VLAN help / ROAS

Thu Feb 13, 2020 5:29 am

Hi... very new here to MK devices and config.

I do have experience in other platforms, but just acquired an hAP... the company I work for now uses everything MikroTik for routing and PtP.
Need to catch up.

Anyway, with this hAP I used defconf.

Then I created a new VLAN assigned to either a bridge or an interface, with its own network, DHCP pool and server. However, I can't get the devices on the tagged VLAN to get an IP on the AP side; it goes to a managed switch that worked with the previous router. The idea is to use Router On A Stick for this.
Appreciate any help.

Print of config:

# model = 951Ui-2nD

/interface bridge
add admin-mac=E4:8D:8C:CF:AB:A8 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-CFABAC wireless-protocol=802.11
/interface vlan
add interface=bridge name=error404 use-service-tag=yes vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=
add name=error404 ranges=
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=error404 disabled=no interface=error404 name=error404
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=error404 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address= comment=defconf interface=bridge network=\
add address= interface=error404 network=
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address= comment=defconf dns-server= domain=\
castillohome gateway=
add address= dns-server= domain=Error404 gateway=\
/ip dns
set servers=
/ip dns static
add address= comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=passthrough chain=forward in-interface=ether1 out-interface=error404
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Caracas
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: VLAN help / ROAS

Thu Feb 13, 2020 1:19 pm

Setting use-service-tag=yes for the VLAN is likely to be wrong. Unless you have a complex setup VLANs normally use the customer rather than service tag type.

Without vlan-filtering=yes on the bridge (under /interface bridge) it will act like an unmanaged switch: any tagged VLANs will pass freely across any ports and all of /interface bridge vlan is ignored. You may wish to use safe mode when enabling it; this will roll back the configuration if you lose connectivity, e.g. due to a bad configuration.

A bridge has two personalities: it is both a switch and an interface to the CPU, and so it has to be included in any /interface bridge vlan configuration if you wish the traffic to reach the CPU. Another common mistake is to add the VLAN interface instead of the bridge, as you have done.

The /ip firewall mangle rule is redundant, it does nothing and is not required. You may wish to review the filter and NAT rules depending on what traffic flows you want to allow and forbid.

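The three fixes from the reply above (customer tag, bridge as a tagged member, vlan-filtering last), put together as an added example. This is not the original poster's config and not something the reply author posted; it is a corrected fragment written against the export shown in the first post. Everything not in that export is an assumption: ether2 is taken to be the trunk to the managed switch, ether3-5 and wlan1 are left as untagged access ports on the default LAN (bridge pvid 1), and VLAN 3 is given 192.168.3.0/24 with the router at 192.168.3.1 because the real addresses were blanked out of the export.

```routeros
# Added example, not the OP's config. Assumptions are marked below.
# Type these in a terminal in safe mode (Ctrl+X) so a mistake rolls back.

# 1. The VLAN interface sits on the bridge with a customer (0x8100) tag.
#    use-service-tag=no is the default; the export had it set to yes.
/interface vlan
set [ find name=error404 ] interface=bridge vlan-id=3 use-service-tag=no

# 2. Bridge VLAN table. The bridge itself must be a tagged member, otherwise
#    the CPU, and with it the error404 interface, its IP address and DHCP
#    server, never sees VLAN 3. ether2 is the assumed trunk to the switch.
/interface bridge vlan
set [ find vlan-ids=3 ] bridge=bridge tagged=bridge,ether2

# 3. Port roles. Trunk accepts tagged frames; access ports (pvid 1 by default)
#    accept only untagged frames, and ingress filtering drops VLANs a port is
#    not a member of.
/interface bridge port
set [ find interface=ether2 ] frame-types=admit-all ingress-filtering=yes
set [ find interface=ether3 ] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ether4 ] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ether5 ] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan1 ] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 4. Only now enable filtering; until this is set the table above is ignored
#    and the bridge floods every tag to every port.
/interface bridge
set bridge vlan-filtering=yes

# 5. Put the VLAN in the LAN list so the defconf input/NAT rules that match
#    on in-interface-list=LAN also cover it once you re-enable them.
/interface list member
add interface=error404 list=LAN

# 6. Addressing for VLAN 3 (assumed values; the export had them blanked).
/ip address
set [ find interface=error404 ] address=192.168.3.1/24
/ip pool
set error404 ranges=192.168.3.10-192.168.3.254
/ip dhcp-server network
set [ find domain=Error404 ] address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1

# 7. Remove the no-op mangle rule and the second masquerade rule, which
#    duplicates the defconf one that already matches out-interface-list=WAN.
/ip firewall mangle
remove [ find out-interface=error404 ]
/ip firewall nat
remove [ find chain=srcnat out-interface=ether1 ]
```

After applying, `/interface bridge vlan print` should show VLAN 3 with the bridge and ether2 as tagged members plus the dynamic VLAN 1 entry for the untagged ports; `/interface bridge host print` lists learned MAC addresses per VLAN, so a client on the switch's VLAN 3 port should appear there with vid 3 before `/ip dhcp-server lease print` shows it a lease. If the switch is wired to a different port than ether2, change the tagged list and the frame-types line for that port accordingly.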