Hello everyone, how are you? I’m stuck on a problem!
I have an RB4011iGS+RM!
Here’s the scenario:
Ports 1 and 2 are connected to DHCP links.
Port 3 is disabled (reserved for future links).
Ports 4 to 10 are in a bridge.
I need to create:
A corporate network (IP: 172.16.21.0/24).
Two VLANs: one for cameras (20.20.20.0/24) and one for visitors (10.10.10.0/24).
I need to create these VLANs without using an interface in the “Interface” section, meaning everything should be configured via the bridge.
My questions are:
How can I set this up if all ports are part of the bridge (except the cameras’ switch, which is separate, and the visitors’ network that will run on UniFi devices sharing the corporate network)?
How do I define DHCP servers for these VLANs?
mod edit: split from “Using RouterOS to VLAN your network”
Just to be clear, ether1 and ether2 are WAN links
Ether3 reserved -> what I would do NOW is make this an OFF BRIDGE access port for doing all the vlan configuring; much safer, trust me!!
/interface ethernet
set [ find default-name=ether3] name=OffBridge3
Ether4-10 would be on the bridge.
Create 3 VLANs with parent interface bridge (the bridge itself does not do DHCP etc., no subnets):
a. corporate-v10
b. cameras-v20
c. guests-v30
Use pcunite's tutorial to get to the proper end state regarding vlans.
The last two rules you should enter are the input chain "drop all" rule and the command enabling vlan-filtering=yes.
In terms of firewall rules the following rules are pretty much default and will ensure nobody accesses the corporate vlan.
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
(put this rule at the end of the config)
+++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
****************************** <<<<----- additional rule here if required, like trusted users to cameras etc...
add action=drop chain=forward comment="Drop all else"
WHERE:
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
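The whole procedure the reply sketches, carried through end to end (bridge-only VLANs, the DHCP servers the first post asks about, the interface lists and the firewall), as an added RouterOS example; this is not the reply's own config nor anything from pcunite's tutorial. Everything not stated in the thread is an assumption: VLAN IDs 10/20/30 are taken from the reply's interface names; ether4 is treated as the access port to the separate camera switch, ether5 as the trunk to the UniFi AP (corporate and guest VLANs tagged), ether6-ether10 as corporate access ports; each gateway is .1 with a .100-.200 DHCP range and the router as DNS server; OffBridge3 gets a made-up 192.168.3.1/24 management address; and a masquerade NAT rule is included although the thread never mentions NAT.

```routeros
# Added example, not the poster's config. Assumed: VLAN IDs 10/20/30, ether4 = camera
# switch access port, ether5 = trunk to the AP, ether6-10 = corporate access ports,
# .1 gateways, .100-.200 pools, 192.168.3.0/24 on OffBridge3, masquerade on WAN.

# 0. Management port off the bridge: a VLAN mistake on the bridge cannot lock you out.
/interface ethernet
set [ find default-name=ether3 ] name=OffBridge3
/ip address
add address=192.168.3.1/24 interface=OffBridge3

# 1. Bridge with VLAN filtering still OFF; it is switched on as the very last command.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# Access ports: untagged frames get the PVID, tagged frames are dropped on ingress.
add bridge=bridge interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether9 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk to the AP: tagged frames only, so nothing untagged leaks into a VLAN.
add bridge=bridge interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 2. Bridge VLAN table. "bridge" is tagged in every VLAN so the router can hold an IP in each.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether5 untagged=ether6,ether7,ether8,ether9,ether10
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether4
add bridge=bridge vlan-ids=30 tagged=bridge,ether5

# 3. Layer-3 VLAN interfaces hang off the bridge; nothing is created on physical ethers.
/interface vlan
add interface=bridge name=corporate-v10 vlan-id=10
add interface=bridge name=cameras-v20 vlan-id=20
add interface=bridge name=guests-v30 vlan-id=30

# 4. Addresses, pools and one DHCP server per VLAN interface (the question from the first post).
/ip address
add address=172.16.21.1/24 interface=corporate-v10
add address=20.20.20.1/24 interface=cameras-v20
add address=10.10.10.1/24 interface=guests-v30
/ip pool
add name=pool-corporate ranges=172.16.21.100-172.16.21.200
add name=pool-cameras ranges=20.20.20.100-20.20.20.200
add name=pool-guests ranges=10.10.10.100-10.10.10.200
/ip dhcp-server
add name=dhcp-corporate interface=corporate-v10 address-pool=pool-corporate disabled=no
add name=dhcp-cameras interface=cameras-v20 address-pool=pool-cameras disabled=no
add name=dhcp-guests interface=guests-v30 address-pool=pool-guests disabled=no
/ip dhcp-server network
add address=172.16.21.0/24 gateway=172.16.21.1 dns-server=172.16.21.1
add address=20.20.20.0/24 gateway=20.20.20.1 dns-server=20.20.20.1
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dns
set allow-remote-requests=yes

# 5. Interface lists the firewall refers to. Only the management port and the corporate VLAN are TRUSTED.
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=corporate-v10 list=LAN
add interface=cameras-v20 list=LAN
add interface=guests-v30 list=LAN
add interface=OffBridge3 list=TRUSTED
add interface=corporate-v10 list=TRUSTED

# 6. NAT (assumed, not in the thread) and the firewall. Forward "drop all else" means guests and
#    cameras cannot reach the corporate VLAN: only LAN->WAN and TRUSTED->cameras are allowed.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to DNS" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to DNS" in-interface-list=LAN dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="trusted users to cameras" in-interface-list=TRUSTED out-interface=cameras-v20
add action=drop chain=forward comment="drop all else"
# The last two commands, exactly as the reply says: input drop-all, then VLAN filtering on.
add action=drop chain=input comment="drop all else"
/interface bridge
set bridge vlan-filtering=yes
```

Paste it from a terminal session opened through OffBridge3, with Safe Mode active (Ctrl+X in the terminal), so that a dropped session rolls the bridge back rather than leaving a half-applied VLAN table. Keep the order: the input "drop all else" rule and vlan-filtering=yes go in last, otherwise an earlier rule can cut off the very session that is still entering the config. Afterwards, /interface bridge vlan print should show the three VLANs with the expected tagged/untagged members and no unexpected dynamic entries, and /ip dhcp-server lease print should list leases per VLAN once a client is plugged into each port.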