jnsilver
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2019 11:25 pm

Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Wed Mar 06, 2019 11:43 pm

Hi there,
I'm struggling with the Bridge Setup on a CCR1009.
What I want to achieve:
Bridge with 2 ethernet ports (ether2 & ether3) and 2 VLANs (vlan1 for management access to my Access Points and vlan10 for Hotspot SSID).
Everything is fine for a normal connection. APs are online and reachable. A client attached to the SSID gets an IP and is online. But as long as the vlan10 is attached to the bridge I didn't get the Hotspot login. Works only when I attach the vlan10 directly to one of the ethernet ports.

I checked/tried several posts about bridge/vlan setup without success.
I'm not sure if there is a problem with the bridge/vlan settings or with the firewall rules...
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
/interface list
add name=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=vlan10 list=LAN
/ip pool
add name=dhcp_pool4 ranges=10.10.100.20-10.10.103.250
add name=dhcp_pool5 ranges=10.10.10.20-10.10.10.254
add name=dhcp_pool6 ranges=192.168.1.20-192.168.1.50
add name=dhcp_pool7 ranges=10.0.100.50-10.0.101.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=vlan10 name=WLAN
add address-pool=dhcp_pool5 disabled=no interface=vlan1 lease-time=30m name=\
    Management
add address-pool=dhcp_pool6 disabled=no interface=lan-bridge lease-time=30m \
    name=LAN
add address-pool=dhcp_pool7 disabled=no interface=ether4 name="WLAN alt"
/ip hotspot
add address-pool=dhcp_pool4 disabled=no interface=vlan10 name=hotspot1 \
    profile=hsprof1
/interface bridge port
add bridge=lan-bridge interface=ether7
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan10,ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=vlan1,bridge1 untagged=ether2,ether3 vlan-ids=1
/interface ethernet switch vlan
add disabled=yes ports=ether2,ether3 switch=switch1 vlan-id=1
add disabled=yes ports=ether2,ether3 switch=switch1 vlan-id=10
/ip address
add address=192.168.1.1/24 comment="LAN Internet Terminals" interface=\
    lan-bridge network=192.168.1.0
add address=10.0.100.1/23 comment="WLAN BBG" interface=ether4 network=\
    10.0.100.0
add address=10.10.10.1/24 interface=vlan1 network=10.10.10.0
add address=10.10.100.1/22 interface=vlan10 network=10.10.100.0
/ip dhcp-server network
add address=10.0.100.0/23 gateway=10.0.100.1
add address=10.10.10.0/24 dhcp-option=vSZ-Option43 gateway=10.10.10.1
add address=10.10.100.0/22 dhcp-option=vSZ-Option43 gateway=10.10.100.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=10.10.100.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=10.0.100.1 list=DHCPSERVERS
add address=192.168.1.1 list=DHCPSERVERS
add address=85.183.135.162 list=erlaubte-IP
add address=10.10.10.1 list=DHCPSERVERS
add address=10.10.100.1 list=DHCPSERVERS
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid log-prefix=invalid
add action=drop chain=input comment="drop dns from internet" disabled=yes \
    dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop dns from internet" disabled=yes \
    dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop Rogue DHCP-Servers" dst-port=68 \
    log=yes log-prefix=RogueDHCP protocol=udp src-address-list=!DHCPSERVERS \
    src-port=67
add action=accept chain=input comment="accept https & winbox von erlaubte-IP" \
    dst-port=8291,443,161,1022 log-prefix=accept protocol=tcp \
    src-address-list=erlaubte-IP
add action=accept chain=input comment="accept snmp von erlaubte-IP" dst-port=\
    161,162 log-prefix=accept protocol=udp src-address-list=erlaubte-IP
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface-list=LAN
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,1022 \
    log=yes log-prefix="drop brute forcers" protocol=tcp src-address=\
    !85.183.135.162 src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" disabled=\
    yes dst-address-type=!local src-address=!85.183.135.162
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    disabled=yes src-address=!85.183.135.162 src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" disabled=yes in-interface=ether1 \
    src-address=!85.183.135.162 src-address-list=NotPublic
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" disabled=yes in-interface=ether1 \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
    internet which should not exist in public network" disabled=yes \
    dst-address-list=NotPublic in-interface-list=LAN
add action=drop chain=forward comment="Drop all packets in local network which\
    \_does not have local network address" disabled=yes in-interface-list=LAN \
    src-address-list=!NotPublic
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=drop chain=input comment="drop all" log-prefix=drop
add action=accept chain=forward comment="accept erlaubte-IP" \
    src-address-list=erlaubte-IP
add action=drop chain=forward comment="drop privat <-> privat" \
    dst-address-list=NotPublic src-address-list=NotPublic
add action=accept chain=forward comment="accept privat -> internet" \
    out-interface=PPPoEClient src-address-list=NotPublic
add action=drop chain=forward comment="drop all"
/ip firewall mangle
add action=log chain=forward disabled=yes log-prefix=HAMFREEWIFIGateway1 \
    protocol=tcp tcp-flags=!,ack
add action=log chain=forward disabled=yes log-prefix=HAMFREEWIFIGateway1 \
    protocol=udp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network alt" \
    out-interface=PPPoEClient src-address=10.0.100.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    out-interface=PPPoEClient src-address=10.10.100.0/22
add action=masquerade chain=srcnat comment="masquerade managemet network" \
    out-interface=PPPoEClient src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="masquerade LAN" out-interface=\
    PPPoEClient src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="DST-NAT auf DAH" dst-port=4443 \
    in-interface=PPPoEClient protocol=tcp to-addresses=10.10.10.10 to-ports=\
    443
add action=dst-nat chain=dstnat comment="DST-NAT auf Switch" dst-port=4444 \
    in-interface=PPPoEClient protocol=tcp to-addresses=10.10.10.2 to-ports=\
    443
/ip firewall service-port
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Thu Mar 07, 2019 8:59 am

You should not add vlan interfaces as member ports of the bridge (in /interface bridge port). You should not set vlan interfaces as members of VLAN port group (in /interface bridge vlan).

Both are already done while creating those vlan interfaces.
The only necessary thing is to make bridge1 tagged member port of appropriate VLANs ... which you did.
 
jnsilver
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2019 11:25 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 12:26 pm

Hi mkx,
Thanks for your reply. I tried to fix that. Situation changed a little bit after that. Now I did not get an IP over DHCP on. DHCP server stops in state "offered". I didn't see the difference between adding the vlan to an ethernet port (where everything works fine) or adding it to the bridge to have 2 physical ports (ether2 and 3) where tagged packets can be handled.

Here is the latest config (which does not give IP over DHCP on vlan10).
/interface bridge
add name=bridge1 vlan-filtering=yes
add name=lan-bridge

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1480 max-mtu=1480 name=PPPoEClient password=xxxxxxxx use-peer-dns=yes \
    user=xxxxxxxx

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

/interface list
add name=LAN

/interface bridge port
add bridge=lan-bridge interface=ether7
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10

# List for firewall rules
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=vlan10 list=LAN

/ip pool
add name=dhcp_pool4 ranges=10.10.100.20-10.10.103.250
add name=dhcp_pool5 ranges=10.10.10.20-10.10.10.254
add name=dhcp_pool6 ranges=192.168.1.20-192.168.1.50
add name=dhcp_pool7 ranges=10.0.100.50-10.0.101.254

/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=vlan10 name=WLAN
add address-pool=dhcp_pool5 disabled=no interface=bridge1 lease-time=30m name=Management
add address-pool=dhcp_pool6 disabled=no interface=lan-bridge lease-time=30m name=LAN
add address-pool=dhcp_pool7 disabled=no interface=ether4 name="WLAN alt"

/ip address
add address=192.168.1.1/24 comment="LAN Internet Terminals" interface=lan-bridge network=192.168.1.0
add address=10.0.100.1/23 comment="WLAN BBG" interface=ether4 network=10.0.100.0
add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0
add address=10.10.100.1/22 interface=vlan10 network=10.10.100.0

/ip dhcp-server network
add address=10.0.100.0/23 gateway=10.0.100.1
add address=10.10.10.0/24 dhcp-option=vSZ-Option43 gateway=10.10.10.1
add address=10.10.100.0/22 dhcp-option=vSZ-Option43 gateway=10.10.100.1
add address=192.168.1.0/24 gateway=192.168.1.1

/ip dns
set servers=10.10.100.1

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=10.0.100.1 list=DHCPSERVERS
add address=192.168.1.1 list=DHCPSERVERS
add address=85.183.135.162 list=erlaubte-IP
add address=10.10.10.1 list=DHCPSERVERS
add address=10.10.100.1 list=DHCPSERVERS

/ip firewall filter
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid log-prefix=invalid
add action=drop chain=input comment="drop dns from internet" disabled=yes dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop dns from internet" disabled=yes dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop Rogue DHCP-Servers" dst-port=68 log=yes log-prefix=RogueDHCP protocol=udp src-address-list=\
    !DHCPSERVERS src-port=67
add action=accept chain=input comment="accept https & winbox von erlaubte-IP" dst-port=8291,443,161,1022 log-prefix=accept protocol=tcp \
    src-address-list=erlaubte-IP
add action=accept chain=input comment="accept snmp von erlaubte-IP" dst-port=161,162 log-prefix=accept protocol=udp src-address-list=\
    erlaubte-IP
add action=accept chain=input comment="Accept all connections from local network" in-interface-list=LAN
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,1022 log=yes log-prefix="drop brute forcers" protocol=tcp \
    src-address=!85.183.135.162 src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
    protocol=tcp
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" disabled=yes dst-address-type=!local \
    src-address=!85.183.135.162
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" disabled=yes src-address=\
    !85.183.135.162 src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" disabled=yes \
    in-interface=ether1 src-address=!85.183.135.162 src-address-list=NotPublic
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" disabled=yes \
    in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" disabled=\
    yes dst-address-list=NotPublic in-interface-list=LAN
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" disabled=yes \
    in-interface-list=LAN src-address-list=!NotPublic
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=drop chain=input comment="drop all" log-prefix=drop
add action=accept chain=forward comment="accept erlaubte-IP" src-address-list=erlaubte-IP
add action=drop chain=forward comment="drop privat <-> privat" dst-address-list=NotPublic src-address-list=NotPublic
add action=accept chain=forward comment="accept privat -> internet" out-interface=PPPoEClient src-address-list=NotPublic
add action=drop chain=forward comment="drop all"

/ip firewall mangle
add action=log chain=forward disabled=yes log-prefix=HAMFREEWIFIGateway1 protocol=tcp tcp-flags=!,ack
add action=log chain=forward disabled=yes log-prefix=HAMFREEWIFIGateway1 protocol=udp

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network alt" out-interface=PPPoEClient src-address=10.0.100.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" out-interface=PPPoEClient src-address=10.10.100.0/22
add action=masquerade chain=srcnat comment="masquerade managemet network" out-interface=PPPoEClient src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="masquerade LAN" out-interface=PPPoEClient src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="DST-NAT auf DAH" dst-port=4443 in-interface=PPPoEClient protocol=tcp to-addresses=10.10.10.10 \
    to-ports=443
add action=dst-nat chain=dstnat comment="DST-NAT auf Switch" dst-port=4444 in-interface=PPPoEClient protocol=tcp to-addresses=10.10.10.2 \
    to-ports=443

/ip firewall service-port
set sip disabled=yes

/ip proxy
set max-cache-size=none parent-proxy=0.0.0.0 src-address=0.0.0.0
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 1:31 pm

Any good reason to have this setting?
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

You're missing all of VLAN config for bridge that should go to individual ether ports:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10
which, combined with /interface bridge port should be something like
/interface bridge port
# ether2 configured as access port, i.e. untagged on wire side and member of VLAN VID=10
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
# ether3 configured as hybrid port: tagged VID=10 and untagged on wire side ... the untagged part will be VID=1 on bridge
add bridge=bridge1 interface=ether3 ingress-filtering=yes pvid=1 
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 untagged=ether2 vlan-ids=10
 
jnsilver
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2019 11:25 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 2:56 pm

That works. I disabled the bridge firewall settings for vlan and pppoe. I let this active.
/interface bridge settings set use-ip-firewall=yes

Now it works as expected. Thanks.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 3:40 pm

/interface bridge settings set use-ip-firewall=yes

Still ... any good reason for crippling LAN traffic by forcing it go through firewall?
 
jnsilver
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2019 11:25 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 4:02 pm

Mhm. If the ip firewall rules work above the bridge when set in bridge to no, then not. Maybe I'm outing myself as a fool with this statement ;-)
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 4:28 pm

/ip firewall rules work for whatever packets traversing router on L3 level (IP) ... that's between router's IP interfaces.

Other options in /ip bridge force L2 traffic through firewall (which otherwise would not go there), e.g. between ethernet ports in a switch-group.

I guess you don't need it ... but it's your executive decision, not mine :wink:
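As an added example, not part of this thread and not a MikroTik tool: a small Python audit that parses the RouterOS export syntax posted above and flags the points raised in the thread, namely VLAN interfaces added as bridge ports or as members in the bridge VLAN table (mkx's first reply), a VLAN interface whose VID the bridge itself is not tagged on, and the use-ip-firewall options that push bridged traffic through /ip firewall (the last few replies). The two embedded configs are constructed from the first post and from mkx's proposed port layout; the parser handles only the subset of export syntax used in the thread, and vlan-ids are expected as single values or comma-separated lists, not ranges.

```python
import re
from collections import defaultdict

# Constructed sample: the sections of the first post that matter for VLAN
# filtering on bridge1 (not the full export from the thread).
ORIGINAL_CONFIG = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan10,ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=vlan1,bridge1 untagged=ether2,ether3 vlan-ids=1
"""

# Constructed sample: mkx's layout (ether2 = access port on VID 10, ether3 =
# hybrid port tagged on VID 10) with the bridge firewall option switched off.
FIXED_CONFIG = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether2 ingress-filtering=yes \\
    frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge1 interface=ether3 ingress-filtering=yes pvid=1
/interface bridge settings
set use-ip-firewall=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 untagged=ether2 vlan-ids=10
"""

# key=value pairs; values may be quoted strings (comment="LAN Internet Terminals")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Parse a RouterOS export into {section: [row, ...]}.

    Each 'add ...' or 'set ...' line becomes a dict of its key=value pairs plus
    a '_cmd' key. Backslash line continuations are joined first. Only the
    export subset used in the thread is handled."""
    sections = defaultdict(list)
    section = None
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        cmd, _, rest = line.partition(" ")
        if cmd in ("add", "set") and section:
            row = dict(KV.findall(rest))
            row["_cmd"] = cmd
            sections[section].append(row)
    return sections


def members(row, key):
    """Split a comma-separated list such as tagged=bridge1,ether3 into a set."""
    return {m for m in row.get(key, "").split(",") if m}


def audit_bridge(cfg, bridge="bridge1"):
    """Return a list of findings for one VLAN-filtering bridge; [] means clean."""
    findings = []
    br = [b for b in cfg.get("/interface bridge", []) if b.get("name") == bridge]
    if not br or br[0].get("vlan-filtering") != "yes":
        findings.append(f"{bridge}: vlan-filtering is not enabled")
    vlan_ifaces = {v["name"]: v["vlan-id"] for v in cfg.get("/interface vlan", [])
                   if v.get("interface") == bridge}
    ports = [p for p in cfg.get("/interface bridge port", []) if p.get("bridge") == bridge]
    rows = [r for r in cfg.get("/interface bridge vlan", []) if r.get("bridge") == bridge]

    # mkx's first point: a VLAN interface created on the bridge is not a port of it.
    for p in ports:
        if p.get("interface") in vlan_ifaces:
            findings.append(f"{p['interface']}: VLAN interface of {bridge} added as a bridge port")

    # mkx's second point: nor does it belong in the tagged/untagged lists of the VLAN table.
    for r in rows:
        for m in sorted((members(r, "tagged") | members(r, "untagged")) & set(vlan_ifaces)):
            findings.append(f"{m}: VLAN interface listed as member of VID {r.get('vlan-ids')}")

    # The router's own VLAN interface only sees traffic if the bridge itself is a
    # tagged member of that VID (the one thing mkx confirms the original got right).
    vids_with_bridge = set()
    for r in rows:
        if bridge in members(r, "tagged"):
            vids_with_bridge |= members(r, "vlan-ids")
    for name, vid in vlan_ifaces.items():
        if vid not in vids_with_bridge:
            findings.append(f"{name}: {bridge} is not a tagged member of VID {vid}")

    # use-ip-firewall* sends bridged (L2) traffic through /ip firewall as well;
    # the thread's advice is to leave it off and filter in the forward chain.
    for s in cfg.get("/interface bridge settings", []):
        for key in ("use-ip-firewall", "use-ip-firewall-for-vlan", "use-ip-firewall-for-pppoe"):
            if s.get(key) == "yes":
                findings.append(f"bridge settings: {key}=yes forces bridged traffic through /ip firewall")
    return findings


if __name__ == "__main__":
    for label, text in (("original post", ORIGINAL_CONFIG), ("mkx's layout", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_bridge(parse_export(text)) or ["no findings"]:
            print(" -", f)
```

Run against the first post's config the audit reports both VLAN interfaces as bridge ports, both as VLAN-table members, and the two bridge firewall flags; against mkx's layout it reports nothing. Note that ether3 with pvid=1 has no static row for VID 1, which is intentional in mkx's layout, so the audit deliberately does not treat a missing static row for a port's pvid as an error.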
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge with Ethernet ports, Management VLAN and Hotspot VLAN

Fri Mar 08, 2019 4:32 pm

That works. I disabled the bridge firewall settings for vlan and pppoe. I let this active.
/interface bridge settings set use-ip-firewall=yes

Now it works as expected. Thanks.
This is just plain dumb.
Use filter forward chain for firewall rules NOT THE ABOVE!!!
