Community discussions

 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Complicated VLAN setup

Sat Jul 02, 2016 2:30 am

Hi all,

I'm relatively new to RouterOS and even though I've been reading the manuals for a couple of days now I'm still no closer to getting my 951g-2HnD to do what I had imagined. I'm working on my parents' network in a smallish hotel. It has a Mikrotik 951g-2HnD router with a bunch of APs and some wired clients but most importantly the occasional couple dozen guests on WiFi. Right now every computer is on the same (unsecured) network and that is of course foolish.
What I would like to do is separate hotel management computers from the public network with VLANs and give those VLANs different priority to insure that no matter how many guests are using the public WiFi, management PCs will always get a minimum guaranteed bandwidth.

This is what I would like to achieve (larger image):
Image
The TP-Link access points (building 2) can do VLAN tagging for each SSID and the unmanaged switch should pass VLAN tags (if it doesn't I'll get a managed one) so eth3 on the Mikrotik router must be configured a trunk port. The TP-Link router configured as an AP (building 1) can't manage VLANs so eth5 should be tagged on ingress, eth2 and eth4 must also be tagged on ingress. eth1 is configured as static IP and put in the DMZ of the ISP-issued router. (I know, double NAT-ing isn't fortunate and I'll try to fight it with our ISP however at the moment without their router our phone lines don't work.)

Traffic priority aside (maybe with queues one day?) how do I go about setting up the VLANs? Do I create two switches for the two VLANs? Can I put the two VLANs on different subnets? How can I make sure that the PC on eth4 gets it's packets tagged so it can see some other device that is connecting through the "tagging" APs in building 2? I've been reading manpages for days but I still don't see the underlying structure.

If someone could shed some on this I would appreciate that.

cheers,
David
 
Revelation
Member
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Complicated VLAN setup

Sat Jul 02, 2016 9:31 pm

Couple of things:

The unmanaged switch, most likely, cannot have a single port working as a trunk. Most likely the ports can only be access ports, thus you could not trunk multiple vlans to the switch. 

As far as the bandwidth goes, you can use qos, policies and or queues to obtain your goals. I've done QoS on Cisco gear, just not on Mikrotik; so I am not the best resource to walk your through those steps if you wish to go that route. Depending on how you want to set it up, simple queues may be an easy approach for you. You can create a queue for the guest wireless and create a maximum amount of bandwidth the network as a whole can use. 

QoS would allow the router to dynamically ensure that your management network has enough bandwidth available and when there is "free" bandwidth the guest wireless can use more. 

The two vlans can be and should be on different subnets. What I would do is create a bridge for each vlan, assign the appropriate vlan-ids and create an IP address for the vlans. 
/interface bridge
add name="bridge_vlan100"
add name="bridge_vlan200"

/interface vlan
add name=vlan200_bridge interface=bridge_vlan200 vlan-id=200
add name=vlan100_bridge interface=bridge_vlan100 vlan-id=100
add name=vlan200_eth4 interface=ether4 vlan-id=200
add name=vlan200_eth2 interface=ether2 vlan-id=200
add name=vlan100_eth5 interface=ether5 vlan-id=100
add name=vlan200_eth3 interface=ether3 vlan-id=200
add name=vlan100_eth3 interface=ether3 vlan-id-100

/ip address
add interface=vlan200_bridge address=10.10.200.1/24
add interface=vlan100_bridge address=10.10.100.1/24

/interface bridge port
add interface=vlan200_eth4 bridge=bridge_vlan200
add interface=vlan200_eth2 bridge=bridge_vlan200
add interface=vlan100_eth5 bridge=bridge_vlan100
add interface=vlan200_eth3 bridge=bridge_vlan200
add interface=vlan100_eth3 bridge=bridge_vlan100

The last two lines under interface bridge port are an example of how trunks can be created on Mikrotik. Whether or not you need to tag will greatly depend on the vendor you choose to go on the other end of your trunk link. 
Last edited by Revelation on Sat Jul 02, 2016 9:34 pm, edited 2 times in total.
 
Revelation
Member
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Complicated VLAN setup

Sat Jul 02, 2016 9:33 pm

After you did all of that you will need to look at firewall rules to prevent the two networks from "speaking" with each other. You will then need to look at queues or QoS to achieve your desired results for bandwidth management. 
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Sat Jul 02, 2016 10:58 pm

Thank you I'll do this and let you know how it went. What should I be looking out for with the firewall? NAT masqurade or something more sinister? I only have basic security set up (eg. port scanner and ssh bruteforce drop) and some port forwards.

David
 
Revelation
Member
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Complicated VLAN setup

Sat Jul 02, 2016 11:38 pm

Thank you I'll do this and let you know how it went. What should I be looking out for with the firewall? NAT masqurade or something more sinister? I only have basic security set up (eg. port scanner and ssh bruteforce drop) and some port forwards.

David
For the firewall, you will want to have a rule that denies the traffic between the networks. 
Example:
 chain=forward action=drop src-address=10.10.100.0/24 dst-address=10.10.200.0/24 log=no log-prefix=""
 chain=forward action=drop src-address=10.10.200.0/24 dst-address=10.10.100.0/24 log=no log-prefix=""

That will prevent the two networks from "talking" to each other, you will want to place the at the top of your Firewall rule set. 
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Sat Jul 02, 2016 11:47 pm

neat, thanks
 
User avatar
k6ccc
Member
Member
Posts: 480
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Complicated VLAN setup

Sun Jul 03, 2016 12:49 am

Nice of you to include a graphic of what you are trying to accomplish.  Makes it SO MUCH easier.

Agreed that the unmanaged switch won't likely play well with VLAN traffic.  Go buy a 260GS (since we're in the MikroTik family).  It will handle the gigibit and VLANs just fine for you and they are inexpensive.

Let us all know how the project is going.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Mon Jul 04, 2016 8:11 pm

Hi there, I tried what you guys said
...
and I'm totally confused.

I did everything Revelation wrote and as far as I can tell nothing has changed. Computers can still see each other and the subnet is still 192.168.88.0/24.
I've also added two new DHCP servers and IP pools (10.10.100.0/24 and 10.10.200.0/24) but that didn't change anything either and they're shown in red.

My best guess is that some previous settings take precedence but that's as far as I can tell. Here's some ways I managed to break things maybe it'll give you some pointers:
  • disabled bridge-local (bridging eth2-4 and wifi) and everybody lost internet connection
  • started tagging wlan with tag 100 and all the packets seemed to be dropped after that
interface wireless set 0 vlan-mode=use-tag vlan-id=100
  • turned on VLAN tagging on the TP-Link APs and same story (maybe the switch passes tags? it does advertise handling jumbo packets)
  • removed eth2-master from bridge-local (lost internet)
  • that's what I can remember but I'm sure I broke it in many more ways... also I did ipconfig /release and /renew after each one to see if my IP change
I would really like to understand why things are happening I usually suck these things right up but every time I think I understand something RouterOS goes ahead and surprises me. I really appreciate you guys helping :)

I'm guessing you will need me to give you some connfig data so here is all of them:
add admin-mac=D4:CA:6D:06:F2:C7 auto-mac=no mtu=1500 name=bridge-local
add name=bridge_vlan100
add name=bridge_vlan200
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment=WiFi country=hungary disabled=no distance=indoors mode=ap-bridge ssid=[redacted] vlan-id=100 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=Internet name=ether1-gateway
set [ find default-name=ether2 ] comment="POS terminal" name=ether2-master-local
set [ find default-name=ether3 ] comment="2-es epulet" master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] comment=Net-Porta master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] comment="TV-s szoba" master-port=ether2-master-local name=ether5-slave-local
/interface wireless manual-tx-power-table
set wlan1 comment=WiFi
/interface wireless nstreme
set wlan1 comment=WiFi
/ip neighbor discovery
set ether1-gateway comment=Internet
set ether2-master-local comment="POS terminal"
set ether3-slave-local comment="2-es epulet"
set ether4-slave-local comment=Net-Porta
set ether5-slave-local comment="TV-s szoba"
set wlan1 comment=WiFi discover=no
/interface vlan
add interface=bridge_vlan100 name=vlan100_bridge vlan-id=100
add interface=ether3-slave-local name=vlan100_eth3 vlan-id=100
add interface=ether5-slave-local name=vlan100_eth5 vlan-id=100
add interface=bridge_vlan200 name=vlan200_bridge vlan-id=200
add interface=ether2-master-local name=vlan200_eth2 vlan-id=200
add interface=ether3-slave-local name=vlan200_eth3 vlan-id=200
add interface=ether4-slave-local name=vlan200_eth4 vlan-id=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik wpa-pre-shared-key=[redacted] wpa2-pre-shared-key=[redacted]
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.240
add name=pool_vlan100 ranges=10.10.100.10-10.10.100.240
add name=pool_vlan200 ranges=10.10.200.10-10.10.200.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=2h name=default
add address-pool=pool_vlan100 disabled=no interface=bridge_vlan100 lease-time=2h name=dhcp_vlan100
add address-pool=pool_vlan200 disabled=no interface=bridge_vlan200 lease-time=1d name=dhcp_vlan200
/snmp community
add addresses=192.168.88.0/24 name=[redacted] write-access=yes
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge_vlan100 interface=vlan100_eth5
add bridge=bridge_vlan200 interface=vlan200_eth3
add bridge=bridge_vlan100 interface=vlan100_eth3
add bridge=bridge_vlan200 interface=vlan200_eth4
add bridge=bridge_vlan200 interface=vlan200_eth2
/ip address
add address=192.168.88.251/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
add address=192.168.1.60/24 interface=ether1-gateway network=192.168.1.0
add address=10.10.200.1/24 interface=vlan200_bridge network=10.10.200.0
add address=10.10.100.1/24 interface=vlan100_bridge network=10.10.100.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=192.168.88.246 always-broadcast=yes client-id=1:0:19:d2:ae:41:ef comment[redacted] mac-address=00:19:D2:AE:41:EF server=default
add address=192.168.88.244 client-id=1:e4:98:d1:4d:89:74 comment="David's Windows Phone" mac-address=E4:98:D1:4D:89:74 server=default
/ip dhcp-server network
add address=10.10.200.0/24 dns-server=10.10.200.1 gateway=10.10.200.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.251 gateway=192.168.88.251 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.251 name=router
add address=192.168.1.254 name=speedport.ip
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP/NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" src-address-list="port scanners"
add action=drop chain=input comment="Drop SSH bruteforcers" dst-port=22,6513,4952 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22,6513,4952 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22,6513,4952 protocol=tcp src-address-list=\
    ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22,6513,4952 protocol=tcp src-address-list=\
    ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,6513,4952 protocol=tcp
add chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment="default configuration - accept ICMP" protocol=icmp
add chain=input comment="remote SSH" dst-port=[redacted] protocol=tcp
add chain=input comment="remote Winbox" disabled=yes dst-port=[redacted] protocol=tcp
add chain=input comment="default configuration - accept establilshed" connection-state=established
add chain=input comment="default configuration - accept related" connection-state=related
add action=drop chain=input comment="default configuration - drop all else" in-interface=ether1-gateway
add chain=forward comment="default configuration - forward establilshed" connection-state=established
add chain=forward comment="default configuration - forward related" connection-state=related
add action=drop chain=forward comment="default configuration - drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
/ip route
add distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=no
set ftp disabled=yes
set www port=220
set ssh port=[redacted]
set api disabled=yes
set winbox port=[redacted]
/snmp
set contact=admin@[redacted] location=2es_epulet trap-community=[redacted] trap-interfaces=ether3-slave-local trap-target=192.168.88.252
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Budapest
/system identity
set name=[redacted]
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=148.6.0.1 secondary-ntp=198.123.30.132
/system scheduler
add interval=15m name=DDNS on-event="/system script run DDNS" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jul/13/2014 start-time=13:45:00
/system script
add name=wb_disable owner=admin policy=ftp,read,write,policy source=\
    "ip firewall filter disable [/ip firewall filter find comment=\"remote Winbox\"]\r\
    \nuser disable remoteWinbox"
add name=wb_enable owner=admin policy=ftp,read,write,policy source=\
    "ip firewall filter enable [/ip firewall filter find comment=\"remote Winbox\"]\r\
    \nuser enable remoteWinbox"
add name=DDNS owner=admin policy=ftp,read,write,test source="# Set needed variables\r\
    \n:local username \"[redacted]\"\r\
    \n:local password \"[redacted]\"\r\
    \n:local hostname \"[redacted].dlinkddns.com\"\r\
    \n\r\
    \n:global dyndnsForce\r\
    \n:global previousIP \r\
    \n\r\
    \n# print some debug info\r\
    \n:log info (\"UpdateDynDNS: username = \$username\")\r\
    \n#:log info (\"UpdateDynDNS: password = \$password\")\r\
    \n:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
    \n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-path=\"/dyndns.checkip.html\"\r\
    \n:delay 1\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - useful for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html\r\
    \n\r\
    \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n   :set dyndnsForce false\r\
    \n   :set previousIP \$currentIP\r\
    \n   :log info \"\$currentIP or \$previousIP\"\r\
    \n   /tool fetch user=\$username password=\$password mode=http address=\"members.dyndns.org\" \\\r\
    \n      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$currentIP&wildcard=no\" \\\r\
    \n      dst-path=\"/dyndns.txt\"\r\
    \n   :delay 1\r\
    \n   :local result [/file get dyndns.txt contents]\r\
    \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n   :put (\"Dyndns Update Result: \".\$result)\r\
    \n} else={\r\
    \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\

    \n}"


/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
EDIT: added empty lines to space out text
 
Revelation
Member
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Complicated VLAN setup

Mon Jul 04, 2016 9:33 pm

I did everything Revelation wrote and as far as I can tell nothing has changed. Computers can still see each other and the subnet is still 192.168.88.0/24.
I've also added two new DHCP servers and IP pools (10.10.100.0/24 and 10.10.200.0/24) but that didn't change anything either and they're shown in red.
That's because you have the 192.168.88.0 network assigned to inter ether2 and made it a master port for other ports. 
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Mon Jul 04, 2016 10:22 pm

Alright, I'll delete that. Do I also set all ports as masters?
How about DHCP, was that redundant?

David
 
Revelation
Member
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Complicated VLAN setup

Tue Jul 05, 2016 2:43 am

Alright, I'll delete that. Do I also set all ports as masters?
How about DHCP, was that redundant?

David
No, don't setup any master ports for now. A single DHCP with separate pools will work just fine. 
 
patrickmkt
Member Candidate
Member Candidate
Posts: 157
Joined: Sat Jul 28, 2012 5:21 pm

Re: Complicated VLAN setup

Tue Jul 05, 2016 3:11 am

do you need to have eth2 and eth4 tagged? is your POS and front desk PC playing well with VLAN?

My initial thoughts on your setup would be to setup two bridges: one for management and one for public. You will be using a bit more cpu compare to the switch chip but will have much more control of your traffic.

On eth3 I would create the two VLAN eth3-VLAN200 and eth3-VLAN100.

on bridge_management I would add eth2, eth4, eth3-VLAN200, and WLAN_private
on bridge_public I would add eth5, eth3-VLAN100 and WLAN_public

You create a NAT masquerade src for both bridge_management and bridge_public
In your filter rules you have an accept forward from bridge_management to eth1 and from bridge_public to eth1.
If you have the correct drop for everything else that should be ok, but you may want to be more explicit by adding a drop forward from bridge_public to bridge_management.

I would then create two dhcp server; one for bridge_management and one for bridge_public with each their own subnet.

For the QOS you can then create your queues for each bridge going out to eth1.
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Wed Jul 06, 2016 1:45 pm

Hi,

I tried what patrickmkt suggested because it seemed really straightforward. I created the bridges and assigned ports to it (not every port so far). However I cannot create srcnat between a bridge and the ehter1 interface:
[admin@Mikrotik] /ip firewall nat> add chain=srcnat in-interface=bridge-management out-interface=ether1-gateway action=masquerade
failure: ingoing interface matching not possible in output and postrouting chains
And to clarify:
Image

If ether3 will start receiving taged packets instead of untagged then in this setup the two VLANs will be separated? If yes then I might finally start to understand things!

cheers,
David
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Wed Jul 06, 2016 2:17 pm

Never mind that, I fiddled around with the DHCP server and it seems to be working now. I accidentally set the IP pool to start from 10.10.200.0.

I have a new question however concerning the VLANing APs. Packets from the wifi are getting tagged however I don't think it can tag management packets. Can I do the following:
[admin@Mikrotik] /interface bridge port> add interface=ether3-master bridge=bridge-management
[admin@Mikrotik] /interface bridge port> add interface=eth3_VLAN100 bridge=bridge-public
[admin@Mikrotik] /interface bridge port> add interface=eth3_VLAN200 bridge=bridge-privat
and have the following results:
  • WLAN-Public packets go to bridge-public
  • WLAN-Privat packets go to bridge-management
  • I can access the router webUI from management network but not the public one
David
 
patrickmkt
Member Candidate
Member Candidate
Posts: 157
Joined: Sat Jul 28, 2012 5:21 pm

Re: Complicated VLAN setup

Wed Jul 06, 2016 4:06 pm

Hi,

I tried what patrickmkt suggested because it seemed really straightforward. I created the bridges and assigned ports to it (not every port so far). However I cannot create srcnat between a bridge and the ehter1 interface:
[admin@Mikrotik] /ip firewall nat> add chain=srcnat in-interface=bridge-management out-interface=ether1-gateway action=masquerade
failure: ingoing interface matching not possible in output and postrouting chains
Remove the in-interface. Masquerade only have an out interface.
http://wiki.mikrotik.com/wiki/Manual:IP ... Masquerade
 
patrickmkt
Member Candidate
Member Candidate
Posts: 157
Joined: Sat Jul 28, 2012 5:21 pm

Re: Complicated VLAN setup

Wed Jul 06, 2016 4:13 pm


I have a new question however concerning the VLANing APs. Packets from the wifi are getting tagged however I don't think it can tag management packets. Can I do the following:
[admin@Mikrotik] /interface bridge port> add interface=ether3-master bridge=bridge-management
[admin@Mikrotik] /interface bridge port> add interface=eth3_VLAN100 bridge=bridge-public
[admin@Mikrotik] /interface bridge port> add interface=eth3_VLAN200 bridge=bridge-privat
and have the following results:
  • WLAN-Public packets go to bridge-public
  • WLAN-Privat packets go to bridge-management
  • I can access the router webUI from management network but not the public one
David
I don't understand what you are trying to achieve. Why do you want a management network in that situation ? To access from where? To access what?
Your upstairs AP does not support VLAN and you will have to access it through the eth5 that has no vlan and is the public lan.
Your building 2 ap are the only ones that can have an access different from from the 2 VLAN. But then you need to change their IP addresses to third subnet to make it clear. You can add a third network, untagged on eth3 if you want and decide who can access it by your firewall settings. You may also want to add a masquerade on eth3.
Your mkt router can be accessed from any network or none depending on the settings you choose.
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Wed Jul 06, 2016 6:04 pm

I was unsure as to how I will access the webGUI of the building 2 APs (they connect to the router via the eth3 trunk port). What I did was to issue fix IPs in the 10.10.200.0 domain and remove eth3-master-local from all the bridges. Now I can access the APs from the management IPs but not from the public IPs.

Thanks for all your help it seems to be working now. I'll shout if it doesn't.

cheers,
David
 
stef123
just joined
Posts: 12
Joined: Sun Jul 10, 2016 10:49 pm

Re: Complicated VLAN setup

Sun Jul 10, 2016 11:01 pm

Hi David,

I'm a mikrotik noob on a mission to setup a home office network on my RB2011UiAS. I've been trying to setup VLANs (home(wan),office(eth+wan),voip(eth)) with not much success.
Would you mind sharing your latest setup?

Thanks a mil!

Stefan
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Fri Jul 15, 2016 10:04 am

Hi Stefan,

you can see my config a few posts above this I haven't had time to do much since. Is there anything in particular you would like to ask about? I'd be happy to help.

David
 
stef123
just joined
Posts: 12
Joined: Sun Jul 10, 2016 10:49 pm

Re: Complicated VLAN setup

Sat Jul 16, 2016 11:09 pm

Hi Stefan,

you can see my config a few posts above this I haven't had time to do much since. Is there anything in particular you would like to ask about? I'd be happy to help.

David
Thanks David, I had a look, but with the additional advice received after the export I'm not sure what to keep and what to throw away. Anyway, I decided to start a fresh post with my scenario to keep this thread about yours :)
http://forum.mikrotik.com/viewtopic.php?f=13&t=110278
cheers.
S
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Sat Jul 16, 2016 11:14 pm

Anyway, I decided to start a fresh post with my scenario to keep this thread about yours
That's very considerate :) Glad my making-diagrams-habit is making rounds too 8)
 
bakadave
just joined
Topic Author
Posts: 22
Joined: Fri Jul 01, 2016 11:06 pm
Location: Hungary

Re: Complicated VLAN setup

Sat Jul 23, 2016 7:58 pm

Hey there,

I've been busy with other things for a few weeks but I'm back here with this problem. It's working nicely now however I'm unable to access the APs' GUI when I'm not connected to them.
To make it clear:
  • I am in building 2 connected to TP-Link AP 1/2: everything works perfectly
  • I am connected to the network in any other way: I can't access the TP-Link APs. I can actually ping them from the Mikrotik router but not from any client.
The reason I think this is because of the unmanaged switch. I think the packets that come from the wireless adapter are getting tagged but when I want to reach the AP itself those packets are no longer tagged and get lost in the ether. But when I went to Switch/Port and set ether3-master-local to tag untagged as VLAN200
interface ethernet switch port set ether3-master-local vlan-header=add-if-missing
I lost everything going in or out eth3.

Can anyone shed some light on this. I wouldn't want to buy a managed switch if I can avoid it.

cheers,
David

Who is online

Users browsing this forum: Google [Bot] and 18 guests