
 
mkx
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Using RouterOS to VLAN your network

Mon Feb 11, 2019 8:38 am

> Mikrotik uses VLAN ID 1 as synonym for untagged
This is, fortunately or unfortunately, not true. I used to think the same until I found out that it is not VLAN ID 1 which is always handled untagged, but actually "the VLAN ID which is configured as the bridge's own pvid parameter" which is treated as untagged on the bridge. If you change the bridge's own pvid to something other than 1, VID 1 starts behaving normally.
Perhaps things slightly changed with the advent of bridge vlan-filtering ... in earlier times, when the bridge was sort of a dumb switch, the bridge interface happily utilized packets belonging to VLAN ID 1 just the same as explicitly untagged ones, while one had to use a VLAN interface for the rest of the VLANs. This might explain why pvid=1 is the default setting ... to keep (broken) bridge port behaviour the same as it was before 6.42.
I guess this is the origin of @sindy's explanation about what happens on the bridge.

But then again, setting bridge's pvid to some other value and setting member interfaces' pvid to the same value re-instate the same behaviour ... seemingly untagged packets on bridge, but my own simplification covers that variant just the same.

Anyhow, I'll stop bitching about this ... it is one view vs. another one and unless some MT developer explains the way it's really implemented in ROS it's all just guessing.


> /interface bridge port
> add bridge=bridgeHallway comment=defconf interface=ether1 (pvid=1)
> add bridge=bridgeHallway comment=defconf interface=DevicesHallway pvid=45
>
> /interface bridge vlan
> bridge=homebridge untagged=ether1 vlan-ids=1 is correct as it is consistent with the other interfaces
>
> But what does that mean? Will the cAP ac remove VLAN ID 1 from packets going to the WLAN, so the packets will have VLAN ID 0, and if so how will that affect devices connecting?
> As you can surmise I am still not sure how to handle the bridge vlan for my cAP ac for ether1
There's a distinction between an untagged frame and a frame tagged with VLAN ID=1. The former has ethertype value 0x0800 (or, if it's not an IPv4 packet, the appropriate ethertype value); the latter has (outer) ethertype 0x8100 with an additional header (3 bits PCP - priority code point; 1 bit DEI - drop eligible indicator; and 12 bits VID, with value 1 in this particular case) followed by the usual ethertype 0x0800 (or, if it's not an IPv4 packet, the appropriate ethertype value).
So in the latter case, receiver would have to know how to deal with 802.1q frames (or blindly strip them which would become a problem in the other direction if switch/router actually expected 802.1q frames with VID set to 1) while in the former case it really is about truly untagged, plain ethernet.

In the quoted case cAPs really should strip VLAN headers even with VID=1 not to confuse wireless clients.
BR,
Metod
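The untagged-versus-VID-1 distinction described in the post above, as an added Python example (not code from this thread or from MikroTik): it parses an Ethernet II header, reports whether a frame is untagged, priority-tagged (0x8100 with VID 0) or tagged, strips the tag the way an AP should before handing a frame to a wireless client, and inserts one the way a trunk port does on egress. The field layout and ethertype values are the standard 802.1Q ones; the sample frame bytes are constructed for the demo.

```python
import struct

# Ethernet II / IEEE 802.1Q constants (standard values).
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into header fields.

    Untagged frame:  dst(6) src(6) ethertype(2) payload
    802.1Q frame:    dst(6) src(6) 0x8100(2) TCI(2) ethertype(2) payload
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return {"dst": dst, "src": src, "tagged": False, "pcp": None,
                "dei": None, "vid": None, "ethertype": ethertype,
                "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": inner, "payload": frame[18:]}


def classify(frame: bytes) -> str:
    """Classify a frame the way a bridge port's frame-types filter sees it:
    'untagged', 'priority-tagged' (0x8100 header with VID 0) or 'tagged'."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return "untagged"
    return "priority-tagged" if info["vid"] == 0 else "tagged"


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q header (what an AP does before sending to a
    wireless client). Untagged frames are returned unchanged."""
    if parse_frame(frame)["tagged"]:
        return frame[:12] + frame[16:]
    return frame


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q header (what a trunk port does on egress)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("VID/PCP/DEI out of range")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


# Constructed sample frame: broadcast, locally administered source MAC,
# and a placeholder IPv4 payload (only the ethertype matters here).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD
VID1_FRAME = add_tag(UNTAGGED_FRAME, vid=1)

if __name__ == "__main__":
    for f in (UNTAGGED_FRAME, VID1_FRAME):
        info = parse_frame(f)
        print(classify(f), info["vid"], hex(info["ethertype"]), len(f))
```

The tagged frame is exactly four bytes longer than the untagged one; a receiver that does not understand 0x8100 sees an unknown ethertype rather than an IPv4 packet, which is the practical difference between "untagged" and "tagged with VID 1".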
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Mon Feb 11, 2019 2:33 pm

Okay so then would this make sense for my capACs.....
/interface bridge vlan
bridge=bridge tagged=eth1 untagged=guest-wifi vlan-ids=200
bridge=bridge tagged=eth1 untagged=smart-devices vlan-ids=45
bridge=bridge tagged=eth1 untagged=homeuser-wifi vlan-ids=1

and because the previous post stated that vlan1 is untagged by default on the bridge we don't need the following as well
bridge=bridge untagged=eth1 vlan-ids=1 ???

In other words I don't know what to do with trunk port eth1 and vlan1 ????
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Using RouterOS to VLAN your network

Mon Feb 11, 2019 3:34 pm

The discussion with @sindy was, AFAIK, debate only about how bridge (port and something-like-a-switch) behaves. Now you have your dilemma about ether1 ...

With the first block of settings you're saying that ether1 should be tagged member of VID=1, thus frames, traveling on the wire, should have VLAN tags with VID=1.
With the second block, you're changing that to the state where frames, traveling on the wire, should be untagged when frame belongs to VID=1 inside cAP.

Regardless of VLAN ID (VID=1 should be considered just the same as other VIDs when on ethernet wire) settings should be consistent on both sides of wire. So setting on cAP should mirror those on router/switch/... (I don't know which device is on the other end of that UTP cable).
If you want to be consistent about VIDs on all of your LAN infrastructure devices, you should stick to all tagged trunks ... because it's just too easy to set port pvid on one end to something and on other end to something else. If frames traveled between those two ports tagged, you'd spot such error quite easily (VLAN wouldn't work).

As to how's VID=1 dealt with by default on bridge ... I'm all frustrated and I'll repeat once more (and then shut up forever): don't ever use VID=1 in any setup and always have frames tagged in LAN infrastructure ... untagged should only live on access points (wires outside active LAN infrastructure perimeter and wireless SSIDs). I'm sticking to these rules and I don't have any problems whatsoever (neither conceptual nor real).
Last edited by mkx on Mon Feb 11, 2019 4:02 pm, edited 1 time in total.
BR,
Metod
 
mozerd
Member Candidate
Posts: 250
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Using RouterOS to VLAN your network

Mon Feb 11, 2019 3:56 pm

> don't ever use VID=1 in any setup and always have frames tagged in LAN infrastructure ... untagged should only live on access points (wires outside active LAN infrastructure perimeter and wireless SSIDs). I'm sticking to these rules and I don't have any problems whatsoever (neither conceptual nor real).
100% agree.
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Mon Feb 11, 2019 7:07 pm

Okay so I will create a VLAN for my homelan which DOES NOT sit on vlan1 so to speak and thus will not be in this quandary LOL.
Thanks! Consistent also with pcunite using vlan10 for his MAIN LAN.

Okay, now Im stuck. I want to use vlan11 instead of 1, but the problem I am having is that
pcunite has bridge set to pvid=1

I want my bridge lan to be vlan 11

In other words his example now brings me to mkx's point that the default is far too confusing and we should avoid using vlan1 for everything.....
SO asking pcunite to use vlan=10 for his bridge so that it matches up with the NORMAL MAIN LAN of his examples!!!!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
joystick
just joined
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Using RouterOS to VLAN your network

Mon Feb 18, 2019 8:56 pm

Hi guys,

Even though I got help from this forum (anav), I'm still stuck.
I tried to follow "all in one" post but I need to have also a trunk port (ether5).
How can I do it (I need ID=1 and 10).?

This router is too complicated for me :( (I have a hAP ac2)
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Tue Feb 19, 2019 4:08 am

Go back to your original thread please for more assistance. :-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Sat Feb 23, 2019 4:32 am

Okay I made the big switch tonight using vlan11 vice vlan1 for my homelan.
Problem: No longer have access to my capacs :-(
Both of them are providing connectivity to the internet so there is at least that. ;-)
One note: both of them show in neighbours in winbox but come up with IP address 0.0.0.0 vice their actual IP.
On the config one spot I was not sure of is bridge ports for ether2,3 I have ingress filtering on??

Router steps Quick and Easy:
changed ip address and dhcp server interface to vlan11 from bridge (decoupled bridge from lan)
added vlan11 to my interface bridge vlan (tagged for bridge and both eth2, eth3 (if you recall eth2 goes to DLINK MS 24 port, and eth3 goes to 260GS in garage))
That's it!

Cap ACs (both)
(1) added vlan11 tagged on eth1, untagged on 5AC homeuser wifi WLAN interface.
(remember we do not tag the bridge on the capac for some reason LOL)
(2) added bridge port entry.

/interface bridge vlan (for one cAP ac; the other is the same except using 40 and 200 in place of 30 and 100)
add bridge=capbridge tagged=eth1 untagged=WLAN5 vlan-ids=11
add bridge=capbridge tagged=eth1 untagged=WLAN2 vlan-ids=30
add bridge=capbridge tagged=eth1 untagged=vWLAN5 vlan-ids=100

/interface bridge port
add bridge=capbridge interface=eth1
add bridge=capbridge interface=WLAN5 frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=capbridge interface=WLAN2 frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=capbridge interface=vWLAN5 frame-types=admit-only-untagged-and-priority-tagged pvid=100


DLINK switch:
Added vlan 11 to all trunk ports (leading to capac2, netgear switch, 260GS switch in basement (which feeds capac-1)),
changed all non-trunk ports to access ports pvid=11
(so my pc is on vlan11 and cannot reach the capacs but I can reach all switches................weird!!!)

260GS Basement
added vlan11 to port1 (From Dlink trunk port) and port 3 (going to capac) a trunk port.

Router:
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
    100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ
/interface bridge
add admin-mac=CC:2D:E0:F4:3F:AE auto-mac=no comment=defconf name=HomeBridge \
    vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=SOLAR-36 vlan-id=36
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VOIP_77 vlan-id=77
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
add interface=HomeBridge name=vlan11-home vlan-id=11
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANSwInt
add name=VLANSwoInt
/ip pool
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.150
/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=vlan11-home lease-time=1d \
    name=HoMeLAN
/interface bridge port
add bridge=HomeBridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=HomeBridge comment=defconf ingress-filtering=yes interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=VLANSwInt
/ip settings
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether2 vlan-ids=\
    30,36,40,45,100,200,666
add bridge=HomeBridge tagged=HomeBridge,ether3 vlan-ids=99,77,33
add bridge=HomeBridge tagged=HomeBridge,ether2,ether3 vlan-ids=11
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add interface=vlan11-home list=LAN
add interface=vlan11-home list=VLANSwInt
/ip address
add address=192.168.0.1/24 interface=vlan11-home network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24,192.168.2.100/32 port=xx
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.2.100/32 port=xx
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set interfaces=VOIP_77
/system clock
set time-zone-name=America/Moncton
/system identity
set name="MikroTik RM"
/system ntp client
set enabled=yes server-dns-names=time.nrc.ca,nrc.chu.ca
/system resource irq rps
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
..
FW Rules separated out
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=VLANSwInt src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state="" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
    "INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related

add action=drop chain=forward comment=" - Drop external DNS - UDP" \
    dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward comment=" - Drop external DNS - TCP" \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward comment=\
    " - Drop invalid/malformed packets" connection-state=invalid \
    log-prefix=INVALID
add action=accept chain=forward comment=\
    "defconf: accept established,related, " connection-state=\
    established,related
add action=accept chain=forward comment="ENABLE HomeLAN  to WAN" \
    in-interface=HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" \
    out-interface-list=WAN src-address=192.168.0.0/24
add action=accept chain=forward comment="allow VLANS  to WAN " \
    in-interface-list=VLANSwInt out-interface-list=WAN
add action=accept chain=forward comment="Admin_To_VLANS" \
    dst-address-list=VLANS-theo in-interface=vlan11-home log=yes log-prefix=\
    "Admin to VLANS" src-address=192.168.0.39
add action=drop chain=forward comment=\
    "Alex - DROP ALL other  FORWARD traffic" log-prefix="FORWARD DROP ALL"
..
So why can I not, with my PC being on vlan11, use winbox to see the capacs?
I see the router fine!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Using RouterOS to VLAN your network

Sat Feb 23, 2019 8:14 pm

capbridge (the port) should be tagged member of self (the something-like-a-switch) for vlan-id=11 and cap's IP setup should go on vlan11 interface.

It missed my mind why "we don't tag bridges on capacs" ... probably it doesn't make any sense to me, that's why ...
BR,
Metod
 
pcunite
Forum Veteran
Topic Author
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Using RouterOS to VLAN your network

Sat Feb 23, 2019 8:51 pm

> I made the big switch tonight using vlan11 vs. vlan1 for my homelan. However, I can no longer access my capacs to manage them. Remember we do not tag the bridge on the capac for some reason LOL. So why can I not, with my pc being on vlan11, use winbox to see capacs? I see the router just fine!

It is tricky to get a visual understanding of it all. Allow me to explain.

The VLAN examples show an underlying VLAN which I have termed the BASE_VLAN. Depending on what you intend to do with it, you could just as well think of it as being the Management VLAN (MGMT_VLAN). A careful look at the Access Point example appears to show that we do not tag the Bridge on Trunk ports (because IP Services are not needed). However, I do in fact tag the Bridge! It is shown later under the VLAN Security section. Now, why would I do that?

In my opinion, every device that participates in a VLAN network should be accessible by a Management VLAN, so that you can continue to access them remotely (in the sense of not standing in front of them, aka remote over Trunk). In the case of a Switch, sure, you can simply plug your laptop into a free port. But as you've discovered with Access Points, they have no free ports! Thus, Access Point bridges do in fact benefit from being tagged.

Tell me again why we tag Bridges?
For IP Services. In the Access Point example, the BASE_VLAN has an IP address assigned to it. That is an L3 feature, so we are in fact using L3 over an AP's Trunk port. IP Services (L3) requires tagged bridges.

Blame mkx for your troubles. He insisted I keep it clean and simple. : - )
Last edited by pcunite on Sat Feb 23, 2019 9:15 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Sat Feb 23, 2019 9:15 pm

Okay guys I have a perfect test for this.
I have a spare cable to my computer room and attached this to port 21 on the dlink and configured it as a hybrid pvid1 and tagged11.
Fired up my computer, NO internet access but I did get access on winbox to my capac2 also attached to a trunk port on this switch.
The capac1 not on a switch as goes from diff router port to 260GS switch so not visible.

I am now going to add tagging bridge as well to see if this makes the diff!!

Failed. I added the bridge on capac2 to my vlan11 line
add bridge=bridge tagged=bridge,eth1 untagged=WLAN5gig vlan-ids=11

On hybrid port my computer can still see and modify via winbox
No internet

On access port my computer cannot access winbox (ip address 0.0.0.0 does show for it though but no access via proper IP address or mac address)
Good internet.
++++++++++++++++
@mkx the capac2 IP address is on vlan11 (I changed my homelan interface from bridge to vlan11)
@mkx are you saying that
bridgeport interface=eth1 should have a pvid setting of 11 (THAT IS WRONG............ its a trunk port)
The bridgeport interface=WLAN5g has pvid=11 (that is correct)

@mkx or are you saying when creating the bridge
add bridge=bridge ingress filtering=yes PVID=11???

Capac2config
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
/interface bridge
add admin-mac=xx auto-mac=no comment=defconf name=\
    bridgeHallway vlan-filtering=yes
/interface vlan
add interface=bridgeHallway name=Guests_WIFI-v200 vlan-id=200
add interface=bridgeHallway name=Wifi_SDevices_cap2 vlan-id=45
add interface=bridgeHallway name=homevlan vlan-id=11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=Hallway_wifi supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=devices_only supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=HouseGuestsSecurity supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-g/n basic-rates-b="" \
    country=canada disabled=no distance=indoors frequency-mode=\
    regulatory-domain installation=indoor mac-address=CC:2D:E1:AF:73:91 mode=\
    ap-bridge name=DevicesHallway rate-set=configured scan-list=\
    2412,2437,2462 security-profile=devices_only ssid=RD2 supported-rates-b=\
    "" wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac \
    channel-width=20/40mhz-Ce country=canada disabled=no frequency-mode=\
    regulatory-domain mode=ap-bridge name=Hallway5G rate-set=configured \
    scan-list=5175-5185,5195-5205,5215-5225 security-profile=Hallway_wifi \
    ssid=Hallway_CellPhones wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
add disabled=no mac-address=CE:2D:E2:AF:73:92 master-interface=Hallway5G \
    name=VisitorWIFI security-profile=HouseGuestsSecurity ssid=Guest_Wifi \
    wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=DevicesHallway pvid=45
add bridge=bridgeHallway comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=Hallway5G pvid=11
add bridge=bridgeHallway frame-types=admit-only-untagged-and-priority-tagged \
    interface=VisitorWIFI pvid=200 trusted=yes
/interface bridge vlan
add bridge=bridgeHallway tagged=ether1 untagged=DevicesHallway vlan-ids=45
add bridge=bridgeHallway tagged=ether1 untagged=VisitorWIFI vlan-ids=200
add bridge=bridgeHallway tagged=bridgeHallway,ether1 untagged=Hallway5G vlan-ids=11
/ip address
add address=192.168.0.112/24 disabled=yes interface=ether2 network=\
    192.168.0.0
/ip route
add disabled=yes distance=1 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24 port=xx
set api disabled=yes
set winbox address=192.168.0.0/24 port=xx
set api-ssl disabled=yes
..
I note in your config you dont have the WLANS tagged with eth1?? But I do?
The only time you have eth1 tagged is for the line wanting base vlan etc.................
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Wed Mar 06, 2019 4:18 pm

Looking at the example of all in one..........

(1) what the heck is base vlan???????????????
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN

I also see base vlan in the first router example???
Ahh Okay its the homelan so to speak and using vlan99 here

BUT - I am not sure why assigning ether7 to be an access port has anything to do with admin access - very confused.
On top of that you have left the bridge assigned pvid=1 ????
If 99 is your base vlan, why is it not.

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no pvid=99 ?????????????????????
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pcunite
Forum Veteran
Topic Author
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Using RouterOS to VLAN your network

Thu Mar 07, 2019 6:15 pm

> 1) What the heck is BASE_VLAN?
> 2) Why assign ether7 to be an access port?

The BASE_VLAN is a special network for accessing the MikroTik hardware. A network consists of routers, switches, and APs, so if every device has a BASE_VLAN interface, you can Winbox them from this special MGMT network. The firewall allows all input from this interface.

The above works great. However, I show optionally, what to do if you need physical access to a device if the router (RoaS) would be down. A special MGMT port will allow you to configure the device (but you could just use the console port). It shows how the BASE_VLAN can allow control to a device in front of you with your laptop plugged in directly. Recall that all other ports are blocking access to the device itself. You don't need it, it is just there for illustration.
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Thu Mar 07, 2019 6:42 pm

Well I beg to differ. I now understand why you made ether7 an access port but the rest of the discussion has not been resolved.
Many are having problems trying to implement your examples and many issues stem from the lack of clarity on pvid=1 vs pvid=99.
In other words what is being assigned to the bridge.................. and what effect it has on reaching devices such as router, switches, APs etc if selected either way??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pcunite
Forum Veteran
Topic Author
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Using RouterOS to VLAN your network

Thu Mar 07, 2019 7:08 pm

> The rest of the discussion has not been resolved. Many are having problems trying to implement your examples and many issues stem from the lack of clarity on pvid=1 vs pvid=99. In other words, what is being assigned to the bridge, and what effect it has on reaching devices such as router, switches, APs, etc.

The bridge itself (aka BR1 there is only ever one bridge in my examples), should not have a pvid set, but instead should be left to the default of 1. I don't illustrate nor support the concept of a Native VLAN in these examples.

Quick Overview:
Bridge ~ pvid = 1
Access Port ~ pvid = 2 to 4095, pick your fav
Trunk Port ~ pvid = 1

All Access ports need ingress-filtering=yes, frame-types=admit-only-untagged-and-priority-tagged set and all Trunk ports need ingress-filtering=yes frame-types=admit-only-vlan-tagged set on them. At this point, you are locked out of the device! Thus, the concept of a BASE or MGMT VLAN is necessary.
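How pvid, frame-types, ingress-filtering and the tagged/untagged membership sets decide which frames reach which ports, and in particular whether a frame reaches the bridge's own CPU-side port (the point made by mkx's "capbridge should be tagged member of self" and by pcunite's explanation of why AP bridges get tagged), as an added Python model that is not RouterOS code and not from this thread's authors. It is deliberately simplified, with one stated assumption: as RouterOS does with its dynamic VLAN entries, every port, the bridge itself included, is treated as an untagged member of its own pvid. The port and bridge names are taken from anav's cAP config above; the layout is reduced to one trunk and one access SSID.

```python
from dataclasses import dataclass, field

# frame-types values as RouterOS spells them.
ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False


@dataclass
class Bridge:
    """Toy VLAN-filtering bridge. The bridge's CPU-side port is a Port whose
    name equals the bridge name, which is how RouterOS lets you list the
    bridge itself in a VLAN entry's tagged/untagged sets."""
    name: str
    pvid: int = 1
    ports: dict = field(default_factory=dict)
    vlans: dict = field(default_factory=dict)   # vid -> (tagged set, untagged set)

    def __post_init__(self):
        self.ports[self.name] = Port(self.name, pvid=self.pvid)

    def set_bridge_pvid(self, vid: int) -> None:
        self.pvid = vid
        self.ports[self.name].pvid = vid

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def add_vlan(self, vid: int, tagged=(), untagged=()) -> None:
        self.vlans[vid] = (set(tagged), set(untagged))

    def members(self, vid: int):
        """Static entry plus the dynamic membership this model assumes (as
        RouterOS's D-flagged entries do): each port, bridge included, is an
        untagged member of its own pvid."""
        tagged, untagged = self.vlans.get(vid, (set(), set()))
        tagged, untagged = set(tagged), set(untagged)
        for p in self.ports.values():
            if p.pvid == vid and p.name not in tagged:
                untagged.add(p.name)
        return tagged, untagged

    def ingress(self, port_name: str, vid):
        """Classify an arriving frame (vid=None means untagged). Returns the
        VID the frame is placed in, or None if the port drops it."""
        port = self.ports[port_name]
        if vid is None:                       # untagged (or priority-tagged)
            if port.frame_types == ADMIT_TAGGED:
                return None
            vid = port.pvid
        elif port.frame_types == ADMIT_UNTAGGED:
            return None                       # tagged frame on an access port
        if port.ingress_filtering:
            tagged, untagged = self.members(vid)
            if port_name not in tagged | untagged:
                return None                   # port is not a member of that VLAN
        return vid

    def forward(self, port_name: str, vid):
        """Flood a frame to all other members; returns {port: sent tagged?}
        or None when ingress dropped it."""
        vid = self.ingress(port_name, vid)
        if vid is None:
            return None
        tagged, untagged = self.members(vid)
        out = {p: True for p in tagged if p != port_name}
        out.update({p: False for p in untagged if p != port_name})
        return out


def build_cap(bridge_tagged: bool, harden_trunk: bool = False) -> Bridge:
    """One trunk (ether1) and one access SSID (Hallway5G, VID 11) on
    bridgeHallway, reduced from anav's cAP config. bridge_tagged adds the
    bridge itself to VID 11's tagged set; harden_trunk applies the
    admit-only-vlan-tagged + ingress-filtering rule for trunk ports."""
    cap = Bridge("bridgeHallway")
    cap.add_port(Port("ether1", pvid=1,
                      frame_types=ADMIT_TAGGED if harden_trunk else ADMIT_ALL,
                      ingress_filtering=harden_trunk))
    cap.add_port(Port("Hallway5G", pvid=11, frame_types=ADMIT_UNTAGGED,
                      ingress_filtering=True))
    tagged = {"ether1", "bridgeHallway"} if bridge_tagged else {"ether1"}
    cap.add_vlan(11, tagged=tagged, untagged={"Hallway5G"})
    return cap


if __name__ == "__main__":
    for flag in (False, True):
        print("bridge tagged:", flag, "->", build_cap(flag).forward("Hallway5G", None))
```

Run it and the two cases differ only in whether `bridgeHallway` appears in the egress set: without the bridge in VID 11's tagged set, a VID 11 frame from the SSID or the trunk is flooded to the other member ports but never reaches the CPU, so the vlan11 interface carrying the cAP's IP address never sees it. The model also reproduces the VID 1 effect from earlier in the thread: with the default bridge pvid of 1, an untagged frame on the trunk lands on the CPU in VID 1, and moving the bridge pvid to 11 ends that.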
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Thu Mar 07, 2019 9:45 pm

Concur and I am using vlan10 as base vlan.
The bridge is by itself, no vlan assigned and no subnet assigned.
However when I do that I lose connectivity to my capACs and router, they no longer showup in winbox.
I have to go back to lan on bridge and lan traffic on pvid=1 to see my devices.

Should I be associating the bridge on capacs to pvid=10 ,,,,,,,,,, I think not.
So how do I ensure all devices are still reachable.

To reiterate my homelan is put on vlan10 in the above scenario, the capacs have a vlan10 address (are on my homelan subnet).
Yet I lose connectivity and funny things happen. Have not been able to nail it down yet.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pcunite
Forum Veteran
Topic Author
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Using RouterOS to VLAN your network

Thu Mar 07, 2019 11:21 pm

> I lose connectivity to my cAP ACs and router, they no longer show up in Winbox. How do I ensure all devices are still reachable?

Winbox accessibility and visibility are two different features that are possible with MikroTik products. When using VLANs, the Neighbor Discovery protocol will not show devices as visible unless you are on the same VLAN L2 broadcast domain. However, you can always access your devices, using L3 features, if you have configured the firewall to allow for this.

Okay, so let's go over L3 accessibility. This is a Security concept. I've not yet finished writing that section (if I ever do). It is very personable and endlessly customizable. This is what makes it confusing to design because there are so many ways to do it.

MGMT (BASE_VLAN)
Configure the firewall and allow Winbox (8291) access from one or more networks. You could also allow based on port, IP, interface, etc. The point is that you must allow 8291 access from somewhere. You have to pick something and you have to do it before you're locked out.

# "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=BLUE_VLAN  list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN   list=VLAN
add interface=BASE_VLAN  list=BASE

# Set the VLAN that can "see" L2 broadcast for Neighbor Discovery protocol
/ip neighbor discovery-settings set discover-interface-list=BASE

# Setup a firewall to allow connecting to Winbox (via L3 IP Address)
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to use DNS services running on the Router
add chain=input action=accept dst-port=53 in-interface-list=VLAN protocol=udp comment="Allow VLAN DNS"

# Allow VLANs to access everything on the Router. NOT recommended
add chain=input action=accept disabled=yes in-interface-list=VLAN comment="Allow VLAN Everything"

# Allow BASE (MGMT) VLAN access to everything. Recommended
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan to MikroTik"

# Allow Winbox access from a list of IP addresses. Change this to be different interfaces, whatever you want
add chain=input action=accept dst-port=8291,22 protocol=tcp src-address-list=RemoteAccess comment="Remote Winbox"

# Standard VLAN rules
add chain=input action=drop comment=Drop
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment=Drop

Okay, so the above allows access to the router itself (RoaS), that's nice. But what about all the other devices on the BASE_VLAN? There are two ways to get access to them. The easiest way is to simply become a member of the BASE_VLAN. You'll need an access port or SSID, but once you're on that network, you are in the MGMT layer. This is why I show a BASE_VLAN (id 99) option. But this is not always practical. What if you need to be on the RED_VLAN and need to connect via Winbox to an AP to change something?

Well, just like before, it all comes down to firewall rules. This time, we configure them in the forward chain. You could do something like this:

/ip firewall filter

# Forward rules that allow for port forwarding
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 comment="Allow port forwards"
add chain=forward action=drop comment=Drop

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Winbox to AP1 & AP2
add chain=dstnat action=dst-nat dst-port=8301 to-ports=8291 in-interface=ether1 protocol=tcp to-addresses=10.0.0.2 src-address-list=RemoteAccess
add chain=dstnat action=dst-nat dst-port=8302 to-ports=8291 in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 src-address-list=RemoteAccess
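A first-match walk through the input-chain rules in the post above, as an added Python example (not RouterOS code and not the post author's own) to show why a host on RED_VLAN cannot open Winbox on the router while a BASE_VLAN host or a RemoteAccess address can. The rules and interface lists mirror the post; the sample packets and the RemoteAccess entry (203.0.113.10, a documentation-range address) are constructed.

```python
from dataclasses import dataclass

# Interface lists from the post above.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "VLAN": {"BASE_VLAN", "BLUE_VLAN", "GREEN_VLAN", "RED_VLAN"},
    "BASE": {"BASE_VLAN"},
}
# The post does not show the RemoteAccess list contents; this entry is constructed.
ADDRESS_LISTS = {"RemoteAccess": {"203.0.113.10"}}

# Input chain in the post's order; the disabled rule is kept to show it is skipped.
INPUT_RULES = [
    {"action": "accept", "connection_state": {"established", "related"},
     "comment": "Allow Estab & Related"},
    {"action": "accept", "dst_port": {53}, "in_interface_list": "VLAN",
     "protocol": "udp", "comment": "Allow VLAN DNS"},
    {"action": "accept", "disabled": True, "in_interface_list": "VLAN",
     "comment": "Allow VLAN Everything"},
    {"action": "accept", "in_interface": "BASE_VLAN",
     "comment": "Allow Base_Vlan to MikroTik"},
    {"action": "accept", "dst_port": {8291, 22}, "protocol": "tcp",
     "src_address_list": "RemoteAccess", "comment": "Remote Winbox"},
    {"action": "drop", "comment": "Drop"},
]


@dataclass
class Packet:
    in_interface: str
    protocol: str
    dst_port: int
    src_address: str
    connection_state: str = "new"


def matches(rule: dict, pkt: Packet) -> bool:
    """A rule matches only if every criterion it specifies matches the packet;
    criteria the rule omits match anything, as in RouterOS."""
    if rule.get("disabled"):
        return False
    if "connection_state" in rule and pkt.connection_state not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt.protocol != rule["protocol"]:
        return False
    if "dst_port" in rule and pkt.dst_port not in rule["dst_port"]:
        return False
    if "in_interface" in rule and pkt.in_interface != rule["in_interface"]:
        return False
    if "in_interface_list" in rule and \
            pkt.in_interface not in INTERFACE_LISTS[rule["in_interface_list"]]:
        return False
    if "src_address_list" in rule and \
            pkt.src_address not in ADDRESS_LISTS[rule["src_address_list"]]:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """The first matching rule decides, as in a RouterOS chain.
    Returns (action, comment of the deciding rule)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "chain default"   # RouterOS accepts when nothing matches


if __name__ == "__main__":
    for pkt in (Packet("RED_VLAN", "tcp", 8291, "10.0.3.20"),
                Packet("BASE_VLAN", "tcp", 8291, "10.0.99.20"),
                Packet("ether1", "tcp", 8291, "203.0.113.10")):
        print(pkt.in_interface, pkt.src_address, "->", evaluate(INPUT_RULES, pkt))
```

The RED_VLAN Winbox attempt falls through every accept rule and hits the final drop, which is exactly the "you are locked out" state the post describes unless a BASE_VLAN, a RemoteAccess entry, or a forward-chain/dst-nat path like the one at the end of the post is in place before the drop rule.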
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Sat Mar 09, 2019 8:22 pm

Thanks PCUNITE, concur matter of ip services winbox and also MAC SERVER under tools (ensuring management vlan is the interface so designated).
Understand about L3 if require access from a different LAN or VLAN will depend upon firewall rules and ensuring the PC (the non vlan IP) has permissions to access winbox.

For me the granular change required is to ensure the management vlan AND BRIDGE itself are tagged on the Trunk port (for my capac).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Wed Apr 10, 2019 3:30 am

The evolution of the examples is going great. Very useable and straightforward.
I also note that MT is working hard to try and keep their wiki on the topic in better shape too.
One thing they do discuss that you don't mention is hybrid ports.
Where PVID is set but also other vlans are tagged on the same port. I believe they say that is not a safe way to operate security-wise in conclusion but it wasn't clear.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pcunite
Forum Veteran
Forum Veteran
Topic Author
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Using RouterOS to VLAN your network

Wed Apr 10, 2019 5:37 am

One thing MikroTik discusses that you don't mention is hybrid ports ... I believe they say this is not a safe way to operate security wise in conclusion but it wasn't clear.

If you trust your equipment, yourself, and your end users, you can use hybrid ports. You're giving a device the ability to send packets with or without a tag. This can be valid for when you want to connect a PC to a VoIP phone.

VoIP phones are really two port switches. One port for themselves, and the other for another device. This is done so that only one port on your switch gets utilized (because running two network drops to each desk is not as cost effective). Traffic from this mini VoIP switch can be tagged (itself) or tagless (the PC).

Unfortunately, this means that an intruder might have the opportunity to access your VoIP VLAN. Imagine someone unplugging both the VoIP phone and the PC. Then plugging in a rogue switch into your hybrid port. They get to choose the VoIP VLAN. Their rogue laptop, connected to this rogue switch, starts hacking away at your PBX server. In any event, they have the security and QoS behavior of the VoIP VLAN. That can be good or bad for their intentions.
 
anav
Forum Guru
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Wed Apr 10, 2019 2:43 pm

I was more thinking of the home scenario where I had my Managed Switch (dlink) which was feeding an unmanaged switch in the basement to which a CAPAC was attached.
The capac needed vlans but the unmanaged switch wasn't cutting the mustard. The hybrid feed from the dlink actually worked and was fine for home but not for a business environment.
Since I changed my homelan to a vlan, the option was removed and replaced with a more secure method that you describe in your article. At least I know the option of hybrid is there if ever required.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Using RouterOS to VLAN your network

Wed Apr 10, 2019 4:53 pm

To add my 5 cents: I don't think using hybrid ports is any less (or more) secure than using trunk (or untagged access) ports. Actually using VLANs doesn't change anything with regard to security ... if a plaintiff has physical access to LAN infrastructure, then he's in admin's nightmare already.
BR,
Metod
 
anttech
just joined
Posts: 12
Joined: Mon Jan 14, 2019 12:05 am

Re: Using RouterOS to VLAN your network

Thu Apr 11, 2019 5:17 pm

Hi all

I have been using the info on this page to set up vlans.

The vlans seem to work but I want to route traffic between them.

Here is my config file, I need to get this working asap.

I have a Hex router and have set up port 4 as one VLAN and port 5 as another and want to be able to ping traffic on either vlan from the other.
Here is the config



/interface bridge
add admin-mac=B8:69:F4:BF:6A:40 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=Control vlan-id=20
add interface=bridge name=Lighting vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=control-dhcp ranges=10.0.100.230-10.0.100.249
add name=Lighting-dhcp ranges=10.101.10.230-10.101.10.249
/ip dhcp-server
add address-pool=control-dhcp disabled=no interface=Control name=control
add address-pool=Lighting-dhcp disabled=no interface=Lighting name=lighting_dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=lighting tagged=bridge untagged=ether5 vlan-ids=10
add bridge=bridge comment=control tagged=bridge untagged=ether4 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Lighting list=VLAN
add interface=Control list=VLAN
/ip address
add address=10.0.100.254/24 comment=defconf interface=Control network=10.0.100.0
add address=10.101.10.254/24 interface=Lighting network=10.101.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.100.0/24 comment=defconf gateway=10.0.100.254
add address=10.101.10.0/24 gateway=10.101.10.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN inter-VLAN routing" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Forum Guru
Posts: 3770
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using RouterOS to VLAN your network

Thu Apr 11, 2019 6:07 pm

I cannot spot anything wrong in your configuration, so if you cannot ping between devices in different VLANs, I'd blame the firewalls on those devices themselves. Use /ip dhcp-server lease print to check that the devices in both VLANs got their IP addresses and accepted them, and then use /tool sniffer to see whether ping requests from a device in one VLAN are being sent out the etherX serving as access one to the other VLAN (which will confirm that Mikrotik routes them properly).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mixig
Member Candidate
Member Candidate
Posts: 263
Joined: Thu Oct 27, 2011 2:19 pm

Re: Using RouterOS to VLAN your network

Fri Jun 07, 2019 7:05 pm

This is great but I have one question regarding this topic (example is from wiki):
Add the bridge ports and specify PVID for each access port:

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3 pvid=30
Note: PVID has no effect until VLAN filtering is enabled.


Add appropriate entries in the bridge VLAN table:

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30

Why do we need to configure untagged=ether2 vlan-ids=20 in /interface bridge vlan when in the step before we set up PVID 20 (same for ether3, where PVID 30 is configured)?
It also works fine without specifying that particular port as untagged (PVID will automatically add that port to the current untagged...
 
anav
Forum Guru
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Fri Jun 07, 2019 9:06 pm

@anttech, this thread is to discuss the examples provided by the author. If you are having VLAN issues please start another thread. When you do I will point out the obvious error I spotted. :-)

@mixig, please read through the reference from beginning to end, the answer you seek is answered within, hint - when you understand the purpose of both functions and how they pertain to the ingress and egress of vlan packets.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
plisken
Forum Guru
Forum Guru
Posts: 2399
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: Using RouterOS to VLAN your network

Sat Jun 29, 2019 2:32 pm

Great job and very informative. Thank you for this.
I am looking for a VLAN configuration for my CCR-1036, with VLANs 10, 20 and 30 for example.
I want two trunks, one of which goes to a CRS 328 with VLANs 10, 20 and 30 via SFP+1; the second SFP port would be used as a trunk to the CRS-326 with VLANs 20 and 30 as
I would also like to set Ethernet ports 23 and 24 as a trunk for connecting a Unifi controller and Unifi access point.

Can you work this out if you want?
regards
Plisken
 
sindy
Forum Guru
Forum Guru
Posts: 3770
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using RouterOS to VLAN your network

Sat Jun 29, 2019 3:11 pm

Can you work this out if you want?
I don't think this is the correct topic for this. By means of software bridges, this can be done using the information provided by @pcunite, who has stated the purpose of this topic to be a substitute for a missing layer of the documentation, not a place where people could ask for individual help. So if individual help is what you need, open a new topic for that, please.

If you had in mind extending this topic with howtos for use of hardware VLAN filtering on different switch chip types and the particular configuration you've suggested was just an example, I don't know how to do that any simpler/more comprehensible than the official wiki on the switch chip features.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
HiltonT
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Mon Feb 07, 2011 4:24 am
Location: 'Srayamate

Re: Using RouterOS to VLAN your network

Fri Jul 19, 2019 1:31 am

"The router's Purple Trunk port sees a Blue DHCP request and spins up a Blue DHCP server running on a configured Blue VLAN interface."

That's not actually how it works. The DHCP Server needs to be set up and running - it isn't "spun up" by the router receiving a DHCP Request from a device.

Now, I know that you know that, but the wording as originally presented is incorrect and may be confusing for some.
Regards,
Hilton Travis
 
benjaminhso
just joined
Posts: 5
Joined: Wed Jul 17, 2019 4:53 pm

Re: Using RouterOS to VLAN your network

Fri Jul 19, 2019 4:52 pm

Thank you very much PCunite for your tutorial. It helped a lot.

Maybe somebody has an idea.

I configured the CRS328 like the Switch CRS. VLAN separation is working.

But I don't want to use an external Router (it's a testing setup), so I tried to configure the CRS328 also for routing between the VLANs, like it's described in the router.rsc with:
# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
But now when I try to ping the Blue-VLAN interface from any client in the VLAN there is no response. Also DHCP is not working. I also tried the VLAN interface as untagged and tagged IF in the VLAN.

Can anybody explain to me where my thinking fault is?

Thanks Benjamin
 
sindy
Forum Guru
Forum Guru
Posts: 3770
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using RouterOS to VLAN your network

Sat Jul 20, 2019 9:08 am

Can anybody explain to me where my thinking fault is?
Create a new dedicated topic and post the complete config there. The few lines you've posted look fine as such so there is likely a firewall issue.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
marinaman
newbie
Posts: 32
Joined: Tue Jul 30, 2019 9:40 pm

Re: Using RouterOS to VLAN your network

Thu Aug 01, 2019 7:32 pm

Hi pcunite, this is a great thread/work! I need help; are you for hire?

If so - how can I contact you?

Thanks
 
anav
Forum Guru
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using RouterOS to VLAN your network

Thu Aug 01, 2019 7:50 pm

I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
