Help with Basic VLAN

BassTeQ · Tue Jul 31, 2018 6:17 am

Hi,

I've recently setup my router using the default settings and latest OS version, things are working well.
I'd now like to add a VLAN into the mix, the purpose of this VLAN is to create a separate network which will be utilised by Unifi Access Points

Current configuration
Eth1 = WAN
Eth2 = LAN (192.168.100.0/24) This goes into my main Unifi Switch where all devices are connected

Default Bridge

[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                     BRIDGE                                     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2-LAN                                    bridge                                     yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether6-master                                 bridge                                     yes    1     0x80         10                 10       none
 2 I   ;;; defconf
       sfp1                                          bridge                                     no     1     0x80         10                 10       none
 3 I H ether3                                        bridge                                     yes    1     0x80         10                 10       none
 4 I H ether4                                        bridge                                     yes    1     0x80         10                 10       none
 5 I H ether5                                        bridge                                     yes    1     0x80         10                 10       none
 6 I H ether7                                        bridge                                     yes    1     0x80         10                 10       none
 7 I H ether8                                        bridge                                     yes    1     0x80         10                 10       none
 8 I H ether9                                        bridge                                     yes    1     0x80         10                 10       none
 9 I H ether10                                       bridge                                     yes    1     0x80         10                 10       none

I'd like to create a new VLAN, eg VLAN 10 and it have a network address of 10.0.10.0/24. What steps are required to implement this?
Appreciate any assistance.

Thanks

usdmatt · Tue Jul 31, 2018 11:15 am

Create a vlan sub-interface on the bridge with your relevant vlan number.

In "/switch vlan" create a vlan entry and add ether2 and switch1-cpu. You can also add other ports if they might handle vlan traffic. If it's something like an RB2011 you may need to add switch2-cpu to the list to use ports 6+

Add an ip to the vlan interface and setup a dhcp server on it

samsung172 · Tue Jul 31, 2018 11:16 am

just add a vlan to your bridge and add an ip to this new interface. next you need to tag the vlan at your ubnt device, and use it for your requirements.

nichky · Tue Jul 31, 2018 11:49 am

see here

https://mum.mikrotik.com/presentations/ ... omeini.pdf

BassTeQ · Wed Aug 01, 2018 3:57 am

Thanks for the tips, will try these suggestions shortly.

Is it best to tag traffic for my current 192.168.100.0 network as well, or leave this untagged as-is?

BassTeQ · Wed Aug 01, 2018 1:50 pm

I've made the suggested changes, does everything look ok? Any obvious mistakes?
When I try connect to the UniFi wireless network, it has VLAN 10 set, it fails trying to obtain IP address.
I think as a starting point I want to first take Unifi and the main switch connected on Eth2 out of the equation. If I can connect a PC to Eth3, and get an IP on the VLAN 10, that would be a good start. Is there anything additional I might need to achieve this?

Unifi Network

Thanks!

skylark · Wed Aug 01, 2018 2:28 pm

VLAN configuration depends on what kind of the device do you use. You can find more setup examples here:
https://wiki.mikrotik.com/wiki/Manual:C ... Based_VLAN
https://wiki.mikrotik.com/wiki/Manual:I ... N_examples
https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29

Samot · Wed Aug 01, 2018 3:24 pm

I'm not sure why the majority of the suggestions are pre-6.41 since that hasn't been the case for almost a year now. You've got most of it right but here is what needs to happen.

1) Do not use the Switch setup. That's wrong, it's done via the Bridge now.
2) Under Bridge go to the VLAN tab, you'll want to add a new VLAN. Add the VLAN ID where it asks and then add the bridge itself and the ether ports (3 in this case) that need to be tagged.
3) Enable VLAN Filtering on the Bridge.

Having the VLAN interface as a port on the bridge, correct.
Having the DHCP/IP Addresses assigned to the VLAN interface, correct.

You just need to set this up on the bridge instead of the switch interface.

BassTeQ · Thu Aug 02, 2018 2:28 am

I'm not sure why the majority of the suggestions are pre-6.41 since that hasn't been the case for almost a year now. You've got most of it right but here is what needs to happen.

1) Do not use the Switch setup. That's wrong, it's done via the Bridge now.
2) Under Bridge go to the VLAN tab, you'll want to add a new VLAN. Add the VLAN ID where it asks and then add the bridge itself and the ether ports (3 in this case) that need to be tagged.
3) Enable VLAN Filtering on the Bridge.

Thanks Samot, this is what caused me confusion, lots of the content in forums, youtube etc is pre 6.41.

I've done as you suggested, removed the config in the "switch"
Enabled VLAN Filtering, and added the details in the VLAN tab.

However when I connect a PC into Eth3 I'm getting a 192.168.100.X IP address when it should be 10.0.10.X.

Cheers

CZFan · Thu Aug 02, 2018 6:11 pm

Vlan10 must be on Bridge
In Bridge-->Ports, change ether3 PVID from 1 to 10
In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10

BassTeQ · Fri Aug 03, 2018 2:17 am

Vlan10 must be on Bridge
In Bridge-->Ports, change ether3 PVID from 1 to 10
In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10

Thanks CZFan,

Vlan10 must be on Bridge
Is this correct?

[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                      VLAN-IDS  CURRENT-TAGGED                      CURRENT-UNTAGGED                     
 0   bridge                      10

In Bridge-->Ports, change ether3 PVID from 1 to 10
Done

[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                  BRIDGE                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2-LAN                 bridge                  yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether6-master              bridge                  yes    1     0x80         10                 10       none
 2 I   ;;; defconf
       sfp1                       bridge                  no     1     0x80         10                 10       none
 3 I H ether3                     bridge                  yes   10     0x80         10                 10       none
 **--snip--**

In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
Like this?

Thank you.

CZFan · Fri Aug 03, 2018 9:54 am

Vlan10 must be on Bridge
In Bridge-->Ports, change ether3 PVID from 1 to 10
In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
Thanks CZFan,

Vlan10 must be on Bridge
Is this correct?
Code: Select all
[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                      VLAN-IDS  CURRENT-TAGGED                      CURRENT-UNTAGGED                     
 0   bridge                      10       
...

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

BassTeQ · Fri Aug 03, 2018 1:07 pm

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

I already have this setup using a different name, will this be ok?

[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave 
 #    NAME                   MTU ARP             VLAN-ID INTERFACE               
 0 R  vlan10_Guest          1500 enabled              10 bridge

CZFan · Fri Aug 03, 2018 4:04 pm

should be good to go, then if you want to prevent the guest vlan communication via layer 3 with other devices, use firewall filter rules

diddie17 · Fri Aug 03, 2018 7:19 pm

I'm not sure why the majority of the suggestions are pre-6.41 since that hasn't been the case for almost a year now. You've got most of it right but here is what needs to happen.

1) Do not use the Switch setup. That's wrong, it's done via the Bridge now.

I'm very happy to be corrected, but for my own education, I hadn't understood is as being as binary as using the switch menu before 6.41 and VLAN filtering after. My understanding was that if there was a VLAN switching requirement, you should still use the switch menu for devices with a switch chip, rather than VLAN filtering on the bridge, in order to maintain HW offload and wirespeed switching (with the exception of the crs3xx range that can maintain HW offload using VLAN filtering on the bridge).

If I've understood correctly, the answer given is right for the eth1 and eth2 question being asked by the OP as there is no switching going on. But wouldn't there be benefit even after 6.41 to using the switch menu and chip to maintain HW offload if eth3, eth4 etc. were also used with VLAN's?

CZFan · Sat Aug 04, 2018 12:40 am

@diddie17, you are 100% correct, if you want to switch VLAN's, i.e. Ether3 and ether4 is in same vlan, then it is best to use switch vlan config except for crs3xx devices.
Between VLAN's will happen with routing and this will go via cpu

BassTeQ · Sat Aug 04, 2018 9:33 am

Getting closer, when I connect to PC to Eth3 I now get an IP in the 10.0.10.0 subnet, however it can't access the internet, or ping google dns 8.8.8.8.
Am I missing something? I've not put in any firewall rules to block traffic, the same rules remain as before I started trying to add this VLAN.
Traffic on the 192.168.100.0 subnet is fine, and has full connectivity.

Thanks again!

CZFan · Sat Aug 04, 2018 1:46 pm

provide output of "export hide-sensitive"

BassTeQ · Sat Aug 04, 2018 2:14 pm

provide output of "export hide-sensitive"

# aug/04/2018 21:09:53 by RouterOS 6.42.6
# software id = UUZ2-Z8I4
#
# model = RouterBOARD 3011UiAS
# serial number = 
/interface bridge
add admin-mac=CC:2D:E0:7B:34:9F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether6 ] name=ether6-master
/interface vlan
add interface=bridge name=vlan10_Guest vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.1-192.168.100.254
add name=Guest ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=LAN
add address-pool=Guest disabled=no interface=vlan10_Guest name=GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
/interface list member
add interface=ether2-LAN list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1-WAN list=WAN
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
    192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.0.1 gateway=10.0.10.1 \
    netmask=24
add address=192.168.100.0/24 comment=LAN gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.254 name=router
/ip firewall address-list
add address=my.dynamic.host list=WANIP
/ip firewall filter
add action=log chain=prerouting disabled=yes dst-port=22 log=yes log-prefix=\
    step1 protocol=tcp
add action=log chain=forward disabled=yes dst-port=22 log=yes log-prefix=\
    step2 protocol=tcp
add action=log chain=postrouting disabled=yes dst-port=22 log=yes log-prefix=\
    step3 protocol=tcp
add action=drop chain=input comment="Drop Ping from WAN" in-interface=\
    ether1-WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
    protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward disabled=yes dst-port=8228 in-interface=\
    ether1-WAN log=yes log-prefix="accept forward port 22" protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1-WAN log-prefix="drop all from wan - input"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="drop invalid"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN log-prefix=\
    "drop from wan not dstnated"
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN Nat for loopback" \
    dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1-WAN
add action=dst-nat chain=dstnat comment="SSH Server" dst-port=9922 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.100.150 \
    to-ports=22
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/lcd
set backlight-timeout=never default-screen=stat-slideshow
/lcd interface
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6-master disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=ether1-WAN,ether2-LAN
/system clock
set time-zone-name=Australia/Melbourne
/system ntp client
set enabled=yes primary-ntp=150.101.178.147 secondary-ntp=203.7.149.150
/system routerboard settings
set silent-boot=no
/system scheduler
/system script
/tool graphing interface
add interface=ether1-WAN
add interface=ether2-LAN
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

CZFan · Mon Aug 06, 2018 7:41 pm

Below some corrections of mistakes and suggestions, so change these first and come back:

From
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0

To
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
192.168.100.0
add address=10.0.10.1/24 interface=vlan10_Guest network=10.0.10.0

From
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.0.1 gateway=10.0.10.1 \
netmask=24
add address=192.168.100.0/24 comment=LAN gateway=192.168.100.254 netmask=24

To
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.10.1,8.8.8.8 gateway=10.0.10.1 \
netmask=24
add address=192.168.100.0/24 comment=LAN dns-server=192.168.100.254,8.8.8.8 gateway=192.168.100.254 netmask=24

From
/ip dns
set allow-remote-requests=yes

To
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

BassTeQ · Wed Aug 08, 2018 4:05 am

Thanks very much, I've made your suggested changes (excluding the google dns ones, as I want to use the ISP DNS for default) and I now have connectivity!!!!
Whats the best method to now block traffic on the Guest VLAN so it can't see the other network, and vise versa?

I've added these rules and it seems to do the job, just wondering if there's a better approach? If I add more VLANS the amount of rules would quickly increase.

chain=forward action=drop in-interface=vlan10_Guest dst-address=192.168.100.0/24 log=no log-prefix=""
chain=forward action=drop src-address=192.168.100.0/24 out-interface=vlan10_Guest log=no log-prefix=""

Cheers

CZFan · Wed Aug 08, 2018 6:27 pm

I will use:

chain=forward action=drop src-address=10.0.10.0/24 dst-address=192.168.100.0/24 log=no log-prefix=""
chain=forward action=drop src-address=192.168.100.0/24 dst-address=10.0.10.0/24 log=no log-prefix=""

BassTeQ · Thu Aug 09, 2018 4:24 am

Any particular reason why you avoid using the "interface" in those rules?

Also I just noticed I'd left VLAN Filtering disabled on the Bridge, however everything seemed to be working ok, I can connect to the UniFi AP Wifi Network which has the VLAN ID set and get an IP in the 10.0.10.0 network. However when I Enable VLAN Filtering on the bridge, and connect to the Wifi Network, I don't get internet connectivity, any ideas why?

Thanks

CZFan · Fri Aug 10, 2018 1:26 am

Personally I use interfaces for bridge filters and IP for firewall filters, another reason would be that you might have multiple interfaces as members of same vlan, the it makes more sense to use the subnet of the vlan, but it is just set a personal choice

Did you tag the vlan on the unify AP's, if so, change ether 3 from untagged to tagged under bridge vlan

BassTeQ · Fri Aug 10, 2018 2:09 am

Personally I use interfaces for bridge filters and IP for firewall filters, another reason would be that you might have multiple interfaces as members of same vlan, the it makes more sense to use the subnet of the vlan, but it is just set a personal choice

Did you tag the vlan on the unify AP's, if so, change ether 3 from untagged to tagged under bridge vlan

Ok fair enough, it makes sense.

Yes I tagged the vlan on the AP's, these are connected to a unfi switch, which is connected to Eth2, Eth3 was only used as a test when I was first having an issue getting the vlan working, nothing is now connected there.

Cheers

CZFan · Fri Aug 10, 2018 7:23 pm

Add ether2 as tagged under Bridge Vlan for Vlan id 10

BassTeQ · Sat Aug 11, 2018 9:58 am

Add ether2 as tagged under Bridge Vlan for Vlan id 10

Done, and enabled VLAN Tagging on the bridge, still no connectivity.
In fact I end up getting a 192.254.51.X IP address if connect a PC to Ether3 or connect to the Guest Wifi VLAN ID=10, when I should be seeing a 10.0.10.X address

Thanks

CZFan · Sat Aug 11, 2018 4:23 pm

As per my post in this topic, post # 10, Bridge must also be tagged for Vlan id's 10, 20, 30, 40, this is to allow access to the CPU for DHCP from these Vlans

BassTeQ · Sun Aug 12, 2018 3:16 am

As per my post in this topic, post # 10, Bridge must also be tagged for Vlan id's 10, 20, 30, 40, this is to allow access to the CPU for DHCP from these Vlans

Is this correct? With this setup like below, and VLAN Filtering enabled I still can't access the internet.

Should the new VLAN 10 be added to the Bridge/Port section, at the moment only the physical ports are listed there Eth2 to Eth10?
I've seen other examples where people had done this, not sure if it was required for my configuration?

Cheers

CZFan · Sun Aug 12, 2018 12:45 pm

look at the differences in the screenshots in your posts # 27 & 29, by adding the bridge as tagged, you have removed ether2 which broke the setup again, add ether2 back as tagged

Should the new VLAN 10 be added to the Bridge/Port section, at the moment only the physical ports are listed there Eth2 to Eth10?
No, you don't need this, I assume some people tried to do some QinQ when they did that

BassTeQ · Mon Aug 13, 2018 12:05 pm

look at the differences in the screenshots in your posts # 27 & 29, by adding the bridge as tagged, you have removed ether2 which broke the setup again, add ether2 back as tagged

Thank you very much for your assistance, it's now working as expected!!!!

Help with Basic VLAN [SOLVED]

Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN

Re: Help with Basic VLAN [SOLVED]

Re: Help with Basic VLAN

Who is online