VLAN test scenario

Hello all,

I’m new to Mikrotik products and have recently acquired an RB4011 router.
I am very impressed by the amount of configuration possibilities.
Part of why I chose to go with Mikrotik is to improve my understanding about networking, solving more complex tasks as I progress.
I have decided to start with something common, which is utilizing VLANs to segment a network.

# Synopsis

To get the hang of configuring the router - and before putting it into use in my home network (and risking larger downtimes :wink:) - I’ve decided to implement a small, isolated (no internet / WAN) scenario using VLANs.
My goal (target setup), approach, current configuration and open points are detailed below.

Why I am writing here:

  1. To get feedback on my first attempt from experienced folks here (to see if I am on the right track, or possibly already took a wrong turn somewhere)
  2. Help on the issues I have encountered and am currently stuck on (I’ve summarized some ideas at the bottom of this post)

Any help or pointers are very much appreciated :slight_smile:

## Target setup

Topology:

  • Three VLANs:
    • VLAN 1: Management VLAN where access to the router and managed switch is allowed
    • VLAN 10: Devices of class A
    • VLAN 20: Devices of class B
  • Router (RB4011, 10 ports):
    • ether1: Trunk port for VLANs 1, 10, 20
    • ether2, ether3: Access ports for VLAN 1
    • ether3 to ether6: Access ports for VLAN 10
    • ether7 to ether9: Access ports for VLAN 20
    • ether10: Currently not used
  • Managed switch (not from Mikrotik):
    • ether1: Trunk port for VLANs 1, 10, 20
    • ether2 to ether4: Access ports for VLAN 10
    • ether5 to ether7: Access ports for VLAN 20
    • ether8: Access port for VLAN 1

Networks:

  • VLAN 1: 10.10.1.0/24
  • VLAN 10: 10.10.10.0/24
  • VLAN 20: 10.10.20.0/24

With this setup I would like to:

  • Allow only devices in VLAN 1 to access the managed switch and router for management purposes
  • Allow devices in VLAN 10 to communicate with one another, but not with devices in other VLANs
  • Allow devices in VLAN 20 to communicate with one another, but not with devices in other VLANs

## Current state

What works: Devices connected to the switch are assigned an IP address from the correct range, depending on which port they are plugged into.

Current open issues:

  1. The router still has an IP in the default range (192.168.88.1/24)
  2. Devices connected to ether2 and ether3 on the router are still given an IP from the default address range, not the VLAN 1 address range
  3. There seems to still be routing between devices on individual VLANs, which I would expect to not be possible (e.g. I can ping a device with IP 10.10.20.253, connected to ether5 on the switch, from another device connected to ether2 on the switch which was given an IP of 10.10.10.2; only when the switch is connected to the router though)

## Router configuration

The following are the configuration steps taken for the router.

### Interfaces

Add the following new interfaces:

  • Bridge interface bridge
  • Three VLAN interfaces vlan1, vlan10, vlan20, where bridge is the parent interface

Configure bridge ports:

  • Add ether1 to ether10 to bridge
  • Keep pvid at 1 for ether1 to ether3
  • Set pvid to 10 for ether4 to ether6
  • Set pvid to 20 for ether7 to ether9

Configure VLANs for bridge interface:

  • VLAN with ID 1: Tagged for ether1 and bridge, untagged for ether2
  • VLAN with ID 10: Tagged for ether1 and bridge, untagged for ether4 to ether6
  • VLAN with ID 20: Tagged for ether1 and bridge, untagged for ether7 to ether9

### Addresses and DHCP

Assign the addresses to the following interfaces:

  • 192.168.88.1/24 for bridge (from defconf)
  • 10.10.1.1/24 for vlan1
  • 10.10.10.1/24 for vlan10
  • 10.10.20.1/24 for vlan20

Create the following networks:

  • 10.10.1.0/24 for devices in VLAN 1
  • 10.10.10.0/24 for devices in VLAN 10
  • 10.10.20.0/24 for devices in VLAN 20
  • 192.168.88.0/24 is the defconf network

Create the following DHCP address pools:

  • Pool for vlan1: dhcp-pool-vlan1 with range 10.10.1.2-10.10.1.254
  • Pool for vlan10: dhcp-pool-vlan10 with range 10.10.10.2-10.10.10.254
  • Pool for vlan20: dhcp-pool-vlan20 with range 10.10.20.2-10.10.20.254

Create the following DHCP servers:

  • DHCP for interface bridge with addresses from default-dhcp
  • DHCP for interface vlan1 with addresses from dhcp-pool-vlan1
  • DHCP for interface vlan10 with addresses from dhcp-pool-vlan10
  • DHCP for interface vlan20 with addresses from dhcp-pool-vlan20

### Exported config


```
/interface bridge
add admin-mac=2C:C8:1B:03:BB:AD auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=auto ssid=MikroTik-03BBB7 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-E8D272 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-vlan10 ranges=10.10.10.2-10.10.10.254
add name=dhcp-pool-vlan20 ranges=10.10.20.2-10.10.20.254
add name=dhcp-pool-vlan1 ranges=10.10.1.2-10.10.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp-pool-vlan10 disabled=no interface=vlan10 name=dhcp-vlan10
add address-pool=dhcp-pool-vlan20 disabled=no interface=vlan20 name=dhcp-vlan20
add address-pool=dhcp-pool-vlan1 disabled=no interface=vlan1 name=dhcp-vlan1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7 pvid=20
add bridge=bridge comment=defconf interface=ether8 pvid=20
add bridge=bridge comment=defconf interface=ether9 pvid=20
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether2,ether3 vlan-ids=1
add bridge=bridge tagged=ether1,bridge untagged=ether4,ether5,ether6 vlan-ids=10
add bridge=bridge tagged=ether1,bridge untagged=ether7,ether8,ether9 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0
add address=10.10.1.1/24 interface=vlan1 network=10.10.1.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.1.0/24 gateway=10.10.1.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

## Ideas for solving the issues

Ideas for solving the issues mentioned above:

  1. Setting the address 10.10.1.1/24 for the bridge interface and giving a different address from the 10.10.1.0 network to the vlan1 interface (I tried this and ended up locking myself out)
  2. Using the same DHCP server for bridge as for vlan1
  3. Currently unclear how to proceed, but perhaps looking into the routing / firewall configuration of the router is a way forward here