joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Mikrotik VLAN setup

Wed Jan 09, 2019 4:12 pm

Dear all,

This is my first post on this forum. I'm very happy with my router: MK HaP AC2. I have a residential PPPoE gigabit internet connection.
I bought this device because I'd like to create 2 separated networks. My actual network is 192.168.0.0/24.
I need to link 1 SSID and 1 device port to the IoT devices.
The second port will be connected to a TP-Link switch with management. I will also connect some wired IoT devices, but also my private network.

I have some IoT devices that should be placed in a separated network so my plan looks like this:
1. 2 SSID (1 for both networks) =>done
2. Addresses 192.168.0.0/24 and 192.168.10.0/24 (default one and another one) => Done
3. 2 DHCP servers 1 default and the second one for 192.168.10.0/24 => Done

The problem is that I don't know what I should do next.
I created with success a different configuration with 2 VLAN
192.168.0.0/24 => the management network
192.168.10.0/24 => VLAN 10 for private network
192.168.20.0/24 => VLAN 20 for IoT devices.

Everything was ok but:
- I couldn't connect the SSID to the VLAN
- I prefer to have just 1 VLAN if possible, and the management network to be the same as my private network.

I don't know how to use the CLI :(.

Can someone help me a little bit?

Thank you for your time.
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Wed Jan 09, 2019 5:35 pm

You already have a private VLAN, the default VLAN of PVID 1.
What you have created extra is a management VLAN and, to be honest, I don't yet see the need for this type of VLAN.
Where is the added value?

So I will look at it from that perspective; if you want to add a management VLAN afterwards, fill your boots.

/interface bridge
# admin-mac was left blank in the post; replace the placeholder with your bridge MAC
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=HomeBridge \
    protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=HomeBridge name=loT_devices20 vlan-id=20

All the usual setup based on the following
192.168.0.0/24 => the private network (using default vlan1, transparent) (homelan)
192.168.20.0/24 => VLAN 20 for IoT devices

WLAN1 for private network
WLAN2 for loT devices running over vlan20.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
# access port for VLAN 20: untagged on the wire, tagged with pvid 20 on ingress
add bridge=HomeBridge comment=defconf interface=ether2 pvid=20 ingress-filtering=yes
# trunk port wired to the switch: only VLAN-tagged frames are admitted
add bridge=HomeBridge comment=defconf interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=HomeBridge interface=wlan1
add bridge=HomeBridge interface=wlan2

/interface bridge vlan
# the access port (ether2) is an untagged member; CPU, trunk and wlan2 carry VLAN 20 tagged
add bridge=HomeBridge tagged=HomeBridge,ether3,wlan2 untagged=ether2 vlan-ids=20

/interface list member
# ether1 is assumed to be your ISP connection
add comment=defconf interface=ether1 list=WAN
# this covers the default private LAN network and wlan1/wlan2
add comment=defconf interface=HomeBridge list=LAN
# this covers the VLAN
add interface=loT_devices20 list=LAN

Be sure to include the following rules besides the others.......
/ip firewall filter
# forward chain (WAN is an interface list, so match it with out-interface-list)
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    HomeBridge out-interface-list=WAN
add action=accept chain=forward comment="ENABLE VLAN20 to WAN" in-interface=\
    loT_devices20 out-interface-list=WAN

In the wireless setup, WLAN1 affiliated interface is HomeBridge, and WLAN2 affiliated interface is loT_devices20.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Thu Jan 10, 2019 9:14 am

Thank you very much.
I don't have access to the router at this moment but I will try to configure it tonight.

It is not very easy but I hope that I will be able to do it.

I'll come back with feedback. And yes, you are right, I don't need a management network. I followed an example from another site... but I prefer your solution. This was also my idea.

Thanks again.
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Tue Feb 19, 2019 4:07 am

Post your config here so we can help.

/export hide-sensitive file=yourconfig
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Tue Feb 19, 2019 9:36 pm

Thank you anav.
I tried your config but I did something wrong.
Then I tried to follow pcunite's post. I did it, but I kept the firewall default settings because I saw some strange logs when I removed all default rules.
At this moment I don't have the router on my network; I have it on my table. I also have a TP-Link TL-SG108E (VLAN capable). I want to use a cable from port 4 to switch port no. 1.
On port 2 of the switch I want to have VLAN 1 and on port 3 I want to have VLAN 10. From port 8 I'll go to another switch. I think that I can handle the switch settings (I did it before).

I wish to have a trunk port on ether5.

With this config:
- I receive different IPs on the 2 VLANs (1 and 10). I liked your idea about having the "private network in pvid 1".
- If I ping the gateway of the other VLAN from each VLAN, I receive a response.
I stopped here because I can't change my default router each time, because I will have a fight with my wife :)))

I didn't try to access the NAS connected to the second vlan or something like this. I should take it step by step.


# feb/19/2019 23:02:09 by RouterOS 6.43.7
# software id = 4LJ9-06RT
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE093Axxx
/interface bridge
add admin-mac=B8:69:F4:2F:x:x auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=BV1637xxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    ReteaAcasaMK wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-2FA7D2 wireless-protocol=802.11
/interface vlan
add interface=bridge name=ReteaAcasaIoTMK_VLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=guest supplicant-identity=""
/interface wireless
add disabled=no mac-address=BA:69:F4:2F:A7:D1 master-interface=wlan1 name=\
    wlan3 security-profile=guest ssid=ReteaAcasaIoTMK
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=ReteaAcasaMK_POOL ranges=192.168.0.2-192.168.0.254
add name=ReteaAcasaIoTMK_POOL ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=ReteaAcasaMK_POOL disabled=no interface=bridge name=\
    ReteaAcasaMK_DHCP
add address-pool=ReteaAcasaIoTMK_POOL disabled=no interface=\
    ReteaAcasaIoTMK_VLAN name=ReteaAcasaIoTMK_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5,wlan3 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ReteaAcasaIoTMK_VLAN list=VLAN
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
add address=192.168.10.1/24 interface=ReteaAcasaIoTMK_VLAN network=\
    192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Tue Feb 19, 2019 10:29 pm

Hi there,
It looks pretty good after a quick review.

I would change your server network DNS setup so it's consistent.
Make both of them 192.168.0.1 and 192.168.10.0 respectively.
Add 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare) or 208.67.220.220 (OpenDNS) or any combo thereof under
/ip dns

Then delete the default static DNS setting you have under IP DNS.

Kewl, you got three WLANs; on my capAC I get two WLANs, and if I want more I make virtual wlans.

Okay after looking again I think MAYBE but not sure you are missing one bridge interface vlan rule....... but not sure

however I think by default that is implicitly there already as the bridge is assigned pvid=1.
Which still means I am not sure what is wrong here????
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Wed Feb 20, 2019 2:48 pm

Hi anav,

Thank you for your review.

Ok, I will modify the DNS... and I will continue to play with the settings.

Have a nice day!
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Wed Feb 20, 2019 6:49 pm

Took another look saw this default setting still set to yes, which you should set to NO.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=BV1637xxx

that tells the router to use ISP DNS and I believe you wanted all the DNS to use 8.8.8.8 or whatever DNS you chose in the IP DNS settings.

For the bridge ports that are access ports (for vlan10), in other words they are tagged on ingress to the router and stripped on egress back out the port, it would not hurt to state
or use the admit-frames-only feature on the bridge port setting, such as admit only untagged, for optimal security.

What is it that you cannot do at the moment so we can focus better?
Also please post your latest config.
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Fri Feb 22, 2019 6:16 pm

For the moment I don't use the internet (at this stage because I keep the router on my desk).
So, the main problem is that I want to have a trunk port (with both VLANs 1 and 10)... let's say no. 4.
I use a switch and I want to have ports 2-5 on VLAN 1 and 6-8 on VLAN 10.
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Fri Feb 22, 2019 9:24 pm

/interface bridge port
add bridge=bridge interface=ether4
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=10
# use "set" instead of "add" if the ether4 port and the VLAN 10 entry already exist in your config

Assuming this is a separate switch
Assuming its a managed switch of some unknown brand

eth4 router goes to eth1 switch (trunk port to trunk port)
switch eth2-5 basically just keep as default no change required.
switch eth6-8 access port, pvid set to vlan-id 10 (accept untagged packets on ingress, strip on egress)
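Added example, written for this thread and not part of anav's or joystick's configs: a complete, minimal RouterOS 6.4x script for the layout the thread converges on (home LAN untagged on pvid 1, IoT on VLAN 10), with ether4 as the trunk to the switch, ether5 and wlan3 as VLAN 10 access ports, and firewall rules that give IoT devices internet plus DNS/DHCP from the router and nothing else, so the IoT VLAN cannot reach the home LAN (the reason for splitting the networks in the first post). The port roles, pool names, the IOT interface list, the DNS server choice and the PPPoE placeholders are my assumptions; interface names and addresses follow the ones used in the thread.

```routeros
# Added example (not from the thread). Assumed roles:
#   ether1 = ISP (PPPoE), ether4 = trunk to managed switch,
#   ether5 = wired IoT access port, wlan1/wlan2 = home SSIDs, wlan3 = IoT SSID.
/interface bridge
add name=bridge vlan-filtering=no
/interface vlan
add interface=bridge name=vlan10 vlan-id=10

/interface pppoe-client
add interface=ether1 name=pppoe-out1 user=YOUR_ISP_USER password=YOUR_ISP_PASSWORD \
    add-default-route=yes use-peer-dns=no disabled=no

/interface list
add name=WAN
add name=LAN
add name=IOT
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=vlan10 list=IOT

/interface bridge port
# home LAN ports: untagged, VLAN 1 via the bridge's default pvid
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
# trunk to the switch: VLAN 1 untagged (pvid=1) plus VLAN 10 tagged
add bridge=bridge interface=ether4 pvid=1 ingress-filtering=yes
# IoT access ports: only untagged frames admitted, placed in VLAN 10 on ingress
add bridge=bridge interface=ether5 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan3 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# VLAN 10 is tagged towards the CPU (bridge) and the trunk, untagged on access ports
add bridge=bridge tagged=bridge,ether4 untagged=ether5,wlan3 vlan-ids=10

/ip address
add address=192.168.0.1/24 interface=bridge
add address=192.168.10.1/24 interface=vlan10
/ip pool
add name=pool_home ranges=192.168.0.10-192.168.0.254
add name=pool_iot ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=pool_home interface=bridge name=dhcp_home disabled=no
add address-pool=pool_iot interface=vlan10 name=dhcp_iot disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall filter
# input: IoT devices may only talk to the router for DNS and DHCP
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=IOT protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=IOT protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop everything else (WAN and IoT)"
# forward: IoT may reach the internet, never the home LAN; home LAN may initiate to IoT
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=IOT out-interface-list=LAN \
    comment="isolate IoT VLAN from home LAN"
add chain=forward action=accept in-interface-list=IOT out-interface-list=WAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=IOT
add chain=forward action=drop comment="drop everything else"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# enable VLAN filtering only after the port and VLAN table above is complete
/interface bridge set [ find name=bridge ] vlan-filtering=yes
```

VLAN filtering is switched on as the last step so that a half-entered VLAN table cannot cut off the port you are managing the router from. On the switch side this matches the plan in anav's post above: switch port 1 is the trunk (VLAN 1 untagged, VLAN 10 tagged), ports 6-8 are access ports with PVID 10. To check the result, `/interface bridge vlan print` shows the static and dynamic VLAN membership per port, and `/interface bridge host print` shows which VLAN each learned MAC address landed in; a device that receives a 192.168.0.x address on wlan3 or ether5 will show up there with vid 1 instead of 10.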
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Sat Feb 23, 2019 12:43 pm

Hmmm...but this means that on ether4 I will have just VLAN 10, right?

So, please take a look over those 2 pictures.

In one case the VLAN is under bridge and in one case under bridge.
I think that it is impossible to add WLAN3 on the VLAN if the VLANs are under ether2...
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Sat Feb 23, 2019 4:26 pm

It is not clear what the second picture is all about.
If it was me the vlans would be placed under interface = bridge.
If you wanted those vlans running on ether2,
the place to put that is under bridge ports rule.
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Sat Feb 23, 2019 9:37 pm

Ok, good. Clear for me. I will delete the second configuration.
I started from scratch... config without firewall.

It should be ok, right? On the WLANs I don't get the right IPs... what can be wrong?
Of course I'm trying now with 2 VLANs....
/interface bridge
add admin-mac=B8:69:F4:xxxx auto-mac=no comment=defconf fast-forward=no \
    name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=BV
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    ReteaAcasaMK10 vlan-id=10 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-2FA7D2 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:2F:A7:D1 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
    ReteaAcasaV20 vlan-id=20 wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=DHCPvlan10
add address-pool=dhcp_pool2 disabled=no interface=vlan20 name=DHCPvlan20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether2,wlan1 vlan-ids=10
add bridge=bridge tagged=ether2,wlan3 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Sat Feb 23, 2019 9:51 pm

Your DNS setup is messy but will address later.

two things stand out........ and I can assume that your WLAN2 is not on a vlan (home user wifi)

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1 frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3 frame-types=admit-only-untagged-and-priority-tagged pvid=20

/interface bridge vlan
add bridge=bridge tagged=ether2 untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=ether2 untagged=wlan3 vlan-ids=20
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Sun Feb 24, 2019 12:28 pm

Ok, changed.
Still the same problem. I get the IP from 192.168.0.1...

But...as I told you, I tried the config from this post:
viewtopic.php?f=13&t=143620#p706998
And it seems that on wireless interface he didn't put any ID...and it was working....
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Sun Feb 24, 2019 12:35 pm

And I'm not sure about this....
I tried your syntax but something is wrong....
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Sun Feb 24, 2019 5:05 pm

And back again. I solved something:

- I have the correct VLAN IP on WLAN1 and WLAN3 (vlan10 and vlan20)
- I have the correct VLAN IP on ether4 &5 (Vlan 10 on ether4 and vlan 20 on ether5)
The solution was to put bridge on tag...not ether2 :) I don't know if it is a problem with the TP-LINK switch or not. I still dig in.

I still don't have a solution for trunk port.

=> on wireless interface we don't need any pvid
 
anav
Forum Guru
Posts: 2723
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VLAN setup

Sun Feb 24, 2019 5:27 pm

Glad you are making progress.
A good diagram always helps and posting a complete config.
It's hard to work with pieces.
 
joystick
just joined
Topic Author
Posts: 12
Joined: Wed Jan 09, 2019 3:42 pm

Re: Mikrotik VLAN setup

Sun Feb 24, 2019 5:58 pm

It seems that I solved also the trunk port...
Everything is working on tplink switch.

Now, I need to come back to just 1 vlan: vlan10 and default pvid 1 :).

Thank you for all your help. I'll continue to work on this and after I will do all the things, maybe we will discuss about the DNS problem that you wrote earlier :).
