winbox and vlan

Posted: Wed May 08, 2019 1:57 am
by ddzyfaa
Hello, I have just arrived in the MikroTik world. :D

I was configuring a RouterBOARD RB2011UiAS running MikroTik RouterOS 6.44.3 and I have a question about it. The config is the default one.
#
# Scenario
#
RB2011UiAS eth9 is connected to a Netgear smart switch on switch port 22, which is a tagged port for VLAN100 with PVID 100, and I allow all kinds of packets.

From the Netgear switch UI:

VLAN Membership
VLAN ID: vlan100
Port:    1, 22

Interface  PVID Configured  Current PVID  Acceptable Frame Types  Ingress Filtering  Port Priority
g1         100              100           VLAN Only               Enable             0
g22        100              100           VLAN Only               Enable             0


The desktop is connected with Net1 to switch port 1 and tags packets with VLAN100.
(I temporarily connected another link directly from Net2 to eth2 on RouterOS in order to do the setup.)
I followed the examples at:
https://wiki.mikrotik.com/wiki/Manual:I ... AN_routing
[admin@MikroTik] > /interface vlan add name=VLAN100 vlan-id=100 interface=ether10 disabled=no
[admin@MikroTik] > /ip address add address=10.0.100.1/24 interface=VLAN100  network=10.0.100.0
Ping flows in both directions. I put down the Net2 link, so only the Net1 VLAN100 link is up. From the desktop OS I can ping the router:
 ping -t 10.0.100.1

Haciendo ping a 10.0.100.1 con 32 bytes de datos:
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64

Estadísticas de ping para 10.0.100.1:
    Paquetes: enviados = 7, recibidos = 7, perdidos = 0
    (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms
But I'm unable to use WinBox/SSH to continue the configuration. I get timeouts.
Can anyone please give me some advice on where I should look? I'm fairly new to this UI.

Thank you for reading :D

Re: winbox and vlan

Posted: Wed May 08, 2019 1:52 pm
by cdiedrich
If I remember correctly, admin access is restricted to 192.168.88.0/24 in the default config, so access from 10.0.0.0/8 will be dropped and you're seeing the timeouts.
Try adding your vlan100 range under IP -> Services in the "available from" field.
To do so, either connect to it from the 192.168.88.0/24 range, connect by MAC address from WinBox, or use the console.

-Chris

Re: winbox and vlan

Posted: Thu May 09, 2019 12:05 am
by ddzyfaa
Hello Chris, thanks a lot for your answer. I added the network 10.0.100.0/24, but the problem wasn't solved.
You gave me an idea, so I reset the configuration, this time with no default config, and I can now connect from the VLAN network segment with the VLAN setup I posted.
Something in the default config prevented logging in from the VLAN network.

Now I want to apply the same restrictions on this interface, so I will use the "tip" you gave me about services and maybe some firewall rules.

I'm watching this video from MikroTik; at minute 5 Tomas Kirnak explains that the default config has not been exploited, so I'm interested in just moving those restrictions onto the VLAN interface and keeping as much of the default config as I can.

https://www.youtube.com/watch?v=3aEyqdz7awE

thank you a lot :D

Re: winbox and vlan

Posted: Fri May 17, 2019 8:30 pm
by ddzyfaa
Finally I found a way to use the management tools on another network segment instead of the default LAN one:

1) There is a firewall rule you need to check in the default config:
defconf: drop all not coming from LAN
So whatever IP range your LAN network uses (1.1.1.1/24), if you put another IP range on another interface (2.2.2.2/24) you will never reach the service because of that rule.

2) Services by default are bound to the LAN interfaces by rules like:
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
(adjust LAN to your interface name)

Greetings :D

Re: winbox and vlan

Posted: Fri May 17, 2019 10:11 pm
by mkx
(adjust LAN to your interface name)
Actually the proper way is to adjust the /interface list member ports grouped in the LAN list ... and WAN as well if the WAN port is not the default one. This would fix firewall filter rules, NAT rules, MAC server rules ... all at the same time.
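The approach from the last two posts, keeping the default firewall and instead making the management VLAN a member of the LAN interface list, as an added RouterOS CLI example (not from the thread, and not MikroTik's own defconf script). It assumes VLAN100 rides on ether10 with 10.0.100.1/24 as in the original post, that the default LAN list and the "defconf: drop all not coming from LAN" input rule are still in place, and that the admin workstation is 10.0.100.10 (a constructed address):

```routeros
# Added example: management access over a VLAN while keeping the RouterOS default firewall.
# Assumptions: default config present (LAN/WAN interface lists, defconf input rules),
# VLAN100 tagged on ether10, VLAN subnet 10.0.100.0/24, admin host 10.0.100.10 (constructed).

# 1) VLAN interface and address, as in the original post.
/interface vlan add name=VLAN100 vlan-id=100 interface=ether10 disabled=no
/ip address add address=10.0.100.1/24 interface=VLAN100 network=10.0.100.0

# 2) Make the VLAN a member of the LAN list. Every default rule that matches on
#    in-interface-list=LAN (the "drop all not coming from LAN" input rule, the masquerade
#    rule, MAC server and neighbor discovery settings) now covers VLAN100 without
#    editing those rules one by one.
/interface list member add list=LAN interface=VLAN100
/interface list member print where list=LAN

# 3) Check that the input chain is no longer dropping the VLAN traffic:
#    the counters on the defconf drop rule should stop growing while you connect.
/ip firewall filter print stats where chain=input

# 4) Tighten management further instead of opening it: restrict WinBox and SSH to the
#    default LAN subnet plus the admin host, and disable services that are not needed.
/ip service set winbox address=192.168.88.0/24,10.0.100.10/32
/ip service set ssh address=192.168.88.0/24,10.0.100.10/32
/ip service disable telnet,ftp,www,api

# 5) The MAC-level services stay bound to the LAN list (unchanged from the default), so
#    MAC-WinBox and neighbor discovery are now reachable from VLAN100 as well.
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
```

Adding the VLAN to the LAN list is a trust decision: it puts the VLAN on the same footing as the wired LAN for every rule that references the list, including NAT and MAC-based management. If the VLAN should reach management but not be trusted for everything else, keep the list membership for the firewall input rules and add explicit forward-chain drops for the VLAN above the defconf rules, rather than resetting the router without the default config.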