VLANs no switch chip

Hi, I have a CCR1009-7G-1C-1S+ which does not have a switch chip. I have VLANs fully working on my installed router that was set up a year or two ago, before all of the changes to bridges, etc. I have a second identical router that I thought I’d take advantage of and reprogram to replace my router. While my current config works with VLANs just fine, I don’t know if it’s the best way. The config I’m posting below is untested and is from the new, yet to be installed router; it’s based on the current router, and I’ve removed some of the irrelevant parts.

I have each VLAN on its own interface feeding various switches downstream (Cisco SG500 or Cisco SG300). Since each VLAN is on its own interface, I don’t know if I need to create a bridge or do anything beyond what I’ve done. I’m looking for the best performance, but also the best safety/flexibility, to allow isolation of VLANs (i.e. the office VLAN can access others, nothing can access office, guest can’t access anything, etc.). I haven’t yet put any rules in this firewall to drop traffic between VLANs.

Sorry for no diagram but network overview is as follows:
Verizon ONT - to Ether 7 on tik (WAN)
Combo port on tik to Cisco SG500 (VLAN3)
Ether 1 on tik to Cisco SG500 (VLAN1 - this is untagged ports on Cisco also)
Ether 2 on tik to Cisco SG500 (VLAN2 - no DHCP, static only)
Ether 4 on tik to Cisco SG500 (VLAN4)
Ether 5 on tik to Cisco SG500 (VLAN5)

If I’ve provided enough info, should I keep VLANs as they are, or should I be using the bridge menu and its VLAN subsection?

Also, I’m testing the interface lists, so I’m not sure those are correct at this point.

# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXXXXXX
/interface vlan
add comment="Camera Traffic" interface=ether2 name=vlan2-Camera vlan-id=2
add comment="Secure Office Traffic" interface=combo1 name=vlan3-Office vlan-id=\
    3
add comment="Trusted Local Traffic" interface=ether4 name=vlan4-TrustedLocal \
    vlan-id=4
add comment="Guest Traffic" interface=ether5 name=vlan5-Guest vlan-id=5
/interface list
add name=WAN
add exclude=WAN include=all name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ipsec+l2tp
/ip pool
add name=Automation ranges=10.0.1.101-10.0.1.199
add name=Guest ranges=10.0.5.100-10.0.5.150
add name=Office ranges=10.0.3.100-10.0.3.246
add name=VPN ranges=172.31.255.247-172.31.255.254
add name=TrustedLocal ranges=10.0.4.100-10.0.4.200
/ip dhcp-server
add address-pool=Automation disabled=no interface=ether1 lease-time=1d name=\
    Automation
add address-pool=Guest disabled=no interface=vlan5-Guest lease-time=8h name=\
    Guest
add address-pool=Office disabled=no interface=vlan3-Office lease-time=1d name=\
    Office
add address-pool=TrustedLocal disabled=no interface=vlan4-TrustedLocal \
    lease-time=1d name=TrustedLocal
/ppp profile
add change-tcp-mss=yes local-address=10.0.3.1 name="ipsec+L2TP VPN" \
    remote-address=VPN use-encryption=yes
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/interface l2tp-server server
set authentication=mschap2 default-profile="ipsec+L2TP VPN" enabled=yes \
    use-ipsec=yes
/interface list member
add interface=ether7 list=WAN
add interface=ether1 list=LAN
/ip address
add address=10.0.1.1/24 comment=Automation interface=ether1 network=10.0.1.0
add address=10.0.2.1/24 comment=Cameras interface=vlan2-Camera network=10.0.2.0
add address=10.0.3.1/24 comment=Office interface=vlan3-Office network=10.0.3.0
add address=10.0.4.1/24 comment="Trusted Local" interface=vlan4-TrustedLocal \
    network=10.0.4.0
add address=10.0.5.1/24 comment=Guest interface=vlan5-Guest network=10.0.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether7
/ip dhcp-server lease
SECTION REMOVED
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    10.0.1.1
add address=10.0.2.0/24 dns-server=1.1.1.1 gateway=10.0.2.1
add address=10.0.3.0/24 dns-server=10.0.3.1 gateway=10.0.3.1
add address=10.0.4.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    10.0.4.1
add address=10.0.5.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    10.0.5.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=10.0.1.0/24 list=Automation
add address=10.0.5.0/24 list=Guest
add address=10.0.3.0/24 list=Office
add address=10.0.2.0/24 list=Cameras
add address=10.0.4.0/24 list=TrustedLocal
add address=172.31.255.0/24 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="VPN ipsec" protocol=ipsec-esp
add action=accept chain=input comment="VPN ipsec" dst-port=500,4500,1701 \
    protocol=udp
add action=accept chain=input comment="Winbox over Internet" disabled=yes \
    dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Drop Invalid DNS Connections" dst-port=53 \
    in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment="Drop Invalid DNS Connections" dst-port=53 \
    in-interface-list=!LAN protocol=udp
add action=drop chain=input comment="Drop Inbound SNMP" dst-port=161,162 \
    in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment="Drop Inbound SNMP" dst-port=161,162 \
    in-interface-list=!LAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade loopback" \
    dst-address-list=LocalNet ipsec-policy=out,none out-interface-list=LAN \
    src-address-list=LocalNet
add action=jump chain=dstnat comment="Pinhole Jump" dst-address=!10.0.0.0/16 \
    dst-address-type=local jump-target=pinholes
NUMEROUS PINHOLES HERE
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.0.3.0/24,10.0.1.0/24 port=8291
set api-ssl disabled=yes
/ppp secret
add comment="ipsec+L2TP VPN" name=User1 profile="ipsec+L2TP VPN" service=\
    l2tp
add comment="ipsec+L2TP VPN" name=User2 profile="ipsec+L2TP VPN" \
    service=l2tp
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name="CCR1009"
/system ntp client
set enabled=yes
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=12h name=UpdateNTP on-event=UpdateNTP policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add name=UpdateNTP owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\"{\
    \r\
    \n:local ntpServer \"pool.ntp.org\"\r\
    \n:local primary [resolve \$ntpServer]\r\
    \n:local secondary [resolve \$ntpServer]\r\
    \n/system ntp client set primary-ntp \$primary\r\
    \n/system ntp client set secondary-ntp \$secondary\r\
    \n}\""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

All VLAN switching should occur on the switches, with tagged / trunk port uplinks to the CCR1009, and the CCR1009 should only be used for routing between the VLANs and access control between VLANs via the firewall on the CCR.

OK, I believe that’s what I’m doing then, correct? I have multiple tagged trunk ports (VLANs 2-5) and an untagged trunk for VLAN1. I could tag this one too, but Cisco seems to insist on having at least one untagged member per port. I think that’s why I left this one as is. Or, I suppose I could create a VLAN100 on the switch and make that the untagged member, but that’s more of a Cisco discussion. Happy for suggestions. I think I forgot to mention this is actually at my house, but I do run a business from here and have a pretty large network, plus a previously unmentioned 10GB video over IP network which is currently in the VLAN1 area (it’s in beta testing, so the manufacturer doesn’t want it isolated beyond being on its own switch anyway).

When talking about security, VLAN filtering and IP firewall are separate layers. VLAN filtering makes sure that a device which supports tagged traffic cannot send and receive traffic in other VLANs than those permitted for it. Once you have enabled each VLAN ID only on a single port, there is no way how this could happen. And once the communication between devices in the same VLAN is provided by an external switch, you don’t need to set up any bridge in Mikrotik.

As for access from one IP subnet to another, by default the 'Tik is routing between all those for which it has local addresses, which is all of them in your case. If you want to restrict this, you need to use the firewall. The most secure firewall approach is to configure “drop everything, with a list of exceptions”.
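One way to write the “drop everything, with a list of exceptions” forward chain for the policy the OP described (office may reach everything, nothing may reach office, guest may reach nothing local), as an added example that is not part of any post in this thread. It reuses the address lists Office, TrustedLocal, Cameras, Automation and WAN from the posted config; the AllLocal list and the specific TrustedLocal permissions are assumptions made here for illustration.

```routeros
# Added example: inter-VLAN policy as "drop everything, with exceptions".
# Office, TrustedLocal, Cameras, Automation and the WAN interface list
# exist in the posted config; AllLocal is a hypothetical list added here.
/ip firewall address-list
add address=10.0.0.0/16 comment="every local subnet (example)" list=AllLocal
add address=172.31.255.0/24 comment="L2TP/IPsec clients (example)" list=AllLocal

/ip firewall filter
# Place these in the forward chain AFTER the existing
# "accept established,related,untracked" and "drop invalid" rules,
# so only packets that open a new connection are evaluated here.
# Rules are matched top to bottom; the first match wins.

# 1. Office may open connections to every other local segment.
add action=accept chain=forward comment="Office -> any local" \
    connection-state=new src-address-list=Office dst-address-list=AllLocal

# 2. Trusted Local may reach the camera and automation segments (assumed
#    policy). No rule grants access TO Office, so that is dropped at the end.
add action=accept chain=forward comment="TrustedLocal -> Cameras" \
    connection-state=new src-address-list=TrustedLocal dst-address-list=Cameras
add action=accept chain=forward comment="TrustedLocal -> Automation" \
    connection-state=new src-address-list=TrustedLocal dst-address-list=Automation

# 3. Every local segment, Guest included, may reach the Internet.
add action=accept chain=forward comment="any local -> Internet" \
    connection-state=new src-address-list=AllLocal out-interface-list=WAN

# 4. Port-forwarded (dst-nat) connections arriving from WAN.
add action=accept chain=forward comment="WAN -> dst-nat pinholes" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

# 5. Everything not explicitly allowed above is dropped: Guest -> LAN,
#    Cameras -> anything local, anything -> Office all end here.
add action=drop chain=forward comment="drop all other new connections"
```

Because the final rule drops every new connection that no earlier rule accepted, each new permission is one explicit accept rule above it. VPN clients (the VPN address list in the posted config) are covered by rule 3 for Internet access only; if they are meant to reach Office, that needs its own accept rule with src-address-list=VPN. The existing fasttrack rule is unaffected, since it only matches established and related connections that one of these rules already admitted.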

Thanks, so it appears I’m on the right track then, other than not doing the firewall rules yet. I’ll do a few more tweaks and then put this in as active. Just wanted to make sure with the newer changes in 6.4x that I didn’t need to reconfigure how I was doing things previously for any reason.

Just for my knowledge, I assume if I was using a single “trunk” port between MikroTik and Cisco switch then I would need to create a bridge with all VLANs in it. But since I have separate interfaces for each VLAN no bridge is needed, as you said.

Yes, using a common bridge for all VLANs is the right approach if you have a switch chip and you need to have the same VLAN on more than a single port, so that frames of that VLAN could be forwarded between those ports directly by the switch chip without engaging the CPU. And in this case it makes sense to think about vlan filtering. But if you would connect all VLANs using the same (trunk) port, there is no reason for vlan-filtering either. It starts making sense if you have three devices, one has all VLANs and the other two are authorized to access different subsets of them.

Thanks!

Just to clarify: a bridge is only needed to span multiple interfaces. In OP’s hypothetical case of a single trunk port for all VLANs (and none of them used on other ports), all VLAN interfaces could be created on the same ether port without using a single bridge.
OTOH it makes sense to use a common bridge even without having a switch chip. But one has to think of it as a VLAN-capable switch, not as a simple bridge.

Why?

Because if you want to make the 'Tik behave like a switch from the outside perspective, using a single common bridge for all VLANs results in simpler configuration and less processing when forwarding a frame between two physical ports. Here are the details and comparison.
Plus you can use STP in that case.

In this topic, where each VLAN is only present on a single physical interface, none of the arguments above has any relevance.

Hi,
I hope I can jump on this as it is spot on to my situation. I am almost there with an RB3011. We have typically been using one trunk port to one switch, so our VLANs did not run on a bridge; they ran on our trunk port, ether2. BUT I created a bridge for each VLAN and tied it to ether2. The DHCP server runs on the bridge, not on the VLAN. Then I can add any other physical interface on the 3011 to create an access port for that subnet. I am not sure if this is the correct approach. I have not used the VLAN filtering and am unsure about its use case.

Further, I now need more than one trunk port. I think the above approach does not work. Advice? I am going to pore over the other thread linked to and see if I cannot sort it.

Thanks
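The single common bridge with VLAN filtering that the earlier replies describe (a bridge treated as a VLAN-capable switch), written out with two trunk ports and one access port, as an added example that is not taken from any post in this thread. The port names, VLAN IDs and subnets are hypothetical, and it assumes RouterOS 6.41 or later, where bridge VLAN filtering was introduced.

```routeros
# Added example: one bridge with VLAN filtering on a router without a
# switch chip. ether2/ether3 (trunks), ether4 (access), VLANs 10 and 20
# and the 10.0.x.0/24 subnets are all hypothetical values.
/interface bridge
add name=bridge1 comment="VLAN-aware bridge; filtering is enabled last"

/interface bridge port
# Trunk ports: only tagged frames are accepted, untagged frames are dropped.
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# Access port for VLAN 20: untagged frames in, tagged with pvid 20 inside
# the bridge, and untagged again on the way out.
add bridge=bridge1 interface=ether4 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# The bridge itself is listed as a tagged member so that the router's
# own VLAN interfaces (below) can send and receive on each VLAN.
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=20

/interface vlan
# Layer-3 interfaces sit on the bridge rather than on a physical port,
# so they keep working no matter which trunk carries the VLAN.
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/ip address
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0

# DHCP is bound to the VLAN interface, not to a per-VLAN bridge.
/ip pool
add name=pool20 ranges=10.0.20.100-10.0.20.200
/ip dhcp-server
add address-pool=pool20 disabled=no interface=vlan20 name=dhcp20
/ip dhcp-server network
add address=10.0.20.0/24 gateway=10.0.20.1

# Enable filtering only after the VLAN table above is complete; turning
# it on earlier can cut off management access that goes through the bridge.
/interface bridge set bridge1 vlan-filtering=yes
```

A second trunk is just another port listed as tagged in each /interface bridge vlan entry, and a new access port is one bridge port with a pvid plus an untagged entry, so the layout scales without creating a bridge per VLAN. Frames between two bridge ports on a router without a switch chip are still forwarded by the CPU, which is the trade-off the earlier replies mention; the firewall rules for traffic between the VLAN interfaces apply unchanged.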