MerijnB
just joined
Topic Author
Posts: 3
Joined: Sat Aug 10, 2019 6:52 pm

VLAN / DHCP basics

Sat Aug 10, 2019 7:05 pm

Hi,

I'm quite a beginner with MikroTik and networking in general, so please bear with me :)

I'm using a 2011UiAS-2HnD which currently has a config which came from quickset, and I'm trying to rework towards what I want, so there might be a lot of clutter in my current config.
Currently the setup is very simple, WAN is connected to ether10 and set to be DHCP client. All other ports are bridged together and have a DHCP server running which does basic routing, so far so good.

Now I want to connect an AP to one of the ports which will have 2 wlans, one for private use and one for public use. The private one currently is untagged (like the rest of the configuration so far) and the public one I'm trying to put in VLAN1, with the goal that everything connected to the public WLAN is not able to reach anything on the private side.

I've added a vlan1 interface, DHCP server and IP pool, but when I connect a device to the public WLAN (vlan1) I'm not getting any IP address, so I'm probably messing up something simple. There is currently some wlan config in the routerboard, but this can be ignored, it will be removed once the external APs are working.

Private is 192.168.88.0/24
Public is 192.168.2.0/24

Hope someone can point me into the right direction, tia!

Here is my current config:
# aug/10/2019 17:49:09 by RouterOS 6.45.3
# software id = 3DKL-L98X
#
# model = 2011UiAS-2HnD
# serial number = 63FA055724F0
/interface bridge
add admin-mac=E4:8D:8C:7A:AA:86 auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=AP
set [ find default-name=sfp1 ] disabled=yes
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=wan name=wan poe-out=off
/interface vlan
add interface=wan name=vlan1 vlan-id=1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=normal supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=netherlands disabled=no distance=indoors frequency=\
    auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=\
    normal ssid=test wireless-protocol=802.11
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
add name=dhcp_pool_vlan1 ranges=192.168.2.20-192.168.2.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local name=dhcp
add address-pool=dhcp_pool_vlan1 disabled=no interface=vlan1 name=dhcp_vlan1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether6
add bridge=bridge-local interface=wlan1
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local hw=no interface=ether7
add bridge=bridge-local hw=no interface=ether8
add bridge=bridge-local hw=no interface=ether1
add bridge=bridge-local interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=wan list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7 list=mactel
add interface=ether6 list=mac-winbox
add interface=ether8 list=mactel
add interface=ether7 list=mac-winbox
add interface=ether9 list=mactel
add interface=ether8 list=mac-winbox
add interface=wan list=mactel
add interface=ether9 list=mac-winbox
add interface=sfp1 list=mactel
add interface=wlan1 list=mactel
add interface=bridge-local list=mactel
add interface=wan list=mac-winbox
add interface=sfp1 list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2 \
    network=192.168.88.0
add address=192.168.2.1/24 interface=vlan1 network=192.168.2.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=wan
/ip dhcp-server lease
add address=192.168.88.6 client-id=1:d8:d:17:3e:59:9a comment=AP1 \
    mac-address=D8:0D:17:3E:59:9A server=dhcp
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=wan
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=wan
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=wan
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add topics=dhcp
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
CapFloor
just joined
Posts: 8
Joined: Sat Feb 06, 2016 1:38 pm

Re: VLAN / DHCP basics

Sun Aug 11, 2019 12:21 am

Hi,

your AP is connected to one of the LAN ports. Therefore you need a VLAN configuration on the bridge ("bridge-local"), not on your WAN interface.

Read https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table to learn more about VLAN filtering with bridges. My advice is to use VLAN#1 for private and some other VLAN for public network.

After that, you can separate "private" from "public" traffic by one or two firewall filter rules. But first get the VLAN config for the bridge running.

br
Frank
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: VLAN / DHCP basics

Sun Aug 11, 2019 1:15 am

Just a follow up on previous answer (which is quite sufficient)

Better advice would be to not use VLAN 1 at all, as it is used for internal purposes by too many manufacturers. VLANs like 1, 2, 4095 etc. are quite popular among manufacturers for separating traffic internally and some devices simply strip any VLAN tag on ingress of the packet.
Even if your network is simple and contains only MikroTik devices, it is better to follow it anyway as a part of "best practice" so you won't get surprised later.
Other numbers (10, 11, ... 420, 666, ...) are a safer choice.
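Putting the two replies above together as an added configuration example (this is not from any poster in the thread and was not run on the original poster's router): the public VLAN is moved from the WAN port onto bridge-local using the bridge VLAN table that CapFloor's link describes, the public tag is 20 rather than 1 as vecernik87 suggests, and two firewall rule groups keep public clients away from the private 192.168.88.0/24 side. Assumed details are the AP on ether9 (taken from the comment in the posted export), private traffic left untagged, VLAN id 20, and the interface name vlan20-public; the addresses and pool range are the ones from the original post.

```routeros
# Added example for a RouterOS 6.4x RB2011 with bridge "bridge-local".
# Assumptions: AP on ether9, private = untagged (PVID 1), public = VLAN 20,
# public subnet 192.168.2.0/24 as in the original post.

# 1. /interface vlan is the router's own L3 interface for a tag and must sit
#    on the bridge, not on the WAN port. /interface bridge vlan (below) is the
#    bridge's VLAN table: which ports carry which tags.
/interface vlan
add interface=bridge-local name=vlan20-public vlan-id=20

# 2. ether9 carries VLAN 20 tagged towards the AP and stays PVID 1 for the
#    untagged private WLAN. bridge-local itself is listed as a tagged member
#    so the router's vlan20-public interface receives the frames.
/interface bridge port
set [ find interface=ether9 ] pvid=1
/interface bridge vlan
add bridge=bridge-local tagged=bridge-local,ether9 vlan-ids=20

# 3. Public addressing and DHCP live on the VLAN interface (replaces the
#    vlan1 entries from the posted export).
/ip address
add address=192.168.2.1/24 interface=vlan20-public network=192.168.2.0
/ip pool
add name=dhcp_pool_public ranges=192.168.2.20-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool_public disabled=no interface=vlan20-public \
    name=dhcp_public
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1

# 4a. Forward chain: new connections from the public VLAN towards the
#     private subnet are dropped. Placed before the fasttrack rule so it is
#     evaluated first; connection-state=new leaves replies to connections
#     started from the private side untouched.
/ip firewall filter
add action=drop chain=forward comment="public may not reach private" \
    connection-state=new dst-address=192.168.88.0/24 \
    in-interface=vlan20-public \
    place-before=[ find action=fasttrack-connection ]

# 4b. Input chain: public clients may only talk to the router for DHCP and
#     DNS (ICMP is still accepted by the existing default rule above these).
add action=accept chain=input comment="public: DHCP/DNS to router" \
    dst-port=53,67 in-interface=vlan20-public protocol=udp
add action=accept chain=input comment="public: DNS over TCP" dst-port=53 \
    in-interface=vlan20-public protocol=tcp
add action=drop chain=input comment="public: nothing else to router" \
    in-interface=vlan20-public

# 5. Switch the bridge to VLAN filtering last, from Safe Mode, after the
#    table above is in place; an incomplete table can cut off management.
#    On the RB2011 this filtering is done by the CPU, which is why the
#    bridge ports keep hw=no as in the posted export.
/interface bridge
set bridge-local vlan-filtering=yes
```

Whether the private side should also become a tagged VLAN (as MerijnB asks later) does not change this layout: adding a second /interface bridge vlan entry and a matching /interface vlan would be enough, with pvid on the access ports set to that id instead of 1.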
 
MerijnB
just joined
Topic Author
Posts: 3
Joined: Sat Aug 10, 2019 6:52 pm

Re: VLAN / DHCP basics

Sun Aug 11, 2019 5:36 pm

Tx for the info; would it be better to have two vlans (one for private and one for public) or one vlan (for private or public) and the other one untagged (and why)?
 
MerijnB
just joined
Topic Author
Posts: 3
Joined: Sat Aug 10, 2019 6:52 pm

Re: VLAN / DHCP basics

Mon Aug 12, 2019 10:27 am

> your AP is connected to one of the LAN ports. Therefore you need a VLAN configuration on the bridge ("bridge-local"), not on your WAN interface.

I've changed that and it works like a charm (now I nicely get an IP from the right pool when connecting to the public VLAN).

> Read https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table to learn more about VLAN filtering with bridges. My advice is to use VLAN#1 for private and some other VLAN for public network.

I'm reading through this, but I'm having a bit of a wall-of-text issue. For starters, it mentions stuff under /interface bridge vlan, but I didn't define the VLAN there, I did it under /interface vlan (I think). Did I define the (wrong) VLAN in the wrong place?

> After that, you can separate "private" from "public" traffic by one or two firewall filter rules. But first get the VLAN config for the bridge running.

So currently the VLAN seems to be working; when you say "get the VLAN config for the bridge running", does that include more than what I have now?

BTW, here is a small diagram showing the end result I'm trying to achieve, in the end there will be 2 access points, both working with the same 2 VLANS (just in case this idea is flawed or needs another approach). All wired stuff (including the PC behind the switch) should be in the private network (not sure yet if that should be untagged or also be on a VLAN).

[Image: diagram of the intended setup, not included in this extract]

Thanks for all the support!
