brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

RB5009 and VLANs

Wed Aug 31, 2022 1:44 pm

Hello,
I'm setting up an RB5009 "according" to the article viewtopic.php?t=143620&sid=47033cb5ee25 ... 70#p706997, but I want ether8 to be only on BASE, not TRUNK, so that I can manage the router WITHOUT a switch, using a dumb laptop.

This is my config:
# jan/02/1970 01:32:37 by RouterOS 7.4.1
# software id = DAE3-QSLR
#
# model = RB5009UG+S+
# serial number = HC907Q6WJXH
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=RED_VLAN vlan-id=30
add interface=ether1 name=YELLOW_VLAN vlan-id=835
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=RED_POOL ranges=192.168.1.2-192.168.1.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN lease-time=1d name=BASE_DHCP
/interface bridge port
add bridge=BR1 interface=sfp-sfpplus1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BR1 tagged=\
    BR1,sfp-sfpplus1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10
add bridge=BR1 tagged=\
    BR1,sfp-sfpplus1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=20
add bridge=BR1 tagged=\
    BR1,sfp-sfpplus1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=30
add bridge=BR1 tagged=\
    BR1,sfp-sfpplus1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=\
    ether8 vlan-ids=99
/interface list member
add interface=YELLOW_VLAN list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add disabled=yes interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
add address=192.168.1.1/24 interface=RED_VLAN network=192.168.1.0
add address=10.0.40.1/24 interface=wireguard1 network=10.0.40.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.0.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=\
    10.0.40.0/24
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Enable BASE control everywhere" \
    in-interface-list=BASE
add action=accept chain=input comment="Allow DNS on VLANs" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow DNS on VLANs" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="Drop everything else"
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow wireguard to VLAN" \
    in-interface=wireguard1 out-interface-list=VLAN
add action=accept chain=forward comment="Enable BASE control everywhere" \
    in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
/system identity
set name=Router
Now, I would expect to get a dynamic IP address when connecting to ether8... but it doesn't work.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 and VLANs  [SOLVED]

Wed Aug 31, 2022 2:58 pm

(1) Since you have vlans assigned to the bridge you need to clarify what is going on with the etherports.
Thus far you have all trunk ports sfpplus1 and eth2-ether7. If you want ether8 to be an access port to your PC.........
Suggesting...........
/interface bridge port
add bridge=BR1 interface=sfp-sfpplus1  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether2  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether4  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether5  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether6  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether7  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether8  ingress-filtering=yes frame-types=admit-priority-and-untagged  pvid=99
..............

(2) Now you need the /interface bridge vlan settings to match.......... (they look good but can simplify)
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10,20,30
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=\
ether8 vlan-ids=99

(3) You are allowing a non-local router subnet to access the router, assuming for config purposes???............... Do you need the entire subnet or a specific IP address?
Typically it's easy to allow a subnet to enter the tunnel at the remote end and exit the tunnel at the local end, but then reduce access to local subnets, and especially the router, to the admin IPs only.
Up to you.
add action=accept chain=input comment="Allow WireGuard traffic" src-address=\
10.0.40.0/24


(4) You allow all wireguard users to access all vlans............... just ensuring that is what you want to allow................. To make the point clear you allow the BASE to also allow all access to vlans and this is typically for the admin etc.........
add action=accept chain=forward comment="Allow wireguard to VLAN" \
in-interface=wireguard1 out-interface-list=VLAN
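An added consistency check (my own example, not code from the thread or from MikroTik) that parses an export like the one in the question and flags exactly the mismatch above: ether8 is named as untagged in /interface bridge vlan but was never added under /interface bridge port, so it is not on BR1 at all. It also reports access ports whose pvid does not match their untagged VLAN and ports left at the default frame-types. The sample input is constructed from the question's export; section names and attribute names are the ones RouterOS exports.

```python
import re

# Constructed sample from the export in the question: ether8 is untagged on VLAN 99
# in /interface bridge vlan but was never added under /interface bridge port.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=BR1 interface=sfp-sfpplus1
add bridge=BR1 interface=ether2
/interface bridge vlan
add bridge=BR1 tagged=\
    BR1,sfp-sfpplus1,ether2 vlan-ids=10,20,30
add bridge=BR1 tagged=\
    BR1,sfp-sfpplus1,ether2 untagged=\
    ether8 vlan-ids=99
"""
ATTR = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value pairs, values may be quoted

def parse_export(text):
    # Group the 'add' lines of a RouterOS export by section; '\' joins continuation lines
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith("add "):
            sections[current].append(dict(ATTR.findall(line[4:])))
    return sections

def check_bridge_vlans(sections):
    # Report interfaces that bridge vlan entries mention but that are not bridge ports,
    # access ports whose pvid does not match their untagged VLAN, and ports left at
    # the default frame-types=admit-all (untagged frames would land on the pvid).
    problems = []
    ports = {p["interface"]: p for p in sections.get("/interface bridge port", [])}
    for entry in sections.get("/interface bridge vlan", []):
        vids = entry.get("vlan-ids", "")           # ranges such as 10-20 are not expanded
        members = lambda key: [i for i in entry.get(key, "").split(",") if i]
        for iface in members("tagged") + members("untagged"):
            if iface != entry.get("bridge") and iface not in ports:  # bridge itself = CPU port
                problems.append(f"{iface}: in vlan-ids={vids} but not a bridge port")
        for iface in members("untagged"):
            pvid = ports.get(iface, {}).get("pvid", "1")  # RouterOS default pvid is 1
            if iface in ports and pvid not in vids.split(","):
                problems.append(f"{iface}: untagged on vlan-ids={vids} but pvid={pvid}")
    for iface, p in ports.items():
        if "frame-types" not in p:
            problems.append(f"{iface}: frame-types not set, defaults to admit-all")
    return problems
```

Run it against a full export (paste the output of /export) and the first line reported for the question's config is the missing ether8 bridge port; adding the port with pvid=99 clears it.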
 
brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

Re: RB5009 and VLANs

Wed Aug 31, 2022 6:40 pm

Thanks, I'm happy I was not so far away!
(3)+(4) I know, but this is for a WireGuard VPN I will use to connect my laptop and tablet (manual clients) to home. It will be ME only, but I will harden it a little, thanks.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 and VLANs

Wed Aug 31, 2022 6:48 pm

No worries,,,,,,,,,,
most questions answered here as you are pretty self-sufficient!!
viewtopic.php?t=182340
