8577
newbie
Topic Author
Posts: 48
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 5:50 pm

After dragging my feet for a year, I am finally getting ready to cut over to the RB5009 routerboard model. I flashed it to ROS 7.4. My question is: can I just carry the VLAN config over as is, or do I have to start all over, since it has a different chip in it from the old router?
I know tdw helped me a ton a few years back when I configured the hAP-ac2 router, so hoping I can just move the config over.

Here is my current vlans config:
/interface bridge
add name=bridge protocol-mode=none pvid=99 vlan-filtering=yes

/interface vlan
add comment=Users interface=bridge name=VLAN10 vlan-id=10
add comment=CCTV interface=bridge name=VLAN20 vlan-id=20
add comment=Guest interface=bridge name=VLAN30 vlan-id=30
add comment=MGMT interface=bridge name=VLAN99 vlan-id=99

/interface list
add comment=DJ name=WAN
add comment=DJ name=LAN
add comment=DJ name=VLAN
add comment=DJ name=MGMT


/interface list member
add interface=VLAN99 list=MGMT
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=VLAN30 list=VLAN

/interface bridge port
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=bridge comment=MGMT ingress-filtering=yes interface=ether5 pvid=99
add bridge=bridge comment="Wifi 2.4GHz" frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge comment="Wifi 5GHz" frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=bridge comment="Guest Wifi" frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan3 pvid=30


/interface bridge vlan
add bridge=bridge comment=MGMT tagged=bridge,ether2 vlan-ids=99
add bridge=bridge comment="Guest WLAN" tagged=bridge,ether2,ether3 vlan-ids=30
add bridge=bridge comment=CCTV tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge comment=Users tagged=bridge,ether2,ether3 vlan-ids=10

I ask because I know the RB5009 has a different switch chip in it, so I would think I may need to change some of the configuration entries. Thought I would ask before I break it, lol.
 
BrateloSlava
Member Candidate
Posts: 167
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 6:01 pm

There is no difference in the settings for VLAN filtering at the bridge level. In your case, a different switch chip model will not affect it. The only thing is that there is no Wi-Fi on the new router, so the settings will need to be changed a little.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Migration from hAP-ac2 to RB5009ug vlan question  [SOLVED]

Mon Aug 08, 2022 6:01 pm

Don't know, see (3).

(1) This is not required, as the VLANs are already captured under the VLAN interface list and thus the LAN list has no value:
add interface=bridge list=LAN
Since you failed to provide firewall rules, you may need to change any interface lists with the word LAN to VLAN.

(2) Minor point, but I always add untagged to my /interface bridge vlan settings so that I can cross-check them against the /interface bridge port settings:

add bridge=bridge comment=MGMT ingress-filtering=yes interface=ether5 pvid=99

/interface bridge vlan
add bridge=bridge comment=MGMT tagged=bridge,ether2 untagged=ether5 vlan-ids=99

(3) Since you didn't provide the full config, the question you asked remains unanswered.
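A way to do anav's cross-check mechanically, added here as an example and not code from the thread: parse the /interface bridge port and /interface bridge vlan sections of the export posted above and report ports whose pvid is not listed untagged, and trunk ports that are tagged in no VLAN entry. The export text is copied from the first post with the wlan ports dropped; parse_export, members and check_vlans are names chosen here.

```python
import re

# Constructed from the poster's /interface bridge port and /interface bridge vlan
# sections above (wlan ports left out, since they stay behind on the hAP ac2).
EXPORT = """\
/interface bridge port
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=bridge comment=MGMT ingress-filtering=yes interface=ether5 pvid=99
/interface bridge vlan
add bridge=bridge comment=MGMT tagged=bridge,ether2 vlan-ids=99
add bridge=bridge comment="Guest WLAN" tagged=bridge,ether2,ether3 vlan-ids=30
add bridge=bridge comment=CCTV tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge comment=Users tagged=bridge,ether2,ether3 vlan-ids=10
"""
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value pairs, value may be quoted

def parse_export(text):
    """Group the 'add' lines of an export by section, each as a key/value dict."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections

def members(entry, key):
    return set(filter(None, entry.get(key, "").split(",")))

def check_vlans(text):
    """Cross-check each bridge port against the VLAN table; return a list of findings.
    Assumes single-value vlan-ids (no ranges), which is all this export uses."""
    s = parse_export(text)
    vlans = {int(v["vlan-ids"]): (members(v, "tagged"), members(v, "untagged"))
             for v in s.get("/interface bridge vlan", [])}
    findings = []
    for p in s.get("/interface bridge port", []):
        name, pvid = p["interface"], int(p.get("pvid", 1))
        tagged_in = [vid for vid, (tag, _) in vlans.items() if name in tag]
        if p.get("frame-types") == "admit-only-vlan-tagged":
            if not tagged_in:  # a trunk that belongs to no VLAN forwards nothing
                findings.append(f"{name}: trunk port is not tagged in any VLAN entry")
        elif pvid not in vlans:
            findings.append(f"{name}: pvid {pvid} has no /interface bridge vlan entry")
        elif name not in vlans[pvid][1]:  # pvid set, but no explicit untagged= listing
            findings.append(f"{name}: pvid {pvid} but not listed untagged in VLAN {pvid}")
    return findings
```

On the posted config it flags ether4, which admits only tagged frames yet appears in no VLAN entry, and ether5, whose pvid 99 is not listed as untagged= in the VLAN 99 entry, which is exactly the explicit listing anav recommends.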
 
8577
newbie
Topic Author
Posts: 48
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 6:57 pm

Thanks for the replies. Yes, I should have clarified that I will be changing the wlan interfaces, since those will be on another device, not to mention the port configuration. I will spin up CAPsMAN when I get to that step as I add more APs.

For a bit of clarity, here are the firewall rules:
/ip firewall filter
add action=drop chain=input comment="Drop ALL invalid" connection-state=invalid log=yes log-prefix=\
    invalid_
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop SSH WAN." dst-port=22 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment="CobaltStrike Block - Engress" src-address-list=CobaltStrike
add action=drop chain=forward comment="CobaltStrike - Block Ingress" dst-address-list=CobaltStrike
add action=drop chain=input comment="drop icmp wan" in-interface=ether1 protocol=icmp
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT Full Access" in-interface=VLAN99
add action=accept chain=input comment="VPN ingress from WAN" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow VPN traffic" src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow VPN to forward" src-address=192.168.5.0/24
add action=accept chain=input dst-port=1194 log=yes log-prefix=_ovpn protocol=tcp src-port=""
add action=drop chain=input comment=Drop log=yes log-prefix=drop_
And thanks for the tips, anav! I do need to clean up a few things before I can share the entire config; I got kinda sloppy over the years.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 7:28 pm

Your rules don't make much sense to me, and so many basic rules are missing. If this is not a public-IP-facing router and you have one in between, then okay...
Here is a different, organized take on it...

These are duplicates, and I don't understand them without the context of the rest of the config, but they seem out of place...
The only reason to let a local subnet access the INPUT chain is to config the router; it is NOT needed to enter a VPN tunnel!!
add action=accept chain=input comment="Allow VPN traffic" src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow VPN to forward" src-address=192.168.5.0/24
??


/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp { blocking ICMP is not helpful }
add action=accept chain=input dst-port=1194 log=yes log-prefix=_ovpn protocol=tcp src-port="" { assuming this is required currently for vpn to work? }
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT Full Access" in-interface-list=MGMT
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else"
{Forward Chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward

Without seeing the corresponding address list, I left these two rules out, as I suspect they are not required.
add action=drop chain=forward comment="CobaltStrike Block - Engress" src-address-list=CobaltStrike
add action=drop chain=forward comment="CobaltStrike - Block Ingress" dst-address-list=CobaltStrike
??

Remember, with a drop-all rule, all traffic is blocked from WAN to LAN, and thus you only have to worry about LAN to WAN traffic.
In the above rules we allow subnet-to-internet traffic, VLAN to WAN. Do you have concerns about individual users in the VLANs having access to the internet???
Last edited by anav on Mon Aug 08, 2022 8:23 pm, edited 1 time in total.
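The first-match behaviour anav relies on above ("with a drop all rule, all traffic is blocked from WAN to LAN"), shown with an added example that is not code from the thread: a small evaluator walks his proposed input and forward chains with constructed packets. It keeps only the terminal rules (fasttrack, which passes through, and the DNS lines shadowed by "Allow VLAN" are left out), resolves interface lists from the poster's /interface list member section, and uses names chosen here (parse_rules, fits, matches, verdict, demo).

```python
import re
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value pairs of an export line
# anav's proposed chains above, reduced to their terminal rules (see lead-in).
RULES = """\
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT Full Access" in-interface-list=MGMT
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
"""
# Interface lists as the poster's /interface list member section defines them.
LISTS = {"WAN": {"ether1"}, "VLAN": {"VLAN10", "VLAN20", "VLAN30"}, "MGMT": {"VLAN99"}}

def parse_rules(text):
    return [{k: v.strip('"') for k, v in KV.findall(l[4:])}
            for l in text.splitlines() if l.startswith("add ")]

def fits(key, want, pkt):
    """One matcher against the packet dict; in-/out-interface-list go via LISTS."""
    if key.endswith("-interface-list"):
        return pkt.get(key.split("-")[0]) in LISTS[want]
    return key in ("action", "comment") or pkt.get(key) in want.split(",")

def matches(rule, pkt):
    return all(fits(k, w, pkt) for k, w in rule.items())

def verdict(rules, pkt):
    pkt = {"connection-state": "new", **pkt}  # unspecified state means a new connection
    for rule in rules:
        if matches(rule, pkt):  # first match wins, as in RouterOS
            return rule["action"]
    return "accept"  # RouterOS accepts what reaches the end of a chain unmatched

def demo():  # constructed packets run through both chains
    rules = parse_rules(RULES)
    cases = {
        "ssh from WAN to router": {"chain": "input", "in": "ether1", "protocol": "tcp", "dst-port": "22"},
        "dns from VLAN10 to router": {"chain": "input", "in": "VLAN10", "protocol": "udp", "dst-port": "53"},
        "VLAN20 to internet": {"chain": "forward", "in": "VLAN20", "out": "ether1"},
        "unsolicited WAN to VLAN10": {"chain": "forward", "in": "ether1", "out": "VLAN10"},
        "VLAN10 to VLAN20": {"chain": "forward", "in": "VLAN10", "out": "VLAN20"},
    }
    return {name: verdict(rules, pkt) for name, pkt in cases.items()}
```

The run shows why the original per-port drops for DNS, SSH and ICMP on ether1 become redundant: anything from WAN that no earlier rule accepts lands on the final drop, and the same final drop in the forward chain also keeps the VLANs apart from each other.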
 
8577
newbie
Topic Author
Posts: 48
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 8:16 pm

> Your rules don't make much sense to me, and so many basic rules are missing. If this is not a public-IP-facing router and you have one in between, then okay...
> Here is a different, organized take on it...
I have the VPN rules as I do (not so much anymore) on occasion have to access it remotely over a VPN tunnel. There is no firewall in front of it, and it is public-facing. The network list is a block list, per a requirement that was in place at one point. No concerns about VLANs, but at one point I did have some IoT devices that I was blocking from accessing the WAN, and certain users, when it was used as a DR site at my old job.

I will clean things up when I stand up the new router. My main concern was the VLAN config stuff, as it tends to throw me off, and I do not keep up on best practices, so to speak.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 8:25 pm

Understood, but more often than not, one cannot speak to proper config in isolation, as the moving parts are integrated: bridge, firewall, routing, etc.
 
8577
newbie
Topic Author
Posts: 48
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 8:53 pm

> Understood, but more often than not, one cannot speak to proper config in isolation, as the moving parts are integrated: bridge, firewall, routing, etc.
Yes, indeed. When I get the new config together I will share more detail. As always, I appreciate the input from committed MikroTik helpers like you, Anav. Thank you!
Last edited by 8577 on Mon Aug 08, 2022 9:16 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 9:03 pm

Please modify your response to the following...
"I appreciate the input from committed MikroTik helpers like you, Anav."

a. No expert, that's for sure; I have just bumbled my way through many configs and have sorted a few things out, and actually know very little of MT or networking beyond a bare-bones amount.
b. Committed, because I should be in a white four-padded room, but yes, I do spend much time here.
c. Helping others out of their frustration, and hopefully learning a few things along the way, is the goal.

I would be remiss not to point out that there are others here who I rely on to help out (keep me honest), and they are truly experts: sindy, sob, mkx, rextended, and others, too numerous to mention.
Where I fit in is relating to the common man (not an IT nerd, LOL) and hopefully providing some digestible support.
 
8577
newbie
Topic Author
Posts: 48
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: Migration from hAP-ac2 to RB5009ug vlan question

Mon Aug 08, 2022 9:21 pm

> Please modify your response to the following...
> "I appreciate the input from committed MikroTik helpers like you, Anav."
>
> a. No expert, that's for sure; I have just bumbled my way through many configs and have sorted a few things out, and actually know very little of MT or networking beyond a bare-bones amount.
> b. Committed, because I should be in a white four-padded room, but yes, I do spend much time here.
> c. Helping others out of their frustration, and hopefully learning a few things along the way, is the goal.
>
> I would be remiss not to point out that there are others here who I rely on to help out (keep me honest), and they are truly experts: sindy, sob, mkx, rextended, and others, too numerous to mention.
> Where I fit in is relating to the common man (not an IT nerd, LOL) and hopefully providing some digestible support.
Hehe, I can relate! I run MT gear in production in some high-dollar deployments, yet I know so little about the tech behind what makes it all tick. But I still appreciate the input from others like you. I spend all day on Cisco gear, F5, A10 and other big-dollar devices, but I still love and rely on MikroTik for most of my own needs.
