is not wrong, but IMHO should be avoided for beginner to medium users. For experts, sure, but in helping others, being able to cross check a config, aka an export, quickly shows whether or not the OP understands how to properly handle access, trunk and hybrid ports.
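The two positions above (sid's point that the untagged lists are inferred from the PVIDs, and the reply that keeping both lists lets a helper cross check the export) can be reconciled by letting a script do the cross check. The following is an added example written for this thread, not code from the original posts or from MikroTik. It parses the `/interface bridge port`, `/interface bridge vlan` and `/interface vlan` sections of a RouterOS 7 export, derives the untagged membership RouterOS would infer from the PVIDs, and reports where the explicit lists disagree with the PVIDs, where an access PVID has no bridge VLAN entry, where a port that only admits untagged frames is listed as tagged, and where a `/interface vlan` on the bridge lacks the bridge itself as a tagged member. The sample export is constructed: it is the bridge part of the config posted above plus a deliberately inconsistent `ether6` (moved to PVID 30 while its old untagged membership in VLAN 20 was left behind), which is exactly the two-places-to-edit mistake discussed here. Function names are the example's own.

```python
"""Cross-check RouterOS bridge-port PVIDs against /interface bridge vlan membership.
Added example for this thread; assumes RouterOS 7 export syntax (line continuation
with a trailing backslash, key=value tokens, omitted keys mean defaults)."""
import shlex

TRUNK_ONLY = "admit-only-vlan-tagged"
ACCESS_ONLY = "admit-only-untagged-and-priority-tagged"

# Constructed sample: bridge sections from the posted export, plus a planted
# inconsistency on ether6 (pvid 30, but still listed untagged in VLAN 20).
SAMPLE_EXPORT = r"""
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan1000 vlan-id=1000
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether3 pvid=1000
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp1 pvid=1000
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=1000
add bridge=bridge comment="moved to IOT-2" interface=ether6 pvid=30
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge untagged=ether3,sfp1,ether5 vlan-ids=\
    1000
add bridge=bridge tagged=ether2,bridge untagged=ether4,ether6 vlan-ids=20
"""


def parse_export(text):
    """Return {section path: [ {key: value, ...}, ... ]} for every add/set line."""
    sections, current, joined = {}, None, []
    for raw in text.splitlines():
        piece = raw.strip() if joined else raw.rstrip()   # continuation lines are indented
        if not piece or piece.startswith("#"):
            continue
        if piece.endswith("\\"):                           # trailing backslash joins lines
            joined.append(piece[:-1])
            continue
        line, joined = "".join(joined) + piece, []
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)                         # handles comment="with spaces"
        if tokens and tokens[0] in ("add", "set"):
            entry = {}
            for tok in tokens[1:]:
                key, eq, val = tok.partition("=")
                if eq:
                    entry[key] = val
            sections[current].append(entry)
    return sections


def _ids(spec):
    """Expand a vlan-ids value such as '20' or '10,30-32' into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def _ports(spec):
    return set(filter(None, spec.split(",")))


def inferred_untagged(sections):
    """Untagged membership RouterOS derives from PVIDs alone: {vlan id: sorted ports}.
    Ports that admit only tagged frames never carry untagged traffic, so they are
    skipped even though they still have a PVID (default 1 when not exported)."""
    out = {}
    for port in sections.get("/interface bridge port", []):
        if port.get("frame-types") == TRUNK_ONLY:
            continue
        out.setdefault(int(port.get("pvid", "1")), []).append(port["interface"])
    return {vid: sorted(names) for vid, names in out.items()}


def cross_check(sections):
    """Return human-readable inconsistencies; an empty list means the export agrees with itself."""
    findings = []
    ports = {p["interface"]: p for p in sections.get("/interface bridge port", [])}
    vlans = sections.get("/interface bridge vlan", [])
    covered = {}                                           # vlan id -> entries covering it
    for entry in vlans:
        for vid in _ids(entry.get("vlan-ids", "")):
            covered.setdefault(vid, []).append(entry)
    # 1. every access PVID needs an entry, and explicit untagged lists must match the PVIDs
    for vid, access in inferred_untagged(sections).items():
        if vid not in covered:
            findings.append(f"pvid {vid} on {','.join(access)} has no /interface bridge vlan entry")
            continue
        listed = set().union(*(_ports(e.get("untagged", "")) for e in covered[vid]))
        for name in listed - set(access):                  # stale entry after a PVID change
            pvid = ports.get(name, {}).get("pvid", "1")
            findings.append(f"vlan {vid}: {name} listed untagged but its pvid is {pvid}")
        if listed:
            for name in set(access) - listed:
                findings.append(f"vlan {vid}: {name} has pvid {vid} but is missing from the untagged list")
    # 2. a port whose frame-types drops tagged frames cannot usefully be a tagged member
    for entry in vlans:
        for name in _ports(entry.get("tagged", "")):
            if ports.get(name, {}).get("frame-types") == ACCESS_ONLY:
                findings.append(f"vlan-ids {entry.get('vlan-ids')}: {name} tagged but frame-types drops tagged frames")
    # 3. the router's own /interface vlan only works if the bridge is a tagged member of that VLAN
    for vif in sections.get("/interface vlan", []):
        if vif.get("interface") != "bridge":
            continue
        vid = int(vif["vlan-id"])
        if not any("bridge" in _ports(e.get("tagged", "")) for e in covered.get(vid, [])):
            findings.append(f"{vif['name']} (vlan-id {vid}): bridge is not a tagged member, router IP on this VLAN unreachable")
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("inferred untagged:", inferred_untagged(parsed))
    for finding in cross_check(parsed):
        print("MISMATCH:", finding)
```

Run it against a real `/export` and an empty result means the bridge ports and bridge VLAN table agree; with the OP's config as posted the only output is the two planted ether6 mismatches. The check deliberately treats an entry with no `untagged=` list as "inferred", so it does not complain about configs written sid's way either.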

Got it. I will probably just keep it if that’s recommended and not hurting anything obviously.

That seems to be the best way for me to wrap my brain around what the vlans are doing anyway- to have that in one place. Then using it for the other setting where needed.