rualark
just joined
Topic Author
Posts: 10
Joined: Sun Nov 11, 2018 8:28 pm

Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Nov 15, 2018 12:43 pm

Here is the network diagram:
https://i.imgur.com/sQFvmZj.png

From PC1 (192.168.9.253) I cannot ping vlan gateway 192.168.9.1 on RB4011iGS+ and vlan ip 192.168.9.2 on HAP AC. Also, all three of these IP addresses cannot ping each other (RB4011iGS+ cannot ping 192.168.9.2 or 192.168.9.253, HAP AC cannot ping 192.168.9.1 or 192.168.9.253).

I disabled the firewall completely, but still had no success. I have masquerade going out from the internet interface (eth1 on RB4011iGS+). I see that some broadcast traffic is going through the trunk, but PC1 does not even get the MAC addresses of 192.168.9.1 and 192.168.9.2 in its ARP table.

RB4011iGS+ config:
# Review note: initial (non-working) RB4011iGS+ export, layer-2 part: one
# VLAN-filtering bridge (br1-lan) with ether10 as the trunk port.
# NOTE(review): the export header publishes the device serial number and
# software id; consider stripping such identifiers before posting an export.
# nov/15/2018 13:15:25 by RouterOS 6.43.4
# software id = WP4U-Z565
#
# model = RB4011iGS+
# serial number = 968A09187F4C
/interface bridge
add admin-mac=B8:69:F4:92:25:57 auto-mac=no comment=defconf name=br1-lan pvid=11 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598
set [ find default-name=ether2 ] l2mtu=1598
set [ find default-name=ether3 ] l2mtu=1598
set [ find default-name=ether4 ] l2mtu=1598
set [ find default-name=ether5 ] l2mtu=1598
set [ find default-name=ether6 ] l2mtu=1598
set [ find default-name=ether7 ] l2mtu=1598
set [ find default-name=ether8 ] l2mtu=1598
set [ find default-name=ether9 ] l2mtu=1598
set [ find default-name=ether10 ] l2mtu=1598
# NOTE(review): both VLAN interfaces are attached to ether10, which is also a
# bridge port (see "/interface bridge port" below). The fix posted later in
# the thread attaches them to the bridge instead.
/interface vlan
add interface=ether10 name=vlan1-lan vlan-id=11
add interface=ether10 name=vlan2-guest vlan-id=22
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-lan ranges=192.168.9.50-192.168.9.254
add name=dhcp-guest ranges=192.168.13.50-192.168.13.254
# The dhcp-guest server has no interface= value in this export, so it is not
# bound to vlan2-guest here.
/ip dhcp-server
add address-pool=dhcp-lan disabled=no interface=br1-lan name=defconf
add address-pool=dhcp-guest disabled=no name=dhcp-guest
# Only ether6 carries pvid=11; the other ports show no pvid, i.e. they keep
# the default value (presumably 1 - verify with "export verbose").
/interface bridge port
add bridge=br1-lan comment=defconf interface=ether2
add bridge=br1-lan comment=defconf interface=ether3
add bridge=br1-lan comment=defconf interface=ether4
add bridge=br1-lan comment=defconf interface=ether5
add bridge=br1-lan comment=defconf interface=ether6 pvid=11
add bridge=br1-lan comment=defconf interface=ether7
add bridge=br1-lan comment=defconf interface=ether8
add bridge=br1-lan comment=defconf interface=ether9
add bridge=br1-lan comment=defconf interface=ether10
add bridge=br1-lan comment=defconf interface=sfp-sfpplus1
# Neighbor discovery is limited to the LAN interface list, so the router does
# not announce itself on the WAN-list interface.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): only ether10 is listed as a member of VLAN 11 and 22; the
# bridge itself is not in tagged=. Adding the bridge as a tagged member is the
# first step of the fix posted later in the thread.
/interface bridge vlan
add bridge=br1-lan tagged=ether10 vlan-ids=11
add bridge=br1-lan tagged=ether10 vlan-ids=22
# The last entry has no interface= value in this export (presumably a
# leftover - verify).
/interface list member
add comment=defconf interface=br1-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN
# Review note: initial RB4011iGS+ export, addressing, DNS, firewall and NAT.
/ip address
add address=192.168.9.1/24 comment=defconf interface=br1-lan network=192.168.9.0
add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
add address=192.168.13.1/24 interface=vlan2-guest network=192.168.13.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1 netmask=24
add address=192.168.13.0/24 gateway=192.168.13.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# on every interface the firewall permits. With all input rules below
# disabled, that includes ether1 (the WAN-list interface).
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.1 name=router.lan
# NOTE(review): every filter rule carries disabled=yes (the author disabled
# the firewall while troubleshooting). In this state nothing filters input or
# forward traffic, while the dstnat forwards further down remain active.
# Re-enable the rules as soon as the VLAN problem is isolated.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
# NOTE(review): the dstnat rules forward traffic arriving on ether1 to
# internal hosts on ports 3306, 3389, 80 and 21, which are the default ports
# of MySQL, RDP, HTTP and FTP (what actually listens there is not shown).
# None of the rules has a src-address or src-address-list restriction, so the
# services are reachable by anything that can reach ether1. Presenting 3389 on
# external port 443 does not protect it. Restricting the sources or reaching
# these services over a VPN would reduce the exposure.
# The second masquerade rule (dst-port=80, src 192.168.9.0/24) is presumably
# hairpin NAT for the port-80 forward - confirm.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
add action=netmap chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=21
# Review note: initial RB4011iGS+ export, routing and tool settings.
/ip route
add distance=1 gateway=192.168.100.1
# Traffic-flow is enabled on br1-lan and exports version 5 records to
# 192.168.9.4.
/ip traffic-flow
set cache-entries=32k enabled=yes interfaces=br1-lan
/ip traffic-flow target
add dst-address=192.168.9.4 version=5
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set silent-boot=no
# MAC-Telnet and MAC-Winbox access is limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# The sniffer is pointed at the trunk port ether10.
/tool sniffer
set filter-interface=ether10
HAP AC config:
# Review note: initial (non-working) HAP AC export, layer-2 and wireless part:
# one VLAN-filtering bridge with ether1 as the trunk port.
# nov/15/2018 13:09:47 by RouterOS 6.43.2
# software id = R9TC-1I4K
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6737065A9A5D
/interface bridge
add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no comment=defconf name=bridge pvid=11 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
# NOTE(review): as in the RB4011 export, the VLAN interfaces sit on the trunk
# port (ether1), which is also a bridge port below.
/interface vlan
add interface=ether1 name=vlan1-lan vlan-id=11
add interface=ether1 name=vlan2-guest vlan-id=22
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the WPA/WPA2 pre-shared key is printed in clear text in both
# profiles. A key that has been posted publicly should be treated as
# compromised and changed; "/export hide-sensitive" leaves such values out of
# an export. The key is also a ten-digit number, which is a small search space
# for a passphrase, and authentication-types still enables legacy wpa-psk next
# to wpa2-psk.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1620290162 wpa2-pre-shared-key=1620290162
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik wpa-pre-shared-key=1620290162 wpa2-pre-shared-key=1620290162
# Two virtual APs (ssid alch19) on top of wlan1/wlan2, using "profile".
/interface wireless
add disabled=no mac-address=6E:3B:6B:11:EB:C6 master-interface=wlan2 name=wlan5 security-profile=profile ssid=alch19
add disabled=no mac-address=6E:3B:6B:11:EB:C7 master-interface=wlan1 name=wlan6 security-profile=profile ssid=alch19
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# No disabled=no is shown for this server, unlike the servers in the RB4011
# export (presumably it is disabled - verify).
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
# All four bridge filter rules for the virtual APs are disabled.
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=wlan5
add action=drop chain=forward disabled=yes out-interface=wlan5
add action=drop chain=forward disabled=yes in-interface=wlan6
add action=drop chain=forward disabled=yes out-interface=wlan6
# ether3 is an access port for VLAN 22, ether4 and ether1 carry pvid=11; the
# wireless ports show no pvid, i.e. the default value.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=22
add bridge=bridge comment=defconf interface=ether4 pvid=11
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1 pvid=11
add bridge=bridge interface=wlan5
add bridge=bridge interface=wlan6
# NOTE(review): only ether1 is a member of VLAN 11 and 22; neither the bridge
# nor the access ports (ether3, ether4) are listed.
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=11
add bridge=bridge tagged=ether1 vlan-ids=22
# Review note: initial HAP AC export, addressing, firewall and tool settings.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
# The 192.168.13.2/24 address has no interface= value in this export.
/ip address
add address=192.168.9.2/24 comment=defconf interface=bridge network=192.168.9.0
add address=192.168.14.2/24 interface=sfp1 network=192.168.14.0
add address=192.168.13.2/24 network=192.168.13.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=sfp1
/ip dhcp-server network
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.2 name=router.lan
# NOTE(review): this export contains forward-chain rules only, all disabled,
# and no input-chain rule at all. Nothing therefore restricts access to the
# router's own services (including the DNS resolver enabled above) from sfp1,
# which is in the WAN list and runs a DHCP client.
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.14.1
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set silent-boot=no
# No "/tool mac-server" section appears here, unlike in the RB4011 export, so
# MAC-server access is presumably at its defaults - verify.
/tool sniffer
set filter-interface=ether1 filter-ip-address=!192.168.13.2/32
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Fri Nov 16, 2018 11:34 pm

Try running the VLANs off the bridge.
The VLAN interfaces should use the bridge as their parent interface;
the bridge ports identify the Ethernet interfaces.
 
rualark
just joined
Topic Author
Posts: 10
Joined: Sun Nov 11, 2018 8:28 pm

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sat Nov 17, 2018 5:45 pm

Thanks to grawity for an idea! The full answer to the problem is the following:

1. Add bridge as VLAN member on both bridges (thanks grawity):
        # RB4011iGS+ (trunk port ether10): the bridge itself becomes a tagged
        # member of both VLANs; ether5 is the untagged port for VLAN 11.
        /interface bridge vlan
        add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
        add bridge=bridge tagged=ether10,bridge vlan-ids=22

        # HAP AC (trunk port ether1): same change, with ether4 untagged in
        # VLAN 11 and ether5 untagged in VLAN 22.
        /interface bridge vlan
        add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
        add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
2. Move vlan interfaces from trunk interface to bridge:
        # The same two commands are listed once per router: the VLAN
        # interfaces now use the bridge, not the trunk port, as their parent.
        /interface vlan
        add interface=bridge name=vlan11-lan vlan-id=11
        add interface=bridge name=vlan22-guest vlan-id=22

        /interface vlan
        add interface=bridge name=vlan11-lan vlan-id=11
        add interface=bridge name=vlan22-guest vlan-id=22
Fixed RB4011iGS+ config:
    # Review note: working RB4011iGS+ export, layer-2 part. The bridge shows
    # no pvid (default value), the VLAN interfaces sit on the bridge, and the
    # bridge is a tagged member of VLAN 11 and 22.
    # nov/16/2018 19:24:29 by RouterOS 6.43.4
    # software id = WP4U-Z565
    #
    # model = RB4011iGS+
    # serial number = 968A09187F4C
    /interface bridge
    add admin-mac=B8:69:F4:92:25:57 auto-mac=no name=bridge vlan-filtering=yes
    /interface ethernet
    set [ find default-name=ether1 ] l2mtu=1598
    set [ find default-name=ether2 ] l2mtu=1598
    set [ find default-name=ether3 ] l2mtu=1598
    set [ find default-name=ether4 ] l2mtu=1598
    set [ find default-name=ether5 ] l2mtu=1598
    set [ find default-name=ether6 ] l2mtu=1598
    set [ find default-name=ether7 ] l2mtu=1598
    set [ find default-name=ether8 ] l2mtu=1598
    set [ find default-name=ether9 ] l2mtu=1598
    set [ find default-name=ether10 ] l2mtu=1598
    # VLAN interfaces now use the bridge as parent instead of ether10.
    /interface vlan
    add interface=bridge name=vlan11-lan vlan-id=11
    add interface=bridge name=vlan22-guest vlan-id=22
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip pool
    add name=dhcp ranges=192.168.9.50-192.168.9.254
    # Only one DHCP server remains, on the bridge itself; the guest pool and
    # server from the first export are gone.
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge name=defconf
    # Bridge membership is reduced to the trunk (ether10), one VLAN 11 access
    # port (ether5) and ether6, which shows no pvid.
    /interface bridge port
    add bridge=bridge interface=ether10
    add bridge=bridge interface=ether5 pvid=11
    add bridge=bridge interface=ether6
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    # "bridge" in tagged= is what lets the VLAN interfaces above exchange
    # tagged frames with the trunk port.
    /interface bridge vlan
    add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
    add bridge=bridge tagged=ether10,bridge vlan-ids=22
    # Review note: working RB4011iGS+ export, addressing, NAT and tools.
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    add list=LAN
    # 192.168.9.1 stays on the bridge itself; the VLAN interfaces get their
    # own subnets (192.168.11.0/24 and 192.168.22.0/24).
    # NOTE(review): only the bridge is in the LAN interface list, so
    # list-based rules and services (e.g. the mac-server settings below) do
    # not cover vlan11-lan or vlan22-guest.
    /ip address
    add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
    add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
    add address=192.168.9.1/24 interface=bridge network=192.168.9.0
    add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
    /ip cloud
    set ddns-enabled=yes
    /ip dhcp-server network
    add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
    /ip dns
    set allow-remote-requests=yes servers=8.8.8.8
    /ip dns static
    add address=192.168.9.1 name=router.lan
    # NOTE(review): no "/ip firewall filter" section appears in this export,
    # which suggests no filter rules are configured at all (the earlier export
    # had them disabled) - verify. Without forward rules the router routes
    # freely between the guest subnet 192.168.22.0/24 and the other subnets:
    # VLANs separate the networks at layer 2 only. Without input rules the
    # router's own services, including the DNS resolver enabled above, are
    # reachable from ether1 and from the guest VLAN.
    # The dstnat forwards to ports 3306 and 3389 (default MySQL and RDP ports)
    # and to port 80 still have no source restriction.
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
    add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
    add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
    add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
    /ip route
    add distance=1 gateway=192.168.100.1
    /ip traffic-flow
    set cache-entries=32k interfaces=local
    /system clock
    set time-zone-name=Europe/Moscow
    /system identity
    set name=RB4011
    /system routerboard settings
    set silent-boot=no
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN
    /tool sniffer
    set filter-interface=vlan22-guest
Fixed HAP AC config:
    # Review note: working HAP AC export. The VLAN interfaces sit on the
    # bridge and the bridge is a tagged member of VLAN 11 and 22.
    # nov/16/2018 19:20:06 by RouterOS 6.43.4
    # software id = R9TC-1I4K
    #
    # model = RouterBOARD 962UiGS-5HacT2HnT
    # serial number = 6737065A9A5D
    /interface bridge
    add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
    # ether3 is disabled here but is still listed as a bridge port below.
    /interface ethernet
    set [ find default-name=ether3 ] disabled=yes
    # wlan1 and wlan2 are enabled but no longer appear under
    # "/interface bridge port" in this export; the virtual APs are gone.
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
    /interface vlan
    add interface=bridge name=vlan11-lan vlan-id=11
    add interface=bridge name=vlan22-guest vlan-id=22
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    # NOTE(review): the key shown here differs from the one in the first
    # export and is presumably a stand-in substituted for posting; the earlier
    # export in this thread still shows the original value, so that key should
    # be changed. Legacy wpa-psk is still enabled next to wpa2-psk.
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
    /ip hotspot profile
    set [ find default=yes ] html-directory=flash/hotspot
    /interface bridge port
    add bridge=bridge interface=ether1
    add bridge=bridge interface=ether3
    add bridge=bridge interface=ether4 pvid=11
    add bridge=bridge interface=ether5 pvid=22
    # Each access port is untagged in exactly the VLAN named by its pvid.
    /interface bridge vlan
    add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
    add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add interface=sfp1 list=WAN
    # NOTE(review): the device has an address in the guest VLAN
    # (192.168.22.2) and this export shows no "/ip firewall filter" section,
    # so its management services and DNS resolver are presumably reachable
    # from guest clients - verify and add input rules if so.
    /ip address
    add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
    add address=192.168.9.2/24 interface=bridge network=192.168.9.0
    add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
    /ip dns
    set allow-remote-requests=yes servers=8.8.8.8
    /ip dns static
    add address=192.168.9.2 name=router.lan
    # Two default routes with the same distance; the second one points at the
    # gateway in the guest subnet.
    /ip route
    add distance=1 gateway=192.168.9.1
    add distance=1 gateway=192.168.22.1
    /system clock
    set time-zone-name=Europe/Moscow
    /system identity
    set name=HAP_AC
    /system routerboard settings
    set silent-boot=no
    /tool sniffer
    set filter-interface=ether1 filter-ip-address=!192.168.13.2/32
Last edited by rualark on Sun Nov 18, 2018 1:29 pm, edited 1 time in total.
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sat Nov 17, 2018 7:25 pm

Does it work now??
 
Jotne
Forum Guru
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Nov 18, 2018 12:35 pm

These two can be shortened somewhat:
/interface bridge vlan
add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
add bridge=bridge tagged=ether10,bridge vlan-ids=22

/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
To
# NOTE(review): the merged entries are not equivalent to the two-line form.
# pvid on a port only selects the VLAN for untagged frames entering it; the
# untagged= list decides which VLANs leave a port untagged. With
# vlan-ids=11,22 in one entry, ether5 (pvid=11) becomes an untagged member of
# VLAN 22 as well, so flooded VLAN 22 (guest) frames can leave the VLAN 11
# access port. Keep one entry per VLAN when the access ports differ.
/interface bridge vlan
add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11,22

# Same caveat on the HAP AC: ether4 (pvid=11) and ether5 (pvid=22) each become
# untagged members of both VLANs.
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether4,ether5 vlan-ids=11,22
This works because the port itself defines which VLAN is used for untagged traffic: even if the bridge VLAN entry lists port 5 as untagged for both VLAN 11 and 22, it uses VLAN 11, since pvid=11 is set on port 5.

PS: edit your post and add code tags; it is easier to read.
Also, always upload the picture rather than linking to it; the other site may go away or delete the picture.
Upload by clicking the Attachments button below, like this:
example.png
 
rualark
just joined
Topic Author
Posts: 10
Joined: Sun Nov 11, 2018 8:28 pm

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Nov 18, 2018 1:27 pm

Does it work now??
Yes, it works now, thanks
 
rualark
just joined
Topic Author
Posts: 10
Joined: Sun Nov 11, 2018 8:28 pm

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Nov 18, 2018 1:28 pm

These can two can be shorten some:
/interface bridge vlan
add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
add bridge=bridge tagged=ether10,bridge vlan-ids=22

/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
To
/interface bridge vlan
add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11,22

/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether4,ether5 vlan-ids=11,22
This is due to that you on the port itself, tells what vlan should be used as untagged, so even if bridge says vlan 11 and 22 to port 5 as untaged it uses vlan 11 since pvid=11 is set on port 5

PS edit your post and add code tags, easier to read.
Also always upload picture, not use link, other site may go away or delete picture
Upload by click the Attachments button below like this:
example.png
Thanks for an interesting idea!
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sat Dec 08, 2018 11:07 pm

Do you mind if I ask about second DHCP server? I can't see it in your 2nd version of config.
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Dec 09, 2018 2:57 am

In general I would leave vlan1 out of any configuration as it exists by default and acts as the LAN on the network so to speak.
Any VLANs created can be viewed as segmented off normal lan traffic.

Did you try jotne's suggestion, if the original works, dont mess with it LOL.
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Dec 09, 2018 5:51 pm

Well, I would like to configure both multiple VLAN's and DHCP's. That's the reason why I asked OP about multiple DHCP's.

I am working on my config and this is as far as I could go. But I don't know what are steps to change default VLAN from 1 to 100 (since I would like to avoid using 1). Also, my main DHCP is on the bridge itself-should I move it to separate VLAN just like I did with others or should I leave it?
# Review note: second poster's RB4011iGS+ export, layer-2, DHCP and addressing.
# dec/09/2018 16:45:23 by RouterOS 6.43.4
# software id = S5T0-DASC
#
# model = RB4011iGS+

# NOTE(review): vlan-filtering=yes is not shown on bridge1, so it is at its
# default (off). The "/interface bridge vlan" table and the port pvid values
# below only take effect once VLAN filtering is enabled. Switching it on can
# cut off management access if the management path is not covered by the VLAN
# table, so make that change from a session that does not depend on the bridge
# or under Safe Mode.
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
set [ find default-name=ether2 ] comment="Tp-link 120"
set [ find default-name=ether3 ] comment=US-8-60W
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="Tp-Link 100"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether10 ] mac-address=B8:69:F4:92:20:15 poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan110-guest vlan-id=110
add interface=bridge1 name=vlan120-labos vlan-id=120
/interface bonding
add name=bonding-CRS slaves=ether9,ether10
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN100-pool ranges=192.168.100.101-192.168.100.254
add name=VLAN110-pool ranges=192.168.110.101-192.168.110.254
add name=VLAN120-pool ranges=192.168.120.101-192.168.120.254
# The "VLAN100" server runs on bridge1 itself (untagged); no VLAN 100
# interface exists in this export.
/ip dhcp-server
add address-pool=VLAN100-pool disabled=no interface=bridge1 lease-time=1d name=VLAN100-dhcp
add address-pool=VLAN110-pool disabled=no interface=vlan110-guest lease-time=4h name=VLAN110-dhcp
add address-pool=VLAN120-pool disabled=no interface=vlan120-labos lease-time=1h name=VLAN120-dhcp
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding-CRS
add bridge=bridge1 interface=ether2 pvid=120
# NOTE(review): ether2 has pvid=120 above but is listed under tagged= for
# VLAN 120 here; one of the two is presumably not intended. VLAN 110 has no
# entry at all, although vlan110-guest exists.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=120
add bridge=bridge1 tagged=bridge1 vlan-ids=1
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110-guest network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120-labos network=192.168.120.0
# NOTE(review): the DHCP client runs on bonding-CRS, which is a bridge port
# above; presumably unintended - verify.
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bonding-CRS
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.100.1 netmask=24
add address=192.168.110.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.110.1
add address=192.168.120.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.120.1
# Review note: second poster's firewall, NAT, route and SNMP settings.
# NOTE(review), input chain: the only rule that accepts new connections
# matches in-interface=ether1 with src-address=192.168.100.0/24. ether1 is the
# WAN-list interface (192.168.0.2/24), while 192.168.100.0/24 lives on
# bridge1, so the rule accepts LAN-sourced packets arriving on the WAN side
# (spoofed or misrouted) and never matches real LAN clients. New connections
# from the LAN to the router fall through to "Drop everything else", which
# fits the lock-outs described later in the thread. The rule presumably meant
# in-interface=bridge1 or in-interface-list=LAN - confirm before changing.
# NOTE(review), forward chain: there is no final drop rule. Packets that
# survive the tcp/udp chains are accepted by default, so nothing separates the
# guest subnet (192.168.110.0/24) from the other subnets, and new connections
# entering from ether1 are not blocked. "drop invalid connections" is also
# limited to protocol=tcp.
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=ether1 src-address=192.168.100.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
# The tcp and udp chains are deny-lists of individual ports; everything not
# listed returns to the forward chain and is accepted.
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
# NOTE(review): Back Orifice is usually associated with port 31337; 3133 in
# the next rule may be a typo - verify.
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
# The icmp chain is an allow-list that ends in a drop.
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# NOTE(review): the masquerade rule has no out-interface or
# out-interface-list, so it also rewrites the source of traffic routed between
# the internal subnets; limiting it to the WAN side (ether1) is the usual form.
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.0.1
# NOTE(review): SNMP is enabled and no "/snmp community" section appears in
# this export, so the community settings appear to be defaults (on RouterOS
# the default community is named "public") - verify, and restrict the
# community to the monitoring host's address.
/snmp
set enabled=yes


 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Dec 09, 2018 7:34 pm

Think of vlan1 as transparent. Its your basic LAN.
Think of everything else as virtual LANs for segmentation.

For example I have a home network with some core home users on both ethernet and wifi.
I dont do anything special for them.
However I have smart devices vlan10, guest wifi users vlan20, one user gets their own vlan, vlan30 etc.........

Yes the bridge gives out DHCP

/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
name=HoMeLAN
 
Jotne
Forum Guru
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Dec 09, 2018 7:44 pm

@anav

You are correct. Vlan 1 is not shown since pvid=1 is a default setting.

Look at this:
# Compact export: only values that differ from the defaults are printed, which is
# why no pvid appears on the bridge line below.
/interface bridge export
/interface bridge
add admin-mac=6C:3B:xxxxxx auto-mac=no name=Bridge1 protocol-mode=none \
    vlan-filtering=yes
And with verbose output:
# Verbose export: defaults are printed too, so the implicit pvid=1 becomes visible.
# NOTE(review): the same output shows ingress-filtering=no and frame-types=admit-all
# on the bridge interface, i.e. the defaults do not reject frames by VLAN membership
# or tagging on ingress even though vlan-filtering=yes is set.
/interface bridge export verbose
/interface bridge
add admin-mac=6C:3B:xxxxxx ageing-time=5m arp=enabled arp-timeout=auto auto-mac=\
    no dhcp-snooping=no disabled=no ether-type=0x8100 fast-forward=yes frame-types=\
    admit-all igmp-snooping=no ingress-filtering=no mtu=auto name=Bridge1 \
    protocol-mode=none pvid=1 vlan-filtering=yes
Here you see pvid=1

In Winbox and web config it's easy to see the VLAN1
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sun Dec 09, 2018 8:04 pm

Thank you for the clarification. I only wish that Mikrotik gave that configuration on their wiki, or that someone had created a decent guide covering the entire config, since the changes after 6.41 are substantial.
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 12:37 am

No luck on this one. I always cut myself out and/or lose WAN.

I even tried this tutorial: https://administrator.de/wissen/mikroti ... 67186.html

Is there any start to finish tutorial that works?
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 1:01 am

Pranja, I tried looking at your code but there are so many discrepancies that I can't understand your network.
Please post a diagram. There are conflicting settings and your masquerade rule fails to indicate the outgoing interface.
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 1:52 am

Here is (more or less) config that I ended up with. Hope it helps. I am currently double NATed until I change provided ISP modem.
# dec/13/2018 00:46:26 by RouterOS 6.43.4
# software id = S5T0-DASC
#
# model = RB4011iGS+
# serial number =
#
# Layer-2 and addressing part of the export: one bridge (bridge1), VLAN interfaces
# 1/100/110/120 on top of it, one DHCP pool and server per subnet, and the
# gateway addresses the router holds in each subnet.
#
# NOTE(review): bridge1 is created without vlan-filtering=yes. While it is off,
# the pvid / frame-types values under "/interface bridge port" and the whole
# "/interface bridge vlan" table are stored but not enforced, so the bridge
# forwards frames without applying them and VLANs 100/110/120 are not isolated
# from each other at layer 2.
/interface bridge
add fast-forward=no name=bridge1
# Port labels only; ether4, ether5, ether7 and the SFP+ port are disabled here
# but ether4/5/7 are still added to bridge1 further down.
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
set [ find default-name=ether2 ] comment="Tp-link 120"
set [ find default-name=ether3 ] comment=US-8-60W
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="Tp-Link 100"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether10 ] mac-address=B8:69:F4:92:20:15 poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# VLAN interfaces are the router's own layer-3 endpoints for each VLAN.
# vlan1 gets no address or DHCP server in this export; the 192.168.1.0/24
# address and its DHCP server sit on bridge1 itself.
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan100-lan vlan-id=100
add interface=bridge1 name=vlan110-guest vlan-id=110
add interface=bridge1 name=vlan120-labos vlan-id=120
/interface bonding
add name=bonding-CRS slaves=ether9,ether10
# The LAN/WAN lists are defined here and populated below, but no firewall rule
# in this export refers to them.
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN100-pool ranges=192.168.100.101-192.168.100.254
add name=VLAN110-pool ranges=192.168.110.101-192.168.110.254
add name=VLAN120-pool ranges=192.168.120.101-192.168.120.254
add name=VLAN1-pool ranges=192.168.1.101-192.168.1.254
# One DHCP server per subnet; the guest and lab VLANs get shorter leases (4h, 1h).
/ip dhcp-server
add address-pool=VLAN100-pool disabled=no interface=vlan100-lan lease-time=1d name=VLAN100-dhcp
add address-pool=VLAN110-pool disabled=no interface=vlan110-guest lease-time=4h name=VLAN110-dhcp
add address-pool=VLAN120-pool disabled=no interface=vlan120-labos lease-time=1h name=VLAN120-dhcp
add address-pool=VLAN1-pool disabled=no interface=bridge1 lease-time=1d name=VLAN1-dhcp
/interface bridge port
# ether3..ether8 and the bond carry no pvid here, so they presumably stay on the
# default PVID (VLAN 1) - confirm.
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# Access port: untagged frames from the "Tp-Link 100" switch are assigned to VLAN 100.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=100
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding-CRS
# Access port: untagged frames from the "Tp-link 120" switch are assigned to VLAN 120.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=120
# NOTE(review): the four entries below add VLAN interfaces that were created on
# bridge1 back into bridge1 as ports. VLAN interfaces are meant to be the
# router's L3 endpoints only; adding them as member ports is generally treated
# as a misconfiguration and should be removed before vlan-filtering is enabled.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan100-lan pvid=100
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan110-guest pvid=110
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan120-labos pvid=120
# VLAN membership table. bridge1 itself is tagged in every VLAN so the router's
# VLAN interfaces can receive the traffic.
# NOTE(review): the VLAN interfaces listed under tagged= repeat the problem
# flagged above. ether3 and ether6 appear as untagged in both VLAN 1 and
# VLAN 100, so on those ports frames of two VLANs would leave without a tag -
# confirm which VLAN each port is really meant to serve.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan1 untagged=ether3,ether4,ether5,ether6,ether7,ether8,bonding-CRS vlan-ids=1
add bridge=bridge1 tagged=bridge1,bonding-CRS,vlan110-guest vlan-ids=110
add bridge=bridge1 tagged=bridge1,vlan120-labos untagged=ether2 vlan-ids=120
add bridge=bridge1 tagged=bridge1,vlan100-lan,bonding-CRS untagged=ether6,ether3 vlan-ids=100
# Only bridge1 is in LAN; the VLAN interfaces are not, so a rule written against
# the LAN list would not match traffic arriving on vlan100-lan/vlan110-guest/vlan120-labos.
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
# Router addresses: .1 in each internal subnet, 192.168.0.2 on the uplink.
/ip address
add address=192.168.100.1/24 interface=vlan100-lan network=192.168.100.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110-guest network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120-labos network=192.168.120.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
# NOTE(review): bonding-CRS is a member port of bridge1 (see "/interface bridge
# port"); a DHCP client on a bridge member port is unusual - confirm this entry
# is intended and not a leftover.
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bonding-CRS
# Every subnet, including the guest VLAN, is handed the same two DNS resolvers
# and the router's own address as gateway.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.1.1
add address=192.168.100.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.110.1
add address=192.168.120.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.120.1
# Firewall filter section. Every rule below carries disabled=yes, so none of
# them is evaluated: the input and forward chains are effectively accept-all.
# In that state the router routes freely between the connected subnets, so the
# guest VLAN (110) can reach the other VLANs and the router's own services.
#
# NOTE(review): if the input chain were enabled exactly as written, only
# established connections, ICMP and the ether1 rule would precede the final drop.
# No rule admits new management sessions from the internal VLANs, so switching
# these rules on as they stand would lock the administrator out.
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=yes
# NOTE(review): only "established" is accepted on input; "related" is not.
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=yes
add action=accept chain=input comment="Allow ICMP" disabled=yes protocol=icmp
# NOTE(review): this matches packets arriving on the uplink (ether1) that carry
# a VLAN 100 source address. Hosts in 192.168.100.0/24 reach the router through
# vlan100-lan, not ether1, so as written the rule would only ever match
# uplink-side traffic claiming an internal source. Presumably
# in-interface=vlan100-lan was intended - confirm before enabling.
add action=accept chain=input disabled=yes in-interface=ether1 src-address=192.168.100.0/24
add action=drop chain=input comment="Drop everything else" disabled=yes
# NOTE(review): the invalid-state drop on forward is limited to protocol=tcp;
# invalid packets of other protocols would pass this rule.
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=yes protocol=tcp
add action=accept chain=forward connection-state=established disabled=yes
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=yes
# Drop forwarded traffic with source or destination in 0.0.0.0/8, 127.0.0.0/8
# or 224.0.0.0/3.
add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
# Hand the remaining forwarded traffic to per-protocol chains.
# NOTE(review): the forward chain ends after these jumps with no final drop, and
# the tcp/udp chains contain only deny rules, so anything they do not match is
# still forwarded: this is a deny-list, not a default-deny policy.
add action=jump chain=forward disabled=yes jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=yes jump-target=udp protocol=udp
add action=jump chain=forward disabled=yes jump-target=icmp protocol=icmp
# tcp chain: deny-list of individual ports.
add action=drop chain=tcp comment="deny TFTP" disabled=yes dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=yes dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=yes dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=yes dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=yes dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=yes dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=yes dst-port=20034 protocol=tcp
# NOTE(review): port 3133 looks like a truncated 31337 - confirm.
add action=drop chain=tcp comment="deny BackOriffice" disabled=yes dst-port=3133 protocol=tcp
# udp chain: the same deny-list idea for UDP.
add action=drop chain=udp comment="deny PRC portmapper" disabled=yes dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=yes dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=yes dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=yes dst-port=2049 protocol=udp
# icmp chain: accept the listed type:code pairs, drop everything else.
add action=accept chain=icmp comment="net unreachable" disabled=yes icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=yes icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" disabled=yes icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=yes icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=yes icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=yes icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=yes icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=yes
# NAT, routing and system services.
# Masquerade is scoped to the uplink (out-interface=ether1), so only traffic
# leaving through ether1 is source-NATed; traffic routed between the internal
# VLANs keeps its original source address.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# Default route via 192.168.0.1, which is on the ether1 subnet (192.168.0.0/24).
/ip route
add distance=1 gateway=192.168.0.1
# NOTE(review): SNMP is switched on and the export contains no /snmp community
# section, which suggests the community settings are still at their defaults
# (RouterOS ships a community named "public" - confirm). With every filter rule
# disabled, the agent is reachable from all VLANs, including guest, and from
# the uplink side. Restrict the community's allowed addresses or add an input
# rule before leaving this enabled.
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Zagreb
/system identity
set name="MikroTik RB4011"
/system ntp client
set enabled=yes primary-ntp=161.53.123.5 secondary-ntp=161.53.160.5
/system routerboard settings
set silent-boot=no


 
Jotne
Forum Guru
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 8:55 am

I guess this will not work.

I do not see vlan-filtering=yes on the bridge. This is needed when you run VLANs on a single bridge.
Also, you have added VLAN interfaces to /interface bridge vlan.
Only physical interfaces or the bridge itself should be listed there, not VLAN interfaces.
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 9:01 am

Vlan filtering is not stated as yes since when I do that, I cut myself out. I would not be able to copy config when it is set as yes. Lets imagine it was set as yes.

I followed guide on the link I provided, you say that guide is no good? So, beside that, should I change something else?
 
mkx
Forum Guru
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 9:04 am

VLAN interfaces (vlan1, vlan100-lan, vlan110-guest and vlan120-labos) should not be added as bridge member ports (in section /interface bridge port). Hence they should not be configured as tagged/untagged member ports in section /interface bridge vlan.

VLAN interfaces are only there to help separate VLANs for L3 (IP) use by router itself - this part seems to be right in the config.
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Thu Dec 13, 2018 9:09 am

Ok, thanks. I will try changed config when get to device.
 
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Sat Dec 15, 2018 6:10 pm

Following what mkx stated, my only comment is that without a diagram I have no idea which vlan is supposed to go over which ether port etc...........
As I stated earlier, your configuration is too hard for me to understand; find my frustrated comments below.


I will assume vlan 120 goes to tplink120
I will assume vlan100 goes to tplink 100
I will assume vlan110 is going to guests
I will assume the TP links are unmanaged switches and thus the PVID setting is for all traffic coming from the switch

I removed 4,5,7, sfp1 plus etherports from your config as they are not enabled!!
Again you have not explained what the heck ether10 is about, (i am ignoring it) as I am assuming ether1 is your internet link (or link to another router that is feeding yours).
I also removed vlan1, too confusing. Not sure what your purpose is with it.
You don't mention ether9 anywhere except suddenly bonding it with ether10, again no idea what that is all about.
You dont mention ether8 anywhere but suddenly its on a bridge port........... removed.
VLANS are not added to bridge ports (its for ports)!!

/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
set [ find default-name=ether2 ] comment="Tp-link 120" (managed switch or not)
set [ find default-name=ether3 ] comment=US-8-60W (what is this)
set [ find default-name=ether6 ] comment="Tp-Link 100" (managed switch or not)
set [ find default-name=ether10 ] mac-address=B8:69:F4:92:20:15 poe-out=off

/interface vlan
add interface=bridge1 name=vlan100-lan vlan-id=100
add interface=bridge1 name=vlan110-guest vlan-id=110 (but where does this go?)
add interface=bridge1 name=vlan120-labos vlan-id=120
/interface bonding
add name=bonding-CRS slaves=ether9,ether10
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
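# Address pools and DHCP servers: one pool/server pair per VLAN interface, plus
# one pair for the untagged base LAN served directly from bridge1.
/ip pool
add name=VLAN100-pool ranges=192.168.100.101-192.168.100.254
add name=VLAN110-pool ranges=192.168.110.101-192.168.110.254
add name=VLAN120-pool ranges=192.168.120.101-192.168.120.254
# changed your vlan1 to basically the transparent vlan1 running dhcp off the bridge
add name=bridgepool ranges=192.168.1.101-192.168.1.254
/ip dhcp-server
add address-pool=VLAN100-pool disabled=no interface=vlan100-lan lease-time=1d name=VLAN100-dhcp
add address-pool=VLAN110-pool disabled=no interface=vlan110-guest lease-time=4h name=VLAN110-dhcp
add address-pool=VLAN120-pool disabled=no interface=vlan120-labos lease-time=1h name=VLAN120-dhcp
# address-pool has to name a pool defined above; the bridge server uses
# bridgepool (the sketch referred to a "dhcp-pool" that is never created).
add address-pool=bridgepool disabled=no interface=bridge1 lease-time=1d name=bridge-dhcp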
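# Bridge member ports and VLAN membership for the two access ports.
# Only physical ports are bridge members; the VLAN interfaces stay out of both
# sections. pvid, frame-types and ingress-filtering are enforced only once
# vlan-filtering=yes is set on bridge1, which the bridge definition in this
# sketch does not do yet. Enable it last, after confirming that the port used
# for management ends up in a VLAN that can still reach the router.
/interface bridge port
# ether3 carries no pvid, so it presumably stays on the default PVID (VLAN 1) - confirm.
add bridge=bridge1 interface=ether3
# Access ports towards the TP-Link switches: untagged frames are assigned to the
# port's pvid and tagged frames are refused. The sketch left frame-types empty;
# the value is taken from the original poster's own entries for these ports.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=100 ingress-filtering=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=120 ingress-filtering=yes

# bridge1 is tagged in each VLAN so the router's vlan100-lan / vlan120-labos
# interfaces receive the traffic; the access port is the untagged member.
# Port names are ether2/ether6 and the parameter is vlan-ids.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=120
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=100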

BUT WHERE DOES YOUR GUEST VLAN COME INTO PLAY
WHAT GOES TO ETHERPORT 3 ??????

/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN

/ip address
add address=192.168.100.1/24 interface=vlan100-lan network=192.168.100.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110-guest network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120-labos network=192.168.120.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bonding-CRS
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.1.1
add address=192.168.100.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.110.1
add address=192.168.120.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.120.1

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=yes
add action=accept chain=input comment="Allow ICMP" disabled=yes protocol=icmp
add action=accept chain=input disabled=yes in-interface=ether1 src-address=192.168.100.0/24
(did you want any allow DNS rules here??)
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=yes protocol=tcp
add action=accept chain=forward connection-state=established disabled=yes
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=yes

GOT RID OF MANY RULES THAT FOR NOW ARE JUST NOISE, use address lists anyway.................
MISSING RULES
rule to allow LAN 2 WAN (bridge dhcp members)
rules to allow VLAN to WAN for all vlans
rule to allow port forwarding if applicable.
add action=drop chain=forward comment="Drop everything else" disabled=yes



/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=192.168.0.1
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Zagreb
/system identity
set name="MikroTik RB4011"
 
Pranja
just joined
Posts: 20
Joined: Mon Dec 12, 2016 10:09 am

Re: Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+

Mon Dec 17, 2018 1:34 am

Hey guys, sorry for not responding back. Well, seems that thing worked from the start and it was just me being an idiot and forcing "Safe mode" which in turn cut me from device.
I managed to configure my whole network and it's working fine. I do need to sort some things, specially CRS (which is connected via bonding interface with 4011) config. About other devices, TP-Link switches are neither managed or unmanaged (TPL calls them Easy Smart Switch/Unmanaged Pro) since they have web GUI with some features. US-8-60W is Ubiquiti switch.

Yes, I admit, my FW is a mess. It works, but I will need to sort it out.
