VLANs for home network - do I need changes?

I have an RB951G-2HnD as my home router and configured VLANs on it (switch chip VLAN filtering, Atheros 8327 chip):
VLAN 88 → home network, untagged; VLAN 10 → guest network, tagged; VLAN 20 → IoT network, tagged.
Ether1 is the WAN port; ether2-ether5 have other vendors' APs connected.
Each AP has 3 SSIDs:
1. home (untagged, with 192.168.88.1 gateway),
2. guest (tagged VLAN 10, with 192.168.10.1 gateway),
3. IoT (tagged VLAN 20, with 192.168.20.1 gateway).

Everything works, but I want to ask whether I need some changes in my config.

So my config is as follows:

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=88
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20

/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20

/ip address
add address=192.168.88.1/24 interface=bridge1
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20

/ip pool
add name=POOL88 ranges=192.168.88.2-192.168.88.254
add name=POOL10 ranges=192.168.10.2-192.168.10.254
add name=POOL20 ranges=192.168.20.2-192.168.20.254

/ip dhcp-server
add address-pool=POOL88 disabled=no interface=bridge1 name=DHCP88
add address-pool=POOL10 disabled=no interface=VLAN10 name=DHCP10
add address-pool=POOL20 disabled=no interface=VLAN20 name=DHCP20

/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=88
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=88
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=88
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=88
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is default-vlan-id=88

As you can see, I used bridge1 as the interface for the home network (VLAN 88). Do I need to make these changes?

  1. Add one more VLAN in ‘/interface vlan’ → add interface=bridge1 name=VLAN88 vlan-id=88
  2. Set interface=VLAN88 for 192.168.88.1/24 in ‘/ip address’
  3. Set interface=VLAN88 for DHCP88 in ‘/ip dhcp-server’
  4. “Home” interface list (used for access to MAC-WinBox, now includes bridge1) → replace bridge1 with VLAN88
  5. “LAN” interface list (used for basic firewall rules, includes bridge1, VLAN10, VLAN20) → replace bridge1 with VLAN88

Or, if it works, should it be left unchanged?

Thank You.

The config is more or less fine. I have things configured only slightly differently on my RB951G, something like this:

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=88
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=88
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=88
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=88
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is default-vlan-id=auto

I know that on the AR8327 the vlan-header property is ignored; however, I like to set it up the way it’s supposed to be on switch chips that do observe this property.

The last line: I have all VLANs tagged internally … so in turn this means you also need

/interface vlan
add interface=bridge1 name=VLAN88 vlan-id=88

and use VLAN88 interface for other settings where bridge1 interface is currently used. Pretty much the way you outlined in the last part of your post, but then you have to use switch1-cpu port as tagged also for VLAN 88.

Before changing switch1-cpu interface to tagged for VID 88 and moving the whole VLAN 88 L3 setup over to VLAN88 interface make sure that MAC access is allowed through VLAN88 interface. Default setting is /tool/mac-server/allowed-interface-list=all, but if you changed value to some explicit interface list, then you need to add VLAN88 to that list.
Because: when shuffling L2 settings, it’s only too easy to cut yourself from any management access if you’re not careful enough.

Thank you for the answer!

A few more questions:

  1. Sorry, but I did not understand this: “Pretty much the way you outlined in the last part of your post, but then you have to use switch1-cpu port as tagged also for VLAN 88.”

Do you mean this:

/interface ethernet switch port
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is default-vlan-id=88

or some other setting?

  2. Can I use only VLANs (without bridge or ether interfaces) for the LAN interface list in firewall rules?

Yes, this one … unset default-vlan-id (i.e. set it to “auto”) which will make CPU port (i.e. bridge) tagged for VLAN 88 as well.



Yes. Interface lists are about L3 interfaces … that’s interfaces with IP addresses (exception is mac-server, which works using MAC addressing … but uses same interface lists). So after you migrate VLAN 88 to tagged (internally to your RB), you don’t need bridge1 in any of interface lists. Same goes in case when one uses all-untagged setup: only bridge interface has to be set as member of interface list(s), individual bridge ports (e.g. ether2, ether3) don’t have to be mentioned in interface lists.

Thanks a lot - I understand now!

Sorry, one more thing:

Yes, this one … unset default-vlan-id (i.e. set it to “auto”) which will make CPU port (i.e. bridge) tagged for VLAN 88 as well.

but I have only untagged traffic for VLAN 88 - how does this “auto” setting put it in VLAN 88 in such a case? I thought that default-vlan-id=88 does this… Or do I not understand this correctly?

Thank You.

You can keep L2 setup for 192.168.88.0 subnet as is. Sometimes (V)LAN design becomes subjective aesthetics :wink:

However, my personal choice is to go all-VLAN whenever I start with VLANs. All-VLAN inside the LAN infrastructure, including infrastructure interconnects. In the case of your RB951G this means you have a few access ports to VLAN 88, but it should then be tagged between the switch chip and the CPU. IMO there’s no need to treat any LAN subnet specially (and an untagged “VLAN” is special in this aspect). When you add another (access) switch, you simply configure the interconnect as a trunk (all VLANs are tagged).
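The two pitfalls raised in the replies above (the L3 interface for a subnet must agree with how the CPU port tags that VLAN, and MAC-WinBox access must be allowed on the new VLAN88 interface before the L2 shuffle) can be checked mechanically against an export before it is applied. The script below is an added example, not code from the thread or from MikroTik; it uses a deliberately minimal parser for "add/set key=value" export lines and constructed sample exports modelled on the configuration in the first post. The "Home" interface list and the /tool mac-server setting in the samples are assumptions based on what the thread describes.

```python
"""Consistency checker for a RouterOS switch-chip VLAN export (added example).

Encodes the two pitfalls the replies describe for the RB951G (AR8327) setup:
  1. A subnet terminated on bridge1 rides untagged to the CPU, so the CPU port's
     default-vlan-id must be that VLAN; a subnet terminated on an /interface vlan
     over bridge1 rides tagged, so that VLAN must NOT be the CPU default-vlan-id
     (set it to auto) and must list switch1-cpu in /interface ethernet switch vlan.
  2. If /tool mac-server allowed-interface-list names a list, the interface that
     holds the management address must be a member of it, or MAC-WinBox is cut off.
Parser is minimal by design: no quoted values, no 'set [ find ... ]' syntax.
"""
from collections import defaultdict

CPU_PORT = "switch1-cpu"


def parse_export(text):
    """Return {section: [entry dicts]} for '/section' blocks of add/set lines."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        parts = line.split()
        if section is None or parts[0] not in ("add", "set"):
            continue
        entry = {"_cmd": parts[0]}
        rest = parts[1:]
        if parts[0] == "set" and "=" not in parts[1]:  # 'set <item> k=v ...'
            entry["_target"], rest = parts[1], parts[2:]
        for token in rest:
            key, _, value = token.partition("=")
            entry[key] = value
        sections[section].append(entry)
    return sections


def check_cpu_tagging(sections):
    """Findings where a subnet's L3 placement disagrees with CPU-port tagging."""
    findings = []
    cpu = next((p for p in sections["/interface ethernet switch port"]
                if p.get("_target") == CPU_PORT), {})
    cpu_default = cpu.get("default-vlan-id", "auto")
    members = {v["vlan-id"]: set(v["ports"].split(","))
               for v in sections["/interface ethernet switch vlan"]}
    vlan_ifaces = {v["name"]: v["vlan-id"] for v in sections["/interface vlan"]}
    for a in sections["/ip address"]:
        iface = a["interface"]
        if iface == "bridge1":  # untagged towards the CPU
            if cpu_default == "auto":
                findings.append(f"{a['address']} is on bridge1 (untagged) but "
                                f"{CPU_PORT} has default-vlan-id=auto")
            elif CPU_PORT not in members.get(cpu_default, set()):
                findings.append(f"VLAN {cpu_default} does not include {CPU_PORT}")
        elif iface in vlan_ifaces:  # tagged towards the CPU
            vid = vlan_ifaces[iface]
            if vid == cpu_default:
                findings.append(f"{iface} expects VLAN {vid} tagged, but {CPU_PORT} "
                                f"default-vlan-id={vid} sends it untagged; set default-vlan-id=auto")
            if CPU_PORT not in members.get(vid, set()):
                findings.append(f"VLAN {vid} does not include {CPU_PORT}")
    return findings


def check_mac_access(sections, mgmt_address):
    """Finding if MAC-server access is limited to a list lacking the mgmt interface."""
    ms = sections["/tool mac-server"]
    allowed = ms[-1].get("allowed-interface-list", "all") if ms else "all"
    if allowed == "all":
        return []
    holder = next((a["interface"] for a in sections["/ip address"]
                   if a["address"] == mgmt_address), None)
    listed = {m["interface"] for m in sections["/interface list member"]
              if m.get("list") == allowed}
    if holder is None or holder in listed:
        return []
    return [f"mac-server allows only list '{allowed}', which lacks {holder} "
            f"(holder of {mgmt_address}); add it before migrating"]


def audit(text, mgmt_address="192.168.88.1/24"):
    sections = parse_export(text)
    return check_cpu_tagging(sections) + check_mac_access(sections, mgmt_address)


# Constructed sample exports (assumed "Home" list and mac-server restriction).
COMMON = """
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=88
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
{vlan88}
/ip address
add address=192.168.88.1/24 interface={home_iface}
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
/interface ethernet switch port
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is default-vlan-id={cpu_default}
/interface list member
add interface={listed} list=Home
/tool mac-server
set allowed-interface-list=Home
"""
VLAN88 = "add interface=bridge1 name=VLAN88 vlan-id=88"
ORIGINAL = COMMON.format(vlan88="", home_iface="bridge1", cpu_default="88", listed="bridge1")
HALF_MIGRATED = COMMON.format(vlan88=VLAN88, home_iface="VLAN88", cpu_default="88", listed="bridge1")
ALL_TAGGED = COMMON.format(vlan88=VLAN88, home_iface="VLAN88", cpu_default="auto", listed="VLAN88")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("half-migrated", HALF_MIGRATED), ("all-tagged", ALL_TAGGED)):
        print(name, audit(cfg) or "OK")
```

Running the script reports the original (untagged VLAN 88 on bridge1) and the completed all-tagged layout as clean, and flags the half-done migration twice: the CPU port still sends VLAN 88 untagged while the address now sits on VLAN88, and the Home list still names bridge1, so MAC-WinBox would be lost exactly as the reply warns.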

Thank you!

Quick question.

For the first time I am starting to be able to understand these scripts whenever I read them. Big day for me.

Nevertheless, am I right in thinking this would work on a hEX router?

Cheers

No, the hEX has an MT7621 chip, and with RouterOS 7 hardware offload is supported for Bridge VLAN Filtering, which means on the hEX you configure VLANs according to this:

https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering