
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Question about using VLANs to set up a guest network  [SOLVED]

Sun Apr 22, 2018 9:59 am

Hello!

I have a guest network set up that allows guests to login to wifi and access the internet without allowing any access to our internal network. Up until now I have simply been using separate ethernet cables between the guest access point and our gateway router to the internet to isolate traffic (with appropriate firewall rules).

Now however, I have upgraded our core switches to MikroTik CRS125-24G-1S switches so I would like to do away with the additional wires and use a VLAN to separate the guest traffic from our internal network traffic. I would like to route the VLAN from our gateway (which will have to provide DHCP services to the guest network) through one of our new core switches, and to the access point to provide guest wifi. However, I would also like to send non-VLAN traffic to the access point so I can manage it from our core network and disable management access from the wireless interfaces.

I've attached a simplistic diagram showing what I would like to accomplish. I've read through the Wiki regarding VLANs but I am struggling to understand what I should do to set up this type of hybrid tagged and untagged pipeline to the access point. Any pointers you can provide to get me started would be greatly appreciated!

Thanks & Best Regards,

Mitch

VLAN Problem.PNG
 
codeworkx
just joined
Posts: 2
Joined: Thu Mar 20, 2014 2:28 pm

Re: Question about using VLANs to set up a guest network

Sun Apr 22, 2018 11:44 am

On the central crs125 create virtual ethernet interfaces on the trunk-ports (ports connecting the mikrotik devices) which have to carry tagged and untagged traffic.
Example: If ether3 connects crs125 and rb952 then add a virtual interface ether3-vlan10 (interface ether3, vlan id 10).

bridge-default (untagged)
- no vlan filtering
- add all your untagged interfaces (ether1, ether2, ether3)

bridge-vlan
- enable vlan-filtering
- add all tagged interfaces (ether1-vlan10, ether2-vlan10, ether3-vlan10) and set PVID 10

Add another virtual interface called vlan10 (interface bridge-vlan, vlan id 10)
Add the interface to bridge-vlan, too.

At bridge->vlan create a new entry for bridge-vlan
- vlan id 10
- tagged: bridge-vlan, vlan10, ether1-vlan10, ether2-vlan10, ether3-vlan10

On the RB750 and RB952 you're doing basically the same.

Don't forget to add a dhcp server to vlan10 on the rb750.
To restrict communication between your LANs use the firewall, because the RB750 (your router) will do its job and route everything if you don't block it via firewall.

You can also add more vlans to bridge-vlan by creating another virtual interface of bridge-vlan called vlan20 (with vlan id 20 then), add it to bridge-vlan, and add other vlan ports like ether4-vlan20 and so on to the bridge-vlan.
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Sun Apr 22, 2018 10:23 pm

Thanks -- I have this set up, but when associating with the wlan interfaces on the RB952, I still get a DHCP address in the internal network subnet. Is there more I have to do on the RB952 to ensure only the guest network is accessible via the wlan interfaces?

Ah, OK, I have wlan1 not on the untagged bridge, but wlan2 is on the untagged bridge. wlan2 provides a DHCP address in the internal network subnet. wlan1 does not provide a DHCP address at all, so there is more I have to do, I think; I'm working my way back up the AP<->switch<->router chain.
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Mon Apr 23, 2018 4:33 am

Here is the configuration for my wireless node, cloud switch, and router -- any thoughts on what I have set up incorrectly?



Wireless Access Point
[admin@MikroTik-Pixiedust] > export hide-sensitive
# apr/22/2018 20:19:47 by RouterOS 6.41.4
# software id = UIM0-1XCU
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 66590271236A
/interface bridge
add admin-mac=D4:CA:6D:B7:E0:B7 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-vlan pvid=10 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=pixiedust vlan-id=10 wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country="united states" disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=pixiedust5 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=ether1-vlan10 vlan-id=10
add interface=bridge-vlan name=vlan10 vlan-id=10
add interface=wlan1 name=wlan1-vlan10 vlan-id=10
add interface=wlan2 name=wlan2-vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
add bridge=bridge-vlan interface=wlan1-vlan10 pvid=10
add bridge=bridge-vlan interface=wlan2-vlan10 pvid=10
add bridge=bridge-vlan interface=vlan10 pvid=10
add bridge=bridge-vlan interface=wlan1 pvid=10
add bridge=bridge-vlan interface=wlan2 pvid=10
add bridge=bridge-vlan interface=ether1-vlan10 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-vlan tagged=\
    bridge-vlan,ether1-vlan10,wlan1-vlan10,wlan2-vlan10,vlan10 untagged=\
    wlan1,wlan2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
/ip address
add address=192.168.2.3/24 interface=vlan10 network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,4.4.4.4 gateway=192.168.2.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik-Pixiedust
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik-Pixiedust] >


Cloud Switch:
[admin@MikroTik-CRS-1] > export hide-sensitive
# apr/22/2018 20:26:43 by RouterOS 6.41.4
# software id = FKTL-Q3K4
#
# model = CRS125-24G-1S
# serial number = 7445069FC387
/interface bridge
add fast-forward=no name=bridge-vlan10 pvid=10 vlan-filtering=yes
add admin-mac=6C:3B:6B:8E:8B:FA auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface vlan
add interface=ether1 name=ether1-vlan10 vlan-id=10
add interface=ether6 name=ether6-vlan10 vlan-id=10
add interface=bridge-vlan10 name=vlan10 vlan-id=10
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether6
add bridge=bridge-vlan10 interface=ether1-vlan10 pvid=10
add bridge=bridge-vlan10 interface=ether6-vlan10 pvid=10
add bridge=bridge-vlan10 interface=vlan10 pvid=10
/interface bridge vlan
add bridge=bridge-vlan10 tagged=bridge-vlan10,vlan10,ether1-vlan10,ether6-vlan10 vlan-ids=10
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether1 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.1.62/24 comment=defconf interface=bridge1 network=192.168.1.0
add address=192.168.2.2/24 interface=vlan10 network=192.168.2.0
/ip dns
set servers=192.168.1.86,192.168.1.2,192.168.1.3,192.168.1.1
/lcd
set read-only-mode=yes
/lcd interface
add interface=bridge1
/lcd interface pages
set 2 interfaces=sfp1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik-CRS-1
/system ntp client
set enabled=yes primary-ntp=192.168.1.89
[admin@MikroTik-CRS-1] >

Router:
[admin@MikroTik-Sparticus] > export hide-sensitive
# apr/22/2018 20:29:14 by RouterOS 6.41.4
# software id = RSDH-S827
#
# model = RouterBOARD 750G r3
# serial number = 6F3907B4A3C0
/interface bridge
add admin-mac=64:D1:54:82:B5:F4 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-vlan pvid=10 vlan-filtering=yes
/interface vlan
add interface=ether1 name=ether1-vlan10 vlan-id=10
add interface=ether2 name=ether2-vlan10 vlan-id=10
add interface=bridge-vlan name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=tftp-server-address value="'192.168.1.8'"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=guest_pool ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=magnolia-network
add address-pool=guest_pool interface=vlan10 name=guest-network
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-vlan interface=ether1-vlan10 pvid=10
add bridge=bridge-vlan interface=ether2-vlan10 pvid=10
add bridge=bridge-vlan interface=vlan10 pvid=10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan,ether1-vlan10,ether2-vlan10,vlan10 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=GUEST
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease [removed]
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dhcp-option=tftp-server-address dns-server=192.168.1.86,192.168.1.2,192.168.1.3,192.168.1.1 domain=magnoliamanor.local gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.89 wins-server=192.168.1.2
add address=192.168.2.0/24 dns-server=8.8.8.8,4.4.4.4 domain=pixiedust.local gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.86,192.168.1.2,192.168.1.3
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=reject chain=input dst-address=192.168.1.0/24 in-interface-list=GUEST reject-with=icmp-network-unreachable src-address=192.168.2.0/24
add action=reject chain=input dst-address=192.168.2.0/24 in-interface-list=LAN reject-with=icmp-network-unreachable src-address=192.168.1.0/24
add action=reject chain=forward dst-address=192.168.1.0/24 in-interface-list=GUEST out-interface-list=LAN reject-with=icmp-network-unreachable src-address=192.168.2.0/24
add action=reject chain=forward dst-address=192.168.2.0/24 in-interface-list=LAN out-interface-list=GUEST reject-with=icmp-network-unreachable src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex Server port access from outside so Plex.Tv can access Zodiac" dst-port=32400 protocol=tcp to-addresses=192.168.1.94 to-ports=32400
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik-Sparticus
/system ntp client
set enabled=yes primary-ntp=192.168.1.89
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik-Sparticus] >
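Not part of the thread: an added Python helper for auditing a RouterOS `/export` for the exposure the original post wants to avoid, management reachable from the guest wireless side. It parses the export text (joining RouterOS's trailing-backslash line continuations), then reports interfaces that are ports of the guest bridge while also being covered, directly or through a bridge placed in the list, by the interface lists that `/tool mac-server`, `/tool mac-server mac-winbox` and `/ip neighbor discovery-settings` use. The embedded excerpt is constructed from the access point export above (some ports omitted for length); on it the check returns `wlan2`, which is a `bridge-vlan` port and is also a member of the `LAN` list.

```python
"""Audit a RouterOS /export for guest-bridge ports that management services can
reach. Added example; the excerpt below is constructed from the thread's AP export."""
import re
import shlex
from collections import defaultdict


def parse_export(text: str) -> list:
    """Return (menu, command, params) triples. RouterOS wraps long lines with a
    trailing backslash plus indentation, so those are joined before tokenising."""
    joined = re.sub(r"\\\n\s*", "", text)
    entries, menu = [], None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # menu path, e.g. "/interface bridge port"
            menu = line
            continue
        tokens = shlex.split(line)          # handles comment="with spaces"
        params = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((menu, tokens[0], params))
    return entries


def bridge_vlan_table(text: str) -> dict:
    """vlan-ids -> (tagged ports, untagged ports) from /interface bridge vlan."""
    table = {}
    for menu, cmd, p in parse_export(text):
        if menu == "/interface bridge vlan" and cmd == "add":
            split = lambda k: set(filter(None, p.get(k, "").split(",")))
            table[p["vlan-ids"]] = (split("tagged"), split("untagged"))
    return table


def management_exposure(text: str, guest_bridge: str) -> list:
    """Ports of guest_bridge that an allowed-interface-list for MAC-server,
    MAC-winbox or neighbor discovery also covers. A bridge named in such a
    list is expanded to all of its ports."""
    list_members, bridge_ports, mgmt_lists = defaultdict(set), defaultdict(set), set()
    for menu, cmd, p in parse_export(text):
        if menu == "/interface list member" and cmd == "add":
            list_members[p["list"]].add(p["interface"])
        elif menu == "/interface bridge port" and cmd == "add":
            bridge_ports[p["bridge"]].add(p["interface"])
        elif menu in ("/tool mac-server", "/tool mac-server mac-winbox"):
            if "allowed-interface-list" in p:
                mgmt_lists.add(p["allowed-interface-list"])
        elif menu == "/ip neighbor discovery-settings":
            if "discover-interface-list" in p:
                mgmt_lists.add(p["discover-interface-list"])
    reachable = set()
    for name in mgmt_lists:
        for iface in list_members.get(name, ()):
            reachable.add(iface)
            reachable |= bridge_ports.get(iface, set())
    return sorted(reachable & bridge_ports.get(guest_bridge, set()))


# Constructed excerpt of the access point export from the thread (raw string so
# the trailing-backslash continuations survive and exercise the joiner).
AP_EXPORT = r"""
/interface bridge
add admin-mac=D4:CA:6D:B7:E0:B7 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-vlan pvid=10 vlan-filtering=yes
/interface list
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=ether1
add bridge=bridge-vlan interface=wlan1-vlan10 pvid=10
add bridge=bridge-vlan interface=wlan2-vlan10 pvid=10
add bridge=bridge-vlan interface=vlan10 pvid=10
add bridge=bridge-vlan interface=wlan1 pvid=10
add bridge=bridge-vlan interface=wlan2 pvid=10
add bridge=bridge-vlan interface=ether1-vlan10 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-vlan tagged=\
    bridge-vlan,ether1-vlan10,wlan1-vlan10,wlan2-vlan10,vlan10 untagged=\
    wlan1,wlan2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""
```

Run `management_exposure(export_text, "<guest bridge name>")` against the full export of each device; an empty list is the goal for a guest bridge. `bridge_vlan_table` is there to confirm the wrapped `/interface bridge vlan` line was reassembled the way RouterOS shows it.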
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Mon Apr 23, 2018 5:22 am

It seems to me this has been made more complicated than it should be. On your AP in wireless settings, use vlan-mode=use-tag & vlan-id=10 and add this port to your main bridge (same bridge as the rest of your interfaces). Then on the router, add a VLAN interface with interface=bridge (again, your main bridge). And then on bridge ports add vlan1 to your guest bridge. Voila! You already have firewall rules dropping vlan traffic from local, so you are good there.

You could even add a VAP to each AP for your guests and use wlan1 & wlan2 for your local network on both APs....
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Mon Apr 23, 2018 5:36 am

Thanks! I will give that a try tomorrow evening and see how it goes.

EDIT: are you saying I should leave the cloud switch configuration as is?
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Mon Apr 23, 2018 5:55 am

EDIT: are you saying I should leave the cloud switch configuration as is?
No, move all ports back to your main bridge on all devices, as there should only be the one bridge on your APs and switch. The router is the only device with a second bridge. And there should be only one cable to each device.
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Tue Apr 24, 2018 6:02 am

Getting closer -- my raspberry pi successfully gets an IP address in the guest network range (192.168.2.10-192.168.2.254) and can reach the internet but cannot ping the gateway address 192.168.2.1
Neither Windows machine will correctly get the DHCP information; they seem to retain their old 192.168.1.x info even though they claim the DHCP server they are talking to is 192.168.2.1.

Here is the router config:

> export hide-sensitive
# apr/23/2018 21:50:51 by RouterOS 6.41.4
# software id = RSDH-S827
#
# model = RouterBOARD 750G r3
# serial number = 6F3907B4A3C0
/interface bridge
add admin-mac=64:D1:54:82:B5:F4 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=guest-bridge pvid=10 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=tftp-server-address value="'192.168.1.8'"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=guest_pool ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=magnolia-network
add address-pool=guest_pool disabled=no interface=guest-bridge name=\
    guest-network
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=guest-bridge interface=vlan10 pvid=10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.1/24 interface=guest-bridge network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
[removed]
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dhcp-option=tftp-server-address \
    dns-server=192.168.1.86,192.168.1.2,192.168.1.3,192.168.1.1 domain=\
    magnoliamanor.local gateway=192.168.1.1 netmask=24 ntp-server=\
    192.168.1.89 wins-server=192.168.1.2
add address=192.168.2.0/24 dns-server=8.8.8.8,4.4.4.4 domain=pixiedust.local \
    gateway=192.168.2.1 netmask=24 wins-server=0.0.0.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.86,192.168.1.2,192.168.1.3
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=reject chain=input dst-address=192.168.1.0/24 in-interface-list=\
    *2000012 reject-with=icmp-network-unreachable src-address=192.168.2.0/24
add action=reject chain=input dst-address=192.168.2.0/24 in-interface-list=\
    LAN reject-with=icmp-network-unreachable src-address=192.168.1.0/24
add action=reject chain=forward dst-address=192.168.1.0/24 in-interface-list=\
    *2000012 out-interface-list=LAN reject-with=icmp-network-unreachable \
    src-address=192.168.2.0/24
add action=reject chain=forward dst-address=192.168.2.0/24 in-interface-list=\
    LAN out-interface-list=*2000012 reject-with=icmp-network-unreachable \
    src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=\
    "Plex Server port access from outside so Plex.Tv can access Zodiac" \
    dst-port=32400 protocol=tcp to-addresses=192.168.1.94 to-ports=32400
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik-Sparticus
/system ntp client
set enabled=yes primary-ntp=192.168.1.89
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik-Sparticus] >


Access Point config:

[admin@MikroTik-Pixiedust] > export hide-sensitive
# apr/23/2018 21:49:03 by RouterOS 6.41.4
# software id = UIM0-1XCU
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 66590271236A
/interface bridge
add admin-mac=D4:CA:6D:B7:E0:B7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=pixiedust vlan-id=10 vlan-mode=use-tag wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country="united states" disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=pixiedust5 vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.33/24 interface=bridge network=192.168.1.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik-Pixiedust
/system ntp client
set enabled=yes primary-ntp=192.168.1.89
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik-Pixiedust] >

Switch Config:

[admin@MikroTik-CRS-1] > export hide-sensitive
# apr/23/2018 21:53:29 by RouterOS 6.41.4
# software id = FKTL-Q3K4
#
# model = CRS125-24G-1S
# serial number = 7445069FC387
/interface bridge
add admin-mac=6C:3B:6B:8E:8B:FA auto-mac=no comment=\
    "created from master port" name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether6 ] name=ether6-pixiedust
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp1
add bridge=bridge interface=ether1
add bridge=bridge interface=ether6-pixiedust
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6-pixiedust list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether1 list=LAN
add interface=sfp1 list=LAN
add interface=ether2 list=WAN
/ip address
add address=192.168.1.62/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dns
set servers=192.168.1.86,192.168.1.2,192.168.1.3,192.168.1.1
/lcd
set read-only-mode=yes
/lcd interface
add interface=bridge
/lcd interface pages
set 2 interfaces=sfp1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik-CRS-1
/system ntp client
set enabled=yes primary-ntp=192.168.1.89
[admin@MikroTik-CRS-1] >

 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Tue Apr 24, 2018 1:47 pm

On your Router, change guest-bridge pvid=1 (or what default is) and vlan-filtering=no as we are un-tagging traffic coming to the bridge.
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 4:43 am

OK, I did that. I also removed the firewall rules I had on the access point; I had forgotten about those. It seems to be working for my Raspberry Pi, but on my Windows computer I get the following -- notice the addresses are on my core network (192.168.1.x) but the DHCP server that supposedly provided them is on the guest network (192.168.2.x).
wierd-dhcp-result.PNG
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 4:56 am

So, a couple of questions to help me understand this configuration.

I'm assuming that setting the VLAN tags on the physical interfaces tells the unit to tag all packets entering the device through that interface? It looks like I cannot set that on the hardwired ethernet interfaces though so there must be more to the story here.

I take it the switch in the middle does not need to be told anything about the VLAN tagged packets to know to keep them segregated from the untagged traffic? However, how does it know what interface to send the tagged packets out of so they get to the router and not to anything else?

I'm asking so I can understand all this because once I do I will probably create a more complex VLAN configuration so that guests might reach printers for example, and our home automation and security systems will be isolated from our main lan to some extent.

Thanks!

Mitch
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 5:09 am

Do you by chance have a Static DHCP-Lease for the Windows computer with server=all?
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 5:32 am

LOL you got it on the first try! I sure do have leases set up that way. That took care of that problem.

thank you very much!
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 6:04 am

I was just testing more of your config, on your router
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
caused some weirdness.

You can do:
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
or at least do no vlan.

As far as your questions, I am no expert, but these are my findings:
I'm assuming that setting the VLAN tags on the physical interfaces tells the unit to tag all packets entering the device through that interface? It looks like I cannot set that on the hardwired ethernet interfaces though so there must be more to the story here.
You can indirectly. Add a VLAN on the main bridge and a new bridge for each vlan-id you want. Then add the ether ports and VLAN port to the corresponding bridge. So, on your router, if you wanted say ether5 on the guest, just change it in bridge-port from main to guest. It would be no different with any of your other devices.
I take it the switch in the middle does not need to be told anything about the VLAN tagged packets to know to keep them segregated from the untagged traffic? However, how does it know what interface to send the tagged packets out of so they get to the router and not to anything else?
It is running as a bridge, and bridges do not care what traffic is on them. They will just pass it along. Bridges are also somewhat dumb; they send traffic to all interfaces in hopes of finding the intended target. Think of the days before caller ID, when you just missed a phone call and would have to call several people to see if it was them.....

Hope this helps!
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 6:13 am

Thanks for the info! I have everything working now, let me export the settings and compare them to your notes regarding the firewall. I had to rearrange some of the firewall rules because the guest-bridge and vlan were not on the 'LAN' list -- I made a separate list called 'GUEST' to allow blocking the 192.168.1.x <-> 192.168.2.x traffic. What sort of weirdness did you see?

BTW, you mentioned I could set up vaps on my other access point -- does that impact the performance of the access point much? We were so ecstatic about the performance of the Hap ACs that I was reluctant to try vaps at first, but if there is no real performance impact I will try that.
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 6:20 am

Ok, my bridge is set up as
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
and I'm moving traffic OK, but as I said, there was a rule that dropped all !LAN, which caused problems. I think I will have to make a 'CORE' list for the internal network so the firewall rules blocking 192.168.1.x <-> 192.168.2.x traffic don't use the list LAN -- that would include the guest interfaces in this new configuration.
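To make the two points above concrete (2frogs' bridge-per-VLAN layout with use-ip-firewall turned off, and the separate CORE/GUEST interface lists that keep the guest bridge out of the default "drop !LAN" rule), here is an added RouterOS example for the gateway router. It is not the configuration posted by either participant and not MikroTik documentation. Assumptions: ether1 is the WAN uplink and the WAN interface list already exists from the default configuration, ether3 is the trunk toward the CRS125, ether5 is an optional wired guest port, VLAN id 10 is the guest VLAN, and the subnets are 192.168.1.0/24 (core) and 192.168.2.0/24 (guest) as in the thread.

```routeros
# Added example: gateway router side of the thread's topology.
# Interface names, pool range and the existing WAN list are assumptions.

/interface bridge
add name=main protocol-mode=none
add name=guest protocol-mode=none

# Tagged guest traffic arrives on the trunk as VLAN 10 on top of the main bridge.
/interface vlan
add name=guest-vlan10 interface=main vlan-id=10

# Physical core ports (including the trunk) go in "main"; the VLAN 10
# sub-interface and any wired guest port go in "guest".
/interface bridge port
add bridge=main interface=ether2
add bridge=main interface=ether3
add bridge=guest interface=guest-vlan10
add bridge=guest interface=ether5

# The setting 2frogs recommends: do not push bridged frames through the IP firewall.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no

/ip address
add address=192.168.1.1/24 interface=main
add address=192.168.2.1/24 interface=guest

# DHCP for guests is served on the guest bridge only.
/ip pool
add name=guest-pool ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add name=guest-dhcp interface=guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1

# Separate lists so a rule written against "LAN" cannot silently include guest.
/interface list
add name=CORE
add name=GUEST
/interface list member
add list=CORE interface=main
add list=GUEST interface=guest

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies"
add chain=forward action=drop in-interface-list=GUEST out-interface-list=CORE comment="guest -> core blocked"
add chain=forward action=drop in-interface-list=CORE out-interface-list=GUEST comment="core -> guest blocked"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN comment="guest -> internet"
add chain=forward action=drop in-interface-list=GUEST comment="guest -> anything else blocked"
# Guests may only talk to the router itself for DHCP and DNS.
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67,53 comment="guest DHCP/DNS"
add chain=input action=drop in-interface-list=GUEST comment="no other router access from guest"
```

The forward-chain drops are written in both directions on purpose: blocking only guest -> core still lets a core host open a connection to a guest device, and the established,related rule would then carry replies back. The input-chain pair is what keeps guests away from Winbox, SSH and the web interface on the router; if those rules are absent, a guest can still reach the router's management services on 192.168.2.1 even though the core subnet is blocked.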
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 6:47 am

BTW, you mentioned I could set up vaps on my other access point -- does that impact the performance of the access point much? We were so ecstatic about the performance of the Hap ACs that I was reluctant to try vaps at first, but if there is no real performance impact I will try that.
None to minimal impact. Really no more than an additional user on it.
 
lukaszg
just joined
Posts: 17
Joined: Thu Apr 28, 2016 10:46 am

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 11:03 am

What should be done if, let's say, the ether4 interface (of the CRS125-24G-1S) should also be added to VLAN guest?
The simplest thing would be to add ether4 to bridge-vlan, but I think according to this it is not recommended.

What about:
- in Switch->Port->ether4 set "vlan header" to "always strip" and set "default vlan id" to 10
- in Interfaces -> VLANs create new vlan (e.g. ether4-vlan)
- add ether4-vlan to bridge-vlan


It is a bit tricky to understand differences between different VLAN submenus (Bridge>VLAN, Switch>VLAN, Interfaces>VLANs and Switch>Port>vlan).
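For the switch side of the question, here is an added example of the CRS125-24G-1S configured the way the accepted answer at the top of the thread describes: one software VLAN interface per trunk port, a "main" bridge for the untagged core traffic and a "guest" bridge for VLAN 10, with the wired guest port that lukaszg asks about added to the guest bridge as an untagged member. It is not lukaszg's or MikroTik's configuration. Assumptions: ether3 faces the gateway router, ether5 faces the access point, ether4 is the wired guest port, and the switch's management address is 192.168.1.2. This is the software-bridge (CPU-forwarded) variant and does not use the Switch > Port / Switch > VLAN hardware menus at all.

```routeros
# Added example: CRS125-24G-1S in the middle of the topology.
# Port numbers and the management address are assumptions.

/interface bridge
add name=main protocol-mode=none
add name=guest protocol-mode=none

# Peel tagged VLAN 10 off each trunk port in software.
/interface vlan
add name=ether3-vlan10 interface=ether3 vlan-id=10
add name=ether5-vlan10 interface=ether5 vlan-id=10

# Physical trunk ports carry the untagged core traffic in "main".
# Their VLAN 10 sub-interfaces plus the untagged guest port ether4 live in "guest":
# a frame entering ether4 untagged leaves ether3 tagged with VLAN 10.
/interface bridge port
add bridge=main interface=ether3
add bridge=main interface=ether5
add bridge=guest interface=ether3-vlan10
add bridge=guest interface=ether5-vlan10
add bridge=guest interface=ether4

# Address the switch on the core bridge only; "guest" gets no IP address.
/ip address
add address=192.168.1.2/24 interface=main

# A guest on ether4 still shares a layer-2 segment with the switch CPU, so
# restrict MAC-Telnet, MAC-Winbox and neighbor discovery to the core bridge.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=main
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
```

Leaving the guest bridge without an IP address is not enough on its own: RouterOS's MAC-Telnet and MAC-Winbox services answer on any bridge unless their allowed-interface-list says otherwise, which is why the last block exists. The cost of this variant is that traffic crossing the VLAN sub-interfaces is switched by the CPU rather than the switch chip; for a guest WiFi uplink that is normally acceptable, but it is the reason the hardware VLAN menus lukaszg lists exist.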
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 4:41 pm

What should be done if, let's say, the ether4 interface (of the CRS125-24G-1S) should also be added to VLAN guest?
The simplest thing would be to add ether4 to bridge-vlan, but I think according to this it is not recommended.

What about:
- in Switch->Port->ether4 set "vlan header" to "always strip" and set "default vlan id" to 10
- in Interfaces -> VLANs create new vlan (e.g. ether4-vlan)
- add ether4-vlan to bridge-vlan


It is a bit tricky to understand differences between different VLAN submenus (Bridge>VLAN, Switch>VLAN, Interfaces>VLANs and Switch>Port>vlan).
It was those various menus that had me a bit confused; relating the script-based wiki examples to the menus made me wonder if I really was understanding the examples.


 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Question about using VLANs to set up a guest network

Wed Apr 25, 2018 5:59 pm

/interface bridge set [find] protocol-mode=none
Again, I am no expert, but it seems to me RSTP is broken on MikroTik. Every time it gets set, with or without VLANs, it breaks my network. It is possible that it is due to the mix of vendors (Ubiquiti PtMP) on my network and they are not playing nice together, or what. And in my testing I have had issues with even having more than 2 MikroTiks in a network together.

Using “none” I have had zero issues!
 
mitchmitchell
just joined
Topic Author
Posts: 22
Joined: Fri Sep 22, 2017 11:05 pm

Re: Question about using VLANs to set up a guest network

Thu Apr 26, 2018 4:20 am

I haven't seen a problem yet, but my network is all MikroTik devices (except for a few dumb switches that will gradually be replaced).

Anyway, thank you very much for your help on this!!
