working VLAN but I have questions

RouterOS General
1

Hello,

I’m trying to setup my test environment, everything is working (due my test) but I have few questions, because I have doubts.

I followed these tutorials to setup ROS:
Router-Switch-AP (all in one) http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
InterVLAN Routing by Bridge https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_#3_(InterVLAN_Routing_by_Bridge)
CAP VLAN configuration example https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-CAPsMAN-CAPVLANconfigurationexample:

Networks:
LAN-BRIDGE: 192.168.1.1/24
TEST-VLAN: VLANID:20, 192.168.20.1/24
GUEST-VLAN: VLANID:30, 192.168.30.1/24

IDEA:
ether1 - WAN
ether2 - local server (with linux)
ether3 - test server with vmware ESXi (multiple OS with VLANs) - networks allowed: LAN-BRIDGE, TEST-VLAN, GUEST-VLAN
ether8 - hap ax2 (LAN and GUEST WiFi) - networks allowed: LAN-BRIDGE, GUEST-VLAN

I tried to separate the VLANs and only allow access to internet for every VLAN:

# RouterOS 7.10.2
# model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=GUEST_VLAN

/interface wifiwave2 channel
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz

/interface wifiwave2 datapath
add bridge=LAN-BRIDGE disabled=no name=GUEST vlan-id=30

/interface wifiwave2 security
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable

/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=\
    HOME-5GHz
add country="United States" disabled=no name=HOME-2GHz security=WPA2 ssid=\
    HOME-2GHz
add country="United States" datapath=GUEST disabled=no name=GUEST security=\
    GUEST ssid=GUEST

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3

/interface bridge port
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN

/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none

/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz \
    slave-configurations=GUEST supported-bands=2ghz-n

/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=DROP

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Questions:

  1. I didn’t followed “Router-Switch-AP (all in one)” at ingress behavior, I didn’t added pvid to interfaces at bridge port because I saw at “CAP VLAN configuration” it’s not needed if multiple VLAN need to access), is this true or is there another solution for it?

  2. I didn’t set up frame-types=admit-only-untagged-and-priority-tagged because if I set up it’s stops working on interfaces with multiple VLANs, is this because it’s only interfaces with only one VLAN? Is there a better solution?

  3. Overall with my test shows everything is working but did I missed something about security?

Thank You so much!

2

Suggestions for consideration and I can’t say all is syntax error free:

# Prefer VLAN interface over physical interface
/ip dhcp-client remove [ find where interface=ether1 ]
/interface list member remove [ find where interface=ether1 ]
/ip firewall nat remove [ find where chain=srcnat ]

# Remember LAN-BRIDGE defaults to pvid=1
# /interface bridge add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

# Bridge ALL ports AND set untagged port pvid (default is 1)
/interface bridge port
add bridge=LAN-BRIDGE interface=ether1 pvid=10
set bridge=LAN-BRIDGE interface=ether2 pvid=1
set bridge=LAN-BRIDGE interface=ether3 pvid=20
add bridge=LAN-BRIDGE interface=ether4 pvid=1
add bridge=LAN-BRIDGE interface=ether5 pvid=1
add bridge=LAN-BRIDGE interface=ether6 pvid=1
add bridge=LAN-BRIDGE interface=ether7 pvid=1
set bridge=LAN-BRIDGE interface=ether8 pvid=30
add bridge=LAN-BRIDGE interface=sfp-sfpplus1 pvid=1

/interface bridge vlan
add bridge=LAN-BRIDGE untagged=LAN-BRIDGE,ether2,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=1
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,sfp-sfpplus1 untagged=ether1 vlan-ids=10
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,sfp-sfpplus1 untagged=ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,sfp-sfpplus1,ether3 untagged=ether8 vlan-ids=30

/interface vlan
add interface=LAN-BRIDGE name=WAN0_VLAN vlan-id=10

/ip dhcp-client
add interface=WAN0_VLAN

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN0_VLAN
3

Disagree, dont use vlan1 for data, its working in the background on the bridge already.
Simply get rid of apples and oranges concept which is NOT in the artilcles you noted.

Take your bridge LAN and create another vlan and have a consistent approach.
Once you have vlans, the only thing the bridge should do is bridging, no dhcp etc…

4

RouterOS 7.10.2

model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface vlan
add interface=LAN-BRIDGE name=GUEST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20
add interface=LAN-BRIDGE name=LAN_VLAN vlan-id=10

/interface list
add name=WAN
add name=LAN
add name=TRUSTED

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

/interface wifiwave2 capsman ( CAPSMAN is a Waste of TIme here get rid of it )
/interface wifiwave2 channel { to reinforce above → why the eff put vlan settings in wifi settings?? no need! }

/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-VLAN name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST_VLAN name=dhcp3

/interface bridge port
add bridge=LAN-BRIDGE ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=LAN-BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
add bridge=LAN-BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 untagged=ether2 vlan-ids=10
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GUEST_VLAN list=LAN
add interface=LAN-VLAN list=LAN
add interface=TEST_VLAN list=LAN
add interface=LAN-VLAN list=TRUSTED

/interface wifiwave2 capsman ( CAPSMAN is a Waste of TIme here get rid of it )

/ip address
add address=192.168.10.1/24 interface=LAN-VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GUEST_VLAN network=192.168.30.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall filter
{Input Chain}
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input in-interface-list=TRUSTED
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else”
{forward chain}
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“admin access to all vlans” in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment=“port forwarding)” connection-nat-state=dstnat { disable or remove if not required }
add action=drop chain=forward comment=“drop all else”
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

5

+1 on everything and in particular VLAN 1 which IMO is special and I reserve for backup management with default 192.168.88.0/24 subnet. All my data traffic is spread over multiple VLAN (never 1).