Community discussions

MikroTik App
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Yet another VLAN issues topic...

Sat Apr 03, 2021 9:58 pm

I'm trying to figure out how to migrate from a "regular" setup to a VLAN based one, but honestly I'm struggling to understand the basics, even if I have read a few guides.

I have a RB2011 router which is connected to internet through eth1. I have two bridges on the RB to separate personal devices and IOT devices, and IPs are assigned by two DHCP servers (192.168.10.0/24 and 172.16.1.0/24 respectively). Local devices are connected to internet both by wifi and ethernet. Wifi connection is provided by a Ruckus R700 AP.
What I'd like to achieve is having two VLANS, one for IOT and one for the rest of the devices. Both need internet access but IOT won't be allowed to access other local devices.
Ruckus AP is setup to have two SSID, one for IOT and one for personal devices. I have attached a picture of what is the connection.

Problem is I don't have the least idea on how to migrate this setup to VLANS in order to allow the AP to use the dhcp server on the router and not having to NAT wifi connections...
You do not have the required permissions to view the files attached to this post.
 
erlinden
Forum Veteran
Forum Veteran
Posts: 788
Joined: Wed Jun 12, 2013 1:59 pm

Re: Yet another VLAN issues topic...

Sat Apr 03, 2021 10:32 pm

Start with (only) this great topic:
viewtopic.php?t=143620

It describes a lot of situations and has helped a lot of people on the forum.
First the problem, then the solution
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Sat Apr 03, 2021 10:46 pm

Thank you, that is one of the guides I have read, but believe me or not, I struggle to adapt it...
 
erlinden
Forum Veteran
Forum Veteran
Posts: 788
Joined: Wed Jun 12, 2013 1:59 pm

Re: Yet another VLAN issues topic...

Sat Apr 03, 2021 11:02 pm

Thank you, that is one of the guides I have read, but believe me or not, I struggle to adapt it...
I believe about the struggle...it is a learning curve.

This part relates to your router:
viewtopic.php?t=143620#p706998

Know that there are trunk ports and accessports: trunk ports contain two or more VLAN's, accessports only offer a single VLAN.

To be honest...the switch is really easy: https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example
But my tip: start with the router.
First the problem, then the solution
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Sun Apr 04, 2021 1:26 am

/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Zacharias
Forum Guru
Forum Guru
Posts: 2348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Yet another VLAN issues topic...

Sun Apr 04, 2021 9:21 pm

You can use ether2 on your 2011 as your Trunk port (ether2 must be not be a slave interface)... No need to configure Bridge VLAN filtering on your router...
Just create your VLANs under /interface VLAN (on ether2 port), set addresses on each vlan, create your DHCP server and you are almost done...

Your switch can then be configured using Bridge VLAN filtering...
But ofcorse as @anav suggested, we should see your config...
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Tue Apr 06, 2021 5:40 pm

Thank you guys for the help. I'll try to post an export asap.
In the meantime, if I'm not mistaken, I shoud set both eth1 on the WiFi AP and eth2 on the router as Trunk ports, since I have two VLANS on the AP going through a single ethernet port, right?
Is it necessary configuring VLAN on the switch as well or I can simply configure the router and the access point?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Tue Apr 06, 2021 6:04 pm

Normally one configures the switch for VLANS.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Tue Apr 13, 2021 11:12 pm

I have finally managed to work a little bit on the configuration. It seems it's working... almost.
I modified a little bit the topology:

- Ruckus WiFi AP has two SSIDs, with VLAN ID 10 and 20, configured in "bridged to WAN" mode, and it is connected directly to ether5 on the RB2011, thus bypassing the ethernet switch
- I setup both VLAN 10 and 20 (LAN and IOT respectively) on RB2011 port eth5

I added dhcp pools for the two networks.
The strangest thing is when I try to configure the Ruckus AP via a pc on the LAN network, the connection is extremely slow.

Any suggestion on how I could improve the configuration?
#
# model = 2011UiAS-2HnD

/interface bridge
add comment="IOT Bridge" name=bridge-IOT
add comment="LAN Bridge" name=bridge-LAN
/interface vlan
add interface=ether5 name=vlan10 vlan-id=10
add interface=ether5 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=VLAN
/ip pool
add name=dhcp_pool-LAN ranges=192.168.2.100-192.168.2.160
add name=dhcp_pool-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_pool-IOT ranges=172.16.1.20-172.16.1.100
/ip dhcp-server
add address-pool=dhcp_pool-LAN disabled=no interface=bridge-LAN name=\
    dhcp-LAN
add address-pool=dhcp_pool-IOT disabled=no interface=bridge-IOT name=\
    dhcp-IOT
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=dhcp_pool-vpn
/caps-man manager
set ca-certificate=auto certificate=auto upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
/interface bridge port
add bridge=bridge-LAN comment=defconf disabled=yes interface=ether1
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=vlan10
add bridge=bridge-IOT interface=vlan20
add bridge=bridge-LAN interface=ether5
/ip firewall connection tracking
set tcp-established-timeout=5h
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge-LAN list=LAN
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=request interfaces=wlan1
/ip address
add address=192.168.2.1/24 interface=bridge-LAN network=192.168.2.0
add address=172.16.1.1/24 interface=vlan20 network=172.16.1.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    172.16.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
/ip dns
set cache-size=4096KiB servers=208.67.222.222,208.67.220.220,8.8.8.8
/ip firewall address-list
add address=172.16.1.0/24 list=IOT
add address=192.168.2.0/24 list=LAN
add address=192.168.2.11 comment="IOT allowed" list=IOT-allowed
add address=216.218.206.0/24 list=blacklist
/ip firewall filter
add action=drop chain=input comment="Block from blocklist" log-prefix=\
    "blk from blocklist" src-address-list=blacklist
add action=accept chain=input comment="Allow Ping (icmp)" protocol=icmp
add action=accept chain=input comment="Allow established, related" \
    connection-state=established,related
add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" protocol=\
    ipsec-esp
add action=accept chain=input comment="Allow L2TP VPN (1701, 4500, 500 /udp)" \
    dst-port=1701,4500,500 protocol=udp
add action=accept chain=input comment="Allow CAPSMAN on local interface" \
    dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=drop chain=forward comment="Block from blocklist" src-address-list=blacklist
add action=drop chain=input comment="Deny All input from WAN" \
    in-interface-list=!LAN log-prefix="drop input !LAN"
add action=drop chain=forward comment=\
    "Deny new,invalid,untracked connections" connection-state=\
    invalid,new,untracked in-interface=ether1
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="IOT->LAN allowed IPs" \
    dst-address-list=IOT-allowed src-address-list=IOT
add action=drop chain=forward comment="Blocca IOT ->LAN" dst-address-list=LAN \
    log-prefix="drop fwd IOT-LAN" src-address-list=IOT
add action=accept chain=forward comment=\
    "Allow established,related connections" connection-state=\
    established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="Deny All forward from WAN" \
    in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="Masquerade vpn traffic" \
    src-address=192.168.89.0/24
add action=masquerade chain=srcnat comment="Masquerade IOT network" \
    out-interface=ether1 src-address-list=IOT
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
/ip route
add distance=1 gateway=192.168.1.254
/ppp secret
add name=myname
/system logging
add disabled=yes prefix="IPSECDBG===>" topics=ipsec
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/tool bandwidth-server
set enabled=no
/tool mac-server ping
set enabled=no
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Wed Apr 14, 2021 12:36 am

Still dont see the need for two bridges...............

add bridge=bridge-LAN interface=vlan10
add bridge=bridge-IOT interface=vlan20

is wrong a VLAN is not a bridge port (etherports or WLANs are bridge ports).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Wed Apr 14, 2021 1:09 am

Assuming two vlans, ether2 to ruckus, ether3 to switch, ether 4,5 to PCs etc.....
Ether1 should not be disabled if its going to your WAN, eventually........ once config is done I suppose.
Detect internet set to None (otherwise can cause issues).
Firewall rules.......... suggest you go back to default rules.
Then we can add to them as required.
The only one you will need to add to defaults is
in the forward chain
add chain=forward action=drop in-interface=one-bridge out-interface=vlan10 source-address=subnetofvlan20
In source nat rule you do not need a separate rule for IOT devices.

YOU WERE MISSING bridge vlan settings too!!
/interface bridge
add  name=one-one-bridge
/interface vlan
add interface=one-bridge name=homevlan10 vlan-id=10
add interface=one-bridge name=iotvlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=VLAN
/ip pool
add name=dhcp_pool-homeLAN ranges=192.168.2.100-192.168.2.160
add name=dhcp_pool-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_pool-IOTLAN ranges=172.16.1.20-172.16.1.100
/ip dhcp-server
add address-pool=dhcp_pool-homeLAN disabled=no interface=one-bridge name=\
    dhcp-LAN
add address-pool=dhcp_pool-IOTLAN disabled=no interface=bridge-IOT name=\
    dhcp-IOT
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=dhcp_pool-vpn
/caps-man manager
set ca-certificate=auto certificate=auto upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
/interface bridge port
add bridge=one-bridge comment=defconf disabled=yes interface=ether1  
add bridge=one-bridge interface=ether2 allow only tagged frames ingress filtering=yes {goes to ruckus)}
add bridge=one-bridge interface=ether3  allow only tagged frames ingress filtering=yes (goes to switch)
add bridge=one-bridge interface=ether4  pvid=10 only allow priority or untagged frames  ingress filtering=yes
add bridge=one-bridge interface=ether5  pvid=10 only allow priority or untagged frames  ingress filtering=yes
/interface bridge vlans
add bridge=one-bridge tagged=one-bridge,eth2,eth3  untagged=ether4,ether5  vlan-ids=10
add bridge=one-bridge tagged=one-bridge,eth2 vlan-ids=20
/ip firewall connection tracking
set tcp-established-timeout=5h
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet  {DE}
set detect-interface-list=NONE  
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=one-bridge list=LAN
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=request interfaces=wlan1
/ip address
add address=192.168.2.1/24 interface=homeLAN10 network=192.168.2.0
add address=172.16.1.1/24 interface=IOTLAN20 network=172.16.1.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    172.16.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24  {DNS SERVER ????????????}
/ip dns
set cache-size=4096KiB servers=208.67.222.222,208.67.220.220,8.8.8.8
/ip firewall address-list
add address=172.16.1.0/24 list=IOT
add address=192.168.2.0/24 list=LAN
add address=192.168.2.11 comment="IOT allowed" list=IOT-allowed
add address=216.218.206.0/24 list=blacklist
/ip firewall filter
{USE DEFAULT FIREWALL RULES}
{ADD to forward chain,--- drop vlan20 to vlan10 traffic }
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="Masquerade vpn traffic" \
    src-address=192.168.89.0/24
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Wed Apr 14, 2021 10:35 am

Thank you for thaking so much time to help me ;)
I'll try your suggestions as soon as possible.
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Fri Apr 16, 2021 2:48 pm

Mmm something is not clear...
You create only one bridge, but then you assign two dhcp-servers to two bridges:
/ip dhcp-server
add address-pool=dhcp_pool-homeLAN disabled=no interface=one-bridge name=\
    dhcp-LAN
add address-pool=dhcp_pool-IOTLAN disabled=no interface=bridge-IOT name=\
    dhcp-IOT
I cannot assign two separate dhcp-servers to the same bridge, so this seems correct, but conflicts with the initial statement you only need one bridge for the VLANs...

What is the correct setup?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Fri Apr 16, 2021 10:19 pm

OOPS thats a typo from doing so many versions of setups for so many posts LOL.

Let me fix it for you.
/ip dhcp-server
add address-pool=dhcp_pool-homeLAN disabled=no interface=homevlan10 name=\
dhcp-home
add address-pool=dhcp_pool-IOTLAN interface=iotvlan20 name=\
dhcp-IOT
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Sun Apr 18, 2021 9:10 pm

I feel very dumb, but this is still not working :)

I have WAN on ether1 (192.168.1.2), Ruckus on ether2, switch on ether3.
Switch is setup as to have VLAN ID 10 on all port connected to home PCs and on port 24 which is connected to Router's ether3.
Firewall is default 3 rules.

From my pc I cannot access any other pc on my LAN nor the Router. I can access Ruckus AP. From wifi I can access only devices connected to wifi.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-RUCKUS
set [ find default-name=ether3 ] name=ether3-SWITCH
set [ find default-name=ether6 ] name=ether6-ADMIN

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/interface list
add name=WAN
add name=LAN
add name=ADMIN

/ip pool
add name=dhcp_LAN ranges=192.168.2.100-192.168.2.160
add name=dhcp-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_IOT ranges=172.16.1.20-172.16.1.100

/ip dhcp-server
add address-pool=dhcp_LAN disabled=no interface=vlan10 name=dhcp-LAN
add address-pool=dhcp_IOT disabled=no interface=vlan20 name=dhcp-IOT

/interface bridge port
add comment=defconf disabled=yes interface=ether1-WAN
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2-RUCKUS
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-SWITCH
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10

/ip firewall connection tracking
set tcp-established-timeout=5h

/ip neighbor discovery-settings
set discover-interface-list=none

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS vlan-ids=20

/interface list member
add interface=ether1-WAN list=WAN
add interface=ether6-ADMIN list=ADMIN
add interface=bridge1 list=LAN

/ip address
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
add address=172.16.1.1/24 interface=vlan20 network=172.16.1.0
add address=192.168.1.2/24 interface=ether1-WAN network=192.168.1.0
add address=10.10.0.1/24 interface=ether6-ADMIN network=10.10.0.0

/ip dhcp-client
add comment=defconf interface=ether1-WAN

/ip dns
set cache-size=4096KiB servers=208.67.222.222,208.67.220.220,8.8.8.8

/ip firewall address-list
add address=172.16.1.0/24 list=IOT
add address=192.168.2.0/24 list=LAN
add address=192.168.2.11 comment="IOT allowed" list=IOT-allowed
add address=10.10.0.0/24 list=Admin

/ip firewall filter
add action=accept chain=input comment="Allow input on ether-6 for Administration" in-interface=ether6-ADMIN src-address-list=Admin
add action=accept chain=input comment="Allow established, related" connection-state=established,related
add action=drop chain=input comment="Deny All input from WAN" in-interface-list=!LAN log-prefix="drop input !LAN"
add action=drop chain=forward comment="Deny new,invalid,untracked connections" connection-state=invalid,new,untracked in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat comment="Masquerade vpn traffic" src-address=192.168.89.0/24
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Sun Apr 18, 2021 9:39 pm

Hard to follow but Okay I think I understand what you are trying to do.
Last edited by anav on Sun Apr 18, 2021 9:54 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Sun Apr 18, 2021 9:54 pm

You are correct, ether6 is just an emergency access because I locked myself out of the router so many times, it was getting boring :)

The idea is having the router providing internet access to all the ethernet device in the house, separate IOT devices from the rest of the PCs, provide internet access to wifi devices connected to Ruckus AP through ether2 on the router itself, and provide firewall protection to all of this. All the PCs of the house are connected to the Routher through a switch, as in the scheme in my first post.
This is something which was working perfectly until I had to convert to VLANs because that's what's needed by the WiFi AP.
Last edited by settecplus on Sun Apr 18, 2021 9:58 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Sun Apr 18, 2021 9:55 pm

Okay So with that in mind, I will assume ether6 on the router is an available port that is not actuallly hooked up to your PC all the time and that regularly you manage the network from a PC on vlan10.

Will post the config shortly. The firewall rules need work, for example you made a specific rule for admin access to the router but in another rule (default rule) allow everyone on the LAN access to the router. Once you start configuring one has to adjust the default rules as required.
Assuming 4 and 5 are PCs attached to the ROUTER on vlan10.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-RUCKUS
set [ find default-name=ether3 ] name=ether3-SWITCH
set [ find default-name=ether3 ] name=ether4-general_use
set [ find default-name=ether3 ] name=ether5-my_pc
set [ find default-name=ether6 ] name=ether6-EMERG

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/interface list
add name=WAN
add name=LAN
add name=MGMT

/ip pool
add name=dhcp_LAN ranges=192.168.2.100-192.168.2.160
add name=dhcp-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_IOT ranges=172.16.1.20-172.16.1.100
add name=dhcp-emerg ranges=10.10.0.2-10.10.0.5

/ip dhcp-server
add address-pool=dhcp_LAN disabled=no interface=vlan10 name=dhcp-LAN
add address-pool=dhcp_IOT disabled=no interface=vlan20 name=dhcp-IOT
add address-pool=dhcp_emerg disabled=no interface=ethernet6-EMERG name=emer-server

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=172.16.1.0/24 dns-server=172.16.1.1 gateway=172.16.1.1
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2-RUCKUS
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-SWITCH
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4-general_use pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5-my_pc pvid=10

/ip firewall connection tracking
set tcp-established-timeout=5h

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH untagged=ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS vlan-ids=20

{It is also correct not to enter the untagged vlans as the router will automatically insert them however I like to manually do them as a visual crosscheck when making the config and later whenever checking the config}
{add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH  vlan-ids=10   -  also legit   }
{add bridge=bridge1 tagged=bridge1,ether2-RUCKUS vlan-ids=20  }

/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge1 list=LAN
add interface=ether6-EMERG list=LAN
add interface=ether6-EMERG list=MGMT
add interface=vlan10 list=MGMT

/ip address
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
add address=172.16.1.1/24 interface=vlan20 network=172.16.1.0
add address=192.168.1.2/24 interface=ether1-WAN network=192.168.1.0
add address=10.10.0.1/24 interface=ether6-EMERG network=10.10.0.0

/ip dhcp-client
add comment=defconf interface=ether1-WAN

/ip dns
set cache-size=4096KiB servers=208.67.222.222,208.67.220.220,8.8.8.8

/ip firewall address-list
add address=192.168.2.11 comment="IOT allowed" list=IOT-allowed   {okay this makes sense, its not covered by an interface and is specific, however I didn't see when you use it?? }
add address=IP of Admin Desktop (on vlan10) list=AdminAccess
add address=IP of Admin Laptop (on vlan10) list=AdminAccess
add address=IP of Admin Smartphone (on vlan10) list=AdminAccess
add address=IP of Admin Desktop/laptop (on ethernet-6_EMERG) list=AdminAccess

/ip firewall filter
{NEEDS WORK!}
{input chain}
add action=accept chain=input connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow admin access" in-interface-list=MGMT source-address-list=AdminAccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN Traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \  {disable if not using}
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="MGMT access to all subnets" \
    in-interface-list=MGMT out-interface-list=LAN  source-address-list=AdminAccess
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="Masquerade vpn traffic" src-address=192.168.89.0/24
....

As for the switch pretty simple. You will note two options for bridge vlan filtering as the bridge will automatically create the untagged ports when required.
I prefer to manually insert them as a cross check when doing my config and later when checking my config.
/interface bridge port
add bridge=bridgeSW frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether24-router
add bridge=bridgeSW frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=10
{repeat for all other bridge ports}

/interface bridge vlan
add bridge=bridgeSW tagged=bridgeSW,ether24-router  vlan-ids=10    {if prefer the automated constructiond}
OR ...........
add bridge=bridgeSW tagged=bridgeSW,ether24-router untagged=eth1,eth2,eth2....ethR  vlan-ids=20
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Mon Apr 19, 2021 11:10 pm

Thank you for the great amount of work you did to help...

Unfortunatly, and inexplicably, it still doesn't work correctly. Devices connected by ethernet to VLAN10 are unreacheable.
I'm gonna try tomorrow, a fresh reset and a total reconfiguration may help, hopefully.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Tue Apr 20, 2021 12:51 am

Thank you for the great amount of work you did to help...

Unfortunatly, and inexplicably, it still doesn't work correctly. Devices connected by ethernet to VLAN10 are unreacheable.
I'm gonna try tomorrow, a fresh reset and a total reconfiguration may help, hopefully.
Why, you didnt post the config to show what you have done!
Post it and I will take a look!!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Tue Apr 20, 2021 2:59 pm

You are welcome:
#  RouterOS 6.48.1

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-RUCKUS
set [ find default-name=ether3 ] name=ether3-SWITCH
set [ find default-name=ether6 ] name=ether6-ADMIN
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=ADMIN
add name=VLAN
/ip pool
add name=dhcp_LAN ranges=192.168.2.100-192.168.2.160
add name=dhcp-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_IOT ranges=172.16.1.20-172.16.1.100
/ip dhcp-server
add address-pool=dhcp_LAN disabled=no interface=vlan10 name=dhcp-LAN
add address-pool=dhcp_IOT disabled=no interface=vlan20 name=dhcp-IOT
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=dhcp-vpn
/caps-man manager
set ca-certificate=auto certificate=auto upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no
/interface bridge port
add comment=defconf disabled=yes interface=ether1-WAN
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2-RUCKUS
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether3-SWITCH
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
/ip firewall connection tracking
set tcp-established-timeout=5h
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH untagged=ether4 \
    vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS vlan-ids=20
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1-WAN list=WAN
add interface=ether6-ADMIN list=ADMIN
add interface=bridge1 list=LAN
add interface=ether6-ADMIN list=LAN
add interface=vlan10 list=ADMIN
add interface=vlan20 list=VLAN
add interface=vlan10 list=VLAN
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=request interfaces=wlan1
/ip address
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
add address=172.16.1.1/24 interface=vlan20 network=172.16.1.0
add address=192.168.1.2/24 interface=ether1-WAN network=192.168.1.0
add address=10.10.0.1/24 interface=ether6-ADMIN network=10.10.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    172.16.1.1 netmask=24
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.2.1 netmask=24
/ip dns
set cache-size=4096KiB servers=208.67.222.222,208.67.220.220,8.8.8.8
/ip firewall address-list
add address=172.16.1.0/24 list=IOT
add address=192.168.2.0/24 list=LAN
add address=192.168.2.11 comment="IOT allowed" list=IOT-allowed
add address=10.10.0.0/24 list=Admin
/ip firewall filter
add action=drop chain=input comment="Block from blocklist" log-prefix=\
    "blk from blocklist" src-address-list=blacklist
add action=accept chain=input comment=\
    "Allow input on ether-6 for Administration" in-interface=ether6-ADMIN \
    src-address-list=Admin
add action=accept chain=input comment="Allow established, related" \
    connection-state=established,related
add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" protocol=\
    ipsec-esp
add action=accept chain=input comment="Allow L2TP VPN (1701, 4500, 500 /udp)" \
    dst-port=1701,4500,500 protocol=udp
add action=drop chain=input comment="Deny All input from WAN" \
    in-interface-list=!LAN log-prefix="drop input !LAN"
add action=drop chain=forward comment="Block from blocklist" log=yes \
    log-prefix="blk to blocklist" src-address-list=blacklist
add action=drop chain=forward comment=\
    "Deny new,invalid,untracked connections" connection-state=\
    invalid,new,untracked in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="IOT->LAN allowed IPs" \
    dst-address-list=IOT-allowed src-address-list=IOT
add action=drop chain=forward comment="Block IOT ->LAN su VLAN" \
    in-interface=vlan20 log=yes log-prefix="Drop VLAN20 to VLAN10" \
    out-interface=vlan10
add action=accept chain=forward comment=\
    "Allow established,related connections" connection-state=\
    established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="Deny All forward from WAN" \
    in-interface=ether1-WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat comment="Masquerade vpn traffic" \
    src-address=192.168.89.0/24
/ip route
add distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api address=192.168.2.11/32
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/lcd
set default-screen=stats-all enabled=no
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add name=luc
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Router
/system logging
add disabled=yes prefix="IPSECDBG===>" topics=ipsec
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=ADMIN
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool mac-server ping
set enabled=no
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6859
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Yet another VLAN issues topic...

Tue Apr 20, 2021 7:28 pm

So far all looks good...... but not for long

(1) Dont see this used often?? Purpose?
/ip firewall connection tracking
set tcp-established-timeout=5h

(2) Missing Ether5 if you want to manually insert the untagged vlans (which I prefer)
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH untagged=ether4,ether5 \
vlan-ids=10

OR this is correct as well (as router dynamically creates them when required)..

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-RUCKUS,ether3-SWITCH vlan-ids=10

(3) MISSING EMERG LAN setup. NOTE, Change ether6-ADMIN to ether6-emerg as its far less confusing, as you have created an interface group called ADMIN and also a source address list with the the word ADMIN. I would refrain from using same nomenclature when it creates confusion.
/ip pool
add name=dhcp_LAN ranges=192.168.2.100-192.168.2.160
add name=dhcp-vpn ranges=192.168.89.100-192.168.89.140
add name=dhcp_IOT ranges=172.16.1.20-172.16.1.100

add name=dhcp-emerg ranges=10.10.0.2-10.10.0.5
/ip dhcp-server
add address-pool=dhcp_LAN disabled=no interface=vlan10 name=dhcp-LAN
add address-pool=dhcp_IOT disabled=no interface=vlan20 name=dhcp-IOT

add address-pool=dhcp_emerg interface=ether6-emerg name=emerg_server
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
172.16.1.1 netmask=24
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.2.1 netmask=24

add address=10.10.0.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
10.10.0.1 netmask=24


(4) Firewall rules - as reccomended you should reset to defaults and start over. They are a mess.

for example why even bother with this rule?????????????????
add action=accept chain=input comment=\
"Allow input on ether-6 for Administration" in-interface=ether6-ADMIN \

When later on you have this rule...........
add action=drop chain=input comment="Deny All input from WAN" \
in-interface-list=!LAN log-prefix="drop input !LAN"

CLUE: If you don't understand the question, it means you dont understand firewall rules and should SET DEFAULTS until you learn them.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
settecplus
just joined
Topic Author
Posts: 24
Joined: Tue Oct 30, 2012 12:03 pm

Re: Yet another VLAN issues topic...

Tue Apr 20, 2021 9:57 pm

Anav, thank you once again for your help. Unfortunately the configuration is still not working.
Adding a dhcp server to emergency port is certainly useful but won't change the fact that I cannot access ethernet devices from VLAN10.
Port 5 on the router is not used so its configuration is no big deal.
I do agree firewall rules are a bit messed up (btw, I do understand them, mostly :) ), that's because the current configuration has been reworked many times. In any case I even tried disconnecting the WAN port and removing all the firewall rules with no apparent improvement, so in the end, the configuration while correct is not working and I'm clueless :)

The switch has been configured as per mikrotik suggestion here: https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example
I added all the ethernet ports to VLAN10 just for testing.

Who is online

Users browsing this forum: No registered users and 47 guests