VLANs & DHCP advice needed

Dear all,

I want to replace our core Cisco switch with a MikroTik CRS326-24S+2Q+RM switch.

I’ve read several posts here, and like others, I am missing something.

Here’s what I’m trying to do:
[attachment: MikroTik.png - network diagram]
For example, I’d like port sfp-sfpplus23 to provide untagged VLAN ID 10 only, port sfp-sfpplus22 untagged VLAN 7 only and say ports 1-21 to provide tagged VLANs 10, 20, 30 and so on, but whatever is connected to those ports, I’d like the devices to automatically be assigned an IP from a DHCP pool 10.2.10.0 (VLAN 10) - then I want to be able to allocate access/untagged ports with VLANs 20, 30 etc on subsequent switches or WiFi APs.

Port sfp-sfpplus24 is configured for WatchGuard firewall “uplink”.

The diagram uses VLANs 10, 20 and 30, but my config is actually 10, 32 and 68.

[admin@MikroTik] > /export
# 1970-01-03 00:04:27 by RouterOS 7.12.2
# software id = QCIV-NCXY
#
# model = CRS326-24S+2Q+
# serial number = xxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus24 ] comment="WatchGuard Port 4"
/interface vlan
add disabled=yes interface=bridge1 name=vlan10 vlan-id=10
add disabled=yes interface=bridge1 name=vlan32 vlan-id=32
add disabled=yes interface=bridge1 name=vlan68 vlan-id=69
add interface=ether1 name=vlan99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool68 ranges=10.2.68.50-10.2.71.200
add name=pool32 ranges=10.2.32.50-10.2.35.200
add name=pool192 ranges=192.168.252.50-192.168.255.200
/ip dhcp-server
add address-pool=pool192 disabled=yes interface=bridge1 name=server1
add address-pool=pool68 disabled=yes interface=bridge1 name=server2
add address-pool=pool32 disabled=yes interface=bridge1 name=server3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus3 pvid=68
add bridge=bridge1 interface=sfp-sfpplus2 pvid=32
add bridge=bridge1 interface=sfp-sfpplus4 pvid=10
/interface bridge vlan
add bridge=bridge1 vlan-ids=32,68,10
add bridge=bridge1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus2 vlan-ids=32
add bridge=bridge1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus3 vlan-ids=68
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 vlan-ids=99
/ip address
add address=10.2.68.1/22 interface=bridge1 network=10.2.68.0
add address=10.2.222.2/30 interface=sfp-sfpplus24 network=10.2.222.0
add address=192.168.252.1/22 disabled=yes interface=bridge1 network=\
    192.168.252.0
add address=10.2.32.1/22 interface=bridge1 network=10.2.32.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
/ip dhcp-server network
add address=10.2.32.0/22 dns-server=10.2.7.50,192.168.16.66 domain=\
    domain.local gateway=10.2.32.1 netmask=22
add address=10.2.68.0/22 dns-server=10.2.7.50,192.168.16.66 domain=\
    domain.local gateway=10.2.68.1 netmask=22
add address=192.168.252.0/22 dns-server=10.2.7.50,192.168.16.66 domain=\
    domain.local gateway=192.168.252.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.222.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.254 routing-table=main \
    suppress-hw-offload=no
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
[admin@MikroTik] >

I’d really appreciate it if you could point me in the right direction, as I’m clearly missing something obvious.
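The export above contains several of the classic bridge-VLAN-filtering inconsistencies (a PVID with no matching untagged entry, a VLAN entry with no member ports, `/interface vlan` interfaces on a bridge that is not itself a tagged member of that VLAN, and a `vlan68` interface carrying `vlan-id=69`). The following script is an added example, not something from the original post or from MikroTik: it re-reads the poster's own export text (embedded verbatim as the sample input) and reports those mismatches, then checks a second, constructed fragment that meets the poster's stated requirement (trunk ports with VLAN 10 untagged and 32/68 tagged) to show it comes back clean. The check rules and the `FIXED` fragment are the example's own assumptions.

```python
"""Consistency checks for a RouterOS bridge VLAN export.

Added example (not from the forum post). It parses the 'add' lines of a
/export and flags the mistakes that make vlan-filtering=yes 'mysteriously'
drop traffic: a port PVID with no untagged entry, VLAN entries with no
ports, a /interface vlan on a bridge that is not tagged for that VLAN, and a
vlanNN name whose vlan-id is not NN.
"""
import re
from collections import defaultdict

# Sample input: the relevant sections of the poster's /export, verbatim.
EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add disabled=yes interface=bridge1 name=vlan10 vlan-id=10
add disabled=yes interface=bridge1 name=vlan32 vlan-id=32
add disabled=yes interface=bridge1 name=vlan68 vlan-id=69
add interface=ether1 name=vlan99 vlan-id=99
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus3 pvid=68
add bridge=bridge1 interface=sfp-sfpplus2 pvid=32
add bridge=bridge1 interface=sfp-sfpplus4 pvid=10
/interface bridge vlan
add bridge=bridge1 vlan-ids=32,68,10
add bridge=bridge1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus2 vlan-ids=32
add bridge=bridge1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus3 vlan-ids=68
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 vlan-ids=99
"""

# Constructed fragment matching the poster's requirement: trunk ports carry
# VLAN 10 untagged (PVID) and 32/68 tagged; access ports untagged per VLAN.
FIXED = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan32 vlan-id=32
add interface=bridge1 name=vlan68 vlan-id=68
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=10
add bridge=bridge1 interface=sfp-sfpplus2 pvid=32
add bridge=bridge1 interface=sfp-sfpplus3 pvid=68
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=sfp-sfpplus2 vlan-ids=32
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=sfp-sfpplus3 vlan-ids=68
"""

_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line.

    A line starting with '/' opens a section; export continuation lines
    ending in a backslash are joined before parsing.
    """
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            sections[section].append({k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return sections


def expand_ids(spec):
    """'32,68,10' -> {32, 68, 10}; '10-12' -> {10, 11, 12}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_bridge_vlans(sections):
    """Return human-readable findings; an empty list means the tables agree."""
    findings = []
    tagged = defaultdict(set)    # vlan-id -> ports carrying it tagged
    untagged = defaultdict(set)  # vlan-id -> ports carrying it untagged
    for entry in sections.get("/interface bridge vlan", []):
        t = set(filter(None, entry.get("tagged", "").split(",")))
        u = set(filter(None, entry.get("untagged", "").split(",")))
        if not t and not u:
            findings.append(f"vlan-ids={entry['vlan-ids']}: entry has no tagged or untagged ports (no effect)")
        for vid in expand_ids(entry["vlan-ids"]):
            if t & u:
                findings.append(f"vlan {vid}: {','.join(sorted(t & u))} listed as both tagged and untagged")
            tagged[vid] |= t
            untagged[vid] |= u
    # Untagged frames enter the port's PVID; if no entry makes that port an
    # untagged member of that VLAN, the frames have nowhere to go.
    for port in sections.get("/interface bridge port", []):
        pvid = int(port.get("pvid", 1))
        if port["interface"] not in untagged[pvid]:
            findings.append(f"{port['interface']}: pvid={pvid} but not untagged member of vlan {pvid}")
    # A /interface vlan on the bridge only sees traffic if the bridge itself
    # (the CPU-facing port) is a tagged member of that VLAN.
    for vif in sections.get("/interface vlan", []):
        vid, parent = int(vif["vlan-id"]), vif["interface"]
        if parent.startswith("bridge") and parent not in tagged[vid]:
            findings.append(f"{vif['name']}: vlan-id={vid} on {parent} but {parent} is not tagged for vlan {vid}")
        m = re.fullmatch(r"vlan(\d+)", vif["name"])
        if m and int(m.group(1)) != vid:
            findings.append(f"{vif['name']}: name suggests vlan {m.group(1)} but vlan-id={vid}")
    return findings


if __name__ == "__main__":
    for finding in check_bridge_vlans(parse_export(EXPORT)):
        print("FINDING:", finding)
    print("fixed fragment findings:", check_bridge_vlans(parse_export(FIXED)))
```

Paste the output of `/export` from the switch into `EXPORT` to run it against a live config; the same checks apply whether the VLAN interfaces live on the CRS326 or, as suggested further down the thread, on the firewall.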

Well, the issue is you do not have direct contact with any of the end devices.
The firewall router (which I am assuming provides all the VLANs) sends the VLANs to the CRS326 on the CRS326 trunk port sfp-sfpplus1.

Note I said trunk port because there is no reason on this earth for an untagged VLAN (in this case VLAN 10) to be sent to the CRS326?
That would make the connection actually a hybrid port, and one has to ask WHY?
Is this the admin VLAN?
Is the firewall not capable of sending this as a VLAN?

In fact, between all smart devices there should be only trunk ports, unless one is using Ubiquiti devices, which come defaulted expecting the management VLAN untagged (although this can be modified on the device - don't ask me how).

The requirements need to be stated a bit more clearly…
Break it down, as you have:
CRS326 PORTA needs to carry VLANs XYZ trunked to Smart Device Y (model?)
CRS326 PORTB needs to carry VLAN W untagged to PC/printer (dumb device)

For each smart device, then break down its movement of traffic similarly.
Then we will have a clearer picture.

What is 10.2.10.2, for example?
Why do you show solid lines with one VLAN but in the small text talk of multiple VLANs?
What is the actual management VLAN that all smart devices get their IP address from?

Are the access points smart devices (can they read VLAN tags) and if so, what models are they?

The firewall (WatchGuard) is not providing any VLANs or DHCP (that’s MikroTik’s job). It’s connected to MikroTik via sfp-sfpplus24 port. WatchGuard = 10.2.222.1 <> MikroTik 10.2.222.2 - it can be ignored in this discussion.

Okay, that's fine, just to be clear then that there is one single flat network coming from the WatchGuard.
What is this subnet and what is its significance to the rest of the network?
I am assuming none, and it's simply acting as the WAN connection, for all intents and purposes, for the MT device.
Also, I asked a number of questions to clarify your setup and intentions…

Yes, the WatchGuard only provides internet to MT, that's it. Remote users will connect to WatchGuard via mobile VPN, or other remote sites connect to WatchGuard via VPN tunnels. Those remote users will access servers behind MikroTik on VLAN 7, 10.2.7.0/24.

So, let's say I want the sfp-sfpplus7 interface to only provide VLAN ID 7 to another switch (48-port Netgear) to which all host servers connect. Anything connected to that Netgear switch gets a 10.2.7.0 IP address.

Now, let's say I want sfp-sfpplus8 to carry all VLANs to other switches and devices on site (it's a big site, not just one building). So I connect another HP ProSafe switch to the sfp-sfpplus8 interface; the switch is set to get its IP via DHCP, but I want to default the sfp-sfpplus8 port to provide the 10.2.10.0 IP address pool so the HP switch could be 10.2.10.1. Then I connect another switch to the HP switch, let's say TP-Link; it will also get the 10.2.10.2 IP address and so on. Now I connect a Unifi AP to a port on the TP-Link; the UAP's IP becomes 10.2.10.3, but we have 3 separate WiFi networks: Corp (VLAN 20), Clients (VLAN 30), Guests (VLAN 40) (for example). I already have all this working on a Cisco switch.
See if the screenshot from my Cisco helps. What you see there: port GE7 is an access port for VLAN 7 (7U), whereas port XG3 carries all VLANs but VLAN 45 is the default untagged VLAN (45U).
[attachment: cisco.png - Cisco VLAN membership table]
So I want to replicate the above table on a MikroTik switch, and all VLANs to talk to each other. In Unifi I'm currently using the isolation option for the clients and guest WiFi, but if I could separate those two VLANs from our internal network, that would also be great.

Usually you don't want clients to speak to each other.

That is, at the layer 2 switches you use something called port isolation (or protected VLAN, which is a specific subset of private VLAN) so the clients can only speak upstream.

If that is the case for you, I would just do regular VLANing on the MikroTik and let the VLAN interface (the IP address the clients use as their default gateway) sit on the firewall.

This way you can filter traffic between the VLANs (if needed).

You have severely contradicted yourself.
If the WatchGuard is the "internet gateway" for the MT (double NAT), then
VPN users or sites connected at the WatchGuard do not have access to the MT, and there are no VLANs coming across.

What you need to do on the WatchGuard is define static routes for the subnets needing to be reached.
ex.
add dst-address=MT-Subnet gateway=10.2.222.2 (or, if only one server is on that subnet, just the address of the server)

What I would do is create all the VLANs and DHCP on the WatchGuard and simply use the switch as a switch (which it is better designed to do, especially seeing you already have a decent router in place).
++++++++++++++++++++++++++++++++++++++++++

In any case, keeping your idea of the switch acting as router, hopefully this will get you partway.
VLAN99 is the management VLAN and all smart devices get their IP from this.
Bridge does no DHCP…

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus24 ] comment="WatchGuard Port 4"
set [ find default-name=sfp-sfpplus22 ] comment="Off Bridge Access"

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan32 vlan-id=32
add interface=bridge1 name=vlan68 vlan-id=68
add interface=bridge1 name=vlan99 vlan-id=99

/ip pool
add name=pool68 ranges=10.2.68.50-10.2.71.200
add name=pool32 ranges=10.2.32.50-10.2.35.200
add name=pool192 ranges=192.168.252.50-192.168.255.200
add name=pool99 ranges=192.168.99.10-192.168.99.200

/ip dhcp-server
# one server per VLAN interface (the interface that holds the gateway address), not on bridge1
add address-pool=pool192 interface=vlan10 name=server1
add address-pool=pool68 interface=vlan68 name=server2
add address-pool=pool32 interface=vlan32 name=server3
add address-pool=pool99 interface=vlan99 name=server99

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="Trunk port to Managed Switch"
add bridge=bridge1 interface=sfp-sfpplus2 pvid=99 ingress-filtering=yes frame-types=admit-all comment="Hybrid to Ubiquiti AP"
add bridge=bridge1 interface=sfp-sfpplus3 pvid=68 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="Access port, PC on vlan68 (delete if unused)"
add bridge=bridge1 interface=sfp-sfpplus4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="Access port, PC on vlan10 (delete if unused)"

Note: only sfp-sfpplus1 and sfp-sfpplus2 are shown on the diagram!

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=sfp-sfpplus4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=32
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=sfp-sfpplus3 vlan-ids=68
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=sfp-sfpplus2 vlan-ids=99

/ip address
add address=10.2.222.2/30 interface=sfp-sfpplus24 network=10.2.222.0 comment=WAN
# /22 so that the pools above (which run up to x.x.71.200 / x.x.35.200 / x.x.255.200) stay inside the subnet
add address=192.168.252.1/22 interface=vlan10 network=192.168.252.0
add address=10.2.32.1/22 interface=vlan32 network=10.2.32.0
add address=10.2.68.1/22 interface=vlan68 network=10.2.68.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0

add address=192.168.55.1/30 interface=sfp-sfpplus22 network=192.168.55.0 comment="Off Bridge Access"

/ip dhcp-server network
add address=192.168.252.0/22 dns-server=192.168.252.1 gateway=192.168.252.1
add address=10.2.32.0/22 dns-server=10.2.32.1 gateway=10.2.32.1
add address=10.2.68.0/22 dns-server=10.2.68.150 gateway=10.2.68.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1

/ip route
add dst-address=0.0.0.0/0 gateway=10.2.222.1

/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=sfp-sfpplus24 list=WAN
add interface=vlan10 list=LAN
add interface=vlan32 list=LAN
add interface=vlan68 list=LAN
add interface=vlan99 list=LAN
add interface=sfp-sfpplus22 list=LAN
add interface=vlan99 list=MGMT
add interface=sfp-sfpplus22 list=MGMT

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

++++++++++++++++++++++++++++++++++++++
/ip firewall address-list
add address=10.2.2.X/32 list=Authorized comment="Admin on WatchGuard LAN"
add address=192.168.99.X list=Authorized comment="admin on management vlan"
add address=192.168.55.2 list=Authorized comment="admin off bridge"
Others???


For firewall rules, keep to mostly defaults…
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="allow users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="allow users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

+++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="admin access" src-address-list=Authorized out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
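The forward chain in the post above ends with "drop all else" and has no LAN-to-LAN accept, so as written the VLANs cannot reach each other (new connections between two LAN VLANs only pass for sources on the Authorized list), which is exactly the guest/client separation asked for earlier, but not the "all VLANs talk to each other" part. The script below is an added example, not the poster's or the replier's code: it models RouterOS first-match evaluation for just the matchers those seven rules use and runs a few constructed flows through the chain, then through the same chain with one explicit inter-VLAN allow inserted before the final drop. The interface-list membership, the admin address on the Authorized list and the sample flows are assumptions made for the example.

```python
"""Dry run of a RouterOS forward chain (added example, not from the thread).

Models first-match evaluation for the matchers used by the proposed rules:
connection-state, in/out interface lists, specific interfaces, a source
address list and connection-nat-state.
"""
from dataclasses import dataclass, field

# Assumed interface-list membership and Authorized address-list contents.
LISTS = {"LAN": {"vlan10", "vlan32", "vlan68", "vlan99"}, "WAN": {"sfp-sfpplus24"}}
ADDRESS_LISTS = {"Authorized": {"192.168.99.10"}}   # assumed admin host on vlan99


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    state: str = "new"      # new | established | related | invalid | untracked
    nat_state: str = ""     # "dstnat" when the connection was port-forwarded


@dataclass
class Rule:
    action: str
    comment: str = ""
    states: set = field(default_factory=set)
    in_list: str = ""
    out_list: str = ""
    in_if: str = ""
    out_if: str = ""
    src_list: str = ""
    nat_state: str = ""

    def matches(self, p):
        """Every matcher that is set must agree; unset matchers match anything."""
        return ((not self.states or p.state in self.states)
                and (not self.in_list or p.in_if in LISTS[self.in_list])
                and (not self.out_list or p.out_if in LISTS[self.out_list])
                and (not self.in_if or p.in_if == self.in_if)
                and (not self.out_if or p.out_if == self.out_if)
                and (not self.src_list or p.src in ADDRESS_LISTS[self.src_list])
                and (not self.nat_state or p.nat_state == self.nat_state))


# The proposed forward chain, in order.
FORWARD = [
    Rule("fasttrack-connection", states={"established", "related"}),
    Rule("accept", states={"established", "related", "untracked"}),
    Rule("drop", states={"invalid"}),
    Rule("accept", "internet traffic", in_list="LAN", out_list="WAN"),
    Rule("accept", "port forwarding", nat_state="dstnat"),
    Rule("accept", "admin access", src_list="Authorized", out_list="LAN"),
    Rule("drop", "drop all else"),
]


def verdict(chain, p):
    """Action of the first terminating rule that matches the packet.

    RouterOS accepts a packet that reaches the end of a chain unmatched,
    which is why the chain needs its explicit final drop.
    """
    for rule in chain:
        if rule.matches(p):
            if rule.action == "fasttrack-connection":
                continue  # assumption: modelled as non-terminating; the next rule accepts
            return rule.action
    return "accept"


def with_corp_to_servers(chain):
    """Same chain with one explicit inter-VLAN allow before the final drop.

    vlan32 -> vlan68 stands in for 'corporate clients may reach the servers';
    every other LAN-to-LAN flow still hits 'drop all else'.
    """
    allow = Rule("accept", "corp to servers", in_if="vlan32", out_if="vlan68")
    return chain[:-1] + [allow] + chain[-1:]


# Constructed flows: label -> packet.
FLOWS = {
    "vlan32 -> internet": Packet("vlan32", "sfp-sfpplus24", "10.2.32.77"),
    "vlan32 -> vlan68 (new)": Packet("vlan32", "vlan68", "10.2.32.77"),
    "vlan68 -> vlan32 (reply)": Packet("vlan68", "vlan32", "10.2.68.5", state="established"),
    "admin vlan99 -> vlan68": Packet("vlan99", "vlan68", "192.168.99.10"),
    "vlan10 -> vlan68 (new)": Packet("vlan10", "vlan68", "192.168.252.20"),
}


def report(chain):
    """Return {flow label: verdict} for the constructed flows."""
    return {label: verdict(chain, p) for label, p in FLOWS.items()}


if __name__ == "__main__":
    for title, chain in (("as proposed", FORWARD), ("with corp->servers allow", with_corp_to_servers(FORWARD))):
        print(title)
        for label, action in report(chain).items():
            print(f"  {label:28s} {action}")
```

The point of the dry run is the ordering: the explicit allow has to sit above "drop all else", and because the chain accepts established/related traffic first, only the initiating direction needs a rule. Replies from vlan68 back to vlan32 are accepted by the second rule regardless.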

Thanks Anav, I wanted to keep WatchGuard doing what it's best at - firewalling - with switching, DHCP and VLANing delegated to a separate device. Of course, both could do both. And yes, there's a static route on the WatchGuard and MikroTik.

I did end up configuring a Bridge, Ports, VLANs and DHCP which works great now and it’s very similar to your configuration. I will have a proper look at your config and compare to see if there’s anything I missed or if there’s something you did better. I will report back very soon if I have any more questions.

Thank you.