 
BD01
just joined
Topic Author
Posts: 3
Joined: Mon Aug 30, 2021 11:16 am

Private VLAN on a RB4011

Mon Aug 30, 2021 1:53 pm

When I Google, I get mixed results :?

Can someone confirm that it is possible to do Private VLAN on the RB4011 router?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 2:12 pm

Yes it is very possible.
To help you get there, draw a network diagram of what you would like to achieve
and post your current config:
/export hide-sensitive file=anynameyouwish
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 3:31 pm

Can someone confirm that it is possible to do Private VLAN on the RB4011 router?

As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If the Wikipedia article describes your view of the matter, then ... hell yes, an RB4011 can run a large number of private VLANs.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:28 pm

a vlan is semi-private to start with LOL
perhaps he is talking military ranks and he really wants a Captain VLAN.

Without the big 3, we can only play games.

1. /export hide-sensitive file=anynameyouwish
2. network diagram
3. Set of detailed requirements (users/devices needs (allowed and not allowed) without any mention of config.
 
BD01
just joined
Topic Author
Posts: 3
Joined: Mon Aug 30, 2021 11:16 am

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:35 pm

Can someone confirm that it is possible to do Private VLAN on the RB4011 router?

As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If the Wikipedia article describes your view of the matter, then ... hell yes, an RB4011 can run a large number of private VLANs.
I would like everyone connecting to the RB4011 to be isolated from each other and only connect to the internet and a few other internal services.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:41 pm




As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If the Wikipedia article describes your view of the matter, then ... hell yes, an RB4011 can run a large number of private VLANs.
I would like everyone connecting to the RB4011 to be isolated from each other and only connect to the internet and a few other internal services.
Easy peasy and please read this article to get you going.
When you have a config to present of your best attempt, please come back and we can go from there.........
viewtopic.php?f=23&t=143620
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:45 pm




As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If the Wikipedia article describes your view of the matter, then ... hell yes, an RB4011 can run a large number of private VLANs.
I would like everyone connecting to the RB4011 to be isolated from each other and only connect to the internet and a few other internal services.
What do you mean? Everyone isolated from everyone? Even if they are on the same VLAN?
 
BD01
just joined
Topic Author
Posts: 3
Joined: Mon Aug 30, 2021 11:16 am

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:48 pm


I would like everyone connecting to the RB4011 to be isolated from each other and only connect to the internet and a few other internal services.
What do you mean? Everyone isolated from everyone? Even if they are on the same VLAN?
Yes - only cloud services are used. So we want everyone to be in their own bubble.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:59 pm

That is fine, you will need to create a vlan for every person.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 4:59 pm

You will need to enable the use-ip-firewall feature in the Bridge settings, or use-ip-firewall-for-vlan if you use VLANs, so that you can filter Layer 2 traffic....
Isolating everyone from everyone is not something that will happen just because you create VLANs..
Also, you will need to adjust the firewall as well...
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 5:09 pm

Or use bridge split horizon.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 horizon=1 interface=ether1
add bridge=bridge1 horizon=1 interface=ether2
add bridge=bridge1 horizon=1 interface=ether3
add bridge=bridge1 horizon=1 interface=ether4
Ports ether1-ether4 are now isolated & cannot communicate with each other.

https://help.mikrotik.com/docs/display/ ... rizonusage
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 9:46 pm

If more than one user exists on the same port, that would not work ...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Private VLAN on a RB4011

Mon Aug 30, 2021 11:37 pm

If more than one user exists on the same port, then nothing on the MT device can prevent those users from talking to each other as long as they are in the same VLAN (or no VLAN).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 12:56 am

Hence each user gets a vlan :-)
Doesn't hotspot authentication (and/or user manager) separate users as well??
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 11:17 am

Any mechanism trying to separate users can work as long as the port (or pseudo port[*]) used by the user is a dedicated one. As soon as multiple users share one port (even through a downstream switch which is not managed with the goal of separating users, e.g. a dumb switch), there's nothing the device can do to keep them separate.

[*] A wifi interface itself is kind of a switch because wifi clients can only talk to the AP, they can not talk directly to each other. Which means that client separation works even for clients connected to the same AP. And I think of every client registered to an AP as a pseudo-port.

The concept of "each user gets a VLAN" can work if the access point knows how to deal with VLANs, which implies a managed switch (or a smart AP which can do MAC-based VLANs). This concept can't be delegated to end devices though.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 2:09 pm

If more than one user exists on the same port, then nothing on the MT device can prevent those users from talking to each other as long as they are in the same VLAN (or no VLAN).
Why not if I enable the Bridge Firewall?
You can successfully block users from reaching each other using the Bridge Firewall even if they exist on the same interface...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 4:40 pm

Why not if I enable the Bridge Firewall?
You can successfully block users from reaching each other using the Bridge Firewall even if they exist on the same interface...

Only if you somehow force both hosts to communicate through the bridge, which is usually hard to achieve.

Basics of IP over ethernet networking:
  1. hostA with IP address A.B.C.d/24 tries to establish a connection with hostB with IP address A.B.C.e/24 (any IP address/mask pair will do as long as both IP addresses are inside the same IP subnet and the mask correctly covers both addresses).
  2. hostA consults its IP routing table and notices that hostB is inside the same IP subnet. This means traffic can be performed directly on L2 (ethernet). Thus it starts the ARP who-has procedure, which includes an ethernet frame sent to the broadcast address.
  3. The broadcast frame is received by
    a. all hosts connected to the same collision domain (e.g. an ethernet hub), because that's the way a collision domain works;
    b. all hosts connected to the same ethernet domain, because switches (and bridges) forward broadcast frames to all ports except the ingress port.
       This bullet is true if switches are not specially configured to do some funky stuff.
       Note that ethernet switches and bridges in general don't transmit a frame through the ingress port (a basic requirement to avoid loops in L2), neither unicast, broadcast nor multicast.
    Bullet 3.a is not very common these days; the vast majority of ethernet networks go with bullet 3.b. If hostA and hostB share the same bridge port, this usually means there's an ethernet switch between the bridge port and both hosts.
    There are a few special cases where two (or more) L2 hosts share a common physical connection towards the rest of the network but can not communicate directly in the manner described (e.g. HPE ProLiant servers with iLO when using a combined network port for both iLO and LAN); the only way such devices can communicate with each other is via a router.
  4. hostB receives the broadcast frame and notices that hostA (identified by the src MAC address) is asking about hostB's MAC address. hostB replies with a unicast ARP reply, which gets delivered back to hostA.
  5. hostA starts to send IP payload using hostB's MAC address and hostB happily replies using hostA's MAC address.

If traffic between hostA and hostB doesn't have to pass the specially configured bridge for any reason, then frames will flow between hostA and hostB, because a specially configured bridge can not drop frames not passing it, can it?

The only way a bridge can block traffic between clients connected to the same bridge port is when the clients (hostA and hostB) are not aware that they could communicate directly. Which mostly means that they are either in different IP subnets and thus have to use a gateway to route traffic between both subnets ... or both clients are actually configured (this way or another) to be in different VLANs (but in this case, while they use the same physical port, they are in different VLANs) ... or either host (or both) is tricked into thinking the peer is behind a completely different MAC address (e.g. the bridge's MAC address if the bridge is configured with arp=proxy-arp on all ports, but even this is not guaranteed to "pull" traffic to the bridge; success depends on how quick the bridge is when replying to ARP who-has requests compared to the real host ... it seems that the faster one wins).

A wireless interface configured with forwarding=no logically falls in the same category as the special cases mentioned in bullet #3 above ... frames use the same bridge "port" but wireless clients can not communicate with each other because the bridge will not transmit frames back through the ingress port (necessary to reach the other wireless client). Configuring the wireless interface with forwarding=yes virtually adds a switch, in which case frames between wireless clients never enter the bridge as they are sent out via radio.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 5:00 pm

@mkx, i have nothing to disagree with...

But, when using the Bridge Firewall, in order for it to work, you must disable the hardware offload, otherwise the traffic will bypass the CPU and the Bridge Firewall filter will not work...
So, since it works (at least in a quick lab test I ran), I can only think that the traffic flows through the CPU even if both devices are on the same port, that's why it works...
At least that makes sense to me..
What is your opinion?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 5:10 pm

But, when using the Bridge Firewall, in order for it to work, you must disable the hardware offload,...

As I wrote (more than once ;-) ): for the bridge to block traffic between two hosts, the traffic has to travel through the bridge. If the hosts are connected to different bridge ports (e.g. ether13 and ether42), then the device is able to interfere; the technicalities of how to achieve that are minor (yes, if using the IP firewall for in-bridge traffic, it is necessary to force packets through the CPU, and disabling HW offload on (at least) one of those ports does the trick).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 5:49 pm

@mkx, my actual test was on a Wireless interface (I know it can be done by setting forwarding to no)... On a wireless interface it is obvious that more than 1 host can exist on that same interface... And of course on the wireless interface all the traffic goes through the CPU... Thus I could effectively allow or drop traffic selectively between hosts using the Bridge Firewall...

I think we are saying the same thing... Yes, the only way for two hosts to exist on the same physical port is if they are actually connected to a secondary switch and then to that specific port (and again technically they are not connected to the same port)... In that case of course they can communicate without reaching that port... So yes, you can't block anything...

It makes sense only on different ports or on Wireless interfaces in case you want to selectively allow or drop traffic...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 6:54 pm

And of course on the wireless interface all the traffic goes through the CPU...
AFAIK (but I may be wrong) traffic between two wireless clients of the same radio (i.e. the same wifi interface) is handled by the wireless driver. While technically it is handled by the CPU (because the whole wireless driver runs on the CPU), it doesn't pass the bridge logic handled by the CPU.

So the traffic between client1 and client2 goes like this (when forwarding=yes):
client1 -> air -> wireless chip -> wireless driver -> wireless chip -> air -> client2

If you want the bridge to interfere with the traffic, it would have to go like this:
client1 -> air -> wireless chip -> wireless driver -> bridge port A -> bridge (on CPU) -> bridge port A -> wireless driver -> wireless chip -> air -> client2
which, AFAIK, doesn't happen. If the wireless interface was configured with forwarding=no, then frames would follow the above path from the left to the point "bridge (on CPU)" but would not proceed to the point "bridge port A" (the right one).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Private VLAN on a RB4011

Tue Aug 31, 2021 7:00 pm

they don't pass bridge logic handled by CPU.
With forwarding=yes, the enabled Bridge firewall was working just fine between 2 wireless clients on the same radio....
I could allow or drop traffic between those hosts...

Edit: On a different device with not the same wireless chip (as in my first test), the Bridge firewall is not working on the wireless interface...
Maybe they use a different driver and behave differently?
It does work for other interfaces though, e.g. from wireless to some physical port...
 
forenuser
just joined
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

Re: Private VLAN on a RB4011

Wed Sep 29, 2021 1:38 am

Hello world!

First I have to apologize for capturing this thread. But it is about the RB4011 and VLAN so it is perfect for my purposes.

HELP! Please Help!
I thought I understood the basic concept of VLANs, and on my previous router (Turris MOX) the VLAN setup was a no-brainer. But for the RB4011 and/or RouterOS (6.48.4) it seems I am just too dumb.

I want/need
- ether1 for WAN (default)

- ether2, ether3, ether4, ether5 and 5GHz WLAN for VLAN "Office"
-- PVID 30, 10.10.30.1/24, lease range 10.10.30.10 - 10.10.30.250

- ether6, ether7, ether8, ether9 and ether10 for VLAN "Fun"
-- PVID 50, 10.10.50.1/24, lease range 10.10.50.10 - 10.10.50.250

- 2.4 GHz WLAN for VLAN "Guest"
-- PVID 70, 10.10.70.1/24, lease range 10.10.70.10 - 10.10.70.250

sfp-sfplus1 is disabled as i currently have no use for it.

I read pcunite's and sindy's articles Using RouterOS to VLAN your network and RouterOS bridge mysteries explained (I really appreciate your work!), studied the different examples and tried them - and I tried some things on my own. But no matter what I tried, after turning VLAN filtering on (/interface bridge set bridge vlan-filtering=yes) the connection to the router was cut and I had to reset the router (I wish it had a power button). And the "Safe Mode" is not really working, is it?

Below is my currently used configuration - with no VLAN setup at all. Besides the DHCP and WLAN settings it is pretty default, but I hope to use it as a starting point. I read that only one bridge is necessary for VLANs, but a bridge for each DHCP server seems more... eem... smooth(?) to me.

--->>>
Edit: cut the configuration settings. As it is no longer relevant it seems useful to save space.
<<<---

Sorry for that, but I can not attach files.

I would be most happy and grateful if someone has a hint or a push in the right direction - or a configuration file.
I am almost certain that I just miss some small but most vital point. But meanwhile I tried too many variations and I just lost overview and focus.


With kind regards!
forenuser
Last edited by forenuser on Thu Sep 30, 2021 7:13 pm, edited 1 time in total.
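The requirements forenuser lists above (VLANs 30/50/70 on the stated ports and radios) and the point Zacharias made earlier in the thread (VLANs do not isolate anything by themselves; the IP firewall has to enforce it) worked through as one complete RB4011 configuration. This is an added example, not forenuser's configuration or anything posted in the thread. It assumes a reset box without the default configuration (so the WAN and LAN interface lists are created here), that on this RB4011 wlan1 is the 2.4 GHz radio and wlan2 the 5 GHz radio (with SSID and security already set up and left out here), that ether1 gets its address by DHCP, and 10.10.30.5 as an assumed address of one shared internal service. The two details behind the lockout forenuser describes are that the bridge itself must be a tagged member of every VLAN that carries an IP address (tagged=bridge), and that the router's addresses go on the VLAN interfaces, not on the bridge. vlan-filtering is switched on as the very last step, from a session on an Office port, ideally in Safe Mode (Ctrl-X in the terminal), which rolls the session back if the connection is lost.

```routeros
# Added example for an RB4011 (RouterOS 6.48 syntax); not a config posted in this thread.
# Assumptions: reset box without default config, ether1 = WAN (DHCP client),
# wlan1 = 2.4 GHz radio, wlan2 = 5 GHz radio, 10.10.30.5 = an assumed shared internal service.
# Paste from Safe Mode (Ctrl-X): if the session is lost, everything below is rolled back.

/interface bridge
add name=bridge vlan-filtering=no comment="filtering is enabled last"

# Access ports: the PVID puts untagged ingress into the port's VLAN, tagged ingress is rejected
/interface bridge port
add bridge=bridge interface=ether2 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan2 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether6 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether7 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether8 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether9 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether10 pvid=50 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan1 pvid=70 frame-types=admit-only-untagged-and-priority-tagged

# VLAN table. tagged=bridge makes the CPU port a member of each VLAN; leaving it out is the
# usual reason management access dies the moment vlan-filtering is switched on.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,wlan2 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether6,ether7,ether8,ether9,ether10 vlan-ids=50
add bridge=bridge tagged=bridge untagged=wlan1 vlan-ids=70

# Layer 3 lives on VLAN interfaces on top of the bridge, never on the bridge itself
/interface vlan
add interface=bridge name=vlan30-office vlan-id=30
add interface=bridge name=vlan50-fun vlan-id=50
add interface=bridge name=vlan70-guest vlan-id=70

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan30-office list=LAN
add interface=vlan50-fun list=LAN
add interface=vlan70-guest list=LAN

/ip dhcp-client
add interface=ether1 disabled=no
/ip address
add address=10.10.30.1/24 interface=vlan30-office
add address=10.10.50.1/24 interface=vlan50-fun
add address=10.10.70.1/24 interface=vlan70-guest
/ip pool
add name=pool-office ranges=10.10.30.10-10.10.30.250
add name=pool-fun ranges=10.10.50.10-10.10.50.250
add name=pool-guest ranges=10.10.70.10-10.10.70.250
/ip dhcp-server
add address-pool=pool-office interface=vlan30-office name=dhcp-office disabled=no
add address-pool=pool-fun interface=vlan50-fun name=dhcp-fun disabled=no
add address-pool=pool-guest interface=vlan70-guest name=dhcp-guest disabled=no
/ip dhcp-server network
add address=10.10.30.0/24 gateway=10.10.30.1 dns-server=10.10.30.1
add address=10.10.50.0/24 gateway=10.10.50.1 dns-server=10.10.50.1
add address=10.10.70.0/24 gateway=10.10.70.1 dns-server=10.10.70.1
/ip dns set allow-remote-requests=yes

# Guest radio: the AP does not relay frames between its own clients
/interface wireless set wlan1 default-forwarding=no

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# input: every VLAN may use the router for DHCP/DNS, only Office may manage it
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 comment="DNS+DHCP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS over TCP"
add chain=input action=accept in-interface=vlan30-office comment="management from Office only"
add chain=input action=drop comment="everything else, WAN included"
# forward: the internet and one shared service are reachable, other VLANs are not
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN dst-address=10.10.30.5 protocol=tcp dst-port=443 comment="shared service (assumed address)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="to internet"
add chain=forward action=drop comment="inter-VLAN and anything unsolicited from WAN"

# Last step: switch filtering on. Re-check /interface bridge vlan print before doing this.
/interface bridge set bridge vlan-filtering=yes
```

Because all three VLANs terminate on the router, a host can only reach another VLAN through the forward chain, and the only destinations accepted there are the WAN list and the one shared service; each further shared service is one more accept rule above the final drop. Hosts inside the same VLAN still see each other at L2, which is exactly the limitation mkx describes earlier in the thread; isolating individual users on top of this needs a VLAN per user, split horizon on wired ports, or default-forwarding=no on a radio.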
 
forenuser
just joined
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

Re: Private VLAN on a RB4011

Thu Sep 30, 2021 7:13 pm

Hello world!

Thanks to all reading my text and trying to help!
I started over with pcunite's RouterSwitchAP configuration and sadly VLAN is still not working (cross-VLAN communication and access is possible). However, besides this the network is running and I do not lose contact with the router. The solution for the non-working VLAN, I guess, is to be found in the IP filter options, so I will go there.


With kind regards!
forenuser
 
ath
just joined
Posts: 18
Joined: Thu May 12, 2016 4:17 am
Location: Melbourne, VIC

Re: Private VLAN on a RB4011

Fri Jan 26, 2024 4:56 am

There is considerable confusion as to what is meant by ‘private VLAN’, so let me clarify.

Private VLANs are defined in RFC 5517 and are implemented on many brands of switches, most notably Cisco, so they are not unusual.

It is possible to implement a private VLAN on MikroTik routers, but there’s a catch. The following example shows how.

Let ether2 be a promiscuous port, ether6 an isolated host port, and ether7 and ether8 community host ports. VLAN 100 is the primary VLAN, VLAN 200 is an isolated secondary VLAN, and VLAN 300 is a community secondary VLAN.

The following commands implement the private VLAN.
/interface bridge
add name=bridge1 vlan-filtering=no

# Access ports: the PVID maps each port to its VLAN; only untagged (or priority-tagged) frames are admitted
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=300 frame-types=admit-only-untagged-and-priority-tagged

# Primary VLAN 100 egresses on the host ports; each secondary VLAN egresses only on the promiscuous port.
# A port is also an untagged member of its own PVID, so ether7 and ether8 still reach each other in VLAN 300.
/interface bridge vlan
add bridge=bridge1 untagged=ether6,ether7,ether8 vlan-ids=100
add bridge=bridge1 untagged=ether2 vlan-ids=200
add bridge=bridge1 untagged=ether2 vlan-ids=300

# Switch filtering on last, once the tables above are complete
/interface bridge set bridge1 vlan-filtering=yes
So, what’s the catch? Because the last command activates independent VLAN learning (IVL), the MAC addresses of the hosts connected to ether6, ether7, and ether8 don’t appear in the MAC forwarding table for VLAN 100. Consequently, the promiscuous port broadcasts to all three host ports. This consumes bandwidth and reduces security.

Implementing shared VLAN learning (SVL) would fix the problem, but MikroTik seems to be dumbing down its switches by eliminating many of the commands under /interface ethernet switch. (Compare the CRS3xx/5xx series switches with the CRS1xx/2xx series switches, which appear to be being phased out.) Consequently, this catch is unlikely to go away.
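A way to observe the catch ath describes, added here as a check that is not part of the post: with the bridge1 configuration above applied and three hosts with constructed MAC addresses (assumed for the example) A on promiscuous ether2, B on isolated ether6 and C on community ether7, the bridge host table and the packet sniffer show that B is never learned in VLAN 100 and that A's unicast to B is therefore flooded onto ether7 as well.

```routeros
# Added check, not part of the post. Assumes the bridge1 private-VLAN config above is applied and
# three hosts with constructed MAC addresses: A = 02:00:00:00:00:0A on promiscuous ether2,
# B = 02:00:00:00:00:0B on isolated ether6, C = 02:00:00:00:00:0C on community ether7.

# 1. Membership: each secondary VLAN egresses only on ether2, the primary only on the host ports
/interface bridge vlan print where bridge=bridge1

# 2. Let B ping A. With IVL the learning key is (MAC, VID): B is learned with the VID of its
#    ingress port (200), A with VID 100. Neither host ever appears in the other's VLAN.
/interface bridge host print where bridge=bridge1
#    expected: 02:00:00:00:00:0B on ether6 vid=200, 02:00:00:00:00:0A on ether2 vid=100
/interface bridge host print where vid=100 mac-address=02:00:00:00:00:0B
#    expected: empty, B is unknown in VLAN 100

# 3. So every unicast frame A sends to B is an unknown-unicast flood in VLAN 100 and is delivered
#    to ether7 and ether8 as well. Sniff the community port while A pings B:
/tool sniffer quick interface=ether7 ip-protocol=icmp
#    A's echo requests to B appear on ether7, where host C can read them. Sniffing ether6
#    while A talks to C shows the same leak towards the isolated port.
```

The flood never stops, because B and C only ever transmit in their secondary VLANs and so are never learned in VLAN 100; anything the promiscuous side sends to one host port is visible on all of them, which is the bandwidth and confidentiality cost ath refers to. Static host entries or SVL would be the fix; the check above is how to confirm whether a given RouterOS version still behaves this way.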
