hpet
newbie
Topic Author
Posts: 27
Joined: Mon Jan 18, 2021 12:09 pm

Router setup with VLANs

Fri Jan 29, 2021 6:57 pm

Hello, I have some basic network knowledge, but never did anything more complex (like VLANs, tunnels etc.) and it is also my first Mikrotik experience. Studying documentation and various sources, forums, I came up with some basic setup and would appreciate if you can check it and comment on where I am wrong and why. I commented extensively on how I understand individual commands. Please use layman's wording for me to better understand.
Desired setup in short:
- WAN dynamic from ISP
- LAN 172.31.1.0/24
- DHCP role on router (172.31.1.50-99)
- DNS server 172.31.1.1 (precondition, because I have domain network and to properly resolve domain services this DNS must be used)
- VLANs: ISP provided PBX connected to the routers switch port 10 (VLAN 20) and default PC network (VLAN10) as untagged egress (hybrid ports)
- I want the router to be accessible from the "PC VLAN", meaning no special administrative VLAN access or similar, because I don't have that understanding yet.

Thank you!

ROUTER SETUP:

############################################################################
#
# ROUTER IDENTITY, TIME ETC.
#
############################################################################

/system identity set name="HQ"

/system clock set time-zone-name=Europe/Ljubljana


############################################################################
#
# BRIDGE SETUP
#
# - create bridge to switch between desired interfaces
# - disable bridge vlan functionality during configuration
#
# Understanding:
# Bridge is a special kind of interface with functionality to bring together 
# various physical/logical ports/interfaces/lists/tunnels as if they are 
# attached to the same network. Because bridging can introduce network loops, 
# bridge implements various loop preventions mechanisms (STP, RSTP, MSTP).
# Bridge functionality is CPU intensive. Multiple bridges allowed.
# Alternative to bridge(ing) is routing. 
#
############################################################################

/interface bridge add name=BR1 protocol-mode=rstp vlan-filtering=no comment="Bridge" 


############################################################################
#
# BRIDGE PORT SETUP 

# - add interfaces/lists/ports/tunnels to the bridge
#
# - set ingress behaviour on each port (bridge itself can also do this, but we want to be port specific here)
#   - untagged ingress traffic is tagged with PVID (if not set defaults to 1)
#   - tagged ingress traffic is left as is
#   - actual tagging/untagging takes place on egress (when leaving bridge)
#
# Example below:
# - ingress on ether2 will pass on all declared VLANs (uplink trunk)
#   - which VLANs are allowed is defined by bridge vlan filtering (10 and 20 in our case)
# - ingress on ether3-9 (hybrid ports for VoIP phone => PC connection)
#   - will be tagged 10 if untagged (PC ingress)
#   - already tagged 20 will be passed on (VOIP PHONE)
#   - all other (tagged) traffic is dropped
# - ingress on ether10 will be tagged 20 if untagged (VOIP PBX)
# 
# Question: 
# Would use of interface lists be appropriate here? 
# Like grouping ether3-9 under list HYBRID_PORTS?
#
# Bridge VLAN switching in RB4011 doesn't support HW offloading.
# What would be equivalent built-in switch chip VLAN setup?
# Seems like RB4011 switch chip doesn't support hybrid ports? ...so no switch chip alternative?
#
############################################################################

/interface bridge port
add bridge=BR1 interface=ether2 hw=yes comment="Trunk for VLAN 10 and 20,... uplink"
add bridge=BR1 interface=ether3 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether4 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether5 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether6 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether7 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether8 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether9 hw=yes pvid=10 comment="Hybrid: untagged => 10"
add bridge=BR1 interface=ether10 hw=yes pvid=20 comment="VoIP PBX: untagged => 20"

############################################################################
#
# BRIDGE VLAN FILTERING
#
# - egress behaviour
#
# - create bridge vlan filters to manage VLAN switching
# - untag/tag egress port traffic according to vlan ids
#
# Example below: 
# - egress on ether3-9 will be untagged if tagged 10 (PC)
#   - egress tagged V20 will be allowed (Hybrid: PC + VOIP PHONE)
# - egress on ether10 will be untagged if tagged 20 (VOIP PBX)
#   - question: is all other tagged traffic dropped?
# - egress on ether2 will be allowed if tagged 10 or 20 (uplink trunk)
#
############################################################################

/interface bridge vlan
add bridge=BR1 vlan-ids=10 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9 tagged=ether2 comment="PC"
add bridge=BR1 vlan-ids=20 untagged=ether10 tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9 comment="VOIP"


############################################################################
#
# VLANs
#
# - create VLANs and add them to the bridge (for VLAN filtering)
#   - add address pools and dhcp as required for each VLAN
#
# Example below: 
# - ip address pool for PCs is created (range 172.31.1.50-99)
# - vlan 10 for normal pc network is created
#   - dhcp for assigning IPs to vlan 10 is created
#
# Question:
# I lack understanding of how this VLAN setup is related to the bridge vlan setup.
# We already set up bridge vlan filtering, and I don't understand what 
# I actually do here by creating a VLAN interface and assigning it to the bridge (BR1).
#
############################################################################

/ip pool add name=PC_POOL ranges=172.31.1.50-172.31.1.99

/interface vlan add interface=BR1 name=PC_VLAN vlan-id=10
/ip dhcp-server add address-pool=PC_POOL interface=PC_VLAN name=PC_DHCP
/ip dhcp-server network add address=172.31.1.0/24 dns-server=172.31.1.1 gateway=172.31.1.254

# IP phones (VLAN 20) have configured static IP/GW configured (current PBX setup)
/interface vlan add interface=BR1 name=VOIP_VLAN vlan-id=20


############################################################################
#
# WAN - internet connection setup
#
############################################################################

# WAN facing port with dynamic IP Address provided by ISP
/ip dhcp-client add interface=ether1


############################################################################
#
# LAN facing router's IP address
# My default PC network is now actually VLAN 10 so I need to add router's IP 
# on the VLAN 10?
#
############################################################################

/ip address add address=172.31.1.254/24 interface=PC_VLAN

############################################################################
#
# DNS
# We currently have windows domain set up therefore to properly resolve
# domain services AD/DNS must be used.
#
# Question:
# DNS service doesn't require any VLAN configuration?
#
############################################################################

# DNS server (windows domain server), set to cache for LAN
/ip dns set allow-remote-requests=yes servers="172.31.1.1"


############################################################################
#
# INTERFACE LISTS
#
# I don't understand this part clearly.
# What can I do with these lists now or why do I need them?
#
############################################################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=PC_VLAN list=LAN
add interface=VOIP_VLAN list=LAN
 
mkx
Forum Guru
Posts: 5417
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router setup with VLANs

Fri Jan 29, 2021 9:59 pm

Welcome to the forum!

# Because bridging can introduce network loops,
# bridge implements various loop preventions mechanisms (STP, RSTP, MSTP).
If your LAN layout physically doesn't allow network loops, it's best to disable it. At the very least ports will come up much faster after they get link up; xSTP takes quite some time to decide there isn't a loop created.

# Bridge VLAN switching in RB4011 doesn't support HW offloading.
# What would be equivalent built-in switch chip VLAN setup?
# Seems like RB4011 switch chip doesn't support hybrid ports? ...so no switch chip alternative?
While switch chip in RB4011 does support VLANs, the functionality is abused in ROS for other purposes (e.g. allows to use ports from switch chip in independent fashion), hence VLANs can't be done by switch chip. Bridge VLAN filtering is the only way to do it.

# - egress on ether10 will be untagged if tagged 20 (VOIP PBX)
# - question: is all other tagged traffic dropped?
On egress only frames belonging to configured VLANs will be passed. On ingress without additional setup it is possible to inject frames tagged with unconfigured VLAN IDs (return traffic will get dropped though). To make setup safer on ingress you should set ingress-filtering=yes (uses egress tables as base for ingress filtering) and frame-types= property with appropriate setting. For access ports (untagged only), correct setting would be "admit-only-untagged-and-priority-tagged", for trunk ports (tagged only) correct setting would be "admit-only-vlan-tagged" while for hybrid ports (untagged and one or more tagged) default setting of "admit-all" is the only possible setting.

# Question:
# DNS service doesn't require any VLAN configuration?
No, DNS is L3 (IP) service and thus uses IP setup on any given device (ROS device included).

Regarding DNS setup: if you have external DNS server (e.g. windows server), then you can set its IP address in DHCP network setup (as you already did). Then router will only need DNS setting for its own use and you can secure router by not allowing remote requests (this setting refers to service offered to clients, it is not limiting built-in DNS client to connect remote DNS servers)
/ip dns set allow-remote-requests=no servers="172.31.1.1"

# INTERFACE LISTS
# What can I do with these lists now or why do I need them?
They are handy when constructing firewall rules. They make it easy to move a certain connection from one interface to another one; in that case only a change in interface list membership is enough, no need to change (tens of) firewall filter rules. In your setup, where the router is not used as a firewall, they are surplus configuration.

# I lack understanding of how this VLAN setup is related to the bridge vlan setup.
# We already set up bridge vlan filtering, and I don't understand what
# I actually do here by creating a VLAN interface and assigning it to the bridge (BR1).
Strictly speaking, settings in /interface vlan have no relation to settings in /interface bridge.
But this matter needs some explanation: bridge has actually two personalities: 1) something like a switch, which bridges different interfaces (or bridge ports as they are called in this context) and generally operates as a managed switch. And 2) interface which connects device's CPU (i.e. ROS) to bridged subnet.
Router functions (firewall, routing, DHCP, ...) are performed on untagged frames. If frames ingressing and egressing the device are VLAN tagged, then ROS needs a device which works with frames with a select VLAN ID. Here come vlan interfaces: they are a kind of pipe with a tagged end, attached to an underlying interface (bridge in your case; can be a physical interface in case it is not part of a bridge, in your case ether1 could be used in this manner), which passes only frames with the select VLAN ID. The other end is an untagged interface. When a frame passes from the tagged towards the untagged end, the vlan interface strips the VLAN tag, while when a frame passes in the opposite direction, the vlan interface adds the VLAN tag.
Coming back to the bridge interface: it is vital to set the bridge as tagged member of the select VLAN for those VLANs where the router needs to interact with the VLAN (this is not necessary if the device is only switching a certain VLAN between interfaces without any interaction, e.g. when used as a switch). This setting goes to the /interface bridge vlan section. In your case you have to add the bridge as tagged member of vlan-id=10. OTOH you (currently) don't need the vlan interface VOIP_VLAN because the ROS device is not interacting with that VLAN.


BTW, setting of
/interface bridge add name=BR1 protocol-mode=rstp vlan-filtering=no comment="Bridge"
makes router ignore all VLAN-related configuration on bridge.

BTW2, your comment
Bridge functionality is CPU intensive. Multiple bridges allowed.
needs a bit of clarification: bridge can be offloaded to hardware as well, but that depends on type of configuration and on Mikrotik device type. All devices which have switch chips built in, can HW offload simple bridging, but VLANs are not simple in this context. CRS3xx devices are capable of offloading most of bridge functions, including VLANs (as in your configuration).
Multiple bridges are indeed allowed, but HW offload is possible for only a single bridge per switch chip (some MT devices feature multiple switch chips). When using multiple bridges, it is possible to explicitly select bridge that will offload functions to hardware by setting hw=no on all other bridges.

And a warning: your router is lacking any firewall protection whatsoever. I strongly urge you to add some good firewall rules. Best starting point is to use default firewall rules as set on typical SOHO devices (all Mikrotik devices but CRSxxx, CCRxxxx and select RBxxxx units). There are plenty of tutorials to be found on internet, but most are incomplete or dangerous or outdated (or all of it).
BR,
Metod
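The points above (ingress-filtering with a frame-types setting matched to each port role, the bridge as tagged member of the VLAN the router itself lives in, and the DNS service closed to clients) put together into one RouterOS fragment. This is an added example, not hpet's or mkx's configuration; it assumes the same port roles as the thread (ether2 trunk, ether3-9 hybrid, ether10 access for the PBX), the 172.31.1.0/24 addressing from the first post, and a RouterOS 6.4x bridge.

```routeros
# Added example, not from the thread. Port roles assumed: ether2 = trunk,
# ether3-9 = hybrid (PC untagged on VLAN 10, phone tagged VLAN 20),
# ether10 = access port for the PBX on VLAN 20.

# vlan-filtering stays off while the port and vlan tables are being built;
# it is switched on as the very last step (and ideally inside safe mode).
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=no comment="LAN bridge"

/interface bridge port
# Trunk: tagged frames only. ingress-filtering=yes drops any VLAN ID that
# is not present in the bridge vlan table below (otherwise an unknown tag is
# accepted on ingress and only the return traffic is dropped).
add bridge=BR1 interface=ether2 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged comment="Trunk: V10, V20"

# Hybrid: untagged PC frames get PVID 10, phone frames arrive tagged 20.
# admit-all is the only possible frame-types value for a hybrid port, so
# ingress-filtering is what keeps stray VLAN IDs out.
add bridge=BR1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"
add bridge=BR1 interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"
add bridge=BR1 interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"
add bridge=BR1 interface=ether6 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"
add bridge=BR1 interface=ether7 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"
add bridge=BR1 interface=ether8 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"
add bridge=BR1 interface=ether9 pvid=10 ingress-filtering=yes frame-types=admit-all comment="Hybrid: PC V10 untagged, phone V20 tagged"

# Access: untagged only. A tagged frame from the PBX side is rejected at
# ingress instead of being switched into whatever VLAN it claims.
add bridge=BR1 interface=ether10 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="Access: PBX V20"

/interface bridge vlan
# BR1 itself is a tagged member of VLAN 10: that is what lets the router's
# own IP stack (via the PC_VLAN interface) see VLAN 10 frames.
add bridge=BR1 vlan-ids=10 tagged=BR1,ether2 \
    untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9 comment="PC"
# VLAN 20 is switched only; the router does not take part, so BR1 is not a member.
add bridge=BR1 vlan-ids=20 tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9 \
    untagged=ether10 comment="VoIP"

# The "pipe with a tagged end": untagged side is where addresses, DHCP and
# firewall rules attach.
/interface vlan
add interface=BR1 name=PC_VLAN vlan-id=10

/ip address
add address=172.31.1.254/24 interface=PC_VLAN

/ip pool
add name=PC_POOL ranges=172.31.1.50-172.31.1.99

/ip dhcp-server
add address-pool=PC_POOL interface=PC_VLAN name=PC_DHCP disabled=no
/ip dhcp-server network
add address=172.31.1.0/24 gateway=172.31.1.254 dns-server=172.31.1.1

# The router resolves through the domain controller for its own needs but
# does not answer DNS queries from the LAN (clients get 172.31.1.1 via DHCP).
/ip dns
set allow-remote-requests=no servers=172.31.1.1

# Last step: enable filtering only once every port is in the vlan table.
/interface bridge
set BR1 vlan-filtering=yes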
 
hpet
newbie
Topic Author
Posts: 27
Joined: Mon Jan 18, 2021 12:09 pm

Re: Router setup with VLANs

Sat Jan 30, 2021 2:38 pm

Hello Metod!

Thank you for your extensive explanation. I gave it a go today, unfortunately with a left-foot start. For some reason the router bricked (failed to boot after a configuration reset). After a "why me" minute I at least had an opportunity to learn how to netinstall it. In my original post I indeed missed the firewall configuration, but I included a default one now. I went through the configuration below step by step successfully, but once I turned bridge VLAN filtering on:
1. I lost access to the router (IP or mac address)
2. pc didn’t get address from configured dhcp server.
Where the heck did I go so awfully wrong?

running config:
# jan/30/2021 10:58:13 by RouterOS 6.48
# software id = VIVR-KH3V
#
# model = RB4011iGS+5HacQ2HnD

/system identity set name=HQ

/system clock set time-zone-name=Europe/Ljubljana

/interface bridge 
add name=BR1 protocol-mode=none

/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=ether6 pvid=10
add bridge=BR1 interface=ether7 pvid=10
add bridge=BR1 interface=ether8 pvid=10
add bridge=BR1 interface=ether9 pvid=10
add bridge=BR1 interface=ether10 pvid=20
add bridge=BR1 interface=sfp-sfpplus1 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=10

/interface bridge vlan 
add bridge=BR1 comment=PC tagged=ether2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9 vlan-ids=10
add bridge=BR1 comment=VOIP tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9 untagged=ether10 vlan-ids=20

/interface vlan 
add interface=BR1 name=PC_VLAN vlan-id=10
add interface=BR1 name=VOIP_VLAN vlan-id=20

/interface list 
add name=WAN 
add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=BR1 list=LAN

/ip pool 
add name=PC_POOL ranges=172.31.1.50-172.31.1.99

# Should my dhcp server interface be PC_VLAN here?

/ip dhcp-server 
add address-pool=PC_POOL disabled=no interface=BR1 name=PC_DHCP

/ip dhcp-server network
add address=172.31.1.0/24 dns-server=172.31.1.1 gateway=172.31.1.254 netmask=24

/ip neighbor discovery-settings set discover-interface-list=LAN

/ip address
add address=172.31.1.254/24 interface=BR1 network=172.31.1.0

/ip dhcp-client
add disabled=no interface=ether1

/ip dns set allow-remote-requests=yes

#
# DEFAULT FIREWALL 
#

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked comment="defconf: accept established,related,untracked" 
add action=drop chain=input connection-state=invalid comment="defconf: drop invalid"
add action=accept chain=input protocol=icmp comment="defconf: accept ICMP"
add action=accept chain=input dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add action=drop chain=input in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add action=accept chain=forward ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add action=fasttrack-connection chain=forward connection-state=established,related comment="defconf: fasttrack"
add action=accept chain=forward connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add action=drop chain=forward connection-state=invalid comment="defconf: drop invalid"
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN comment="defconf: masquerade"

/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 5417
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router setup with VLANs  [SOLVED]

Sat Jan 30, 2021 2:57 pm

Either set pvid=10 on bridge such as
add name=BR1 protocol-mode=none pvid=10
to make bridge BR1 untagged member of VLAN 10 ...

Or convert your L3 setup to tagged (i.e. add BR1 as tagged member of vlan 10 and move all router setup to PC_VLAN; adding said interface to the LAN interface list allows you to keep using the firewall setup as it is now).

Until you get VLANs to behave, try to leave ether3 out of all config, just add it to the LAN interface list. This will allow you to connect using ether3 and winbox (MAC connection) to fix things without a factory reset. You can later add ether3 as untagged access port to the bridge.
BR,
Metod
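The first of the two options above (bridge as untagged member of VLAN 10 so the existing L3 config on BR1 keeps working), together with the rescue-port idea, as an added RouterOS fragment; it is not mkx's or hpet's config. It assumes hpet's running config from the previous post (bridge BR1, LAN interface list, 172.31.1.254/24 on BR1) and that ether3 has nothing plugged in that needs to be on the bridge yet.

```routeros
# Added example, not from the thread. Assumes BR1, the LAN interface list and
# the address 172.31.1.254/24 on BR1 already exist as in the running config.

# Rescue port: ether3 is deliberately NOT a bridge port, so bridge VLAN
# mistakes cannot cut it off. Membership in the LAN list is what the
# default firewall and the MAC server key on, so MAC-Winbox keeps working there.
/interface bridge port
remove [find interface=ether3]
/interface list member
add interface=ether3 list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Option A from the reply: the bridge itself joins VLAN 10 untagged.
# Untagged frames entering BR1 from the CPU side get PVID 10, and VLAN 10
# frames leaving towards the CPU are untagged, so the L3 config on BR1
# (address, DHCP server, firewall rules on in-interface-list=LAN) is unchanged.
/interface bridge
set BR1 pvid=10

/interface bridge vlan
# BR1 listed explicitly as untagged member; with pvid=10 RouterOS would add
# it dynamically, but writing it out keeps the table readable.
set [find vlan-ids=10] untagged=BR1,ether4,ether5,ether6,ether7,ether8,ether9 tagged=ether2
set [find vlan-ids=20] tagged=ether2,ether4,ether5,ether6,ether7,ether8,ether9 untagged=ether10

# Checks before and after enabling filtering: every bridge port should show
# up in the vlan table, and BR1 must appear under VLAN 10.
/interface bridge vlan print
/interface bridge port print

# Enable filtering from a session opened in safe mode (Ctrl+X in the CLI);
# if the session drops, safe mode rolls the change back.
/interface bridge
set BR1 vlan-filtering=yes

# Once VLANs behave, ether3 can rejoin the bridge as an access port and
# leave the rescue role:
# /interface bridge port add bridge=BR1 interface=ether3 pvid=10
# /interface bridge vlan set [find vlan-ids=10] untagged=BR1,ether3,ether4,ether5,ether6,ether7,ether8,ether9
# /interface list member remove [find interface=ether3]
```

The `remove`, `set [find ...]` and `print` commands are standard RouterOS CLI; the `[find]` expressions match by the property names shown in the running config above. The trailing commented block is the undo path for the rescue port and is left for the reader to apply by hand.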
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router setup with VLANs

Sat Jan 30, 2021 5:13 pm

Where are the DHCP settings for the VLANs?
IMHO don't use the bridge to do anything but bridge (don't use it for DHCP or anything else).
I would expect to see two sets of everything, for vlan 10 and 20.
If you need a management vlan as well, then make and use 99 for example.

It also appears that you are attempting to have most of your ports on the router provide both untagged and tagged data, which is hybrid ports.
Can be tricky but is doable. I think you have done them correctly but will double check.

What I want to know is what is connected to ports 3-9 with hybrid in mind?? (untagged for vlan 10, tagged for vlan 20)? Smart switches, ??? You need to have devices which can handle both tagged and untagged frames, but this has not been confirmed!
Also, why is sfpplus1 not defined in the bridge vlan rules anywhere? Understood, technically it doesn't need to be (nor do any untagged ports, as they are automatically added), but I like to see it in the config for clarity's sake, especially when doing hybrid. In this case, since you do not the untagged, for consistency's sake it should be there too on the first line.......

On all my configs, I also do not use the bridge for the LAN interface list (see my note above about using the bridge for the bridge-only function).
Instead I use my LAN interface lists as follows:
LAN - all vlans on my router
LWI - all vlans allowed internet
LWOI - all vlans not allowed internet
IOTL - all vlans with IOT devices

Etc, you get the idea
In this way you can easily make firewall rules using the block definitions .......
One other point, there are some rules where only Interfaces are allowed to be defined and not firewall address lists....... something to keep in mind.

I use firewall address lists for instance where I have potentially more than one IP address (otherwise source address).
I dont mean subnet because that is easily accomplished by single source address
I mean for multiple IPs, which could be simply more than 1, a range, or IPs from different subnets (mixed bag) is where firewall addresses are the most effective.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mkx
Forum Guru
Posts: 5417
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router setup with VLANs

Sat Jan 30, 2021 5:21 pm

What I want to know is what is connected to ports 3-9 with hybrid in mind?? (untagged for vlan 10, tagged for vlan20)?

IP phones with a PC port usually require such a setup. In this case for VLAN 20 the OP's router acts as a switch only; he mentioned a separate SIP gateway.
BR,
Metod
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router setup with VLANs

Sat Jan 30, 2021 5:23 pm

You are usually right, but I am not so smart or experienced (MT virgin so to speak) and cannot afford to guess or assume LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
hpet
newbie
Topic Author
Posts: 27
Joined: Mon Jan 18, 2021 12:09 pm

Re: Router setup with VLANs

Tue Feb 02, 2021 8:31 pm

Hello guys, thank you both for your valuable input.
I have limited access to play with this MT setup, so please excuse my slow response.

I think mkx knows what I am after, so the following explanation is maybe more for anav.
My "wanna be" setup is as follows:
I have two small dislocated offices. Office 1 is "main" office and has data shares etc. (windows domain, but this will most likely be retired sooner or later this year).
In both offices I have one utp cable to each workstation - hence hybrid ports for VoIP phone => PC combo.
In main office I have a small PBX controlled by ISP. Using VLANs I would like to bring these two networks (LAN and PBX) to one infrastructure.
I want to learn this so I am starting small and slow. Just office 1 at the moment :) then slowly grow as my understanding gets clearer.
I am about to try my config with adding bridge to be tagged member of VLAN 10 as mkx suggested.

So I imagined this:
Office 1 setup:
- ether1 WAN
- ether2 trunk uplink to smart switch (L3, poe out, available only in main office)
- ether3-10 hybrid ports with VoIP phone/PC combo
- l2tp/ipsec server

Office 2 setup:
- ether1 WAN
- ether2-9 hybrid ports with VoIP phone/PC combo
- ether10 is isolated for my home at this location
- l2tp/ipsec client
 
hpet
newbie
Topic Author
Posts: 27
Joined: Mon Jan 18, 2021 12:09 pm

Re: Router setup with VLANs

Mon Feb 08, 2021 6:56 pm

Hello,

Over the weekend I had an opportunity to play with my mikrotik setup and finally managed to get VLANs to behave as expected. I think I understand all parts (mostly), maybe some vague spots here and there :) Below is my currently running setup (left out wlans and sfp for clarity). I would appreciate it tons if you could glance over it for any fatal errors (security or otherwise) and possibly suggest any points to make it more performant or secure. I configured bridge VLAN filtering since it is said to be the way to configure VLANs now. It is smart enough to hw offload, although my RB4011 is limited in this aspect.

My eye opener for VLAN setup was also the following presentation, which I warmly suggest to all newbies like me to check out: https://www.youtube.com/watch?v=7x5WjkhlEZg
Never experienced so many crappy tutorials and presentations on youtube. Unprepared, incomplete, all over the place… painful to watch or listen to :) Found out that the forum and mikrotik wiki are the best go-tos.

A quick setup overview: e1 (wan), e2 (trunk/uplink), e3-e9 hybrid ports for VoIP/PC combo, e10 for PBX. PC VLAN10, PBX/VoIP VLAN20. DHCP server for VLAN10. PBX is managed by the ISP (has its own modem/internet connection), therefore I wanted it to be separated from my network for security reasons. I have a very small network and I want to manage mikrotik from the "base" PC network, so I have configured my management vlan to be BASE (V10).

Configuration:
/interface bridge 
add name=BR1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=PC-VLAN vlan-id=10
add interface=BR1 name=VOIP-VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=BASE

/ip pool
add name=PC-POOL ranges=172.31.1.50-172.31.1.99

/ip dhcp-server
add address-pool=PC-POOL disabled=no interface=PC-VLAN name=PC-DHCP

/interface bridge port
add bridge=BR1 comment="Trunk/Uplink: V10, V20" interface=ether2
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether6 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether7 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether8 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether9 pvid=10
add bridge=BR1 comment="Ingress/PBX: V20" ingress-filtering=yes interface=ether10 pvid=20 frame-types=admit-only-untagged-and-priority-tagged

/ip neighbor discovery-settings
set discover-interface-list=BASE

/interface bridge vlan
add bridge=BR1 comment="Egress/Hybrid" vlan-ids=10 tagged=BR1,ether2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,eoip-studenci
add bridge=BR1 comment="Egress/PBX" vlan-ids=20 tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,BR1 untagged=ether10

/interface list member
add interface=ether1 list=WAN
add interface=VOIP-VLAN list=VLAN
add interface=PC-VLAN list=VLAN
add interface=PC-VLAN list=BASE

/ip address
add address=172.31.1.254/24 interface=PC-VLAN network=172.31.1.0

/ip dhcp-server network
add address=172.31.1.0/24 dns-server=172.31.1.1 gateway=172.31.1.254

/ip dhcp-client
add disabled=no interface=ether1

/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="accept PC_VLAN (base)" in-interface=PC-VLAN

add action=drop chain=input in-interface-list=!BASE
add action=drop chain=input comment="drop everything else"

add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=accept chain=forward comment="accept PC_VLAN internet access" connection-state=new in-interface=PC-VLAN out-interface-list=WAN

add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="443 forward for IIS/RDG access" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=172.31.1.1 to-ports=443

/tool mac-server set allowed-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE

 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router setup with VLANs

Mon Feb 08, 2021 9:54 pm

Well done config,
The only nitpicky thing I would do is modify your lines as follows........
add bridge=BR1 comment="Trunk/Uplink: V10, V20" interface=ether2
add bridge=BR1 comment="Trunk:V20/Access: V10" ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 comment="Trunk:V20/Access V10" ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 comment="Trunk:V20/Access V10" ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 comment="Trunk:V20/Access V10" ingress-filtering=yes interface=ether6 pvid=10
add bridge=BR1 comment="Trunk:V20/Access V10" ingress-filtering=yes interface=ether7 pvid=10
add bridge=BR1 comment="Trunk:V20/Access V10" ingress-filtering=yes interface=ether8 pvid=10
add bridge=BR1 comment="Trunk:V20/Access V10" ingress-filtering=yes interface=ether9 pvid=10
add bridge=BR1 comment="Access" interface=ether10 pvid=20 frame-types=admit-only-untagged-and-priority-tagged   (ingress filtering??)

Now it's clear to me that it's an access port for PVID 10 and trunk port for vlan 20 for eth3-eth9.
Also that eth10 is strictly an access port, and thus I don't see the benefit of making this line have ingress filtering??

I also would modify the lines for bridge vlans.....
/interface bridge vlan
add bridge=BR1 comment="Hybrid-Access-PCs_3-9" vlan-ids=10 tagged=BR1,ether2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,eoip-studenci
add bridge=BR1 comment="Hybrid-Trunk-PBX_3-9" vlan-ids=20 tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,BR1 untagged=ether10
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
hpet
newbie
Topic Author
Posts: 27
Joined: Mon Jan 18, 2021 12:09 pm

Re: Router setup with VLANs

Tue Feb 09, 2021 9:25 am

I have been back and forth with comments to make them make sense :) I am a sw developer otherwise and writing comments is my weak spot; they make perfect sense now, but a year later, a head scratch :D

Your advice taken.

Now to the next adventure - l2tp/ipsec tunnel to my "home office" :)

Thank you for your valuable support!
