 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

ISP PPPOE with VLAN filtering

Wed Jun 02, 2021 11:46 pm

I'm looking for some help with my network setup. I've been monkeying around with it for a while now, and it's time I ask for a hand. I have a configuration that works, with no VLAN separation or filtering. My end goal is to be able to have several different networks established and be able to control the traffic between them. I followed viewtopic.php?t=143620#p706997 for some basic guidance, but am still at a loss for how I adapt this to my specific needs, or if I'm just going down the wrong road altogether. My networking knowledge is pretty elementary, so any advice is welcome.
  • ISP has me connecting with PPPOE with a specific vlan id tag and user/pass. I've got this working successfully and know it works on their end.
  • Current hardware:
    1. RB4011 Router
      • ether1: WAN
      • ether2-5: All under the same vlan, will have hosts
      • ether6: Unmanaged netgear switch, ideally on its own vlan as it has no need to get to the other. Not essential, nothing important.
      • ether7: N/A
      • ether8: CRS1112
      • ether9: hAP1
      • ether10: (future) hAP2
    2. CRS112-8P-4S-IN Switch
      • ether1: In
      • ether2: NAS, want this separated from the rest of the network. The cameras below will need access, as well as some personal hosts, but I'd like to define those specifically. Utilizing the Synology DS Cam app, I'll want to set up port forwarding to here so I can access it off network.
      • ether3-8: Cameras, nothing but the NAS needs to access.
    3. RB962UiGS-5HacT2HnT-US hAP AC
      • ethernet port will be used for desktops and can live on same VLAN as RB4011's 2-5
      • Ideally setup several networks in here, 2/5Ghz for personal devices and a 2ghz for IoT and Guest
I've started cobbling some scripts for the configuration but they, unsurprisingly, don't work. Current issues seem to be stemming from DHCP not working whether I'm connected to the Router or Switch, not getting an IP. Looking for any kind of pseudo code or assistance that can be offered. Today/Tomorrow are my best window to get this configured, so looking for any help I can get :) Happy to upload current scripts, but they're really just a slightly modified version of the ones uploaded to the referenced article.
Last edited by IanM on Thu Jun 03, 2021 11:44 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Thu Jun 03, 2021 6:55 pm

/export hide-sensitive file=anynameyouwish to see what's going on.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Thu Jun 03, 2021 11:45 pm

/export hide-sensitive file=anynameyouwish to see what's going on.
Done, I've attached both to the first post. This configuration is not the working one, but the in progress, just for clarification.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 1:38 am

If I have PVID set on a bridge port on the switch, should I be able to see that anywhere on the router (maybe packet sniffing/VLAN field) if it's actually being assigned?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 2:44 am

If I have PVID set on a bridge port on the switch, should I be able to see that anywhere on the router (maybe packet sniffing/VLAN field) if it's actually being assigned?
For the specific question, YES: if you look at the bridge vlan settings you will see what has been entered by you as the admin or dynamically assigned by the router.
Note that when you put a PVID on the bridge port settings (where they belong), the router will dynamically assign an untagged port on the vlan-id where applicable, but I PREFER to do it manually in the bridge vlan settings so they show up in the config script when I am troubleshooting, and I can visually map the traffic flows more easily.

The best article to read is
viewtopic.php?f=23&t=143620

I am assuming the hap devices will be more like switch access points and will not do any routing (not advised anyway as RB4011 is more than up to the task :-) )
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 4:23 am

Sorry, I meant specifically to be able to inspect if it's actually getting from the switch to the router. I'm failing to get an IP assigned from the 10.0.10.0/24 despite the port having pvid of 10 assigned.

And yes, no intention of having anything other than the RB4011 handle the routing.

The linked article is the same one I started with; the scripts uploaded were based on the examples given in that post. Are there any debug tools/tips I can use to help figure out where I'm failing? Ignoring PPPOE, I would assume that the configuration I uploaded should at least get me an internal IP, not necessarily internet access... but that's not working.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 5:54 am

It's getting late here, but I will have a quick look at the RB4011 config.

(1) You are missing the POOL, address, DHCP etc, for the BASE vlan.

(2) If ether2-5 are the same vlan, why does ether2 not have the other settings of vlan filtering: tagged frames only??

(3) On bridge port settings: if ether6 is going to an unmanaged switch, why does it have tagged frames? It should be untagged or priority frames, with the PVID for the appropriate vlan to the unmanaged switch.

(4) On the vlan setting side, same deal for ether6 ???? It should be untagged for the applicable vlan-id.

(5) You seem to have many vlans set up but not yet made. If all the tagged ports are the same, one can group vlan-ids so all that could be put on ONE line.

(6) Input chain fw rules. The second "allow base vlan" is redundant, as you have already done that by "allow VLAN".
Light bulb on?
The point is only the admin should have access and everyone else just needs necessary services such as DNS.
So see the improvement below, which includes dropping invalid traffic and all other traffic at the end of the input chain.

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN


/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=BASE src-address-list=adminaccess ***
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all else" { only add this AFTER you have the allow admin rule setup! }

*** So now only those with access to the BASE VLAN can access the router itself for config purposes; the source address is optional.
I used to only allow certain IP addresses access (admin desktop, admin laptop, smartphone etc.........). However, I don't have a separate BASE VLAN and that may be good enough for you.

++++++++++++++++++++++++++++++++++++++++

7. Forward chain fw rules. Also incomplete, and I assume you are not doing any port forwarding based on the config thus far, and no VPN...........
See below for better config, more complete and safer.

add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN


TO
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

(8) Note for mac server ----> winmac server: make sure you select interface BASE.
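To show why rule order matters in the improved input chain above (and why "drop all else" only goes in after the admin rule), here is an added Python walk-through. It is not RouterOS's own matcher: it honours only the matchers those rules use (chain, connection-state, protocol, dst-port, in-interface-list, src-address-list), stops at the first match as the filter does, and the interface lists, address list and packets are constructed to fit the names used in the thread.

```python
"""First-match evaluation of the posted input-chain rules (added example,
not RouterOS code). Only the matchers used by those rules are honoured."""
import ipaddress

# Constructed: which interfaces each interface list holds, and the admin list.
INTERFACE_LISTS = {
    "BASE": {"BASE_VLAN"},
    "VLAN": {"BASE_VLAN", "VLAN10", "VLAN20", "VLAN30"},
}
ADDRESS_LISTS = {"adminaccess": ["192.168.0.10", "192.168.0.11"]}


def rule(action, comment, **matchers):
    """One '/ip firewall filter add ...' line as a dict (RouterOS key names)."""
    r = {"action": action, "chain": "input", "comment": comment}
    r.update({k.replace("_", "-"): v for k, v in matchers.items()})
    return r


# The improved input chain from the post, in the order it was given.
INPUT_CHAIN = [
    rule("accept", "Allow Estab & Related", connection_state="established,related"),
    rule("drop", "defconf: drop invalid", connection_state="invalid"),
    rule("accept", "defconf: accept ICMP", protocol="icmp"),
    rule("accept", "Allow ADMIN to Router", in_interface_list="BASE",
         src_address_list="adminaccess"),
    rule("accept", "Allow LAN DNS queries - TCP", connection_state="new",
         dst_port="53", in_interface_list="VLAN", protocol="tcp"),
    rule("accept", "Allow LAN DNS queries-UDP", connection_state="new",
         dst_port="53", in_interface_list="VLAN", protocol="udp"),
    rule("drop", "drop all else"),
]


def in_address_list(addr, name):
    """True when addr falls inside any entry of the named address list."""
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(e, strict=False)
               for e in ADDRESS_LISTS.get(name, []))


def matches(r, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    if r["chain"] != pkt["chain"]:
        return False
    if "connection-state" in r and pkt["state"] not in r["connection-state"].split(","):
        return False
    if "protocol" in r and r["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in r and str(pkt.get("dst_port")) not in r["dst-port"].split(","):
        return False
    if "in-interface-list" in r and \
            pkt["in_iface"] not in INTERFACE_LISTS.get(r["in-interface-list"], set()):
        return False
    if "src-address-list" in r and not in_address_list(pkt["src"], r["src-address-list"]):
        return False
    return True


def verdict(chain, pkt):
    """First matching rule wins; walking off the end is an implicit accept."""
    for r in chain:
        if matches(r, pkt):
            return r["action"], r["comment"]
    return "accept", "end of chain (implicit accept)"


def packet(in_iface, src, protocol, dst_port=None, state="new"):
    """Constructed packet addressed to the router itself (input chain)."""
    return {"chain": "input", "in_iface": in_iface, "src": src,
            "protocol": protocol, "dst_port": dst_port, "state": state}


if __name__ == "__main__":
    samples = {
        "DNS from VLAN10": packet("VLAN10", "10.0.10.50", "udp", 53),
        "Winbox from VLAN10": packet("VLAN10", "10.0.10.50", "tcp", 8291),
        "Winbox from admin on BASE": packet("BASE_VLAN", "192.168.0.10", "tcp", 8291),
        "Winbox from stranger on BASE": packet("BASE_VLAN", "192.168.0.77", "tcp", 8291),
    }
    for label, pkt in samples.items():
        print(f"{label}: {verdict(INPUT_CHAIN, pkt)}")
    # The lockout the post warns about: "drop all else" present, admin rule missing.
    without_admin = [r for r in INPUT_CHAIN if r["comment"] != "Allow ADMIN to Router"]
    print("admin with no admin rule:", verdict(without_admin, samples["Winbox from admin on BASE"]))
```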
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 9:12 pm

(1) You are missing the POOL, address, DHCP etc, for the BASE vlan.
Added with the following block as outlined in the referenced article's example:
# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
(2) If ether2-5 are the same vlan, why does ether2 not have the other settings of vlan filtering: tagged frames only??
It was commented out in my script while trying things. The following should resolve this, correct?
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]

Should these ports have a PVID assigned? Should it just be the base_vlan of 99?
(3) On bridge port settings: if ether6 is going to an unmanaged switch, why does it have tagged frames? It should be untagged or priority frames, with the PVID for the appropriate vlan to the unmanaged switch.

(4) On the vlan setting side, same deal for ether6 ???? It should be untagged for the applicable vlan-id.
I believe the following line will add the tagging, but I'm a little confused on the tagged/untagged.
add bridge=BR1 interface=ether6 pvid=60
Something like this?
add bridge=BR1 untagged=ether6 vlan-ids=60
(5) You seem to have many vlans set up but not yet made. If all the tagged ports are the same, one can group vlan-ids so all that could be put on ONE line.
I believe the following is what you're suggesting; if so, yes, that seems cleaner. I omitted ether6 from the list; would 2-5 also be omitted, or do they get moved to untagged? Also I wasn't entirely certain if 60 is needed in the list of IDs.
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether7,ether8,ether9,ether10 vlan-ids=10,20,30,99
(6) Input chain fw rules. The second "allow base vlan" is redundant, as you have already done that by "allow VLAN".
Light bulb on?
The point is only the admin should have access and everyone else just needs necessary services such as DNS.
So see the improvement below, which includes dropping invalid traffic and all other traffic at the end of the input chain.

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN


/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=BASE src-address-list=adminaccess ***
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all else" { only add this AFTER you have the allow admin rule setup! }

*** So now only those with access to the BASE VLAN can access the router itself for config purposes; the source address is optional.
I used to only allow certain IP addresses access (admin desktop, admin laptop, smartphone etc.........). However, I don't have a separate BASE VLAN and that may be good enough for you.

++++++++++++++++++++++++++++++++++++++++

7. Forward chain fw rules. Also incomplete, and I assume you are not doing any port forwarding based on the config thus far, and no VPN...........
See below for better config, more complete and safer.

add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN


TO
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
Easy enough change.
(8) Note for mac server ----> winmac server: make sure you select interface BASE.
Would this be the list or the interface BASE_VLAN?

Thank you very much for working with me on this, I truly appreciate the help.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 9:21 pm

Uploading current work in progress router configuration script.
  • I assume I need to setup DHCP for the 30 and 60 VLANs, if I intend on having guest/iot vlans will that need to have its own as well?
  • Is BASE_VLAN typically a safe place for all normal desktops etc to live? Any reason to split that out?
Last edited by IanM on Sun Jun 06, 2021 6:01 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 9:40 pm

I don't have a base VLAN because I use my trusted HOME VLAN to assign IPs to any attached smart devices (switches and access points) and limit access to my router to only certain IPs.
So the quick answer: if you have a trusted LAN at home you don't really need a management vlan. For a business, yes, you should have one.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 9:51 pm

How does your HOME VLAN differ? This is just for home, so if it's simpler to do so with no real loss I'm game. I just don't understand the difference. Is your HOME VLAN just specific ports/devices?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Fri Jun 04, 2021 11:00 pm

No, but I have approx 4-5 smart switches on the go, about 4 access points and 15 or so vlans.
So my home vlanXX provides DHCP for all the attached smart devices and basically it's a trusted LAN.
So no need for a management vlan if you are happy to use your trusted VLAN.

I could and will think about using a base or management vlan, but would have to move all smart devices to it.
I would just have to make sure that from where I am, I can access the base/management vlan, so some forward chain rule for me to access vlan base.
Just lazy I guess not to do it.

Now in my router rules and for any of the above devices that are MT, I also only allow myself access via winbox.

On my main router
I have the default rules plus
add action=accept chain=input comment="Allow ADMIN to Router" \
src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"


The adminaccess list has all the IPs I use for my devices (laptop, desktop, iPhone etc.....) that I use to configure MT. (Set the DHCP leases to static.)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Sat Jun 05, 2021 3:32 am

Hi Ian, the config looks real good.

(1) The only thing I noticed was the untagged vlan.

/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]

set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether10]


should be
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]

(2) I set this to none (only mac-winbox requires BASE).
# /tool mac-server set allowed-interface-list=BASE
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Sat Jun 05, 2021 6:46 pm

Thanks anav, I had a couple more questions posted above around your first assist. Any guidance?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Sat Jun 05, 2021 7:07 pm

Yes, you need a separate vlan with DHCP, pool, IP address and dhcp-server network settings for each group of users,
or group of like devices etc. Whatever you think "hey, person A or device P should not talk to the others", then you have a vlan requirement.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Sun Jun 06, 2021 6:01 pm

Ran as attached. Still not getting IPs assigned; currently trying attached to ether2 with my PC. Am I making a poor assumption that I can add pvid 99 to ether2-5?
An error occurred while renewing interface Ethernet 2 : unable to contact your DHCP server. Request has timed out.
I poked around in the packet sniffer as well, only saw tagging 201 on ether1; everything else was tagless, not sure if that's expected.

Does VLAN filtering need to be enabled for all of this magic to start working?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Sun Jun 06, 2021 6:07 pm

Yes of course, as per the link, it's the last step LOL
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Sun Jun 06, 2021 6:10 pm

Okay, so I shouldn't expect an IP address until I enable filtering?

EDIT: Okay, so enabling IP filtering worked and I started getting IPs assigned. Ugh.. can't believe I missed that, it even says it IN the docs. Anyhow, getting an IP now but no external access. What special thing do I need to do to get my ISP-assigned vlan etc. working? Also had to switch the bridge ports for 2-5; does this make sense?
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether10]
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Sun Jun 06, 2021 7:55 pm

Worth mentioning, looking in the logs I can see the pppoe client connected successfully to my ISP.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Sun Jun 06, 2021 10:38 pm

Post the regular complete router config, not the vlan document style
/export hide-sensitive file=anynameyouwish
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Mon Jun 07, 2021 12:34 am

Attached.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Mon Jun 07, 2021 4:25 am

Sticking with the standard config,
change this
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

to this, and when we get a working config you can modify it back, for example.....
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

Looking at bridge ports, you have base vlan traffic untagged for ports 2-5, and for some strange reason you have untagged traffic for VLAN60 on ether6.
It doesn't even exist???
Bridge ports 7-10 are for tagged vlan traffic, assuming they go to smart devices that can read vlan tags.

Your bridge vlan settings are meaningless. Hard to believe you read the best reference and fell so far short LOL.
Not to worry, will work on it.

/interface bridge vlan
add bridge=BR1 untagged=ether6 vlan-ids=60
Again, vlan60 doesn't exist, so not sure what you mean by it??

This is the rest of it,
/interface bridge vlan
add bridge=BR1 tagged=\
BR1,ether2,ether3,ether4,ether5,ether7,ether8,ether9,ether10 vlan-ids=\
10,20,30,99

This tells the router that ports ether2-20 are tagged with vlans 10,20,30,99 ??
Where in the heck did vlan30 come from?????????????????
So to match what your bridge ports are saying it would be more like

add bridge=BR1 tagged=BR1,ether7,ether8,ether9,ether10 vlan-ids=10,20
add bridge=BR1 tagged=BR1,ether7,ether8,ether9,ether10 untagged=ether2,ether3,ether4,ether5 vlan-ids=99 ***

Not sure which of the tagged ports 7-10 carry 99, so I included all; remove those that don't.
If you do add an unmanaged switch on ether6 and make vlan60 for it, then this is okay:
add bridge=BR1 untagged=ether6 vlan-ids=60
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Tue Jun 08, 2021 12:02 am

Working on this now. So, I owe you an apology for the confusion. I was trying to just get ether2 for my desktop working prior to configuring everything else, so a lot of it was half baked. Before my next upload, I'll get the rest of it filled out so you're not chasing red herrings for me. So, sorry anav, you're helping me a lot and I appreciate it.

Question though, if I'm assigning a pvid to a bridge port would that then be added as tagged or untagged on the bridge vlan configuration? Ether 2-6 will not be tagged by anything other than the router as they're all going to be devices or that unmanaged switch. (I'm assuming untagged)
Last edited by IanM on Tue Jun 08, 2021 1:47 am, edited 1 time in total.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Tue Jun 08, 2021 1:43 am

Attached latest configuration. Still not able to get out to the internet but getting IPs; desktop on ether2 is getting assigned to vlan30 as expected with an IP.
   IPv4 Address. . . . . . . . . . . : 10.0.30.242(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, June 7, 2021 3:32:44 PM
   Lease Expires . . . . . . . . . . : Monday, June 7, 2021 3:46:21 PM
   Default Gateway . . . . . . . . . : 10.0.30.1
   DHCP Server . . . . . . . . . . . : 10.0.30.1
Notes on desired layout, different than original request.
#######################################
# VLAN Overview
#######################################

# 10 = VLAN10 - NAS
# 20 = VLAN20 - Cameras
# 30 = VLAN30 - Trusted Devices
# 40 = VLAN40 - Untrusted Devices (IoT & Guest)
# 50 = VLAN50 - Unmanaged Switch from media center
# 99 = BASE (MGMT) VLAN


#######################################
# Interface Overview
#######################################

# ether1 - WAN
# ether2 - VLAN30
# ether3 - VLAN30
# ether4 - VLAN30
# ether5 - VLAN30
# ether6 - hAP - VLAN 40 & 50, tagged by device
# ether7 - N/A
# ether8 - hAP - VLAN 40 & 50, tagged by device
# ether9 - Netgear Family Room - VLAN 50, untagged
# ether10 - CRS112-8P-4S - VLAN 10 & 20, tagged - Cameras and NAS
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: ISP PPPOE with VLAN filtering

Tue Jun 08, 2021 8:15 am

Question though, if I'm assigning a pvid to a bridge port would that then be added as tagged or untagged on the bridge vlan configuration?

Bridge comes with multiple personalities; they are very well explained in this thread. When assigning PVID to the bridge, you're assigning it to the bridge port, and the bridge port is treated just like any other port member of the bridge (e.g. ether2). Which means that in this case the bridge port will be added as untagged to the bridge vlan configuration (unless you manually override that with explicit configuration, in which case you risk messing things up).

There are a few problems with your posted configuration:
  • ports ether2,ether3,ether4,ether5 are set as untagged members of both VLAN IDs 30 and 99 in the bridge vlan configuration. That's not right: each port can only be an untagged member of one VLAN, and that should be the one with the PVID set (in the bridge port configuration).
  • your WAN interface is (I guess) pppoe-out1. Not e1-201 and not ether1. So you should set it correctly in /interface list member. This is probably the show stopper for your non-working internet.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering

Tue Jun 08, 2021 1:21 pm

Thanks mkx, I missed that pppoe-1 out thing all this time; never using it in anger, I thought that if it was the type that was assigned a vlan, like my Bell fibre, it was the vlan that was the client.
My apologies to the OP for not picking up on that......

Where I disagree with my esteemed colleague, who wishes he was in the land of maple syrup and no architecture, is the bridge vlan filtering setup.
As stated, ONLY one pvid (one untagged subnet) can be set on any port. I think you can logically understand that: if you had two streams of untagged traffic coming out a wire, how the heck would a dumb or smart device deal with that??

In MT routers, once you designate a PVID, the router will automatically fill in the bridge vlan untagged setting for the correct pvid DYNAMICALLY. Which means that you don't have to do it in the config. So technically correct. However, I always do manually insert them. WHY? Because when I make my config I like to map one to one all my settings from the bridge port to the bridge vlans.
The automagic method means that you don't see any entries in the bridge vlan config when
a. constructing the config
b. troubleshooting the config.

I rely on a more positive handover type approach to life and thus like to touch and feel the config, visually seeing the relationships between bridge ports and bridge vlans; I don't do so well interpolating. Less talented than mkx (in that regard) ;-)

So it's personal preference: he is afraid of making errors, I am simply ensuring I don't have errors....... do you want to live in the fear state of mkx, or the positive assurance method of anav LOL.
The important thing is I think we are there!!!
Last edited by anav on Tue Jun 08, 2021 1:25 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ISP PPPOE with VLAN filtering  [SOLVED]

Tue Jun 08, 2021 1:25 pm

As for the config as noted by mkx

(1) /interface list member
add interface=ether1 list=WAN
add interface=pppoe-1out list=WAN (or whatever it's called) is required.

(2) Issues with bridge port. Ether6, if untagged, requires a PVID. Ether9, if an access port and the pvid is correct, change the frame types!!
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=30

add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6

add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether8

add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether9 pvid=50

add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether10


(3) The Bridge vlans is a bit messy, lets try to clean up.....................
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether10 vlan-ids=10,20
add bridge=BR1 tagged=BR1,ether6,ether8 vlan-ids=40
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=50
add bridge=BR1 tagged=BR1,ether6,ether8 untagged=ether2,ether3,ether4,ether5 \
vlan-ids=30
add bridge=BR1 tagged=BR1,ether8,ether9,ether10 untagged=\
ether2,ether3,ether4,ether5,ether6 vlan-ids=99

@mkx This is a perfect illustration of why ITS IMPORTANT TO MANUALLY CONFIGURE THE BRIDGE VLAN SO THAT AN UNDERSTANDING OF THE FUNCTIONALITY IS GAINED PRIOR TO USING IT AUTOMAGICALLY!!!


NOTES: There are three types of ports on MT devices.

Bridge ports
a. trunk port = only allow tagged frames / no PVID / ingress-filtering=yes
b. access port = only allow untagged and priority-tagged frames / PVID required / ingress-filtering=yes
c. hybrid port = PVID required

Bridge vlan filtering
i. Trunk ports: tagged for all appropriate vlan-ids (for trunk ports the bridge itself is normally tagged as well)
ii. Access ports: untagged for all appropriate vlan-ids (the MT router does this part automagically if you don't assign it manually, but it is not visible in the config)
iii. Hybrid ports: untagged for the single PVID (see i. for the tagged vlans)

Note: Devices at the other end of a hybrid port must be able to deal with both untagged and tagged vlans (typically a VoIP phone [tagged goes to the phone, untagged goes to the PC] or Ubiquiti wifi [untagged management vlan to the device, tagged vlans for the WLANs]).
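The three port types and the two-part bridge configuration described in the notes above, written out as one complete RouterOS fragment. This is an added example, not anav's or MikroTik's configuration and not the OP's posted scripts; the interface roles (ether8 trunk to the switch, ether2 access port, ether9 hybrid to the AP), the VLAN IDs (30 LAN, 50 cameras, 99 BASE/management) and the addresses are assumptions chosen to line up with the thread's numbering.

```routeros
# Added example (not from the thread). Interface roles, VLAN IDs and addresses are assumptions.
/interface bridge
add name=BR1 vlan-filtering=no

/interface bridge port
# a. trunk port to the CRS switch: tagged frames only, no PVID, filter on ingress
add bridge=BR1 interface=ether8 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# b. access port for a LAN host: untagged frames only, the PVID stamps them as VLAN 30
add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=30
# c. hybrid port to the hAP: untagged frames become management VLAN 99 (PVID), WLAN VLANs arrive tagged
add bridge=BR1 interface=ether9 frame-types=admit-all ingress-filtering=yes pvid=99

/interface bridge vlan
# i./iii. trunk and hybrid carry 30 and 50 tagged; BR1 is tagged so the router has an L3 foot in each VLAN
add bridge=BR1 tagged=BR1,ether8,ether9 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=BR1,ether8,ether9 vlan-ids=50
# ii./iii. ether9 is untagged only for its own PVID (99); a port is never untagged in two VLANs
add bridge=BR1 tagged=BR1,ether8 untagged=ether9 vlan-ids=99

# Router-side VLAN interfaces and addresses so DHCP servers and firewall rules have something to bind to
/interface vlan
add interface=BR1 name=VLAN30 vlan-id=30
add interface=BR1 name=VLAN50 vlan-id=50
add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address
add address=192.168.30.1/24 interface=VLAN30
add address=192.168.50.1/24 interface=VLAN50
add address=192.168.0.1/24 interface=BASE_VLAN

# Check before enabling filtering: every PVID must appear in the VLAN table with that port untagged,
# otherwise ingress-filtering silently drops the untagged frames (no DHCP lease is the usual symptom)
/interface bridge port print
/interface bridge vlan print

# Turn filtering on last, from a console session or inside Safe Mode, so a mistake cannot lock you out
/interface bridge set BR1 vlan-filtering=yes
```

The order matters: ports, VLAN table, L3 interfaces, and only then `vlan-filtering=yes`. Enabling filtering first, with an incomplete VLAN table, cuts off the management path you are configuring from.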
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Wed Jun 09, 2021 1:23 am

anav & mkx ... thank you! I have IPs being assigned and I've got internet access. Few new questions...
  • Enabling the following rules drops my WinBox access to the router. I can't access the AP or switch regardless of whether I'm connected to those. This was taken directly from the example configurations in the referenced forum post.
    /ip neighbor discovery-settings set discover-interface-list=BASE
    /tool mac-server mac-winbox set allowed-interface-list=BASE
    /tool mac-server set allowed-interface-list=BASE
    
  • Maybe more of a request for direction, as you two seem well acquainted with good links, but firewall holes: now that I have things separated I need to start poking holes. How do I allow traffic to go between two different vlans (from specific devices and/or specific ports)?
I can do the config export if requested; it will just be tricky now that I don't have consoles... I'd have to reset everything. Attached are the files used to configure.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ISP PPPOE with VLAN filtering

Wed Jun 09, 2021 4:07 am

Well, the source-address-list entry on the input chain for base vlan interface access to the router was optional.
If you have that added and no source address list entries, yeah, no way.
So drop the firewall address list or populate it.

Also, I have no idea what vlan you are on when trying to get at the router. Are you on vlan99 (base vlan) or something else?

For additional allow rules between vlans, you need to add accept rules for that traffic in the forward chain.
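The two points in the reply above (an input-chain rule that references an address list only works once the list is populated, and inter-VLAN holes are accept rules in the forward chain), shown as one RouterOS firewall fragment. This is an added example, not anav's configuration and not the referenced forum post's; the VLAN interface names (VLAN30 LAN, VLAN40 NAS, VLAN50 cameras, BASE_VLAN for 99), the PPPoE interface name, the host addresses and the NAS/camera ports are all assumptions.

```routeros
# Added example (not from the thread). Interface names, addresses and ports are assumptions.
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface list member
add interface=pppoe-out1 list=WAN
add interface=VLAN30 list=VLAN
add interface=VLAN40 list=VLAN
add interface=VLAN50 list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE

/ip firewall address-list
# A list referenced by an accept rule must be populated; an empty one matches nothing and locks you out
add list=ADMIN_HOSTS address=192.168.0.50 comment="laptop allowed to manage the router"
add list=PERSONAL_HOSTS address=192.168.30.20 comment="desktop allowed to reach the NAS"
add list=NAS address=192.168.40.10
add list=CAMERAS address=192.168.50.0/24

/ip firewall filter
# --- input chain: who may talk to the router itself ---
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53 comment="DNS for all VLANs"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=67 comment="DHCP for all VLANs"
add chain=input action=accept in-interface-list=BASE src-address-list=ADMIN_HOSTS protocol=tcp dst-port=8291,22 \
    comment="WinBox/SSH only from the base VLAN and only from listed hosts"
add chain=input action=drop comment="everything else, including all of WAN"

# --- forward chain: inter-VLAN holes, most specific first, default deny ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="all VLANs to the internet"
# the NAS pulls video from the cameras: ONVIF/HTTP and RTSP (assumed ports)
add chain=forward action=accept in-interface=VLAN40 out-interface=VLAN50 src-address-list=NAS \
    dst-address-list=CAMERAS protocol=tcp dst-port=80,554
# listed personal hosts may reach the NAS web UI (assumed DSM ports)
add chain=forward action=accept in-interface=VLAN30 out-interface=VLAN40 src-address-list=PERSONAL_HOSTS \
    dst-address-list=NAS protocol=tcp dst-port=5000,5001
# admin hosts may reach the switch and AP management addresses on the base VLAN with WinBox
add chain=forward action=accept in-interface-list=VLAN out-interface=BASE_VLAN src-address-list=ADMIN_HOSTS \
    protocol=tcp dst-port=8291
# log what is about to be dropped between VLANs, then drop it; the log shows you the next hole you need
add chain=forward action=log in-interface-list=VLAN out-interface-list=VLAN log-prefix="interVLAN-drop"
add chain=forward action=drop
```

Each hole is as narrow as the page's requirements allow: a source list, a destination list, the two VLAN interfaces and the ports. The `established,related` accept at the top means only the first packet of a flow has to match a hole, so return traffic needs no rule of its own.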
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Wed Jun 09, 2021 4:27 pm

Ah, I missed that. I've removed that rule for now and have access to the router with WinBox from any of the vlans. Still can't access the switch or AP from WinBox.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ISP PPPOE with VLAN filtering

Wed Jun 09, 2021 4:47 pm

No need to remove the rule, just the part that was blocking.

As for the other items,
a. does a tagged vlan99 reach the smart devices?
b. do the smart devices have IP addresses on the base vlan?
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Wed Jun 09, 2021 11:06 pm

The device I'd like to configure from is on VLAN30, connecting from ether2 on the MikroTik hAP. In WinBox, I can see the router but not the hAP. I believe all of my networking devices have an IP in the BASE_VLAN (99):
#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.0.1
EDIT: Separate test: I can telnet to the devices through my router in WinBox. Not sure it's really related, but it might shed light on the issue.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: ISP PPPOE with VLAN filtering

Thu Jun 10, 2021 12:44 am

Got it... had to punch a hole in FW for it.
