VolkerPanama
just joined
Topic Author
Posts: 2
Joined: Mon Jul 15, 2019 5:05 am

Access devices in one VLAN from other VLAN

Mon Jul 15, 2019 6:39 am

I am quite new to networking, especially in setting up a router. So hopefully I can get some help here.
I have a hex lite 5 port router which I want to use to control access devices and surveillance cameras for a small hotel and provide guests with WLAN for personal use and Internet-TV.
In order to separate the guest Wifi from the rest of the network, I have two VLANs (01, 02). The ports are set up as follows:
port1 is connected to my ISP's cable modem
port2 (VLAN01) is connected to the admin PC
port3 (VLAN01) is connected to an unmanaged switch which controls several devices
port4 (VLAN01) is connected to an NVR which controls several IP cameras
port5 (VLAN02) is connected to an unmanaged switch which on its part is connected to several small WiFi access points. The APs are accessible in the 192.168.99.xx range (VLAN02).
The admin PC is set to an address in the subnet of VLAN01 (192.168.1.xx).
As I don't have much knowledge of how to set up VLANs, I had an external expert set up the router for me about a year ago.
My problem now is that I don't know / don't remember how to access the APs from the admin PC in order to change their WiFi passwords. If I try to enter 192.168.99.xx (xx=10-13) in the browser, I get no connection, although the APs work perfectly, providing internet via WiFi. Is there an error in the config, or am I simply making some dumb error?
Can anybody give a hint of how to resolve the problem? This is the configuration (some numbers obfuscated for security):
# jul/14/2019 21:35:17 by RouterOS 6.43.8
# software id = E7V3-J2PL
#
# model = RouterBOARD 750 r2
# serial number = xxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
add name=vlan1_br
add name=vlan2_br
add name=vlan_trunk_br
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether1_ISP
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2_Admin_PC
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether3_Switch
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether4_NVR
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether5_WIFI
/interface vlan
add interface=vlan_trunk_br name=vlan01 vlan-id=101
add interface=vlan_trunk_br name=vlan02 vlan-id=102
add interface=ether5_WIFI name=vlan5 vlan-id=500
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool3 ranges=192.168.98.100-192.168.98.254
add name=dhcp_pool4 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=vlan2_br name=dhcp1
add address-pool=dhcp_pool4 interface=vlan1_br name=dhcp2
/interface bridge port
add bridge=vlan1_br comment=defconf interface=ether2_Admin_PC
add bridge=vlan1_br comment=defconf interface=ether4_NVR
add bridge=vlan2_br comment=defconf interface=ether5_WIFI
add bridge=vlan1_br interface=vlan01
add bridge=vlan1_br comment=defconf interface=ether3_Switch
add bridge=vlan2_br comment=defconf interface=vlan02
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_ISP list=WAN
/ip address
add address=192.168.1.1/24 comment="Camaras, microcontroladores, pc admin" interface=vlan1_br network=192.168.1.0
add address=192.168.99.1/27 comment="APs Del Hotel" interface=vlan2_br network=192.168.99.0
add address=192.168.98.1/24 comment="Clientes WIFI" interface=vlan2_br network=192.168.98.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_ISP
add dhcp-options=hostname,clientid disabled=no interface=vlan5
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.98.0/24 gateway=192.168.98.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=xxxxxxxxxxx.sn.mynetname.net list="Ips Publicas"
/ip firewall filter
add action=accept chain=forward comment="Aceptar todo el trafico entre la red privada" src-address=192.168.9.0/24
add action=drop chain=forward comment="Bloqueo de Clientes Wifi a equipos de admion en subred 192.168.99.0/24" dst-address=192.168.99.0/24 src-address=192.168.98.0/24
add action=drop chain=forward comment="Bloqueo de Clientes Wifi a equipos de admion en subred 192.168.99.0/24" dst-address=192.168.98.0/24 src-address=192.168.99.0/24
add action=drop chain=forward comment="Bloqueo de Clientes Wifi a equipos de admion en subred 192.168.99.0/24" dst-address=192.168.1.0/24 src-address=192.168.98.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Acepto Conexiones al Mikrotik" dst-port=xxxx protocol=tcp
add action=accept chain=input comment="Acepto Conexiones al Mikrotik" dst-port=xxxx protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Camara1 Puerto1 --Web-" dst-address-list="Ips Publicas" dst-port=5001 protocol=tcp to-addresses=192.168.1.240 to-ports=80
add action=dst-nat chain=dstnat comment="Camara1 - Puerto2" dst-address-list="Ips Publicas" dst-port=34568 protocol=tcp to-addresses=192.168.1.240 to-ports=34568
add action=dst-nat chain=dstnat comment="Camara1 - Puerto3" dst-address-list="Ips Publicas" dst-port=8900 protocol=tcp to-addresses=192.168.1.240 to-ports=8900
add action=dst-nat chain=dstnat comment="Camara2 Puerto1 --Web-" dst-address-list="Ips Publicas" dst-port=5002 protocol=tcp to-addresses=192.168.1.241 to-ports=80
add action=dst-nat chain=dstnat comment="Camara2 - Puerto2" dst-address-list="Ips Publicas" dst-port=34567 protocol=tcp to-addresses=192.168.1.241 to-ports=34567
add action=dst-nat chain=dstnat comment="Camara2 - Puerto3" dst-address-list="Ips Publicas" dst-port=8899 protocol=tcp to-addresses=192.168.1.241 to-ports=8899
add action=dst-nat chain=dstnat comment="Camara3 Puerto1 --Web-" dst-address-list="Ips Publicas" dst-port=5003 protocol=tcp to-addresses=192.168.1.242 to-ports=80
add action=dst-nat chain=dstnat comment="Camara3 - Puerto2" dst-address-list="Ips Publicas" dst-port=34569 protocol=tcp to-addresses=192.168.1.242 to-ports=34569
add action=dst-nat chain=dstnat comment="Camara3 - Puerto3" dst-address-list="Ips Publicas" dst-port=8901 protocol=tcp to-addresses=192.168.1.242 to-ports=8901
add action=dst-nat chain=dstnat comment="Camara4 Puerto1 --Web-" dst-address-list="Ips Publicas" dst-port=5004 protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=dst-nat chain=dstnat comment="Camara4 - Puerto2" dst-address-list="Ips Publicas" dst-port=34570 protocol=tcp to-addresses=192.168.1.243 to-ports=34570
add action=dst-nat chain=dstnat comment="Camara4 - Puerto3" dst-address-list="Ips Publicas" dst-port=8902 protocol=tcp to-addresses=192.168.1.243 to-ports=8902
add action=dst-nat chain=dstnat comment="Camara5 Puerto1 --Web-" dst-address-list="Ips Publicas" dst-port=5005 protocol=tcp to-addresses=192.168.1.244 to-ports=80
add action=dst-nat chain=dstnat comment="Camara5 - Puerto2" dst-address-list="Ips Publicas" dst-port=34571 protocol=tcp to-addresses=192.168.1.244 to-ports=34571
add action=dst-nat chain=dstnat comment="Camara5 - Puerto3" dst-address-list="Ips Publicas" dst-port=8903 protocol=tcp to-addresses=192.168.1.244 to-ports=8903
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=xxxx
set ssh disabled=yes
set api disabled=yes
set winbox port=xxxx
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Panama
/system clock manual
set time-zone=-05:00
/system ntp client
set enabled=yes primary-ntp=72.236.88.2 secondary-ntp=72.236.88.3 server-dns-names=time.nist.gov,utcnist.colorado.edu,time-a.nist.gov
/tool mac-server
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 3114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access devices in one VLAN from other VLAN

Mon Jul 15, 2019 6:02 pm

Well, the good news is that the OS is somewhat up to date, but I would update it to the latest current stable release.
I am not a fan of using vlan01 as that can get confusing and would change the numbering to vlan10.
But before doing that I would have a good read of an excellent resource to help you learn and manage the config!
viewtopic.php?f=13&t=143620

As to the question at hand, in general vlans are blocked at layer2 but could still communicate with each other at Layer3.
I see many block firewall rules to prevent this.
I would, instead, get rid of all the block rules and simply make my last rule in the forward chain a catchall block rule.
add chain=forward action=drop comment="drop all else"
Before this last rule you would have the necessary allow rules, as follows:
ALLOW VLAN X to internet
ALLOW VLAN Y to internet etc......... PLUS to get that elusive access!!!
add chain=forward action=accept in-interface=vlan10 src-address=<ADMIN PC IP> dst-address=<SUBNET OF WIFI> comment="Admin Access to Guest Network"
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
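The forward chain described above, written out as an added example against the interface and subnet names in the posted export (this is not anav's or the original poster's configuration). It assumes vlan1_br carries the admin PC, NVR and cameras (192.168.1.0/24) and vlan2_br carries guests (192.168.98.0/24) and the APs (192.168.99.0/27); ADMIN_PC_IP is a placeholder for the admin PC's 192.168.1.x address, and these rules replace the existing forward chain rather than being appended after it.

```routeros
# Added example. Interface and subnet names come from the posted export;
# ADMIN_PC_IP is a placeholder for the admin PC's fixed 192.168.1.x address.
/ip firewall filter
# Stateful rules first, so replies to allowed connections never reach the drops below.
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Per-VLAN Internet access: traffic entering on a LAN bridge and leaving on a WAN-list interface.
add chain=forward action=accept in-interface=vlan1_br out-interface-list=WAN comment="ALLOW admin VLAN to internet"
add chain=forward action=accept in-interface=vlan2_br out-interface-list=WAN comment="ALLOW guest VLAN to internet"
# The single inter-VLAN exception: admin PC to the AP management subnet only.
add chain=forward action=accept in-interface=vlan1_br src-address=ADMIN_PC_IP dst-address=192.168.99.0/27 comment="Admin access to APs"
# The posted camera port-forwards need an explicit allow once a catch-all drop exists.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN comment="allow dst-nated camera traffic"
# Catch-all: guest -> APs, guest -> cameras and anything else not listed above is dropped.
add chain=forward action=drop comment="drop all else"
```

Because 192.168.98.0/24 and 192.168.99.0/27 are both addresses on vlan2_br in the posted export, the router only filters traffic between them that is actually routed through it; hosts on that one bridge share a layer-2 segment, so this filter does not isolate guests from the APs on its own.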
 
VolkerPanama
just joined
Topic Author
Posts: 2
Joined: Mon Jul 15, 2019 5:05 am

Re: Access devices in one VLAN from other VLAN

Mon Jul 15, 2019 11:58 pm

Thank you very much for your kind and helpful answer. Especially the provided link looks very useful.

I admit that I am a bit wary of changing the code, as I have so little experience and do not completely understand all of it. But with your example and the link, I will try as soon as I have a bit more time. The problem is, I know it will take a lot of time to study all the commands so that I really understand what I am doing, and this is only a small part of a larger project that absorbs most of my available time.
This router, as small as it is, is a real monster of options.

The good news is, while yesterday I was not able to connect to any of the APs, after shutting down the PC yesterday and restarting it today, I have been able to connect immediately. So the code works, but I appreciate your hints and will see if I can improve it. Of course, I will keep the backup of the current configuration.
Is there some kind of a list of all commands that I can study?
I take it that updating the OS will not affect the actual configuration, but I would like to ask you one last question to make sure.
In the router's menu, I did not find a menu item like "update OS", only "System/AutoUpgrade". Is this the same?
 
mkx
Forum Guru
Posts: 3183
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access devices in one VLAN from other VLAN

Tue Jul 16, 2019 8:40 am

I take it that updating the OS will not affect the actual configuration, but I would like to ask you one last question to make sure.
In the router's menu, I did not find a menu item like "update OS", only "System/AutoUpgrade". Is this the same?
Updating the OS might change the actual configuration ... if there have been some major changes in ROS. Such changes are not frequent and do not happen within the same ROS version series (the last major change was between 6.40.x and 6.41 IIRC). The upgrade magic usually takes care of the necessary changes, but sometimes it fails to do that properly.

ROS upgrade is "hidden" under System->Packages ...
BR,
Metod
