meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

HexS - Need help with setup an IoT VLAN

Tue Jun 01, 2021 1:21 am

I just bought a HexS and am trying to accomplish this.
What I'm trying to do is set up a VLAN and have one dedicated trunk port to go to my UniFi switch.
Also, I'm trying to get a port for VLAN only; VLAN devices should not have access to LAN resources, but LAN should have access to VLAN.
Here's what I would like to accomplish.
eth1=wan
eth2=lan
eth3=lan
port4=vlan
port5=trunk/tagged port to unifi switch (lan & vlan).

I have attached my config.
Please take a look and let me know if the config and firewall look to be OK.
# may/31/2021 13:39:26 by RouterOS 6.48.3
# software id = 5MZ7-RL5B
#
# model = RB760iGS
# serial number = E1F30D1CB7FB
/interface bridge
add admin-mac=64:D1:54:82:B5:90 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add name=dhcp_pool1 ranges=10.0.20.10-10.0.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN20 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=20
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=ether2 network=\
    192.168.4.0
add address=10.0.20.1/24 interface=VLAN20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=8.8.8.8,8.8.4.4 domain=clubamgg.com \
    gateway=10.0.20.1 netmask=24
add address=192.168.4.0/24 dns-server=192.168.4.2,192.168.4.9 domain=\
    clubamgg.com gateway=192.168.4.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=192.168.4.2,192.168.4.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.20.10-10.0.20.200 list=VLAN20
add address=192.168.4.1-192.168.4.200 list=Trusted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-address-list=VLAN20 src-address-list=\
    Trusted
add action=drop chain=forward dst-address-list=Trusted src-address-list=\
    VLAN20
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any help or link to any resources would be appreciated.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HexS - Need help with setup an IoT VLAN

Tue Jun 01, 2021 4:10 pm

Your config gets confusing as you want to mix and match items.
Suggest
a. read this vlan reference.
viewtopic.php?f=23&t=143620

b. use vlans for all lan subnets, no need to have a non-vlan subnet.
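As an added illustration of point b (not anav's or MikroTik's own config), here is what "VLANs for every LAN subnet" looks like on the poster's hEX S under RouterOS 6.48, using the poster's subnets and port plan. Assumed: VLAN 10 for the LAN, VLAN 20 for IoT (as in the post), and an interface list named IOT; the firewall is driven by interface lists rather than the address lists in the posted config, and the existing address-list rules can be removed once this is in place.

```routeros
# 1. Turn VLAN filtering off while rebuilding the bridge so a half-finished
#    VLAN table cannot lock you out; it is switched back on at the end.
/interface bridge
set bridge vlan-filtering=no

# 2. Access ports: pvid puts untagged ingress frames into that VLAN.
#    ether5 stays at pvid=1 and carries only tagged frames (the trunk).
/interface bridge port
set [find interface=ether2] pvid=10
set [find interface=ether3] pvid=10
set [find interface=ether4] pvid=20

# 3. Bridge VLAN table. "bridge" must be tagged on every VLAN so the
#    router's own /interface vlan interfaces receive the frames.
/interface bridge vlan
remove [find vlan-ids=20]
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=20

# 4. One L3 interface per VLAN. The LAN address and DHCP server move off
#    ether2/bridge (a bridge slave port does not route) onto VLAN10.
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
/ip address
remove [find interface=ether2]
add address=192.168.4.1/24 interface=VLAN10
/ip dhcp-server
set [find name=defconf] interface=VLAN10

# 5. Interface lists: a device can spoof an address-list entry by setting
#    a static IP, but it cannot change which VLAN its port belongs to.
/interface list
add name=IOT
/interface list member
add interface=VLAN10 list=LAN
add interface=VLAN20 list=IOT

# 6. Input chain: IoT devices may only DHCP to the router. DNS goes straight
#    to 8.8.8.8 as in the posted dhcp-server network, so nothing else is needed;
#    all other IoT-to-router traffic hits the defconf "drop all not coming
#    from LAN" rule, which is why VLAN20 is NOT put in the LAN list.
/ip firewall filter
add chain=input action=accept in-interface-list=IOT protocol=udp dst-port=67 \
    comment="IoT: DHCP only" place-before=[find comment~"drop all not coming"]

# 7. Forward chain: IoT may open connections to WAN only. LAN -> IoT is not
#    dropped by anything, and IoT replies ride the defconf established,related
#    accept that sits earlier in the chain.
add chain=forward action=accept in-interface-list=IOT out-interface-list=WAN \
    connection-state=new comment="IoT: internet only"
add chain=forward action=drop in-interface-list=IOT comment="IoT: drop the rest"

# 8. Only now enable VLAN filtering.
/interface bridge
set bridge vlan-filtering=yes
```

Apply it from a Winbox session reached over the WAN side or with Safe Mode on, since steps 2 through 4 briefly change the subnet the LAN ports live on.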
