VLANs attempt with heXs + TP-SG-105PE

Hi all,

I am looking for some assistance configuring VLANs on my home setup.

I have the following devices, although only 1 and 2 are used in the tests below so far:

  1. Router RB760iGS
  2. SW TL SG-105PE
  3. SW TL SG-108PE
  4. AP EAP225

My current setup is mostly defaults on all devices, no VLANs nor any other logic:

A: Export of my current config on router, that’s the default/preset from router itself + ISP related pppoe interface: https://justpaste.it/8trni

B: I have attempted to merge above “working” config with http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and following is my latest iteration of above merge: https://justpaste.it/8vhpd

C: visualisation of what I wish to accomplish - https://ibb.co/bXBHqy1

D: On SW105PE I enabled VLANs, port 5 is tagged on VLAN 99, its PVID is set to 99 as well. All of the other ports are additionally untagged on default VLAN 1, PVID 1. I used https://www.tp-link.com/pl/support/faq/788/ as guide, it’s pretty much what they said here.

The problems that I am facing with current set-up:

  1. The laptop that’s listed in the MGMT leases section does not seem to be able to connect to the router via WinBox while connected directly to one of the router ports; I can see the router on the list but login attempts time out. The laptop is not getting a DHCP IP, nor can it ping the 0.1 gateway.
  2. On the same laptop I can see my switches with TP-Link’s Launch Easy Smart Configuration Utility, although neither of them gets the IP specified in the router’s MGMT_vlan lease section. DHCP is enabled on them.
  3. When I reconnect my laptop directly to the switch, I do not see the router in WinBox nor any of the switches in TP-Link’s app.


Do you have any recommendations on how I should approach troubleshooting this? I was applying the full config each time by uploading a new one to flash and restoring it, and if I was unable to connect with WinBox I would reset the config to default, re-upload the previous/next iteration and go from there again. I have a feeling there’s an error in the logs which could lead me to another step, but I cannot connect to the router and could not figure out a way to do it with the above-mentioned latest iteration.

Do you have any suggestions on what could be the culprit here, or should I start making those changes in smaller batches…? I feel like I am trying to make too many changes in one go. I’ve been iterating the above-mentioned “merge” config together with ChatGPT but it does not seem to be very helpful at this stage.

Since I am learning a lot during this exercise, any input that will bring me a step closer is welcome!

Sorry, I don’t work from pcunite’s presentation.

/export file=anynameyouwish (minus router serial number and any public WANIP information).

This is a straightforward setup.

Hi Anav,

Thanks for your time!

I’ve already provided exports of my current “active” config and one I am attempting to achieve:

That is not an export of the config, that is a bastardization of part of the output that was done for an article but has nothing to do with what I am asking for. Good luck!

Apologies, but I am completely lost here - did you want me to post the “template” from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 that I am referring to? That’s the one:

###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Switch with a separate router (RoaS)
# Web:			http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS:		6.43.12
# Date:			Mar 28, 2019
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Router"


#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
add bridge=BR1 interface=sfp1

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0

# router's gateway provided by ISP
/ip route add distance=1 gateway=b.b.b.b


#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip address add interface=GREEN_VLAN address=10.0.20.1/24
/ip pool add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=30
/ip address add interface=RED_VLAN address=10.0.30.1/24
/ip pool add name=RED_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
# /ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
# /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
# /ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=BLUE_VLAN  list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN   list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

and here’s my “running” config export, just so we have them in the same post…

# 2023-08-12 16:10:54 by RouterOS 7.10
# software id = Q8LX-3IVL
#
# model = RB760iGS
# serial number = XXX
/interface bridge
add name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] comment=ONT
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out2 \
    use-peer-dns=yes user=ROM_SZPITALNA
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=1 name=option1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_0 interface=bridge_LAN lease-time=10m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
add bridge=bridge_LAN interface=ether4
add bridge=bridge_LAN interface=ether5
add bridge=bridge_LAN disabled=yes interface=sfp1
add bridge=bridge_LAN interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=*8 list=WAN
add list=LAN
add interface=sfp1 list=WAN
add interface=bridge_LAN list=LAN
add interface=pppoe-out2 list=WAN
/ip address
add address=192.168.0.1/24 interface=bridge_LAN network=192.168.0.0
/ip dhcp-client
add disabled=yes interface=sfp1
/ip dhcp-server lease
add address=192.168.0.220 client-id=NAS mac-address=3C:52:82:50:D6:D0 server=\
    dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
/ip dns static
add address=192.168.0.220 name=nas
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes dst-address-list=\
    192.168.0.0/24 log=yes log-prefix=8888 src-address=0.0.0.0 \
    src-address-list=192.168.0.0/24
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.0.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries="(unknown)"
/ip traffic-flow target
add dst-address=192.168.0.246 port=8888
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik Szpitalna36"
/system note
set show-at-login=no

and finally the bastardized version as you called it, one that I am trying to run in conjunction with my “current” one:

# 2023-07-23 14:27:26 by RouterOS 7.10
# software id = Q8LX-3IVL
#
# model = RB760iGS
# serial number = XXX

:delay 30000ms


#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="MikroTik"


#######################################
# VLAN Overview
#######################################

# 99 = MGMT_VLAN	.0
# 10 = Home_VLAN	.10
# 20 = Cams_VLAN	.20
# 30 = IoT_VLAN		.30
# 40 = Guest_VLAN	.40


#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge_LAN protocol-mode=none vlan-filtering=no

#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1

add bridge=bridge_LAN interface=ether1
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
add bridge=bridge_LAN interface=ether4
add bridge=bridge_LAN interface=ether5

/port
set 0 name=serial0a

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=bridge_LAN tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge_LAN tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=bridge_LAN tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=bridge_LAN tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5 vlan-ids=40
add bridge=bridge_LAN tagged=bridge_LAN,ether1,ether2,ether3,ether4,ether5 vlan-ids=99



#######################################
# IP Services
#######################################


# Home VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge_LAN name=Home_VLAN vlan-id=10
/ip address add interface=Home_VLAN address=192.168.10.1/24
/ip pool add name=Home_POOL ranges=192.168.10.2-192.168.10.254
/ip dhcp-server add address-pool=Home_POOL interface=Home_VLAN name=Home_DHCP disabled=no
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.0.1  gateway=192.168.10.1

# Cams VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge_LAN name=Cams_VLAN vlan-id=20
/ip address add interface=Cams_VLAN address=192.168.20.1/24
/ip pool add name=Cams_POOL ranges=192.168.20.2-192.168.20.254
/ip dhcp-server add address-pool=Cams_POOL interface=Cams_VLAN name=Cams_DHCP disabled=no
/ip dhcp-server network add address=192.168.20.0/24 dns-server=192.168.0.1 gateway=192.168.20.1

# IoT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge_LAN name=IoT_VLAN vlan-id=30
/ip address add interface=IoT_VLAN address=192.168.30.1/24
/ip pool add name=IoT_POOL ranges=192.168.30.2-192.168.30.254
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.0.1 gateway=192.168.30.1

# Guest VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge_LAN name=Guest_VLAN vlan-id=40
/ip address add interface=Guest_VLAN address=192.168.40.1/24
/ip pool add name=Guest_POOL ranges=192.168.40.2-192.168.40.254
/ip dhcp-server add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP disabled=no
/ip dhcp-server network add address=192.168.40.0/24 dns-server=192.168.0.1 gateway=192.168.40.1

# MGMT_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge_LAN name=MGMT_VLAN vlan-id=99
/ip address add interface=MGMT_VLAN address=192.168.0.1/24 
/ip pool add name=MGMT_POOL ranges=192.168.0.20-192.168.0.254
/ip dhcp-server add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

#######################################
# IP Addressing & Routing
#######################################
# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="8.8.8.8"

#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMT
/interface list add name=LAN

/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out2 \
    use-peer-dns=yes user=ROMANSKI_SZPITALNA

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface detect-internet
set detect-interface-list=all

/interface list member
add interface=*8 list=WAN
add interface=sfp1 list=WAN
add interface=pppoe-out2 list=WAN

add interface=MGMT_VLAN  list=VLAN
add interface=Home_VLAN  list=VLAN
add interface=Cams_VLAN list=VLAN
add interface=IoT_VLAN   list=VLAN

add interface=MGMT_VLAN  list=MGMT

/ip route
add dst-address=192.168.0.0/24 gateway=192.168.0.1 routing-table=main \
    suppress-hw-offload=no
	
# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN
##################

add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow MGMT_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=MGMT_VLAN comment="Allow MGMT_VLAN Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################

/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN

#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports

/interface bridge port
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from MGMT_VLAN, the MGMT_VLAN network
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT

#######################################
# Leases
#######################################

#MGMT leases

#1 NAS
/ip dns static
add address=192.168.0.5 name=NAS
/ip dhcp-server lease
add address=192.168.0.5 client-id=NAS mac-address=3C:52:82:50:D6:D0 server=MGMT_DHCP 

#2 105 SWITCH
/ip dhcp-server lease
add address=192.168.0.2 client-id=SW105 mac-address=3C-84-6A-61-99-27 server=MGMT_DHCP 

#3 108 SWITCH
/ip dhcp-server lease
add address=192.168.0.3 client-id=SW108 mac-address=54-AF-97-01-99-55 server=MGMT_DHCP 

#4 LAPTOP
/ip dhcp-server lease
add address=192.168.0.10 client-id=LAPTOP mac-address=8C-16-45-75-52-2F server=MGMT_DHCP 



#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge_LAN vlan-filtering=yes
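Since the thread revolves around whether the bridge VLAN table, the VLAN interfaces, the trunk-port filtering and the static leases agree with each other, here is an added example (my own code, not from this thread, MikroTik or pcunite) of a small linter that reads an .rsc-style script of the kind pasted above and reports the mismatches that most often leave a VLAN interface silent or a directly attached host without an address. The sample script is constructed here, modelled on the template, and deliberately contains four mistakes. The functions `parse` and `lint`, the finding codes, and the port and VLAN names are mine; the MAC check assumes the colon-separated form that RouterOS prints in its own exports.

```python
"""Consistency checks for a RouterOS bridge-VLAN script (example code, not a MikroTik tool)."""
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')              # key=value pairs
SECTION = re.compile(r'(/[\w\s-]+?)\s+(add|set)\b(.*)$')  # "/path add ..." on one line
FIND = re.compile(r'\[\s*find\s+([^\]]*)\]')             # "[find interface=x]"
# Assumption: static leases use the colon-separated MAC form RouterOS exports print.
MAC = re.compile(r'^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$')
UNTAGGED_OK = {'admit-all', 'admit-only-untagged-and-priority-tagged'}

# Constructed sample modelled on the template above; MACs and names are made up.
# Mistakes planted: vlan 99 does not tag the bridge, vlan 40 has no bridge entry,
# the LAPTOP lease uses a hyphenated MAC, and every bridge port is tag-only.
SAMPLE = r"""
/interface bridge add name=bridge_LAN protocol-mode=none vlan-filtering=no
/interface bridge port
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
/interface bridge vlan
add bridge=bridge_LAN tagged=bridge_LAN,ether2,ether3 vlan-ids=10
add bridge=bridge_LAN tagged=ether2,ether3 vlan-ids=99
/interface vlan add interface=bridge_LAN name=Home_VLAN vlan-id=10
/interface vlan add interface=bridge_LAN name=MGMT_VLAN vlan-id=99
/interface vlan add interface=bridge_LAN name=Guest_VLAN vlan-id=40
/ip dhcp-server lease
add address=192.168.0.10 client-id=LAPTOP mac-address=AA-BB-CC-00-11-22 server=MGMT_DHCP
add address=192.168.0.5 client-id=NAS mac-address=AA:BB:CC:00:11:33 server=\
    MGMT_DHCP
/interface bridge port
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
/interface bridge set bridge_LAN vlan-filtering=yes
"""


def parse(script):
    """Return (section, verb, attrs) for every add/set command in the script."""
    text = re.sub(r'\\\n\s*', '', script)          # join "\"-continued lines
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#:':              # comments, :delay and the like
            continue
        if line.startswith('/'):
            m = SECTION.match(line)
            if not m:                                # a bare path only selects a section
                section = line
                continue
            section, verb, rest = m.group(1).strip(), m.group(2), m.group(3)
        else:
            verb, _, rest = line.partition(' ')
        if verb not in ('add', 'set'):
            continue
        attrs = {}
        f = FIND.search(rest)
        if f:                                        # the [find ...] selector names the target
            attrs.update((k, v.strip('"')) for k, v in KV.findall(f.group(1)))
            rest = rest[:f.start()] + rest[f.end():]
        attrs.update((k, v.strip('"')) for k, v in KV.findall(rest))
        entries.append((section, verb, attrs))
    return entries


def lint(script):
    """Return (code, subject, message) findings for the given script text."""
    entries, findings = parse(script), []
    bridges = {a['name'] for s, v, a in entries
               if s == '/interface bridge' and v == 'add' and 'name' in a}
    ports = {}                                       # port -> merged add/set attributes
    for s, v, a in entries:
        if s == '/interface bridge port' and 'interface' in a:
            ports.setdefault(a['interface'], {}).update(a)
    vlans = {}                                       # (bridge, vid) -> tagged members
    for s, v, a in entries:
        if s == '/interface bridge vlan' and v == 'add':
            tagged = {m for m in a.get('tagged', '').split(',') if m}
            for vid in a.get('vlan-ids', '').split(','):
                vlans[(a.get('bridge'), vid)] = tagged
    # 1. An L3 VLAN interface on the bridge only sees traffic when the bridge itself
    #    is a tagged member of that VLAN in /interface bridge vlan.
    for s, v, a in entries:
        if s == '/interface vlan' and v == 'add' and a.get('interface') in bridges:
            br, vid, name = a['interface'], a.get('vlan-id'), a.get('name')
            if (br, vid) not in vlans:
                findings.append(('no-bridge-vlan', name,
                                 f'{name}: no /interface bridge vlan entry for vlan {vid} on {br}'))
            elif br not in vlans[(br, vid)]:
                findings.append(('bridge-not-tagged', name,
                                 f'{name}: {br} is not a tagged member of vlan {vid}, so the router sees none of its traffic'))
    for br in sorted(bridges):
        members = {p: a for p, a in ports.items() if a.get('bridge') == br}
        # 2. A tag-only trunk port that is tagged on no VLAN forwards nothing at all.
        for p, a in sorted(members.items()):
            carried = any(p in t for (b, _), t in vlans.items() if b == br)
            if a.get('frame-types') == 'admit-only-vlan-tagged' and not carried:
                findings.append(('dead-trunk', p, f'{p}: admits only tagged frames but is tagged on no VLAN'))
        # 3. If every port is tag-only, an untagged host plugged straight in is dropped.
        if members and not any(a.get('frame-types', 'admit-all') in UNTAGGED_OK for a in members.values()):
            findings.append(('no-access-port', br,
                             f'{br}: every port is tag-only; an untagged host on any of them gets no connectivity'))
    # 4. Static leases need a MAC the router can parse.
    for s, v, a in entries:
        if s == '/ip dhcp-server lease' and v == 'add' and not MAC.match(a.get('mac-address', '')):
            cid = a.get('client-id', '?')
            findings.append(('bad-mac', cid,
                             f"lease {cid}: mac-address {a.get('mac-address')} is not in XX:XX:XX:XX:XX:XX form"))
    return findings


if __name__ == '__main__':
    for code, _subject, msg in lint(SAMPLE):
        print(f'[{code}] {msg}')
```

Run it against a saved `/export` file instead of `SAMPLE` to review a config before restoring it, which is cheaper than the reset-and-reupload loop described in the first post. The `no-access-port` finding is the one to read together with problem 1 above: when every router port is set to `admit-only-vlan-tagged`, a laptop sending untagged frames on one of those ports cannot obtain a lease or reach the gateway, regardless of what the firewall allows. The `vlan-ids` parsing handles comma lists but not ranges such as `10-20`, and `set` commands are only merged for bridge ports selected by `[find interface=...]`.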