TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Noobish Requesting Help - VLANed home network

Sat Apr 13, 2019 10:43 pm

Hi, my name is TallonAM and I'm an over-engineer-er.
{Hi Tallon}

Physically my home network consists of a hEX G3 running 6.43.8, two dumb switches, and a UniFi AC Lite.

I started taking the VLAN route because the UniFi offered multiple SSIDs, but I would need a way to separate the traffic, resulting in VLANs.
Now I want to have a local Wi-Fi network sharing settings with my wired network, and a kids' network so I can control timing and traffic.
I would like there to also be an infrastructure subnet for devices and servers.
I have a setup right now that gives addresses the way I want, and allows the wired system to connect to the internet; however, I would like to make sure all networks have internet access and that I can see across all networks while keeping them separate for firewall rules. Well, I say all, but I want to make sure I can keep the WiFi traffic from untrusted devices (IoTs) that I have connected to the internet, but not allowed to see the rest of the LAN.
The other thing I would like to do is set up a DMZ VLAN as well; I have a few servers that I want to put there as well as some personal devices to mess with, but this would be over ether3.

Right now eth2 is the management port, eth3 is the wired network, eth4 is the UniFi wireless.

I could REALLY use some help. I'm starting to chase my tail here. I found enough info that put me on this no bridge path, and reading more about the bridging it seems sloppy.
Please help me out and let me know how wrong I am with a valid setup.

Config:
#RouterOS 6.43.8
/interface vlan
add interface=ether4 name=Guest_VLAN vlan-id=210
add interface=ether4 name=Kids_VLAN vlan-id=230
add interface=ether4 name=Local_VLAN vlan-id=200
add interface=ether4 name=Untrusted_VLAN vlan-id=220
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=Wired_pool ranges=10.10.20.11-10.10.20.250
add name=Local_pool ranges=10.10.30.11-10.10.30.250
add name=Guest_pool ranges=10.10.40.2-10.10.40.250
add name=Untrusted_pool ranges=10.10.50.31-10.10.50.250
add name=Kids_pool ranges=10.10.60.61-10.10.60.250
/ip dhcp-server
add disabled=no interface=ether2 name=Man_DHCP
add address-pool=Local_pool disabled=no interface=Local_VLAN name=Local_DHCP
add address-pool=Guest_pool disabled=no interface=Guest_VLAN name=Guest_DHCP
add address-pool=Untrusted_pool disabled=no interface=Untrusted_VLAN name=Untrusted_DHCP
add address-pool=Kids_pool disabled=no interface=Kids_VLAN name=Kids_DHCP
add address-pool=Wired_pool disabled=no interface=ether3 name=Wired_DHCP
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=210
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=220
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=230
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether4 list=LAN
add interface=ether3 list=LAN
add list=LAN
/ip address
add address=10.10.0.1/24 interface=ether2 network=10.10.0.0
add address=10.10.0.1/24 interface=ether3 network=10.10.0.0
add address=10.10.0.1/24 interface=ether4 network=10.10.0.0
add address=10.10.30.1/24 interface=ether3 network=10.10.30.0
add address=10.10.10.1/24 interface=ether3 network=10.10.10.0
add address=10.10.20.1/24 interface=ether3 network=10.10.20.0
add address=10.10.40.1/24 interface=ether3 network=10.10.40.0
add address=10.10.50.1/24 interface=ether3 network=10.10.50.0
add address=10.10.60.1/24 interface=ether3 network=10.10.60.0
add address=10.10.70.1/24 interface=ether3 network=10.10.70.0
add address=10.10.30.1/24 interface=ether4 network=10.10.30.0
add address=10.10.40.1/24 interface=ether4 network=10.10.40.0
add address=10.10.50.1/24 interface=ether4 network=10.10.50.0
add address=10.10.60.1/24 interface=ether4 network=10.10.60.0
add address=10.10.30.1/24 interface=Local_VLAN network=10.10.30.0
add address=10.10.40.1/24 interface=Guest_VLAN network=10.10.40.0
add address=10.10.50.1/24 interface=Untrusted_VLAN network=10.10.50.0
add address=10.10.60.1/24 interface=Kids_VLAN network=10.10.60.0
add address=10.10.0.1/24 interface=Local_VLAN network=10.10.0.0
add address=10.10.0.1/24 interface=Guest_VLAN network=10.10.0.0
add address=10.10.0.1/24 interface=Kids_VLAN network=10.10.0.0
add address=10.10.0.1/24 interface=Untrusted_VLAN network=10.10.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 netmask=24
add address=10.10.0.0/16 gateway=10.10.0.1 netmask=16
add address=10.10.10.0/24 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 gateway=10.10.20.1 netmask=24
add address=10.10.30.0/24 gateway=10.10.30.1 netmask=24
add address=10.10.40.0/24 gateway=10.10.40.1 netmask=24
add address=10.10.50.0/24 gateway=10.10.50.1 netmask=24
add address=10.10.60.0/24 gateway=10.10.60.1 netmask=24
add address=10.10.70.0/24 gateway=10.10.70.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
   
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noobish Requesting Help - VLANed home network

Mon Apr 15, 2019 2:41 pm

Read through this excellent post and find the example that mirrors your situation........
viewtopic.php?t=143620
 
Samot
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: Noobish Requesting Help - VLANed home network

Mon Apr 15, 2019 3:52 pm

> I could REALLY use some help. I'm starting to chase my tail here. I found enough info that put me on this no bridge path, and reading more about the bridging it seems sloppy.
Since 6.41, so almost a year and a half, the preferred and recommended way of doing VLANs on every model but the CRS1xx/2xx's is to use VLANs in the bridge. This takes about 3 minutes to do and it is much better than using the switch menu. You should really be doing it this way.

What was the issue you ran into with using the VLANs on the bridge?
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Tue Apr 23, 2019 8:05 pm

Sorry for delays getting back to my own post. I didn't see the notice that it had gone live, and I couldn't remember what I'd named the post. Today I found it doing a search for my profile. Personal forum incompetence aside, thanks for the responses!
> Read through this excellent post and find the example that mirrors your situation........
> viewtopic.php?t=143620
I'll look this through, initial review says it looks a lot like the posts and tutorials I've been reading, but I will always read more!!
> Since 6.41, so almost a year and a half, the preferred and recommended way of doing VLANs on every model but the CRS1xx/2xx's are to use VLANs in the bridge. This takes about 3 minutes to do and it much better than using the switch menu. You should really being doing it this way.
> What was the issue you ran into with using the VLANs on the bridge?
I was having a lot of trouble with the VLANs crossing under the bridge. I'd get devices that should be a wired VLAN in my wireless VLAN. I'm sure it was a misconfiguration. I'm not completely new to networking or VLANs but building my own system is new and I'm sure I boned something over.

For a much more detailed view that will hopefully let everyone see a much better idea of what I want to get done I have made two layouts of my designed network:
Logical: [image]

Physical: [image]

The DMZ and VPN were not in my original config and were not going to go in right away because I didn't want to over complicate things that I was failing to complete on the simplest side.
All suggestions on those two settings as well would be wonderful.

Thank you all so much for the responses so far and all inputs and suggestions or configurations are welcome and well received.
TallonAM
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Noobish Requesting Help - VLANed home network

Tue Apr 23, 2019 9:25 pm

> Read through this post and find the example that mirrors your situation

> I'll look this through, initial review says it looks a lot like the posts and tutorials I've been reading, but I will always read more!

This might be a good time to mention the Saddle Ridge Hoard:
A couple found $10 million in buried treasure while out walking their dog. Though they had hiked the trail numerous times previously.
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Tue Apr 23, 2019 9:36 pm

> This might be a good time to mention the Saddle Ridge Hoard:
> A couple found $10 million in buried treasure while out walking their dog. Though they had hiked the trail numerous times previously.
Of course! I'm deep in the suggested post as we speak.
I see it's your handiwork! Wonderful so far.
Thank you for this time and effort to help everyone out.
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Wed Apr 24, 2019 5:49 pm

Ok, after a full consultation of the reported post, and reviewing the configurations found there, I have compiled what I think is a correct config for my setup.
It ends up being a weird amalgamation of RoaS and All-in-one with the Public VLAN options. I would really appreciate some review by those with LOTS more experience than I have.

I've not had a chance to load this on my device yet, so I don't KNOW this is valid, so any notes are requested.
networkScript2.0.rsc
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Wed Apr 24, 2019 6:29 pm

I'm also looking into the VLAN by MAC settings found around the internet, and resulted in this:
# DMZ VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=Main_Bridge name=DMZ_VLAN vlan-id=20
/ip address add interface=DMZ_VLAN address=10.10.70.1/24
/ip pool add name=DMZ_POOL ranges=10.10.70.11-10.10.70.250
/ip dhcp-server add address-pool=DMZ_POOL interface=DMZ_VLAN name=DMZ_DHCP disabled=no
/ip dhcp-server network add address=10.10.70.0/24 dns-server=10.10.0.1 gateway=10.10.70.1

##################
# DMZ switch stuff
##################
/interface ethernet switch port
set ether3 default-vlan-id=100 vlan-header=add-if-missing vlan-mode=fallback

/interface ethernet switch vlan
add ports=ether3 vlan-id=20
add ports=ether3 vlan-id=100

#####################
# DMZ MAC Assignments
#####################
# device 1
/interface ethernet switch mac-based-vlan add new-customer-vid=20 src-mac-address=00:11:22:33:44:55
/ip dhcp-server lease use-src-mac=yes server=DMZ_DHCP mac-address=00:11:22:33:44:55 address=0.0.0.0
# device 2
/interface ethernet switch mac-based-vlan add new-customer-vid=20 src-mac-address=11:22:33:44:55:66
/ip dhcp-server lease use-src-mac=yes server=DMZ_DHCP mac-address=11:22:33:44:55:66 address=0.0.0.0
I know earlier the bridge method is now standard instead of the switch commands, can this be done differently with the bridge based methods?

Edited for reconfigured code after further reading
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noobish Requesting Help - VLANed home network  [SOLVED]

Wed Apr 24, 2019 10:11 pm

(1) In response to your script, I noted ether3 will be a problem.
Note..
# Wired trunk (trunk regular traffic and DMZ)
add bridge=Main_Bridge interface=ether3

Then.........
add bridge=Main_Bridge tagged=Main_Bridge,ether3 vlan-ids=20
add bridge=Main_Bridge tagged=Main_Bridge,ether3,ether4 vlan-ids=100

Here clearly, you correctly show that ether3 is a trunk port with dmz(20) and local traffic(100)
Good so far and then the error.......
set bridge=Main_Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]

(2) I note eth2 will be a problem.
Note: Correctly identified eth2 as an access port for vlan 10 (infrastructure).
add bridge=Main_Bridge interface=ether2 pvid=10

Then. applied the security appropriately and ingress..........
set bridge=Main_Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]

Good so far and then the error
add bridge=Main_Bridge tagged=Main_Bridge,ether2 vlan-ids=10
should be (for egress)
add bridge=Main_Bridge tagged=Main_Bridge, untagged=ether2 vlan-ids=10

(3) unable to comment on eth4 but assume this is connected to an AP that can assign vlanIDs.
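As an added illustration of anav's two corrections (this is not code from the thread or from MikroTik), here is the bridge-VLAN version of the three ports written out as one consistent set. VLAN IDs 10, 20 and 100 and the name Main_Bridge follow the script quoted above; ether3 is modelled as a pure tagged trunk (a design choice, not what the thread settled on), and the VLAN list carried by the AP on ether4 is assumed.

```routeros
# Added example, not from the thread.
# ether2 = access port, VLAN 10 (infrastructure)
# ether3 = trunk, VLAN 20 (DMZ) and VLAN 100 (local), both tagged
# ether4 = trunk to the UniFi AP; which VLANs it carries is an
#          assumption here (100, as in the quoted script)

/interface bridge
# Build everything with filtering off; switch it on as the last step.
add name=Main_Bridge vlan-filtering=no

/interface bridge port
# Access port: untagged frames get VID 10, tagged frames are rejected.
add bridge=Main_Bridge interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# Trunk ports: only tagged frames may enter. This is correction (1):
# admit-only-untagged-and-priority-tagged on a trunk would drop every
# tagged DMZ/local frame arriving on ether3.
add bridge=Main_Bridge interface=ether3 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=Main_Bridge interface=ether4 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

/interface bridge vlan
# Correction (2): the access port belongs in 'untagged', so VLAN 10
# leaves ether2 without a tag. Main_Bridge (the CPU port) stays tagged
# so the router's own VLAN sub-interfaces can see the VLAN.
add bridge=Main_Bridge tagged=Main_Bridge untagged=ether2 vlan-ids=10
add bridge=Main_Bridge tagged=Main_Bridge,ether3 vlan-ids=20
add bridge=Main_Bridge tagged=Main_Bridge,ether3,ether4 vlan-ids=100

/interface vlan
# Layer-3 interfaces ride on the bridge, not on a physical port.
add interface=Main_Bridge name=Infra_VLAN vlan-id=10
add interface=Main_Bridge name=DMZ_VLAN vlan-id=20
add interface=Main_Bridge name=Local_VLAN vlan-id=100

/interface bridge
# Enable filtering only once every port appears in a vlan row above;
# a port that is in none of them stops passing traffic entirely.
set Main_Bridge vlan-filtering=yes

# Checks: current-tagged/current-untagged should mirror the rows above.
/interface bridge vlan print
/interface bridge port print
```

Apply it from a terminal session with Safe Mode enabled, since a wrong row in `/interface bridge vlan` can lock the management port out when filtering turns on.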
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Wed Apr 24, 2019 10:40 pm

Thank you so much for your input Anav. I see how those would be a problem once you pointed them out. I've also now worked to try and pen and paper my way through how that traffic flows, and I think I understand your points and the changes that I need and your suggestion. On (3) yes you are correct, ether4 will handle VLAN IDs; it is attached to a UniFi AC Lite that has been set up with the networks and VLANs so those are already coming in trunked together.
> (1) In response to your script, i noted ether3 will be a problem.
> ...
> Good so far and then the errror.......
> set bridge=Main_Bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
I went back to look over what my options here are and how I could set this parameter; it looks like the only way that makes sense in my case is just to let it be "allow-all".
I also realized that I want to have the traffic defaulted to VLAN 100 so I can try the MAC based VLAN 20 to change the appropriate devices later, giving me the following updates to the script (obviously unrelated and out of place):
/interface bridge port
# Wired trunk (trunk regular traffic and DMZ)
add bridge=Main_Bridge interface=ether3 pvid=100
...
# Determine which Access Ports will have ingress with tags and which won't
/interface bridge port
set bridge=Main_Bridge ingress-filtering=yes frame-types=admit-all [find interface=ether3]
> (2) I note eth2 will be a problem.
> add bridge=Main_Bridge tagged=Main_Bridge,ether2 vlan-ids=10
> should be (for egress)
> add bridge=Main_Bridge tagged=Main_Bridge, untagged=ether2 vlan-ids=10
I honestly didn't get that before. I had to read through your suggestion, and go back and look at the documentation and examples for tagged and untagged to see for this example. I was too stuck on needing that VLAN on that port to realize it's so that I have the VLAN FROM that port for the rest of the system to use. Thank you so much! Changed to:
add bridge=Main_Bridge tagged=Main_Bridge untagged=ether2 vlan-ids=10
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Wed Apr 24, 2019 10:54 pm

Also, after seeing that I wanted to default ether3 to VLAN100 and reading more to research for MAC based VLANs, I found another post with another suggestion and after reading the documentation deeper, I think the following is the correct way to go for my ether3 DMZ VLAN:
# DMZ VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=Main_Bridge name=DMZ_VLAN vlan-id=20
/ip address add interface=DMZ_VLAN address=10.10.70.1/24
/ip pool add name=DMZ_POOL ranges=10.10.70.11-10.10.70.250
/ip dhcp-server add address-pool=DMZ_POOL interface=DMZ_VLAN name=DMZ_DHCP disabled=no
/ip dhcp-server network add address=10.10.70.0/24 dns-server=10.10.0.1 gateway=10.10.70.1

##################
# DMZ switch stuff
##################
/interface ethernet switch vlan
add ports=ether3 vlan-id=20
add ports=ether3 vlan-id=100

#####################
# DMZ MAC Assignments
#####################
# device 1
/interface ethernet switch rule add switch=switch1 src-mac-address=00:11:22:33:44:55 new-vlan-id=20
/ip dhcp-server lease use-src-mac=yes server=DMZ_DHCP mac-address=00:11:22:33:44:55 address=0.0.0.0
# device 2
/interface ethernet switch rule add switch=switch1 src-mac-address=11:22:33:44:55:66 new-vlan-id=20
/ip dhcp-server lease use-src-mac=yes server=DMZ_DHCP mac-address=11:22:33:44:55:66 address=0.0.0.0
again, any thoughts on ANY part of my configs mentioned here are fully welcome!

Thanks again, especially to Anav.
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Wed Apr 24, 2019 11:49 pm

More reading, more links, lots of different pages later:
I started looking for a complete non-switch way to handle this MAC based DMZ VLAN since some of my reading took me to the Manual:Switch Chip Features. I'm using a RB750Gr3. It's got a MT7621 switch chip which is supposed to not have a VLAN table. I think that kind of kills what I was originally looking at.
So, looking for a bridge based solution led me to poking around more. I found the /interface bridge hosts table in winbox and thought that might be an opportunity. After looking at what it does and the details of setting up a static entry, I have concluded I was making it too hard before.
The following should work if I understand the commands and what the MT does with it correctly. I left off the DMZ VLAN description as that has not changed.
#####################
# DMZ MAC Assignments
#####################
# device 1
/interface bridge host add bridge=Main_Bridge vid=20 mac-address=00:11:22:33:44:55
/ip dhcp-server lease use-src-mac=yes server=DMZ_DHCP address=0.0.0.0 mac-address=00:11:22:33:44:55
# device 2
/interface bridge host add bridge=Main_Bridge vid=20 mac-address=11:22:33:44:55:66
/ip dhcp-server lease use-src-mac=yes server=DMZ_DHCP address=0.0.0.0 mac-address=11:22:33:44:55:66
Am I on the right track here? Was this a swing in left field that is so far off the mark? Please let me know if this is a proper use for these commands and if it will process the way I think it will.

Thank you again

Edit to fix link
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noobish Requesting Help - VLANed home network

Thu Apr 25, 2019 12:40 am

Sorry, if you don't want to follow the link as prescribed I am of no service. Good luck.
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Thu Apr 25, 2019 12:58 am

I did not mean to offend or go off the rails. I didn't see anything in the large VLAN post/tutorial or any comments that pertained to MAC based VLAN, but I had tacked that question on here as well. Maybe that is just too much.

If the fixes for the config I had that you suggested were a poor response you have my sincerest apologies, I was trying to make steps based on what you had said and what I could find.

Thank you for all your help.
I'll go back and re read the posts and see if I can find the answer in the post prescribed.
Thank you again.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noobish Requesting Help - VLANed home network

Thu Apr 25, 2019 3:43 pm

My apologies, I meant that I couldn't be of more help....... I know nothing about using mac based vlans...........
 
TallonAM
just joined
Topic Author
Posts: 10
Joined: Sat Apr 13, 2019 9:17 pm

Re: Noobish Requesting Help - VLANed home network

Thu Apr 25, 2019 6:35 pm

@anav - I accepted your suggestions as solution as it should get everything going.

I'll still take any advice on VLAN by MAC if someone else comes through here.

But otherwise I'll make this the final on this post and I'll see if I can add to the tutorial or wiki if I get a good response for the MAC stuff.

Thank you so much.
