sirnef
just joined
Topic Author
Posts: 12
Joined: Sat Dec 07, 2019 4:52 pm

Isolate home devices with VLANs

Sat Mar 28, 2020 12:48 pm

Hi,

please help me to configure my RB962UiGS-5HacT2HnT. I tried to read the tutorials, but they are a little confusing and I don't know how to do it.

I would like to make three VLANs at the beginning to isolate the devices from each other:
1) trusted devices (laptops, mobile phones) - Internet and printer access
2) TV - Internet access only
3) printer - cut off from the Internet

I created three VLANs in the following way:
1) I've made a new wireless security profile.
2) I've created a new virtual WiFi with this profile.
3) I've created a VLAN with 'use tag' and assigned it to the virtual WiFi above.
4) I've created a bridge.
5) I've added the following ports to the bridge: a) the virtual WiFi, b) the VLAN.
6) I've set an address for the bridge.
7) I've set up DHCP for the bridge.

This way I have three separate WiFi visible, probably with VLAN, but I have no idea what to do next.
 
mkx
Forum Guru
Posts: 4634
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolate home devices with VLANs

Sat Mar 28, 2020 1:09 pm

Did you read this tutorial?
BR,
Metod
 
sirnef
just joined
Topic Author
Posts: 12
Joined: Sat Dec 07, 2019 4:52 pm

Re: Isolate home devices with VLANs

Sat Mar 28, 2020 2:43 pm

I read the text. I'll try to understand the scripts. But I've already noticed one thing.
IP Addressing & Routing:
There is only one hardware device, of which we create one bridge to manage all LAN side devices. We set this IP address to 192.168.0.1. Everything gets routed out the Yellow WAN interface for Internet access.
It mentions creating one bridge, but I created a separate bridge and a separate address pool for each VLAN: 192.168.10.1/24 for trusted devices, 192.168.20.1/24 for the TV and 192.168.30.1/24 for printers. I don't quite understand the concept of bridges...
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate home devices with VLANs

Sat Mar 28, 2020 2:48 pm

Look at this thread, similar question:
viewtopic.php?f=13&t=159243
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mkx
Forum Guru
Posts: 4634
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolate home devices with VLANs

Sat Mar 28, 2020 3:43 pm

I don't quite understand the concept of bridges...

In the context of VLANs, bridges are VLAN-aware switches. So when following the tutorial I linked, it is essential to have only one bridge per device.
Tutorials about one bridge per VLAN are old school (before bridges became aware of VLANs) and you shouldn't be looking at them. At all.

I suggest you scrap your previous config, reset with no defaults and start over ... but follow the tutorial I linked.
BR,
Metod
 
sirnef
just joined
Topic Author
Posts: 12
Joined: Sat Dec 07, 2019 4:52 pm

Re: Isolate home devices with VLANs

Sun Mar 29, 2020 11:32 pm

When I do the IP addressing points, something gets mixed up in the configuration so much that it logs me out of Winbox and I can't log in again.

Can you please tell me which points in the RouterSwitchAP.rsc script I should be careful with to prevent this? I do the configuration step by step while connected to WiFi with the default address pool 192.168.88.1/24.
 
mkx
Forum Guru
Posts: 4634
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolate home devices with VLANs

Mon Mar 30, 2020 12:00 am

When you change IP settings (and don't do it with safety straps attached ... it's beyond this topic to describe them), then it's somewhat expected to lose management access. In such moments it's fine to use Winbox with its ability to connect to the router via MAC (without IP).
BR,
Metod
 
sirnef
just joined
Topic Author
Posts: 12
Joined: Sat Dec 07, 2019 4:52 pm

Re: Isolate home devices with VLANs

Mon Mar 30, 2020 12:58 pm

That helped me a lot :) Thanks!

So, my problems now are:
1) DHCP seems to be not working on BLUE network
2) I have Internet access from BASE network

Could you please check my config:
# mar/30/2020 11:37:29 by RouterOS 6.46.4
# software id = HF3B-E918
#
# model = RB962UiGS-5HacT2HnT
# serial number = BEC40ADFD700
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=mtii wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no  distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=mtv wireless-protocol=802.11
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=99
add interface=bridge name=BLUE_VLAN vlan-id=10
add interface=bridge name=GREEN_VLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=XXX
add authentication-types=wpa2-psk mode=dynamic-keys name=printer supplicant-identity=MikroTik wpa2-pre-shared-key=XXX
add authentication-types=wpa2-psk mode=dynamic-keys name=base supplicant-identity=MikroTik wpa2-pre-shared-key=XXX
/interface wireless
add disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan1 name=wlan-base security-profile=base ssid=mtii-b
add disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan1 name=wlan-printer security-profile=printer ssid=mtii-p
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=BLUE_POOL ranges=192.168.10.2-192.168.10.254
add name=GREEN_POOL ranges=192.168.20.2-192.168.20.254
add name=BASE_POOL ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-printer pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-base pvid=99
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan-printer vlan-ids=20
add bridge=bridge tagged=bridge untagged=wlan-base vlan-ids=99
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=BLUE_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=GREEN_VLAN network=192.168.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment="Drop others"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop others"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=XXX
set api disabled=yes
set winbox port=XXX
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RouterSwitchAP
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
And here is the dynamic bridge config that I think can't be seen in the export above. This is the remains of the default configuration. Maybe this is the reason? I don't know if, and possibly how, to get rid of it:
[image omitted]
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate home devices with VLANs

Mon Mar 30, 2020 3:19 pm

Okay before I delve into the config, I need more info about your network.

Assuming BASE (99) is your home and trusted network
What is your WLAN1 network for (2ghz) Is this just for the TV??
What is your WLAN2 network for (5ghz)

Then you have a virtual WLAN (master being wlan1) just for base (home trusted??)
Then you have second virtual WLAN (master being wlan1) just for the printer.

All require access to the internet EXCEPT the printer.

Who needs access to the printer?

What is connected to ether2? A PC, a managed switch??

Is there anything else wired or just the device(s) on eth2?

As I said, cannot figure out the config without more knowledge of the structure of your network and also the use cases (what users need what).
 
tdw
Member
Posts: 453
Joined: Sat May 05, 2018 11:55 am

Re: Isolate home devices with VLANs

Mon Mar 30, 2020 3:53 pm

And here is the Dynamic Bridge config that I think can't be seen in the export above. This is the remains of the default configuration. Maybe this is the reason? I don't know if and possibly how to get rid of it.:
The VLAN-aware bridge documentation indicates you have to configure the PVID in /interface bridge port and the untagged membership in /interface bridge vlan to match each other; you are missing the PVID in the bridge port entry for wlan1 (and a couple of others you may not have tested yet).

In practice, if you only configure it in /interface bridge port, the corresponding membership is added dynamically to /interface bridge vlan. So:
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=???
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=???
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-printer pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-base pvid=99
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan-printer vlan-ids=20
add bridge=bridge tagged=bridge untagged=wlan-base vlan-ids=99
 
sirnef
just joined
Topic Author
Posts: 12
Joined: Sat Dec 07, 2019 4:52 pm

Re: Isolate home devices with VLANs

Mon Mar 30, 2020 4:52 pm

First, thanks for your patience. This should clarify things a bit:
[image omitted]
Red are connections that I do not test now, because I just tried to use the tutorial script and wanted to check if I can configure anything working...

wlan1 was the default 2 GHz WiFi and for now I am adding virtual interfaces to it.
wlan2 was the default 5 GHz WiFi. I haven't disabled it, because I believe I will be able to use it for the trusted devices VLAN (don't know how to configure it now).
With the config pasted earlier the current situation is:
[image omitted]


All require access to the internet EXCEPT the printer.
No, not only the printer. My understanding from the tutorial is that the BASE (management) network shouldn't have Internet access either.
(I just realized that BASE VLAN is in BASE and VLAN interface lists, that's why I have Internet access in BASE... :) )
Who needs access to the printer?
BLUE VLAN - trusted devices.
What is connected to ether2? A PC, a managed switch??
I'm going to connect TV here, so it will use cable instead of WiFi. In the tutorial linked above it was said that I should limit wireless VLANs "to minimize WiFi inefficiency".
Is there anything else wired or just the device(s) on eth2?
As in the diagram above, I'd like to connect Synology NAS. Would be perfect to have external access to it.
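Putting the thread's pieces together, the following is an added example of the single VLAN-aware bridge layout that mkx and tdw describe; it was written for this page and is not a post by any thread participant. It keeps sirnef's names and IDs from the export (BLUE 10, GREEN 20, BASE 99, the wlan-base and wlan-printer virtual APs) and adds, as assumptions not stated in the thread, a RED_VLAN with ID 30 and 192.168.30.0/24 for the TV on ether2, wlan2 as a second BLUE access port, static addressing on BASE, and an INTERNET interface list kept separate from VLAN so that BASE_VLAN cannot end up in both (the overlap noticed above). External access to the NAS is not covered.

```routeros
# Added example, not a post from the thread: one VLAN-aware bridge on the
# RB962UiGS-5HacT2HnT implementing sirnef's policy. Assumed (not in the thread):
# the TV on ether2 gets VLAN 30 / 192.168.30.0/24 (RED_VLAN), wlan2 joins the
# trusted BLUE network, BASE uses static addresses, the defconf firewall rules
# are gone, and wlan-base / wlan-printer already exist as in the export.
# Work from a MAC-Winbox session; losing IP access part-way is expected.

/interface bridge
add name=bridge vlan-filtering=no comment="filtering is switched on last"

# Access ports. The pvid here and the untagged= entry below must agree;
# a pvid with no matching vlan entry only produces a dynamic (D) membership.
/interface bridge port
add bridge=bridge interface=ether2 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan-printer pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan-base pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1,wlan2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan-printer vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=30
add bridge=bridge tagged=bridge untagged=wlan-base vlan-ids=99

# One routed interface per VLAN, all on the single bridge
/interface vlan
add interface=bridge name=BLUE_VLAN vlan-id=10
add interface=bridge name=GREEN_VLAN vlan-id=20
add interface=bridge name=RED_VLAN vlan-id=30
add interface=bridge name=BASE_VLAN vlan-id=99

# Lists drive the firewall. BASE_VLAN is in VLAN (router services) but NOT in
# INTERNET; being in both lists is what gave BASE Internet access in the export.
/interface list
add name=WAN
add name=VLAN
add name=INTERNET
add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=INTERNET
add interface=RED_VLAN list=INTERNET
add interface=BASE_VLAN list=BASE

/ip address
add address=192.168.0.1/24 interface=BASE_VLAN
add address=192.168.10.1/24 interface=BLUE_VLAN
add address=192.168.20.1/24 interface=GREEN_VLAN
add address=192.168.30.1/24 interface=RED_VLAN

# DHCP per client VLAN; clients use their own gateway for DNS, so the input
# chain only has to admit DNS/DHCP from the VLAN list. Printer gets no DNS.
/ip pool
add name=BLUE_POOL ranges=192.168.10.2-192.168.10.254
add name=GREEN_POOL ranges=192.168.20.2-192.168.20.254
add name=RED_POOL ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# input: only BASE manages the router; other VLANs get DNS and DHCP, nothing else
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=BASE comment="management from BASE only"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,67 comment="DNS, DHCP"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53
add chain=input action=drop comment="everything else, including WAN"
# forward: default deny, one explicit allow per permitted flow direction
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new in-interface=BLUE_VLAN out-interface=GREEN_VLAN comment="trusted -> printer"
add chain=forward action=accept connection-state=new in-interface-list=INTERNET out-interface-list=WAN comment="BLUE, RED -> Internet"
add chain=forward action=drop comment="printer and BASE never reach the Internet; no other inter-VLAN traffic"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Last step: from here on untagged frames follow the pvid and the vlan table
/interface bridge set [ find name=bridge ] vlan-filtering=yes
```

After the final line, `/interface bridge vlan print` should show no D (dynamic) entries for these ports; a D entry means a pvid was set without a matching untagged= line, which is the mismatch tdw points out above. Enabling vlan-filtering last matters because once it is on, any port whose VLAN membership is incomplete, the management VLAN included, stops passing traffic, and you are back to connecting over MAC as mkx describes.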
