ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

VLANs setup (the new way)

Tue Dec 31, 2019 5:29 pm

Hi,

Apologies for adding another VLAN post to the forums. I have read all the official pages and the great tutorials from the likes of @pcunite, but after nearly 4 solid days I am raising my hand and asking for help please and thanks :)

Equipment:
  • Mikrotik RB951G-2HnD (also have a spare unit which any suggestions can be tested on) running 6.46.1
  • HPE (Aruba) 2530 PoE+ 24 port switch
  • Ubiquiti AP
  • BT Openreach Modem for WAN connection
Objectives:
  • Logical separation of different device and user types, with suitable firewall rules
  • Majority of devices connected to HPE switch, and carried over Uplink Trunk to Mtk
  • Management VLAN (99) to be used for Mtk router, HPE switch and Ubnt AP administration and BT Openreach modem too if possible?
  • Port 1 - WAN
  • Port 2 - Unused
  • Port 3 - Corporate (for testing only)
  • Port 4 - Management (for get out of jail times)
  • Port 5 - Trunk uplink between Mtk and HPE switch, carrying all VLANs as tagged with the exception of Mgmt which would be untagged
VLANs and subnets:
  • VLAN1 - 192.168.100.0/24 Needed? e.g. for WAN?
  • VLAN10 - 10.0.10.0/24
  • VLAN20 - 10.0.20.0/24
  • VLAN30 - 10.0.30.0/24
  • VLAN50 - 10.0.50.0/24
  • VLAN99 - 192.168.99.0/24
Network diagram attached.
VLAN_Network.pdf

Config attempt based on PCUnite's example router and switch.rsc files
VLAN_Configuration.rsc
#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Ikiji Router"


#######################################
# VLAN Overview
#######################################

# 10 = Corporate
# 20 = Voice
# 30 = Family

# 50 = IoT

# 99 = Mgmt


#######################################
# Bridge
#######################################

/interface bridge 

# create one bridge, set VLAN mode off while we configure
add name=bridge protocol-mode=none vlan-filtering=no

# Make sure that PVID on the bridge interface matches the PVID value on the management ports:
set bridge pvid=99


#######################################
#
# -- Access Ports --
#
#######################################

#
# Most of the Access Ports will be defined on the HP Switch
#

# ingress behaviour
/interface bridge port

# Default 
add bridge=bridge interface=ether2

# Corporate VLAN
add bridge=bridge interface=ether3 pvid=10

# Mgmt VLAN
add bridge=bridge interface=ether4 pvid=99

# egress behaviour
/interface bridge vlan

# Corporate and Mgmt VLAN Untagged Ports (for debugging)
add bridge=bridge untagged=ether3 vlan-ids=10
add bridge=bridge untagged=ether4 vlan-ids=99



#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behaviour
/interface bridge port

# Main Trunk. pvid set to mgmt default of 99 
add bridge=bridge interface=ether5 pvid=99

# egress behaviour
/interface bridge vlan

# Main Trunk. These need IP Services (L3), so add Bridge as member
set bridge=bridge tagged=bridge,ether5 [find vlan-ids=10]
add bridge=bridge tagged=bridge,ether5 [find vlan-ids=20]
add bridge=bridge tagged=bridge,ether5 [find vlan-ids=30]
add bridge=bridge tagged=bridge,ether5 [find vlan-ids=50]
set bridge=bridge untagged=ether5 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the Mgmt_VLAN
/interface vlan add interface=bridge name=Mgmt_VLAN vlan-id=99
/ip address add interface=Mgmt_VLAN address=192.168.99.1/24 

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="1.1.1.1"

# WAN facing port with IP Address provided by ISP
#/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0

# router's gateway provided by ISP
#/ip route add distance=1 gateway=b.b.b.b


#######################################
# IP Services
#######################################

# Corporate VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=Corporate_VLAN vlan-id=10
/ip address add interface=Corporate_VLAN address=10.0.10.1/24
/ip pool add name=Corporate_POOL ranges=10.0.10.11-10.0.10.250
/ip dhcp-server add address-pool=Corporate_POOL interface=Corporate_VLAN name=Corporate_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1

# Voice VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=Voice_VLAN vlan-id=20
/ip address add interface=Voice_VLAN address=10.0.20.1/24
/ip pool add name=Voice_POOL ranges=10.0.20.11-10.0.20.250
/ip dhcp-server add address-pool=Voice_POOL interface=Voice_VLAN name=Voice_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1

# Family VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=Family_VLAN vlan-id=30
/ip address add interface=Family_VLAN address=10.0.30.1/24
/ip pool add name=Family_POOL ranges=10.0.30.11-10.0.30.250
/ip dhcp-server add address-pool=Family_POOL interface=Family_VLAN name=Family_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1

# IoT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=IoT_VLAN vlan-id=50
/ip address add interface=IoT_VLAN address=10.0.50.1/24
/ip pool add name=IoT_POOL ranges=10.0.50.11-10.0.50.250
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1

# Create a DHCP instance for Mgmt_VLAN. Convenience feature for an admin.
/ip pool add name=Mgmt_POOL ranges=192.168.99.11-192.168.99.250
/ip dhcp-server add address-pool=Mgmt_POOL interface=Mgmt_VLAN name=Mgmt_DHCP disabled=no
/ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMT

/interface list member
add interface=ether1            list=WAN
add interface=Mgmt_VLAN         list=VLAN
add interface=Corporate_VLAN    list=VLAN
add interface=Voice_VLAN        list=VLAN
add interface=Family_VLAN       list=VLAN
add interface=IoT_VLAN          list=VLAN
add interface=Mgmt_VLAN         list=MGMT

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow Mgmt_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=Mgmt_VLAN comment="Allow Mgmt_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

# Only allow ingress packets WITH tags on Trunk Ports
set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from Mgmt_VLAN
/interface list add name=Mgmt
/interface list member add interface=Mgmt_VLAN list=Mgmt
/ip neighbor discovery-settings set discover-interface-list=Mgmt
/tool mac-server mac-winbox set allowed-interface-list=Mgmt
/tool mac-server set allowed-interface-list=Mgmt


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge vlan-filtering=yes
* I should also mention that when using the examples, and splitting out the code for Access vs Trunk ports, that I had to change "add" to "set" for some lines, otherwise the router would error due to the VLAN already having been created and me trying to change further settings.

Export from the router to compare against the initial config file:
VLAN_Test_Config.rsc
For now, I seem to get an IP on port 3 on the 10.0.10.0/24 range but on ports 4 and 5, the NIC just sits at "Identifying", where I'd have expected a Mgmt IP to have been given.
If I set the VLAN on my PC's NIC to VLAN10, and connect to port 5 then it also works just like port 3.

However, if I set the NIC to VLAN20, 30 or 50 then it does not get an IP :shock:

On the Mtk Management Access Config page, I read:
Make sure that PVID on the bridge interface matches the PVID value on these ports:

/interface bridge set bridge1 pvid=1
/interface bridge port set ether3,ether4 pvid=1
So in my case, I set both to pvid=99 to no avail.

I'm sure I've done something silly but cannot see the wood for the trees.

Any help/guidance would be much appreciated.

Many thanks, and a Happy New Year in advance.

Neil
Last edited by ikiji on Tue Dec 31, 2019 6:30 pm, edited 2 times in total.
 
Zacharias
Forum Guru
Posts: 1386
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLANs setup (the new way)

Tue Dec 31, 2019 5:35 pm

Before reading all the post, the @pcunite's guide of VLANs, which is a nice one by the way, talks about a Mikrotik Router and a Mikrotik Switch, at least for your case...
Your Switch is an Aruba, so this has to do with the way VLANs are configured on an Aruba switch... am I right?
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Tue Dec 31, 2019 5:46 pm

Hi Zacharias,

Thanks for the prompt reply ... the Aruba is doing the majority of the switching but for testing out the basics I am not even using the Aruba and connecting to ports 3 and 4 via untagged VLANs to try out the basics.

Might be best explained via the drawing/PDF I attached above?

Many thanks
 
mkx
Forum Guru
Posts: 3622
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs setup (the new way)

Tue Dec 31, 2019 6:02 pm

The .rsc file you posted is config you're applying to the unit? But what does it end up as? Do /export file=actual-config.rsc and post the file. I suspect that there are a few commands that cancel effect of previous commands and that the end config is not exactly what one might expect ...

One example:
/interface bridge vlan
add bridge=bridge untagged=ether4 vlan-ids=99
# later on
set bridge=bridge untagged=ether5 vlan-ids=99
The last command removes ether4 as untagged member of VLAN with ID=99 ... because the object here is "bridge=bridge vlan-ids=99" which gets created by the second line (with property "untagged=ether4"). The last line changes the property of existing object to "untagged=ether5" ...

There are other similar gotchas ... and reading and studying the resulting configuration might reveal similar problems.
BR,
Metod
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Tue Dec 31, 2019 6:28 pm

Hi Mkx,

Thanks, and good point about the "unsetting" of certain settings.

Sorry, my post's attachments were possibly not clearly labelled ...
  • VLAN_Configuration.rsc - commands applied via Terminal
  • VLAN_Test_Config.rsc - this is the export of what was actually applied
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Fri Jan 03, 2020 6:03 pm

Happy New Year all!

Any thoughts on where I've gone wrong?

Much appreciated.
 
pcunite
Forum Guru
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: VLANs setup (the new way)

Fri Jan 03, 2020 6:43 pm

Beautiful diagram. I love to see nicely put together information.

I am grateful to mkx, sindy, and others for helping me to create the article. I'm not good at editing configurations, and I'm in a rush at the moment, so they'll have to chime in on this one. Something that caught my eye is that your first line has:

/interface bridge
add name=bridge protocol-mode=none pvid=99 vlan-filtering=yes

I don't think you should be setting a pvid on the bridge itself unless that is your intention. Also, don't name the bridge simply bridge. Name it BR1 or Bridge1, something unique so that we can scan the rsc files easier. Lastly, I would reset the MikroTik, memorize the article and then start over. : - )
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Fri Jan 03, 2020 8:02 pm

Hi pcunite,

Thanks for the reply, I took the "bridge PVID" part from https://wiki.mikrotik.com/wiki/Manual:I ... figuration
In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired

To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.
/ip address
add address=192.168.88.1/24 interface=bridge1
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports ether3, ether4 add this entry to the VLAN table:
/interface bridge vlan
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1
Make sure that PVID on the bridge interface matches the PVID value on these ports:
/interface bridge set bridge1 pvid=1
/interface bridge port set ether3,ether4 pvid=1
After that you can enable VLAN filtering:
/interface bridge set bridge1 vlan-filtering=yes
Each time, I've wiped and then re-run config to ensure I'm working from a clean slate.

I'll try again but tbh, not really sure now on where I've gone wrong :(

Thanks
Neil
 
pcunite
Forum Guru
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: VLANs setup (the new way)

Fri Jan 03, 2020 10:20 pm

Thanks for the reply, I took the "bridge PVID" part from here.

And the wiki is also extremely confusing. If you look closely they are showing you multiple ways to setup management access. You don't truly want to connect to the switch with untagged traffic, do you? In the article you will see that we always leave the bridge pvid itself at the default of 1. If you change this, then untagged traffic, by default, becomes 99. Others can explain it better.
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Sat Jan 04, 2020 2:22 am

For the purposes of hooking up a PC on port 4 when needed for management, yes I'd thought leaving it as untagged on VLAN 99 as no-one else will have physical access to this and it was purely a quick way should I be locked out. I can of course tag my NIC to VLAN 99 so not an issue if it's a tagged port instead.
 
pcunite
Forum Guru
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: VLANs setup (the new way)

Sat Jan 04, 2020 3:18 am

For the purposes of hooking up a PC on port 4 when needed for management, yes I'd thought leaving it as untagged on VLAN 99 as no-one else will have physical access to this and it was purely a quick way should I be locked out.

Just make ether4 an Access port for VLAN 99.
 
mkx
Forum Guru
Posts: 3622
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs setup (the new way)

Sat Jan 04, 2020 10:42 am

For the purposes of hooking up a PC on port 4 when needed for management, yes I'd thought leaving it as untagged on VLAN 99 as no-one else will have physical access to this and it was purely a quick way should I be locked out.

Just make ether4 an Access port for VLAN 99.
... which means setting "pvid=99" should go to ether4 not bridge.
BR,
Metod
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Sat Jan 04, 2020 11:35 am

Thanks both,

OK shall try just as an access port ... you're not wrong that the Wiki is confusing ;)
 
anav
Forum Guru
Posts: 3187
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs setup (the new way)

Sat Jan 04, 2020 4:28 pm

Stick with PCUnite's examples. They will not steer you wrong.
Post your latest config so that we can assist, once you have run away from the wiki LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Fri Jan 10, 2020 7:55 pm

Hi guys,

Really sorry for the delay, but getting somewhere .. however, the annoying thing for me is I don't understand fully the "why".

Working setup - Commands applied (no errors on terminal)
#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Ikiji Router"


#######################################
# VLAN Overview
#######################################

# 10 = Corporate
# 20 = Voice
# 30 = Family

# 50 = IoT

# 99 = Mgmt


#######################################
# Bridge
#######################################

/interface bridge 

# create one bridge, set VLAN mode off while we configure
add name=bridge1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- VLAN Ports --
#
#######################################

#
# Most of the Access Ports will be defined on the HP Switch
#

#
# ingress behaviour
#
/interface bridge port

# Port 2 - Unused - No DHCP setup for default VLAN1
# Port 3 - Access on VLAN10 - Corporate
# Port 4 - Access on VLAN99 - Mgmt
# Port 5 - Trunk port, leave default PVID which is 1 (implicit)

add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=99
add bridge=bridge1 interface=ether5

#
# egress behaviour
#
/interface bridge vlan

# Port 2 - Unused
# Port 3 - Untagged (access) on VLAN10 - Corporate
# Port 4 - Untagged (access) on VLAN99 - Mgmt
# Port 5 - Tagged (trunk) carrying VLAN10, 20, 30, 50 & 99

add bridge=bridge1 untagged=ether3 tagged=bridge1,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=50
add bridge=bridge1 untagged=ether4 tagged=bridge1,ether5 vlan-ids=99



#######################################
# IP Addressing & Routing
#######################################

#
# WILL SETUP LATER
#
# LAN facing router's IP address on the Mgmt_VLAN
/interface vlan add interface=bridge1 name=Mgmt_VLAN vlan-id=99
/ip address add interface=Mgmt_VLAN address=192.168.99.1/24 

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="1.1.1.1"

# WAN facing port with IP Address provided by ISP
#/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0

# router's gateway provided by ISP
#/ip route add distance=1 gateway=b.b.b.b


#######################################
# IP Services
#######################################

# Corporate VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=Corporate_VLAN vlan-id=10
/ip address add interface=Corporate_VLAN address=10.0.10.1/24
/ip pool add name=Corporate_POOL ranges=10.0.10.11-10.0.10.250
/ip dhcp-server add address-pool=Corporate_POOL interface=Corporate_VLAN name=Corporate_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1

# Voice VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=Voice_VLAN vlan-id=20
/ip address add interface=Voice_VLAN address=10.0.20.1/24
/ip pool add name=Voice_POOL ranges=10.0.20.11-10.0.20.250
/ip dhcp-server add address-pool=Voice_POOL interface=Voice_VLAN name=Voice_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1

# Family VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=Family_VLAN vlan-id=30
/ip address add interface=Family_VLAN address=10.0.30.1/24
/ip pool add name=Family_POOL ranges=10.0.30.11-10.0.30.250
/ip dhcp-server add address-pool=Family_POOL interface=Family_VLAN name=Family_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1

# IoT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=IoT_VLAN vlan-id=50
/ip address add interface=IoT_VLAN address=10.0.50.1/24
/ip pool add name=IoT_POOL ranges=10.0.50.11-10.0.50.250
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1

# Create a DHCP instance for Mgmt_VLAN. Convenience feature for an admin.
/ip pool add name=Mgmt_POOL ranges=192.168.99.11-192.168.99.250
/ip dhcp-server add address-pool=Mgmt_POOL interface=Mgmt_VLAN name=Mgmt_DHCP disabled=no
/ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMT

/interface list member
add interface=ether1            list=WAN
add interface=Mgmt_VLAN         list=VLAN
add interface=Corporate_VLAN    list=VLAN
add interface=Voice_VLAN        list=VLAN
add interface=Family_VLAN       list=VLAN
add interface=IoT_VLAN          list=VLAN
add interface=Mgmt_VLAN         list=MGMT

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow Mgmt_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=Mgmt_VLAN comment="Allow Mgmt_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

# Only allow ingress packets WITH tags on Trunk Ports
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from Mgmt_VLAN
/interface list add name=Mgmt
/interface list member add interface=Mgmt_VLAN list=Mgmt
/ip neighbor discovery-settings set discover-interface-list=Mgmt
/tool mac-server mac-winbox set allowed-interface-list=Mgmt
/tool mac-server set allowed-interface-list=Mgmt


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge1 vlan-filtering=yes

If I take the premise that I want port 3 to be an access port on VLAN10, then my assumption was that I could do:
add bridge=bridge1 untagged=ether3 vlan-ids=10
but then I get no IP, and need to add "tagged=bridge1" to get things working.

I had thought that was only required for Trunk ports but I've obviously misunderstood something or have it working more by luck than good design?

Export config to validate against above code
VLAN_working_export.rsc
Thanks
Neil
 
mkx
Forum Guru
Posts: 3622
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs setup (the new way)

Fri Jan 10, 2020 8:54 pm

I had thought that was only required for Trunk ports but I've obviously misunderstood something or have it working more by luck than good design?
Adding bridge as tagged port has nothing to do with "trunk" status of ports members of bridge (neither tagged nor untagged). With untagged port, packets ingressing through such port get tagged and are henceforth tagged on bridge.

Here's the story: bridge has two personalities:
  1. something like managed switch ... takes care of forwarding packets between member ports
  2. interface, which allows ROS (the L3 - IP - part of it) to interact with devices connected to bridge ports

The personality #2 gets automatically created when bridge is created and gets some basic default configuration (e.g. pvid=1). But most of config has to be added by hand.

It is quite easy to distinguish when each personality is used: whenever config line contains interface=<bridge name> it's about interface ... in other cases it's about switch-like personality. If config line refers to both bridge=<bridge name> and interface=<bridge name>, it's again about interface.

Knowing the above: DHCP server (and IP address) is bound to vlan interface, which in turn is anchored on bridge interface, but bridge interface has to be tagged member of VLAN or else vlan interface doesn't see packets.
Also: if ROS device only acts as a switch for certain VLAN (e.g. for voice VLAN, where PBX communicates to other PBXes via other means of connectivity and ROS device only switches packets between phones and PBX without providing any higher level service, such as DHCP service or routing), then ROS CPU doesn't need any access to that VLAN and bridge interface doesn't have to be VLAN member port (neither tagged nor untagged).

Another source of confusion is nature of vlan interfaces ... these are kind of pipes with tagged and untagged end. The tagged end is anchored on a trunk interface, untagged end is then used for untagged operations (e.g. IP connectivity). Such vlan interface accepts packets tagged with correct VLAN ID on the tagged side, strips VLAN tag and delivers it on untagged end. Similarly it accepts packet on untagged side, adds VLAN tag and delivers it on tagged end.
Just because there's vlan interface anchored to bridge it doesn't make bridge get access to that VLAN! One has to do that explicitly.
BR,
Metod
 
mducharme
Trainer
Posts: 890
Joined: Tue Jul 19, 2016 6:45 pm

Re: VLANs setup (the new way)

Fri Jan 10, 2020 9:09 pm

I would actually discourage setting "untagged=etherx" for any /interface bridge vlan - leave it unset, and set the correct PVID for the etherx port in /interface bridge port and that etherx port will also be added dynamically as an untagged port for that /interface bridge vlan without you needing to set it manually.

This helps to prevent errors if you ever want to change what VLAN the port is untagged for, so that you can change it in a single place instead of two.
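Added example, not code from the thread or from MikroTik: a small Python audit over a RouterOS-style export that applies mkx's rule (a vlan interface anchored on the bridge only carries traffic when the bridge itself is a tagged member of that VLAN) and mducharme's rule (the port PVID already makes the port a dynamic untagged member, so an explicit untagged= on the same VLAN is a second place to keep in sync, and untagged= on a different VLAN is extra untagged egress that should be deliberate). The sample export is constructed from the thread's working config with VLAN 10 written the way the OP first tried it; the section and property names are the ones on the page, the finding codes are my own.

```python
import shlex

# Constructed sample in the shape of the thread's working config. VLAN 10 is
# written as the OP first assumed (untagged=ether3, no tagged=bridge1).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge1 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=50
add bridge=bridge1 untagged=ether4 tagged=bridge1,ether5 vlan-ids=99
/interface vlan
add interface=bridge1 name=Corporate_VLAN vlan-id=10
add interface=bridge1 name=Voice_VLAN vlan-id=20
add interface=bridge1 name=Mgmt_VLAN vlan-id=99
"""

SECTIONS = ("/interface bridge port", "/interface bridge vlan", "/interface vlan")


def parse_export(text):
    """Return {section: [{property: value}, ...]} for the 'add' lines of the
    three sections above. Accepts export style (section header, then 'add'
    lines) and the one-line '/interface vlan add ...' style used in the
    thread. Other sections and 'set' lines are ignored."""
    cfg = {s: [] for s in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = next((s for s in SECTIONS if line == s or line.startswith(s + " ")), None)
            if current is None:
                continue
            line = line[len(current):].strip()
            if not line:
                continue
        if current is None or not line.startswith("add "):
            continue
        props = {}
        for tok in shlex.split(line[4:]):
            tok = tok.strip("[]")  # tolerate "[find vlan-ids=10]" as seen in the thread
            if "=" in tok:
                key, value = tok.split("=", 1)
                props[key] = value
        cfg[current].append(props)
    return cfg


def _members(entry, key):
    return [m for m in entry.get(key, "").split(",") if m]


def audit(text, bridge="bridge1"):
    """Apply the thread's rules; returns a list of (code, vlan_id, subject, message)."""
    cfg = parse_export(text)
    ports = {p["interface"]: p for p in cfg["/interface bridge port"] if "interface" in p}
    vlans = {}
    for entry in cfg["/interface bridge vlan"]:
        for vid in _members(entry, "vlan-ids"):
            vlans[int(vid)] = entry
    findings = []
    # Rule 1 (mkx): the L3 vlan interface rides on the bridge interface, and the
    # bridge interface only receives frames of a VLAN it is a tagged member of.
    for v in cfg["/interface vlan"]:
        if v.get("interface") != bridge or "vlan-id" not in v:
            continue
        vid, name = int(v["vlan-id"]), v.get("name", "?")
        entry = vlans.get(vid)
        if entry is None or bridge not in _members(entry, "tagged"):
            findings.append(("no-bridge-tag", vid, name,
                             f"{name} rides on {bridge}, but {bridge} is not a tagged member of "
                             f"vlan-ids={vid}: DHCP and IP on this VLAN will see no traffic"))
    # Rule 2 (mducharme): PVID already adds the port as a dynamic untagged member.
    # Rule 3: a port admitting only tagged frames drops untagged ingress anyway.
    for vid, entry in vlans.items():
        for port in _members(entry, "untagged"):
            pconf = ports.get(port, {})
            pvid = int(pconf.get("pvid", 1))
            if pvid == vid:
                findings.append(("redundant-untagged", vid, port,
                                 f"{port} has pvid={vid}; untagged={port} on vlan-ids={vid} duplicates it"))
            else:
                findings.append(("extra-untagged-egress", vid, port,
                                 f"{port} egresses VLAN {vid} untagged on top of PVID {pvid}; "
                                 f"untagged ingress still lands in VLAN {pvid}"))
            if pconf.get("frame-types") == "admit-only-vlan-tagged":
                findings.append(("untagged-on-tagged-only-port", vid, port,
                                 f"{port} admits only tagged frames yet is untagged in VLAN {vid}"))
    return findings


if __name__ == "__main__":
    for code, vid, subject, msg in audit(SAMPLE_EXPORT):
        print(f"[{code}] vlan {vid} {subject}: {msg}")
```

Run it against `/export` output (or the thread's own snippets) with the bridge name as the second argument; the first finding it reports on the sample is exactly the "no IP on VLAN 10" symptom from the OP's post.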
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Sat Jan 11, 2020 11:24 am

Guys,

Thank you, appreciate everyone's help and I've still a LOT to learn about Mtk's!!

@mkx - very thorough explanation, and I'd read you mentioned split personality for the bridge before but didn't quite know what you meant.

@mducharme - so you're suggesting:

Old way
/interface bridge port

# Port 2 - Unused - No DHCP setup for default VLAN1
# Port 3 - Access on VLAN10 - Corporate
# Port 4 - Access on VLAN99 - Mgmt
# Port 5 - Trunk port, leave default PVID which is 1 (implicit)

add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=99
add bridge=bridge1 interface=ether5

#
# egress behaviour
#
/interface bridge vlan

# Port 2 - Unused
# Port 3 - Untagged (access) on VLAN10 - Corporate
# Port 4 - Untagged (access) on VLAN99 - Mgmt
# Port 5 - Tagged (trunk) carrying VLAN10, 20, 30, 50 & 99

add bridge=bridge1 untagged=ether3 tagged=bridge1,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=50
add bridge=bridge1 untagged=ether4 tagged=bridge1,ether5 vlan-ids=99



Better way for access ports is to only set via /interface bridge port
/interface bridge port

# Port 2 - Unused - No DHCP setup for default VLAN1
# Port 3 - Access on VLAN10 - Corporate
# Port 4 - Access on VLAN99 - Mgmt
# Port 5 - Trunk port, leave default PVID which is 1 (implicit)

add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=99
add bridge=bridge1 interface=ether5

#
# egress behaviour
#
/interface bridge vlan

# Port 2 - Unused
# Port 3 - Untagged (access) on VLAN10 - Corporate
# Port 4 - Untagged (access) on VLAN99 - Mgmt
# Port 5 - Tagged (trunk) carrying VLAN10, 20, 30, 50 & 99

add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=50
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=99

I had picked up the untagged= in regards to setting the egress VLAN for access ports when reading the various posts/tutorials hence why I'd explicitly defined.

I'm sure I'll be around to ask more Mtk NOOB questions.

Thanks all!
 
sid5632
Member
Posts: 375
Joined: Fri Feb 17, 2017 6:05 pm

Re: VLANs setup (the new way)

Sat Jan 11, 2020 6:33 pm

I would actually discourage setting "untagged=etherx" for any /interface bridge vlan - leave it unset, and set the correct PVID for the etherx port in /interface bridge port and that etherx port will also be added dynamically as an untagged port for that /interface bridge vlan without you needing to set it manually.

This helps to prevent errors if you ever want to change what VLAN the port is untagged for, so that you can change it in a single place instead of two.
I whole-heartedly agree with this, as I found and did exactly the same a few weeks ago.
 
mducharme
Trainer
Posts: 890
Joined: Tue Jul 19, 2016 6:45 pm

Re: VLANs setup (the new way)

Mon Jan 13, 2020 8:50 pm

@mducharme - so you're suggesting:
<removed>
I had picked up the untagged= in regards to setting the egress VLAN for access ports when reading the various posts/tutorials hence why I'd explicitly defined.
Yes, the new config is exactly what I am suggesting. IMO, the only place you would want to set untagged is if you want a port to be untagged on multiple VLANs simultaneously, which only works on egress. So (making up some vlans here) if you have port ether4 and PVID is set to 4, you can set untagged=ether4 on VLAN 5 and then whatever is connected to ether4 will receive frames from both VLAN 4 and VLAN 5 untagged, but any untagged frames that the device sends out will end up getting tagged VLAN4 because of the PVID setting. This is the only time that it is justified to set untagged= manually.
Last edited by mducharme on Tue Jan 14, 2020 6:53 am, edited 1 time in total.
 
ikiji
just joined
Topic Author
Posts: 12
Joined: Tue Aug 13, 2019 9:59 pm

Re: VLANs setup (the new way)

Mon Jan 13, 2020 10:30 pm

Many thanks
