Hello,
I’m having a hard time wrapping my head around how to approach the following setup. Hopefully someone can direct me to the proper way of getting this done.
Port Eth1 WAN port
My school will default to a MGMT VLAN 1000 which will hand out an IP via DHCP; a second VLAN would be assigned for general traffic VLAN 2904
Port Eth 2-4 would be part of a LAN with a DHCP server assigning an IP to whatever would be plugged in here. All traffic from Eth 2-4 would be going to VLAN 2904.
I’m confused as to the setup of the WAN port. Can you assign TWO dhcp clients to this port with one getting an IP from VLAN 1000 and the other from VLAN2904?
Thanks in advance for any guidance this group can offer.
It sounds like what you are saying is that whatever MT device you have in place, it will strictly be acting as a switch.
Please let us know your device and by the way this is perfectly doable…
The vlan 1000 is strictly a management vlan so that the switch can get assigned an IP address; it terminates at the MT device.
The other vlan is passed through the device to its ports for the users.
I guess I should have worded it a little differently if your suggestion is to have it act as a switch since this is not what I want.
Product used is : hAP Ax Lite (L41G-2axD)
The basic functioning I need is that of a router which will manage its own LAN (I’m trying to do a somewhat closed ecosystem for our students and give them access to internet only). So the router configuration is necessary. Port 1 will be the WAN and get an IP from VLAN 2904 and ports 2-4 will be for plugging in student devices which will require internet and to communicate amongst each other but not with anybody else on the VLAN 2904.
Our school offers an added “benefit” where they have a VLAN 1000 MGMT which will also hand out IPs to devices in order to manage them safely from the WAN port.
I’ve continued to read up on this through the forums; while it is still not clear if this is possible or not (virtual interfaces?), I might be trying to do the impossible? Thanks for your previous response and any additional information you can add.
Understood, just trying to figure out how to use the management VLAN properly, the rest as you wish is very doable.
Typically the IP address given to the device is on the management vlan.
If I understand correctly, only a single DHCP client would be configured on the WAN port 1, which would belong to VLAN 1000 (MGMT), get an IP from VLAN 1000 and its IP pool range, and would allow servicing the router from the WAN port. The same port 1 would also be configured to allow packets from the LAN (ports 2-4) to be identified as VLAN 2904 for standard network traffic from the LAN.
Be advised, you won't be able to make any changes to this router since we are locking it down to only the Management VLAN coming in on ether1 !!
If you require other access best stated from where…
Also how are management going to access this device, via WINBOX… need to know more information before we actually implement…
/interface bridge
add name=Bridge
/interface vlan
# VLAN ID 2904 as given by the original poster (the reply's 2940 and 2094 were typos)
add comment=Management interface=Bridge name=vlan-mgmt vlan-id=1000
add comment=WAN-INPUT interface=Bridge name=vlan-WAN vlan-id=2904
add comment=LAN interface=Bridge name=vlan-Students vlan-id=5
/interface wifi
# As required: assume WLAN1 serves half the class and WLAN2 the other half, same network,
# to avoid overloading one chain (just use different SSIDs)
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface bridge port
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=5
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN1 pvid=5
add bridge=Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN2 pvid=5
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether1 vlan-ids=1000,2904
add bridge=Bridge tagged=Bridge untagged=ether2,ether3,ether4,WLAN1,WLAN2 vlan-ids=5
/ip dhcp-client
# peer DNS and peer NTP both enabled, as noted in the reply
add interface=vlan-WAN add-default-route=yes use-peer-dns=yes use-peer-ntp=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=vlan-Students lease-time=10m name=defconf
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=vlan-WAN list=WAN
add interface=vlan-Students list=LAN
add interface=vlan-mgmt list=MGMT
/ip address
add address=192.168.88.1/24 interface=vlan-Students network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# 192.168.1.1 is the upstream resolver value given in the reply; allow-remote-requests
# is required so the router answers the students' queries sent to 192.168.88.1
set servers=192.168.1.1 allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="authorized access" in-interface=vlan-mgmt
add action=accept chain=input comment="students to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="students to services" in-interface-list=LAN dst-port=53 protocol=tcp
# put this rule in last, to avoid getting locked out
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked routing-mark=main
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dstnat chain=dstnat in-interface-list=LAN dst-port=53 protocol=udp to-addresses=192.168.88.1
add action=dstnat chain=dstnat in-interface-list=LAN dst-port=53 protocol=tcp to-addresses=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# winbox port and allowed subnet were left open (???) in the reply; the allowed
# address should be the subnet of management VLAN 1000
set winbox address=<MGMT-VLAN-1000-SUBNET> port=<PORT>
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/interface bridge
# enable VLAN filtering last, once the VLAN table above is in place; without it the
# bridge VLAN table is not enforced
set Bridge vlan-filtering=yes
Nope, just following the directions given. You clearly stated that the ROUTER, the MT should get its IP address on this VLAN and thus the students get internet from this source.
The management vlan is strictly to access the router for config purposes and has nothing to do with DHCP client or internet traffic.
Okay I see where the confusion lies…
Your first statement in this regard implies the opposite of what I provided above: "Port Eth1 WAN port. My school will default to a MGMT VLAN 1000 which will hand out an IP via DHCP; a second VLAN would be assigned for general traffic VLAN 2904"
Since I found that confusing upon the first read, I made some assumptions and then you replied with additional clarifying information which in fact contradicted the first post: "Port 1 will be the WAN and get an IP from VLAN 2904"
The latest statement switched back to the original post… so we have to be clear at all times LOL.
A. What I provided ( acting like a router, students on isolated LAN )
if the VLAN2940 is for the router to get a WANIP, that works.
behind the other router we can setup a LAN that is not related and simply uses the connection to go out the internet
the management vlan is easily handled as shown.
B. What you want ( acting like a switch - no dhcp to students )
if the VLAN2940 is the vlan that students should be on and get dhcp from, then they will have access but also be able to reach all other VLAN2940 users and the internet.
The management VLAN can be terminated under IP DHCP client and provided the MT device with its IP address.
Once again will have to think about how to solve this dilemma.
EITHER the students are on their own VLAN and subnet getting dhcp from the mikrotik and have no direct connection or need to use 2940, OR they are vlan2940 getting dhcp from the upstream router and are connected directly to 2940. It cannot be both!!
Also, since you state that you want to terminate the MT router on the management VLAN ( aka get a private WANIP ) from that subnet, THAT MEANS all internet traffic will go out the management vlan anyway and would never use the other VLAN…
++++++++++++++++++++++++++++++++++++++
The only solution I see, apart from what I provided, is to forget about 2940, you don't need it. There is no need to use this vlan if your students are on a different subnet.
Simply terminate the router with VLAN1000, create your single subnet behind the MT and you are done.
The problem with this approach however..
They get internet based on the ASSUMPTION that the management vlan also accesses the internet, and that the IT managers don't mind your students on the management vlan.
My recommendation: Forget about terminating the router to the management vlan, it's not required as the router is only manageable via the vlan1000, with what I gave you, so you are keeping to the design and intent of the network. You still are using 2940 for internet ( student traffic ) and your students have no access to users on 2940.
Hence my original proposition is the valid and viable one.
Quick update for the benefit of all on how this ended being implemented.
Finally we dropped the requirement to use the management VLAN. We’ll only use the 2904. The MT device will be setup as a basic router. I’ll be able to remotely manage the MT device through the 2904 VLAN. We’ll be relying on IT rules to limit those who can manage the MT device.
As a supplementary security action, I also put in place MAC filtering for the physical ports to prevent just anyone from using the MT device to get internet. I used the ARP:Reply-Only approach seen on this forum.
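The ARP reply-only approach mentioned in that update, written out as an added RouterOS example (not the poster's actual configuration). It assumes the interface and DHCP server names from the earlier reply (vlan-Students, defconf, 192.168.88.0/24); the MAC addresses are constructed placeholders.

```routeros
# Added example: limit the student LAN to devices with a registered MAC address.
# Assumes vlan-Students / defconf / 192.168.88.0/24 from the config above; MACs are constructed.

# 1. Hand out addresses only to devices that have a static lease, and let the DHCP
#    server create the ARP entry for each lease it grants
/ip dhcp-server
set defconf address-pool=static-only add-arp-for-leases=yes

# 2. Default (weak) behaviour is arp=enabled: the router learns ARP entries dynamically,
#    so a device that sets its own static IP on the subnet can still reach the router.
#    With reply-only the router uses only the ARP entries already present (the ones
#    created for DHCP leases), so self-assigned addresses get no return traffic.
/interface vlan
set vlan-Students arp=reply-only

# 3. Register each permitted device (constructed sample MACs)
/ip dhcp-server lease
add address=192.168.88.20 mac-address=AA:BB:CC:00:00:01 server=defconf comment="student-laptop-01"
add address=192.168.88.21 mac-address=AA:BB:CC:00:00:02 server=defconf comment="student-laptop-02"

# Check: the ARP table for the student VLAN should list only the registered leases
/ip arp print where interface=vlan-Students
```

A MAC address is not a credential, so this limits casual use of the ports rather than authenticating devices.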