VLANs to segregate network

Hello.
I recently got a MikroTik with router switch and would like to configure VLANs to segregate my network and make it safer.

VLAN10 - private network
VLAN20 - servers
VLAN30 - guest network
VLAN1 or 40(?) - admin network

Later, I want to implement firewall rules so that VLANs can’t communicate, and I am considering setting up an admin network that can communicate with all of them.

Interfaces
WLAN: WLAN1 (2,4 GHz), WLAN2 (5 GHz) - not broadcasting, no VLAN configured.
VAP: A pair of VAPs for each VLAN so that it can have both 2,4 GHz and 5 GHz available.
ether: WAN, switch (a managed switch), eth3 (VLAN10), eth4 and eth5 (VLAN20).
VLAN: One for each, with the corresponding bridges set.

Bridge ports
bridge-private: ether3, VAP1, VLAN10
bridge-server: switch, ether4, ether5, VAP2, VLAN20
bridge-guest: VAP3, VLAN30
bridge-admin: VAP4, VLAN40

IP, DHCP, etc.
Under IP Addresses, I set the default gateway IP in the corresponding bridge interface.
In DHCP server, I created DHCP1 with interface VLAN10 in range 192.168.10.0/24 (from 2 to 254), etc.

I’m currently setting all the filtering rules to admit all, because I can’t figure out what is wrong. I can’t connect to the VAPs, and when connecting through ethernet, I get an APIPA address.
The rest of the settings (NAT, DHCP client, etc.) are set as default settings.

Edit: Formatting consistency

Would you export your config and post it here because it seems that my local fortune teller is on vacation:

export file=anynameyouwish (minus sensitive info)

Yes, I am attaching the config file.
router-config.rsc (10.4 KB)

Apparently I read your OP too diagonally and didn’t see the obvious problems - the bridges. For VLAN to work properly, you need one bridge with all of the ports on which traffic will be tagged/untagged. Also, the VLAN interfaces shouldn’t be members of the bridge(s). That’s why before we continue, try reading the following topic on VLANs and correcting your mistakes:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

If you still have problems/questions, you can write here without any hesitation.

Thanks for the advice! I removed the VLAN interfaces from the bridge, and moved everything to just one bridge.

This seems to have fixed the problem in connecting to the VAP. Although, the phones are getting addresses from the wrong DHCP server (receiving a router range instead of the VLAN subnet range).

Under Wireless > WiFi interfaces, I have a
VAP1 AP bridge, with a master interface WLAN1, VLAN mode no tag, VLAN ID 10;
WLAN1 AP bridge, VLAN mode no tag, VLAN ID 1.

Then, under Bridge > Ports, I have once again a
VAP1, bridge set to the only one available now, PVID 10 and frame types admit only VLAN tagged;
WLAN1, with the same bridge, PVID 1 and frame types admit all.

Under IP > DHCP Server > DHCP I have a DHCP1 with interface VLAN10, configured the standard way on subnet 192.168.10.0/24.
Under IP > DHCP Server > Networks I have an entry with address 192.168.10.0/24 with gateway at 192.168.10.1 (and nothing else configured).
Under IP > Addresses I have an entry that’s configured the same way, with the address of gateway, same network and interface as the DHCP1.

Edit: I feel like the VLAN interfaces should be a part of the bridge, so that the correct DHCP servers are tied to the VLAN interfaces and it is all handled through the bridge, am I wrong?

Maybe connected, maybe not, but VLAN1 is generally a no-no:
http://forum.mikrotik.com/t/vlan-configuration/176351/1

Thanks for the tip. I see that using VLAN1 can introduce conflicts.
I read that it’s a sort of a standard to use VLAN99 for admin access, so that’s what I might do.

I’m only using VLAN1 on the WLAN interfaces.
My current setup idea is that I will have two WLAN interfaces, one for 2,4 GHz and the other for 5 GHz. Those will be configured so they are only a part of the backend and will not act as an access point. Then I will have a pair of virtual access points for each VLAN, configured to use tag, like so:

Do you think that is a valid strategy?

No idea, but you should post again your current configuration, so that some members experienced with VLANs (and VAPs) may give you some more hints/advice.

It appears I was able to fix my setup, thanks! Now I’m using a single bridge and it makes a lot more sense.
Although, I still need to filter the traffic correctly with the firewall.

I have a bridge with those 4 VLANs, WAN interface, 5 DHCP servers for the 4 VLANs and the main network, DNS server.

I think it will be best and most secure to make a “drop all, except…” type of firewall, but I am not confident enough to configure all the rules necessary for the basic network function before dropping everything else. Would anyone know all the rules necessary? Will I need to configure several of them for each VLAN, to keep it specific and secure, or is it unnecessary?
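The single-bridge layout the replies describe, together with a default-drop firewall of the "drop all, except…" shape asked about in the last post, as an added example (not the poster's exported configuration): it assumes ether1 is the WAN port, ether2 the trunk to the managed switch, ether3/ether4 access ports, a VAP named vap10 with vlan-mode=use-tag, and VLAN 99 as the admin network; VLAN 30 follows the same pattern as VLAN 10.

```routeros
# Single bridge; VLAN filtering is switched on as the last step so a mistake
# in the table below cannot lock you out while you build it.
/interface bridge add name=bridge1 vlan-filtering=no

# Bridge ports. Access ports get a PVID; the trunk to the managed switch and
# the VAP (wireless vlan-mode=use-tag, vlan-id=10) accept only tagged frames.
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=vap10 frame-types=admit-only-vlan-tagged

# Bridge VLAN table. bridge1 itself is listed as tagged so the router's own
# VLAN interfaces (below) can see each VLAN; the VLAN interfaces are NOT ports.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2,vap10 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2 untagged=ether4
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether2

# Layer-3 interfaces on the bridge, one per VLAN, each with its own DHCP server
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
add name=vlan99 interface=bridge1 vlan-id=99
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.99.1/24 interface=vlan99
/ip pool add name=pool10 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# Default-drop firewall. Only the admin VLAN may open connections into other
# VLANs; every VLAN may reach the WAN; the router itself is managed from vlan99.
/interface list add name=VLAN
/interface list member add list=VLAN interface=vlan10
/interface list member add list=VLAN interface=vlan20
/interface list member add list=VLAN interface=vlan99
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan99 comment="management from admin VLAN"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,67 comment="DNS+DHCP"
add chain=input action=drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan99 out-interface-list=VLAN
add chain=forward action=accept in-interface-list=VLAN out-interface=ether1
add chain=forward action=drop comment="everything else, including inter-VLAN"
/interface bridge set bridge1 vlan-filtering=yes
```

Repeat the vlan10 address/pool/DHCP lines for each further VLAN; the input rule for UDP 53/67 is what keeps DHCP and DNS working once everything else is dropped, and applying the whole thing from a Safe Mode session limits the damage if a rule is wrong.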