Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

VLAN-Problems

Mon Feb 15, 2021 3:59 pm

Hello,
I have a MikroTik 2011UiAS with 2x Ubiquiti AP AC Pro as WLAN hotspots (running OpenWrt). I have been trying for a very long time to get two WLANs (Guest, Private) separated with VLANs (tags 1 and 2), but even though I can access the internet from both WLANs, the devices are not separated and I can access them all from the Guest WLAN... I'm pretty new to this matter, but I have invested a lot of time and am becoming desperate.

My intended setup: (diagram not reproduced)
And here my current setup/config: (WinBox screenshots not reproduced)

I really hope someone can help me, thanks ;)
 
tdw
Forum Veteran
Posts: 709
Joined: Sat May 05, 2018 11:55 am

Re: VLAN-Problems

Mon Feb 15, 2021 4:55 pm

Screenshots of WinBox pages are generally not very useful; the output of /export hide-sensitive from a terminal window, posted as code (the [] icon above the text entry box on the forum page), shows the precise configuration.

Mikrotik documentation on VLAN-aware bridges is here https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering and there is a good tutorial here viewtopic.php?t=143620

Some people prefer not to use VLAN 1 as it is the Mikrotik default value for bridge and port PVIDs, also other manufacturers sometimes restrict use of VLAN 1.
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Mon Feb 15, 2021 5:22 pm

@tdw Sorry, and thanks for your help (I'm very grateful); I didn't know how to output the config.
[admin@MikroTik] > /export hide-sensitive
# feb/15/2021 16:20:20 by RouterOS 6.47.3
# software id = 4C1Y-NGYU
#
# model = 2011UiAS
# serial number = 5782041D57AD
/interface bridge
add name=Bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=6626661000
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=2
add interface=Bridge name=PrivateVLAN vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrivatePool ranges=192.168.88.20-192.168.88.254
add name=GuestPool ranges=192.168.25.3-192.168.25.254
/ip dhcp-server
add address-pool=GuestPool disabled=no interface=GuestVLAN name=Guest
add address-pool=PrivatePool disabled=no interface=PrivateVLAN name=Private
/queue simple
add disabled=yes max-limit=512k/1M name=GuestQueue target=192.168.25.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=Bridge comment=defconf interface=ether3
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10
add bridge=Bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=1
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=2
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=PrivateVLAN network=\
    192.168.88.0
add address=192.168.25.1/24 interface=GuestVLAN network=192.168.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.4 comment=Printer mac-address=38:63:BB:7D:8B:31 server=\
    Private
add address=192.168.88.17 comment=DLAN mac-address=08:96:D7:F8:44:55
add address=192.168.88.2 comment="AP-Private(House)" mac-address=\
    80:2A:A8:19:62:90 server=Private
add address=192.168.25.2 comment="AP-Guest(House)" mac-address=\
    80:2A:A8:19:62:90 server=Guest
add address=192.168.88.6 comment=ProxMox1 mac-address=20:47:47:82:E0:BA server=\
    Private
add address=192.168.88.7 comment=ProxMox2 mac-address=20:47:47:82:E0:BC server=\
    Private
add address=192.168.88.9 comment="ReverseProxy(LXC)" mac-address=\
    56:59:71:B1:85:BC server=Private
add address=192.168.88.10 comment="NextCloud(LXC)" mac-address=\
    B2:62:86:48:66:66 server=Private
add address=192.168.88.11 comment=FHEM mac-address=E6:B4:1A:F3:11:86 server=\
    Private
add address=192.168.88.8 comment=iDRAC7 mac-address=20:47:47:82:E0:BE server=\
    Private
add address=192.168.88.5 client-id=1:1E:26:CA:51:2F:C2 comment=NAS mac-address=\
    1E:26:CA:51:2F:C2 server=Private
add address=192.168.88.19 comment=LedControllerFabian mac-address=\
    AC:CF:23:31:CC:DD server=Private
add address=192.168.88.12 comment="Heater(LXC)" mac-address=DA:62:17:83:4E:8F \
    server=Private
add address=192.168.88.18 comment="Heater(RS232)" mac-address=34:EA:E7:13:73:AE \
    server=Private
add address=192.168.88.3 comment="AP-Private(Garden)" mac-address=\
    80:2A:A8:19:5E:EC server=Private
add address=192.168.25.3 comment="AP-Guest(Garden)" mac-address=\
    80:2A:A8:19:5E:EC server=Guest
add address=192.168.88.13 comment=DataBase mac-address=F6:55:D0:3C:14:94 \
    server=Private
add address=192.168.88.14 comment="BookStack (Wiki" mac-address=\
    5E:3E:A5:3C:B4:80 server=Private
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=XXXXXXXXXad.sn.mynetname.net list=PUBLIC-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=HairPinNAT
add action=dst-nat chain=dstnat comment="Forward - ReverseProxy(LXC)" \
    dst-address-list=PUBLIC-IP protocol=tcp to-addresses=192.168.88.9
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Veteran
Posts: 709
Joined: Sat May 05, 2018 11:55 am

Re: VLAN-Problems

Mon Feb 15, 2021 5:41 pm

As the bridge and all of the ports have PVID=1, things are getting confused by also having a VLAN with VID=1 attached to the bridge. There are several options:

* Use VLAN IDs excluding 1
OR
* Set the bridge & port PVIDs to some other value
OR
* Disable the PVID on ports where you wish to use VLAN 1 tagged:
/interface bridge
add name=Bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge port
add bridge=Bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=Bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes


Note the bridge & bridge port frame-types= setting is ignored unless ingress-filtering=yes is also specified, so the ports with frame-types=admit-only-untagged-and-priority-tagged need updating too.
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Mon Feb 15, 2021 5:51 pm

OK, thank you, I thought they had to be the same.

Is there some ID numbering convention?

In the article it says "Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied." So shouldn't ingress filtering only be activated on ports where there are only packets without tags?

What about ether3, where I have untagged and tagged packets incoming?

Thanks for your help.
 
tdw
Forum Veteran
Posts: 709
Joined: Sat May 05, 2018 11:55 am

Re: VLAN-Problems

Mon Feb 15, 2021 6:19 pm

Tropaion wrote: In the article it says "Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied." So shouldn't ingress filtering only be activated on ports where there are only packets without tags?
Tagged only (a.k.a. trunk): frame-types=admit-only-vlan-tagged ingress-filtering=yes
Untagged only (a.k.a. access): frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
Tagged+untagged (a.k.a. hybrid) : ingress-filtering=no OR frame-types=admit-all ingress-filtering=yes

Untagged and hybrid ports are automatically added as untagged bridge vlan members based on their pvid= setting. Note that many default settings such as pvid=1 do not appear in /export, if you use /interface bridge export verbose you will see all of the settings.

Tropaion wrote: What about ether3, where I have untagged and tagged packets incoming?
That doesn't correspond with your existing configuration (add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=1 and add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=2) or your picture ("tag 1" and "tag 2").
 
mkx
Forum Guru
Posts: 5418
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN-Problems

Mon Feb 15, 2021 7:18 pm

tdw wrote: Tagged+untagged (a.k.a. hybrid) : ingress-filtering=no OR frame-types=admit-all ingress-filtering=yes

It actually should be the latter (with ingress filtering enabled) to enforce ingress filtering according to the allowed VLANs as configured in /interface bridge vlan ...
BR,
Metod
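The checks described in the three replies above (tdw's point that frame-types= is ignored unless ingress-filtering=yes, the trunk/access/hybrid roles, the pvid-derived untagged membership that /export hides, and his earlier point that VLAN 1 collides with the default pvid=1, which mkx notes needs ingress filtering to be enforced at all) can be run mechanically against an export. The script below is an added example written for this page, not code from the thread or from MikroTik. It assumes RouterOS 6 defaults for the values /export omits (pvid=1, frame-types=admit-all, ingress-filtering=no) and parses a constructed sample trimmed from the first export in the thread.

```python
"""Lint a RouterOS 6 `/export` for the VLAN-aware-bridge pitfalls raised above.

Added example (not from the thread or MikroTik). Joins the backslash-wrapped
lines of an export, then reports ports whose frame-types= is ignored because
ingress-filtering=no, each port's role (trunk / access / hybrid), and the
effective membership of every VLAN including the implicit untagged membership
a port gets from its pvid, so a port that is tagged *and* pvid-untagged in the
same VLAN (the VLAN 1 vs default pvid=1 clash) shows up.
"""
import shlex
from collections import defaultdict

# Constructed sample, trimmed from the first /export in the thread.
SAMPLE_EXPORT = """\
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=2
add interface=Bridge name=PrivateVLAN vlan-id=1
/interface bridge port
add bridge=Bridge comment=defconf interface=ether3
add bridge=Bridge comment=defconf frame-types=\\
    admit-only-untagged-and-priority-tagged interface=ether4
add bridge=Bridge interface=ether2
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=1
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=2
"""

# Values /export omits because they are defaults (RouterOS 6; assumption).
DEFAULTS = {"pvid": "1", "frame-types": "admit-all", "ingress-filtering": "no"}


def parse_export(text):
    """Return {section: [entry, ...]}, one dict of key=value per add/set line."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:                      # continuation of a wrapped line
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in joined:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line.strip()
            continue
        verb, *tokens = shlex.split(line)
        if verb in ("add", "set") and current:
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def bridge_ports(sections):
    return [{**DEFAULTS, **p} for p in sections.get("/interface bridge port", [])]


def port_role(port):
    """trunk / access / hybrid as in the table above; without
    ingress-filtering=yes the bridge admits everything regardless of frame-types."""
    ft = port["frame-types"]
    if port["ingress-filtering"] != "yes":
        return "hybrid (frame-types ignored)" if ft != "admit-all" else "hybrid (unenforced)"
    return {"admit-only-vlan-tagged": "trunk",
            "admit-only-untagged-and-priority-tagged": "access"}.get(ft, "hybrid")


def ignored_frame_types(sections):
    return [p["interface"] for p in bridge_ports(sections)
            if p["frame-types"] != "admit-all" and p["ingress-filtering"] != "yes"]


def _vids(spec):                     # "10" or "10,20" or "10-12"
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        yield from range(int(lo), int(hi or lo) + 1)


def effective_membership(sections):
    """vlan-id -> {'tagged': set, 'untagged': set}, adding the pvid-derived
    untagged membership of the bridge itself and of every non-trunk port."""
    members = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for row in sections.get("/interface bridge vlan", []):
        for vid in _vids(row["vlan-ids"]):
            for kind in ("tagged", "untagged"):
                members[vid][kind] |= set(filter(None, row.get(kind, "").split(",")))
    for b in sections.get("/interface bridge", []):
        members[int(b.get("pvid", DEFAULTS["pvid"]))]["untagged"].add(b["name"])
    for p in bridge_ports(sections):
        if port_role(p) != "trunk":  # trunk ports admit no untagged frames
            members[int(p["pvid"])]["untagged"].add(p["interface"])
    return dict(members)


def lint(text):
    """All findings for one export, as human-readable strings."""
    s = parse_export(text)
    out = [f"{p}: frame-types is ignored because ingress-filtering=no"
           for p in ignored_frame_types(s)]
    for vid, m in sorted(effective_membership(s).items()):
        for port in sorted(m["tagged"] & m["untagged"]):
            out.append(f"{port}: tagged and (via pvid) untagged member of VLAN {vid}")
    return out


if __name__ == "__main__":
    for p in bridge_ports(parse_export(SAMPLE_EXPORT)):
        print(f"{p['interface']:<8} {port_role(p)}")
    print(*lint(SAMPLE_EXPORT), sep="\n")
```

Run as a script it prints each port's role and the findings; parse_export(open("export.rsc").read()) works on a saved /export hide-sensitive. On the sample it reproduces the first configuration's trouble: with no ingress filtering, ether4's frame-types setting does nothing, and Bridge, ether2 and ether3 are tagged members of VLAN 1 while also landing in VLAN 1 untagged through the default pvid.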
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Mon Feb 15, 2021 8:09 pm

I think I set it up as you said, but I think setting the PVID to another value isn't a solution for me.
Now I have:
  • vlan1 (ID=1) -> all untagged
  • vlan2 (ID=10) -> all tagged with id=10 (guest)
  • vlan3 (ID=20) -> all tagged with id=20 (guest)
But I don't want the untagged ones in a separate VLAN; I want all untagged frames to get tag 10 and be in the private VLAN.
[admin@MikroTik] > /export hide-sensitive                     
# feb/15/2021 19:04:44 by RouterOS 6.47.3
# software id = 4C1Y-NGYU
#
# model = 2011UiAS
# serial number = 5782041D57AD
/interface bridge
add ingress-filtering=yes name=Bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=6626661000
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=20
add interface=Bridge name=PrivateVLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrivatePool ranges=192.168.88.20-192.168.88.254
add name=GuestPool ranges=192.168.25.3-192.168.25.254
/ip dhcp-server
add address-pool=GuestPool disabled=no interface=GuestVLAN name=Guest
add address-pool=PrivatePool disabled=no interface=PrivateVLAN name=Private
/queue simple
add disabled=yes max-limit=512k/1M name=GuestQueue target=192.168.25.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether6
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether7
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether8
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether9
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether10
add bridge=Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
add bridge=Bridge vlan-ids=1
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=PrivateVLAN network=\
    192.168.88.0
add address=192.168.25.1/24 interface=GuestVLAN network=192.168.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.4 comment=Printer mac-address=38:63:BB:7D:8B:31 server=\
    Private
add address=192.168.88.17 comment=DLAN mac-address=08:96:D7:F8:44:55
add address=192.168.88.2 comment="AP-Private(House)" mac-address=\
    80:2A:A8:19:62:90 server=Private
add address=192.168.25.2 comment="AP-Guest(House)" mac-address=\
    80:2A:A8:19:62:90 server=Guest
add address=192.168.88.6 comment=ProxMox1 mac-address=20:47:47:82:E0:BA server=\
    Private
add address=192.168.88.7 comment=ProxMox2 mac-address=20:47:47:82:E0:BC server=\
    Private
add address=192.168.88.9 comment="ReverseProxy(LXC)" mac-address=\
    56:59:71:B1:85:BC server=Private
add address=192.168.88.10 comment="NextCloud(LXC)" mac-address=\
    B2:62:86:48:66:66 server=Private
add address=192.168.88.11 comment=FHEM mac-address=E6:B4:1A:F3:11:86 server=\
    Private
add address=192.168.88.8 comment=iDRAC7 mac-address=20:47:47:82:E0:BE server=\
    Private
add address=192.168.88.5 client-id=1:1E:26:CA:51:2F:C2 comment=NAS mac-address=\
    1E:26:CA:51:2F:C2 server=Private
add address=192.168.88.19 comment=LedControllerFabian mac-address=\
    AC:CF:23:31:CC:DD server=Private
add address=192.168.88.12 comment="Heater(LXC)" mac-address=DA:62:17:83:4E:8F \
    server=Private
add address=192.168.88.18 comment="Heater(RS232)" mac-address=34:EA:E7:13:73:AE \
    server=Private
add address=192.168.88.3 comment="AP-Private(Garden)" mac-address=\
    80:2A:A8:19:5E:EC server=Private
add address=192.168.25.3 comment="AP-Guest(Garden)" mac-address=\
    80:2A:A8:19:5E:EC server=Guest
add address=192.168.88.13 comment=DataBase mac-address=F6:55:D0:3C:14:94 \
    server=Private
add address=192.168.88.14 comment="BookStack (Wiki" mac-address=\
    5E:3E:A5:3C:B4:80 server=Private
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=5782041d57ad.sn.mynetname.net list=PUBLIC-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=HairPinNAT
add action=dst-nat chain=dstnat comment="Forward - ReverseProxy(LXC)" \
    dst-address-list=PUBLIC-IP protocol=tcp to-addresses=192.168.88.9
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
EDIT: I have already solved the problem; I added some firewall filter rules and now it works.
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Mon Feb 15, 2021 11:16 pm

It is basically working, but I have a problem with two devices. They have a static IP assigned, but they don't start a connection; it always says "waiting", and even trying to connect with a dynamic IP (DHCP) doesn't work. Every other device works without problems.
[admin@MikroTik] > /export hide-sensitive             
# feb/15/2021 22:14:31 by RouterOS 6.47.3
# software id = 4C1Y-NGYU
#
# model = 2011UiAS
# serial number = 5782041D57AD
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=6626661000
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=20
add interface=Bridge name=PrivateVLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrivatePool ranges=192.168.88.20-192.168.88.254
add name=GuestPool ranges=192.168.25.3-192.168.25.254
/ip dhcp-server
add address-pool=GuestPool disabled=no interface=GuestVLAN name=Guest
add address-pool=PrivatePool disabled=no interface=PrivateVLAN name=Private
/queue simple
add disabled=yes max-limit=512k/1M name=GuestQueue target=192.168.25.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3 pvid=\
    10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether6 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether7 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether8 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether9 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether10 pvid=10
add bridge=Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2 untagged=\
    ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=PrivateVLAN network=\
    192.168.88.0
add address=192.168.25.1/24 interface=GuestVLAN network=192.168.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.4 comment=Printer mac-address=38:63:BB:7D:8B:31 server=\
    Private
add address=192.168.88.17 comment=DLAN mac-address=08:96:D7:F8:44:55 server=\
    Private
add address=192.168.88.2 comment="AP-Private(House)" mac-address=\
    80:2A:A8:19:62:90 server=Private
add address=192.168.25.2 comment="AP-Guest(House)" mac-address=\
    80:2A:A8:19:62:90 server=Guest
add address=192.168.88.6 comment=ProxMox1 mac-address=20:47:47:82:E0:BA server=\
    Private
add address=192.168.88.7 comment=ProxMox2 mac-address=20:47:47:82:E0:BC server=\
    Private
add address=192.168.88.9 comment="ReverseProxy(LXC)" mac-address=\
    56:59:71:B1:85:BC server=Private
add address=192.168.88.10 comment="NextCloud(LXC)" mac-address=\
    B2:62:86:48:66:66 server=Private
add address=192.168.88.11 comment=FHEM mac-address=E6:B4:1A:F3:11:86 server=\
    Private
add address=192.168.88.8 comment=iDRAC7 mac-address=20:47:47:82:E0:BE server=\
    Private
add address=192.168.88.5 client-id=1:1E:26:CA:51:2F:C2 comment=NAS mac-address=\
    1E:26:CA:51:2F:C2 server=Private
add address=192.168.88.19 comment=LedControllerFabian mac-address=\
    AC:CF:23:31:CC:DD server=Private
add address=192.168.88.12 comment="Heater(LXC)" mac-address=DA:62:17:83:4E:8F \
    server=Private
add address=192.168.88.18 comment="Heater(RS232)" mac-address=34:EA:E7:13:73:AE \
    server=Private
add address=192.168.88.3 comment="AP-Private(Garden)" mac-address=\
    80:2A:A8:19:5E:EC server=Private
add address=192.168.25.3 comment="AP-Guest(Garden)" mac-address=\
    80:2A:A8:19:5E:EC server=Guest
add address=192.168.88.13 comment=DataBase mac-address=F6:55:D0:3C:14:94 \
    server=Private
add address=192.168.88.14 comment="BookStack (Wiki" mac-address=\
    5E:3E:A5:3C:B4:80 server=Private
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.at
add address=192.168.88.9 name=xxxxxxxxxxx.att
/ip firewall address-list
add address=5782041d57ad.sn.mynetname.net list=PUBLIC-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Forward Guests to Reverse Proxy" \
    connection-state=! dst-address=192.168.88.9 src-address=192.168.25.0/24
add action=reject chain=forward comment="Block GuestVLAN" dst-address=\
    192.168.88.0/24 reject-with=icmp-network-unreachable src-address=\
    192.168.25.0/24
add action=reject chain=forward comment="Block PrivateVLAN" dst-address=\
    192.168.25.0/24 reject-with=icmp-network-unreachable src-address=\
    192.168.88.0/24
add action=reject chain=input comment="Block Router-UI-Access" dst-address=\
    192.168.25.1 reject-with=icmp-admin-prohibited src-address=192.168.25.0/24
add action=reject chain=input comment="Block AP-UI-Access" dst-address=\
    192.168.25.2 reject-with=icmp-network-unreachable src-address=\
    192.168.25.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=SrcNAT
add action=dst-nat chain=dstnat comment="Forward - ReverseProxy(LXC)" \
    dst-address-list=PUBLIC-IP protocol=tcp to-addresses=192.168.88.9
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
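The guest/private separation in the export above is done entirely in the filter rules, so it is worth walking them in order with a few concrete flows. The script below is an added example written for this page, not the router's own logic or anything from the post: the rules are transcribed in order from the export (the ipsec and fasttrack rules are left out because they cannot match a new LAN connection), the empty connection-state=! on the "Forward Guests to Reverse Proxy" rule is treated as matching any state (an assumption), and an unmatched packet is accepted, which is RouterOS behaviour when a chain has no final drop. The flows are constructed.

```python
"""First-match walk of the filter rules in the /export above, to see which
guest <-> private flows they actually allow. Added example, not the router's
own logic. Rules are transcribed in order; ipsec/fasttrack rules omitted
(they cannot match a new LAN connection); the empty connection-state=! on the
reverse-proxy rule is treated as matching any state (assumption).
"""
import ipaddress

RULES = [
    # input chain: packets addressed to one of the router's own addresses
    dict(chain="input", action="accept", state={"established", "related", "untracked"}),
    dict(chain="input", action="drop", state={"invalid"}),
    dict(chain="input", action="accept", proto="icmp", comment="defconf: accept ICMP"),
    dict(chain="input", action="accept", dst="127.0.0.1/32"),
    dict(chain="input", action="reject", src="192.168.25.0/24", dst="192.168.25.1/32",
         comment="Block Router-UI-Access"),
    dict(chain="input", action="reject", src="192.168.25.0/24", dst="192.168.25.2/32",
         comment="Block AP-UI-Access"),
    # forward chain: packets routed between interfaces
    dict(chain="forward", action="accept", state={"established", "related", "untracked"}),
    dict(chain="forward", action="drop", state={"invalid"}),
    dict(chain="forward", action="drop", state={"new"}, ifl="WAN", nat_state="!dstnat",
         comment="defconf: drop all from WAN not DSTNATed"),
    dict(chain="forward", action="accept", src="192.168.25.0/24", dst="192.168.88.9/32",
         comment="Forward Guests to Reverse Proxy"),
    dict(chain="forward", action="reject", src="192.168.25.0/24", dst="192.168.88.0/24",
         comment="Block GuestVLAN"),
    dict(chain="forward", action="reject", src="192.168.88.0/24", dst="192.168.25.0/24",
         comment="Block PrivateVLAN"),
]


def new_conn(chain, src, dst, proto="tcp", ifl="LAN", nat_state="none"):
    """A packet opening a new connection; ifl is the in-interface-list it hits."""
    return dict(chain=chain, src=src, dst=dst, proto=proto, state="new",
                ifl=ifl, nat_state=nat_state)


def matches(rule, pkt):
    if rule["chain"] != pkt["chain"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "ifl" in rule and rule["ifl"] != pkt["ifl"]:
        return False
    if "nat_state" in rule:          # "!dstnat" negates like the RouterOS matcher
        negate, want = rule["nat_state"].startswith("!"), rule["nat_state"].lstrip("!")
        if (pkt["nat_state"] == want) == negate:
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    return True


def verdict(pkt):
    """(action, rule comment) of the first matching rule, else the default accept."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched: RouterOS default is accept"


# Constructed flows worth checking here (guest 192.168.25.0/24, private
# 192.168.88.0/24, router addresses .25.1 and .88.1, reverse proxy .88.9).
FLOWS = {
    "guest -> reverse proxy":        new_conn("forward", "192.168.25.50", "192.168.88.9"),
    "guest -> NAS":                  new_conn("forward", "192.168.25.50", "192.168.88.5"),
    "private -> guest client":       new_conn("forward", "192.168.88.5", "192.168.25.50"),
    "guest -> router guest addr":    new_conn("input", "192.168.25.50", "192.168.25.1"),
    "guest -> router private addr":  new_conn("input", "192.168.25.50", "192.168.88.1"),
    "guest ping router":             new_conn("input", "192.168.25.50", "192.168.25.1", proto="icmp"),
    "internet -> proxy, no dst-nat": new_conn("forward", "203.0.113.7", "192.168.88.9", ifl="WAN"),
}


def audit():
    return {name: verdict(pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, why) in audit().items():
        print(f"{name:<32} {action:<7} {why}")
```

The forward chain does what the post intends: guest to private is rejected except for 192.168.88.9, and private to guest is rejected. The input chain is the part to look at: it has no catch-all, so a guest host is only refused on 192.168.25.1 and can still open connections to the router on 192.168.88.1 (or any other router address), and the "Block AP-UI-Access" rule never matches anything because the input chain only sees packets addressed to the router itself, not to the AP at 192.168.25.2.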
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Problems

Tue Feb 16, 2021 12:44 am

Try actually configuring according to the ref guide below!
Not going to bother helping until you have a better understanding (clue: the bridge VLAN ID is the same as the guest VLAN ID).

viewtopic.php?t=143620
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Wed Feb 17, 2021 3:01 am

I have already been trying this for more than a week and have also read this article a few times (it doesn't say anything about hybrid ports).
I also read this and many others.

I thought I already had it pretty much right, and I don't get what you mean or what it has to do with the problem that two specific hosts don't get an IP address.
The VLANs have VID=10 (Private) and VID=20 (Guest), and the bridge itself has PVID=10 (Private), but I'm not exactly sure how this matters.
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=6626661000
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=20
add interface=Bridge name=PrivateVLAN vlan-id=10
ether3 is a hybrid port and all others are access ports; from what I have understood, this should be all right.
Untagged packets from ether3 should go to the private VLAN (10).
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3 pvid=\
    10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether6 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether7 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether8 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether9 pvid=10
add bridge=Bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether10 pvid=10
add bridge=Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2 pvid=10
Then at Bridge->VLAN the egress behaviour is defined, but I'm not really sure how to handle the hybrid port.
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2 untagged=\
    ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
I have compared my settings with the provided RouterSwitchAP.src and most things are similar, except there isn't an example for a hybrid port.
Either way, none of these doubts explain to me why only two specific devices do not get an IP, either statically or dynamically; all other devices work without problems.

Thanks for your help.
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Problems

Wed Feb 17, 2021 2:49 pm

Okay, yes, hybrid ports are a bit trickier.
I will have a look sometime today at the config you posted to see what I can discern; apologies for my negative tone yesterday.
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Wed Feb 17, 2021 3:43 pm

No problem, I'm grateful for your help.

I also read about hybrid ports and tried to configure one, but I'm not sure it is right.
But I'm sure it doesn't have anything to do with the devices which can't get an IP, either static or via DHCP (because they don't use ether3); I don't have any clue what the problem could be.

This is my current config, I changed the firewall filter a bit.
[admin@MikroTik] > /export hide-sensitive
# feb/17/2021 14:42:37 by RouterOS 6.47.3
# software id = 4C1Y-NGYU
#
# model = 2011UiAS
# serial number = 5782041D57AD
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=6626661000
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=20
add interface=Bridge name=PrivateVLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrivatePool ranges=192.168.88.20-192.168.88.254
add name=GuestPool ranges=192.168.25.3-192.168.25.254
/ip dhcp-server
add address-pool=GuestPool disabled=no interface=GuestVLAN name=Guest
add address-pool=PrivatePool disabled=no interface=PrivateVLAN name=Private
/queue simple
add disabled=yes max-limit=512k/1M name=GuestQueue target=192.168.25.0/24
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=10
add bridge=Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2 untagged=ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=PrivateVLAN list=VLAN
add interface=GuestVLAN list=VLAN
/ip address
add address=192.168.88.1/24 interface=PrivateVLAN network=192.168.88.0
add address=192.168.25.1/24 interface=GuestVLAN network=192.168.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.4 comment=Printer mac-address=38:63:BB:7D:8B:31 server=Private
add address=192.168.88.17 comment=DLAN mac-address=08:96:D7:F8:44:55 server=Private
add address=192.168.88.2 comment="AP-Private(House)" mac-address=80:2A:A8:19:62:90 server=Private
add address=192.168.25.2 comment="AP-Guest(House)" mac-address=80:2A:A8:19:62:90 server=Guest
add address=192.168.88.6 comment=ProxMox1 mac-address=20:47:47:82:E0:BA server=Private
add address=192.168.88.7 comment=ProxMox2 mac-address=20:47:47:82:E0:BC server=Private
add address=192.168.88.9 comment="ReverseProxy(LXC)" mac-address=56:59:71:B1:85:BC server=Private
add address=192.168.88.10 comment="NextCloud(LXC)" mac-address=B2:62:86:48:66:66 server=Private
add address=192.168.88.11 comment=FHEM mac-address=E6:B4:1A:F3:11:86 server=Private
add address=192.168.88.8 comment=iDRAC7 mac-address=20:47:47:82:E0:BE server=Private
add address=192.168.88.5 client-id=1:1E:26:CA:51:2F:C2 comment=NAS mac-address=1E:26:CA:51:2F:C2 server=Private
add address=192.168.88.19 comment=LedControllerFabian mac-address=AC:CF:23:31:CC:DD server=Private
add address=192.168.88.12 comment="Heater(LXC)" mac-address=DA:62:17:83:4E:8F server=Private
add address=192.168.88.18 comment="Heater(RS232)" mac-address=34:EA:E7:13:73:AE server=Private
add address=192.168.88.3 comment="AP-Private(Garden)" mac-address=80:2A:A8:19:5E:EC server=Private
add address=192.168.25.3 comment="AP-Guest(Garden)" mac-address=80:2A:A8:19:5E:EC server=Guest
add address=192.168.88.13 comment=DataBase mac-address=F6:55:D0:3C:14:94 server=Private
add address=192.168.88.14 comment="BookStack (Wiki" mac-address=5E:3E:A5:3C:B4:80 server=Private
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.9 name=router.flowerhouse.at
add address=192.168.88.9 name=ve.flowerhouse.at
add address=192.168.88.9 name=nas.flowerhouse.at
add address=192.168.88.9 name=cloud.flowerhouse.at
add address=192.168.88.9 name=fhem.flowerhouse.at
add address=192.168.88.9 name=home.flowerhouse.at
add address=192.168.88.9 name=dav.home.flowerhouse.at
add address=192.168.88.9 name=heater.flowerhouse.at
add address=192.168.88.9 name=db.flowerhouse.at
add address=192.168.88.9 name=wiki.flowerhouse.at
/ip firewall address-list
add address=5782041d57ad.sn.mynetname.net list=PUBLIC-IP
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow Router-Services only for PrivateVLAN" in-interface=PrivateVLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Reverse Proxy Access" connection-state=! dst-address=192.168.88.9 in-interface-list=\
    VLAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment=SrcNAT
add action=dst-nat chain=dstnat comment="Forward - ReverseProxy(LXC)" dst-address-list=PUBLIC-IP protocol=tcp to-addresses=\
    192.168.88.9
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Veteran
Posts: 709
Joined: Sat May 05, 2018 11:55 am

Re: VLAN-Problems

Wed Feb 17, 2021 6:08 pm

The bridge itself is still set to be both untagged
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes

and tagged
tagged=Bridge,... under /interface bridge vlan
together with
/interface vlan add interface=Bridge name=PrivateVLAN vlan-id=10

Change the bridge-to-CPU interface to be tagged only
/interface bridge
add ingress-filtering=yes frame-types=admit-only-vlan-tagged name=Bridge pvid=1 vlan-filtering=yes


Personally I leave out any untagged= membership under /interface bridge vlan, as these will be dynamically added from the pvid= settings under /interface bridge port. You can see the actual current memberships in Winbox, or with /interface bridge vlan print; note that ports which are not plugged in do not have current memberships. Whilst you can manually specify the untagged= memberships, if there is a mismatch odd connectivity issues can arise.

Have you checked that your other device actually supports hybrid ports? Specifically, devices with fast (not gigabit) switch chips from Atheros and Ralink appear to let you configure a mix of tagged and untagged, but the chips themselves do not support it, and you end up with traffic tagged in one direction but untagged in the other.
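Added example, not part of tdw's reply or of RouterOS: a small Python checker that parses a /export excerpt (constructed here from an abbreviated version of the config posted above) and flags the two inconsistencies tdw describes, the bridge being both tagged and an untagged (pvid) member of the same VLAN, and a static untagged= membership that disagrees with a port's pvid.

```python
import re
from collections import defaultdict

# Constructed, abbreviated excerpt of the /export above; ether5 is added
# with the default pvid (1) to show the untagged=/pvid mismatch case.
EXPORT = """\
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes
/interface vlan
add interface=Bridge name=GuestVLAN vlan-id=20
add interface=Bridge name=PrivateVLAN vlan-id=10
/interface bridge port
add bridge=Bridge ingress-filtering=yes interface=ether3 pvid=10
add bridge=Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=Bridge interface=ether5
add bridge=Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2 pvid=10
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2 untagged=ether4,ether5 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
"""


def parse_export(text):
    """Return {menu path: [ {key: value}, ... ]} for every 'add'/'set' line."""
    menus, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")) and menu:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            menus[menu].append({k: v.strip('"') for k, v in pairs})
    return menus


def check_vlan_config(text):
    """Return a list of findings about the bridge VLAN table in the export."""
    m = parse_export(text)
    findings = []
    bridge = m["/interface bridge"][0]
    bridge_name, bridge_pvid = bridge["name"], bridge.get("pvid", "1")
    # a port without pvid= uses the RouterOS default of 1
    port_pvid = {p["interface"]: p.get("pvid", "1") for p in m["/interface bridge port"]}
    vlans_with_bridge_tagged = set()
    for v in m["/interface bridge vlan"]:
        vid = v["vlan-ids"]
        if bridge_name in v.get("tagged", "").split(","):
            vlans_with_bridge_tagged.add(vid)
        for port in filter(None, v.get("untagged", "").split(",")):
            # static untagged= membership that disagrees with the port's pvid
            if port in port_pvid and port_pvid[port] != vid:
                findings.append(f"{port} untagged in VLAN {vid} but pvid={port_pvid[port]}")
    # bridge pvid makes the CPU port an untagged member of a VLAN it is also tagged in
    if bridge_pvid in vlans_with_bridge_tagged:
        findings.append(f"{bridge_name} is both tagged and untagged (pvid) in VLAN {bridge_pvid}")
    # an /interface vlan on the bridge for the bridge's own pvid is the same clash
    for v in m["/interface vlan"]:
        if v["interface"] == bridge_name and v["vlan-id"] == bridge_pvid:
            findings.append(f"{v['name']} (vlan-id {bridge_pvid}) collides with bridge pvid")
    return findings
```

Setting the bridge to pvid=1 with frame-types=admit-only-vlan-tagged, as suggested above, clears the two bridge findings and leaves only the ether5 mismatch.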
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Problems  [SOLVED]

Wed Feb 17, 2021 7:50 pm

Will echo TDW in most respects

1. Leave the bridge default at pvid=1 and remove ingress filtering for now (I don't use it at my place for my bridge)
/interface bridge
add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes

/interface bridge
add name=Bridge pvid=1 vlan-filtering=yes

2. No need to make an interface list of VLAN as you already have LAN. You also have firewall rules where you identify LAN but have no corresponding member identification.
So......
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=PrivateVLAN list=VLAN
add interface=GuestVLAN list=VLAN
To
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=PrivateVLAN list=LAN
add interface=GuestVLAN list=LAN

3. Your firewall rules are missing some default rules that you should have and perhaps denying some services to the guest LAN!!
Should look like this....
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="Allow Router-ACCESS only for ADMIN" in-interface=PrivateVLAN \
    src-address-list=AdminAccess
(note)
add action=accept chain=input comment="Allow access to router dns services for all users" in-interface-list=LAN \
    dst-port=53 protocol=tcp connection-state=new
add action=accept chain=input comment="Allow access to router dns services for all users" in-interface-list=LAN \
    dst-port=53 protocol=udp connection-state=new

add action=drop chain=input comment=Drop

Note: Create a firewall address list of all the devices you would use to access and config the router, Desktop, laptop, ipad etc.........

{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward comment="VLAN Internet Access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlan access" in-interface=PrivateVLAN out-interface=GuestVLAN src-address-list=AdminAccess

add action=drop chain=forward comment=Drop

I removed this rule because I don't understand its purpose, how it works, or what effects it may have. Let's get a clean config working before getting TOO FANCY!
add action=accept chain=forward comment="Allow Reverse Proxy Access" connection-state=! dst-address=192.168.88.9 in-interface-list=\
VLAN

4. Your Sourcenat rule is incomplete!
From
/ip firewall nat
add action=masquerade chain=srcnat comment=SrcNAT
To
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

Again, I would remove the reverse proxy rule here as well, as I don't understand its purpose or its effects on the config.

5. NOW TO THE MEAT OF VLANS lol.
Looking at your diagram tells me that you have one server that is the root cause of reverse proxy and hairpin nat etc............
I think a better way to manage this would be the following, EASY PEASY, just put the server on a different subnet and you no longer need hairpin NAT!!!!
Vlan30 (for the server) and call it VLANServer
DHCP for this vlan
Address for vlan
pool for vlan
DHCP network for VLAN
Does the Server have different requirements than the private LAN and Guest VLAN? For example, does the server need access to the internet (will traffic actually originate at the server and head out to the internet, or will it only respond to requests)?? Will the SERVER need DNS services???
I would consider adding back your VLAN interface member and only assign the Server VLAN to it, so that you have some additional flexibility in firewall rules once you make this requirement clearer!!!
add interface=VLANServer list=VLAN

6. From the diagram, it seems clear that we have trunk ports on ether2 and ether3 to the Ubiquiti access points to handle both vlans, 20 and 10. I am not sure how Ubiquiti handles the default vlan1, and they both could be hybrid ports, but let's go on the assumption that they act like other vendors; or possibly a hybrid port on ether2 to the Ubiquiti access point, as they are strange beasts.
Ether 4 is an access port on the Server VLAN, untagged, ether5,6,7 are access ports on the private vlan, untagged.
The only ports for the guest vlan are wifi ports.

modify to as follows...............
/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
add bridge=Bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10

/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3 untagged=ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2,ether3 vlan-ids=20
add bridge=Bridge tagged=Bridge untagged=ether4 vlan-ids=30

7. This works for me in terms of wifi using TP-Link access points and MT access points, but I'm unsure about Ubiquiti.
In all cases I set the working LANIP of the devices to be that on the MAIN network in this case the private LAN network.
Your best bet is to get the mac addresses of both ubiquiti units and go to the router and add them as devices with those mac addresses and assign unused fixed IPs from the private vlan.
Then go into the Ubiquiti units and manually assign them those fixed LANIPs as their LAN address.
So I read this......
https://help.ui.com/hc/en-us/articles/219654087

What a mess....... do you use a controller app or program to config these access points? If so is it done from your computer?
Apparently they need an untagged vlan for controlling........... Gets annoyingly complex. They do state afterwards that you can move to a tagged vlan for control.........pfffft

Okay what I would do is create vlan99 - ControllerLAN
dhcp / pool / dhcp network / address, and add it to the bridge as an interface; it will only be noted as follows

/interface bridge port
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether2 pvid=99
add bridge=Bridge comment=defconf ingress-filtering=yes interface=ether3 pvid=99

You could (but it is not necessary) add the following line to the bridge vlan config (it is done automatically in the background by the router, but I like to see it in the config so everything is plainly visible)
add bridge=Bridge tagged=Bridge untagged=ether2,ether3 vlan-ids=99

Then you should be able to use the controller on the private network to access the Access points.
Assuming the controller is on your PC (firewall forward filter rule)
add action=accept chain=forward in-interface=PrivateVLAN src-address-list=AdminAccess out-interface=ControllerLAN

8. Almost forgot your destination nat rule can simply be (AND MISSING PORT NUMBER ON ORIG CONFIG!!)
add action=dst-nat chain=dstnat comment="serveraccess" dst-address-list=PUBLIC-IP protocol=tcp
port=???? to-addresses=192.168.30.9

9. MISSING FIREWALL RULE TO ALLOW PORT FORWARDING.
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
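Added example, not part of anav's post or of RouterOS: a constructed Python model of the input chain laid out in point 3 above (rules 1 to 7), evaluated with RouterOS first-match semantics on sample packets, to show which sources can still reach router services once the admin address list and the DNS-only exception are in place. The AdminAccess host and the guest/WAN addresses are assumed sample values.

```python
# Interface and address lists as assumed for the config above (constructed).
INTERFACE_LISTS = {"LAN": {"PrivateVLAN", "GuestVLAN"}, "WAN": {"pppoe-out1"}}
ADDRESS_LISTS = {"AdminAccess": {"192.168.88.20"}}  # assumed admin workstation

# The recommended input chain, in order; first matching rule wins.
INPUT_CHAIN = [
    {"action": "accept", "connection_state": {"established", "related", "untracked"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "accept", "protocol": "icmp"},
    {"action": "accept", "in_interface": "PrivateVLAN", "src_address_list": "AdminAccess"},
    {"action": "accept", "in_interface_list": "LAN", "protocol": "tcp",
     "dst_port": 53, "connection_state": {"new"}},
    {"action": "accept", "in_interface_list": "LAN", "protocol": "udp",
     "dst_port": 53, "connection_state": {"new"}},
    {"action": "drop"},  # catch-all: anything not explicitly accepted above
]


def packet(in_iface, src, proto, dport=None, state="new"):
    """Build a minimal packet record with the fields the matchers look at."""
    return {"in": in_iface, "src": src, "proto": proto, "dport": dport, "state": state}


def rule_matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet (AND semantics)."""
    if "connection_state" in rule and pkt["state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "dst_port" in rule and pkt["dport"] != rule["dst_port"]:
        return False
    if "in_interface" in rule and pkt["in"] != rule["in_interface"]:
        return False
    if "in_interface_list" in rule and pkt["in"] not in INTERFACE_LISTS[rule["in_interface_list"]]:
        return False
    if "src_address_list" in rule and pkt["src"] not in ADDRESS_LISTS[rule["src_address_list"]]:
        return False
    return True


def evaluate(chain, pkt):
    """Return (action, index of the deciding rule); RouterOS accepts when nothing matches."""
    for idx, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return rule["action"], idx
    return "accept", None


if __name__ == "__main__":
    samples = {
        "guest -> winbox 8291": packet("GuestVLAN", "192.168.25.50", "tcp", 8291),
        "guest -> dns udp 53": packet("GuestVLAN", "192.168.25.50", "udp", 53),
        "private non-admin -> 8291": packet("PrivateVLAN", "192.168.88.100", "tcp", 8291),
        "private admin -> 8291": packet("PrivateVLAN", "192.168.88.20", "tcp", 8291),
        "WAN -> ssh 22": packet("pppoe-out1", "203.0.113.5", "tcp", 22),
    }
    for label, pkt in samples.items():
        print(f"{label:28s} {evaluate(INPUT_CHAIN, pkt)}")
```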
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Wed Feb 24, 2021 12:21 am

Thanks for your detailed post.
I set it up nearly like you suggested and it works fine.
The only problem is the ether3 hybrid port, the hotspot doesn't work.
But I don't think the problem is the router but rather the dlan. I suspect that the dlan is throwing the vlan tags away and doesn't pass them through.
I have the dlan AVM Powerline 1000E and tried to research it but sadly I didn't find any kind of technical documentation about it.
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Problems

Wed Feb 24, 2021 12:32 am

Hmm, good point,
the powerline unit may not pass vlan tags, is what you are thinking??
I missed that in your diagram??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Tropaion
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 6:48 pm

Re: VLAN-Problems

Wed Feb 24, 2021 2:26 pm

Yeah, I forgot to draw the third dlan adapter at ether3 for the Ubiquiti Access Point, could be a bit confusing.
It is ether3 -> DLAN ---- DLAN -> Access Point (tags 1 and 2)
^--- DLAN -> Heater (untagged)
BTW, not that important, but I forgot...I don't use the Ubiquiti AP AC Pros with the original firmware, I installed OpenWrt, so I don't have to use the Ubiquiti server.
 
mkx
Forum Guru
Posts: 5418
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN-Problems

Wed Feb 24, 2021 4:18 pm

I would expect DLAN to be transparent for VLANs (as a dumb switch is; the only requirement is support for a 1504 byte MTU). To rule this out, try to connect the AP directly to ether3 of your mikrotik. If it still doesn't work, then it's a configuration mismatch. If it works with a direct connection but doesn't with DLAN in between, then it's the DLAN which blocks VLANs.
BR,
Metod
