 
jithinsarath
just joined
Topic Author
Posts: 5
Joined: Fri Jun 04, 2021 10:34 pm
Location: Kerala, India

Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Sun Jun 06, 2021 9:10 pm

I spent the weekend trying to complete a project I wasn't able to get to in ages. I wanted to segment my home network into four VLANs, and also serve all of that through my Ubiquiti UniFi APs. I also have a TP-Link smart switch between the router and the APs. Here is a high-level view of my network:
home_nw_view.jpg
While I know basics of networking due to my work, I am in no way an expert. But I do know how to google and read docs. I read the almanac thread viewtopic.php?f=23&t=143620 at least five times before things started making sense. I tried thrice and it broke everything. Turns out that the configuration was complicated due to TPLink and Ubiquiti present in the mix.

The UniFi access point (AP) tags packets when they go out from WLAN to wire. When tagged traffic comes in from the wire, it will untag it and forward it to WLAN.
So the packets arrive at the switch as tagged. This was my first clue :) ports 1 (to router), 2 & 3 (to APs) needed to be trunks.

On the switch, if you're connecting a device that recognizes VLANs (VoIP device etc.), that port should be marked tagged; if not, untagged.

Ubiquiti
Define Networks in Unifi Controller, mapping each VLAN to a network
unifi_networks.jpg
Define SSIDs in the UniFi Controller and tie each to the VLANs created above (ignore the subnets in this pic, they are of no significance; the VLAN is what matters. UniFi has a single-page config 🤷‍♂️)
unifi_wireless_config.jpg
Set each AP's Management VLAN to BASE
unifi_mgt_config.jpg
TP Link
Enable 802.1Q VLAN (this is disabled by default). Enable, refresh and move to next step
Map ports based on the network diagram
tplink.jpg
Set IP of the switch to an available one in the BASE VLAN (after this you will lose connectivity to switch until you complete steps below)

Mikrotik
Reset configuration
Connect PC to eth5 (I leveraged the default config to avoid being kicked out by misconfiguration)
Do all config (export below)

As you progress through the MikroTik changes, you should be able to see addresses showing up in ARP. I hope this helps someone, and I'd be glad to answer questions where I can.

If someone could take a look at the firewall piece, I'd be grateful :D

# jun/06/2021 23:01:11 by RouterOS 6.48.3
# model = RB750Gr3

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge add admin-mac=74:4D:28:A5:82:29 auto-mac=no name=br0

/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=40
/interface vlan add interface=BR1 name=BLUE_HOME_VLAN vlan-id=10
/interface vlan add interface=BR1 name=GREEN_WORK_VLAN vlan-id=20
/interface vlan add interface=BR1 name=RED_IOT_VLAN vlan-id=30

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list add name=INSIDE_NETWORK
/interface list add name=IOT
/interface list add name=HOME
/interface list add name=WORK

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=BLUE_HOME_POOL ranges=192.168.10.2-192.168.10.254
/ip pool add name=GREEN_WORK_POOL ranges=192.168.20.2-192.168.20.254
/ip pool add name=RED_IOT_POOL ranges=192.168.30.2-192.168.30.254
/ip pool add name=BASE_POOL ranges=10.40.40.10-10.40.40.254

/ip dhcp-server add address-pool=default-dhcp disabled=no interface=br0 name=defconf
/ip dhcp-server add address-pool=BLUE_HOME_POOL disabled=no interface=BLUE_HOME_VLAN name=BLUE_DHCP
/ip dhcp-server add address-pool=GREEN_WORK_POOL disabled=no interface=GREEN_WORK_VLAN name=GREEN_DHCP
/ip dhcp-server add address-pool=RED_IOT_POOL disabled=no interface=RED_IOT_VLAN name=RED_DHCP
/ip dhcp-server add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP

/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
/interface bridge port add bridge=br0 comment=defconf interface=ether5

/ip neighbor discovery-settings set discover-interface-list=BASE

/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=10
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=30
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=40

/interface list member add interface=br0 list=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=ether2 list=WAN
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=BLUE_HOME_VLAN list=VLAN
/interface list member add interface=GREEN_WORK_VLAN list=VLAN
/interface list member add interface=RED_IOT_VLAN list=VLAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=GREEN_WORK_VLAN list=WORK
/interface list member add interface=BLUE_HOME_VLAN list=HOME
/interface list member add interface=RED_IOT_VLAN list=IOT
/interface list member add interface=BASE_VLAN list=INSIDE_NETWORK
/interface list member add interface=BLUE_HOME_VLAN list=INSIDE_NETWORK
/interface list member add interface=GREEN_WORK_VLAN list=INSIDE_NETWORK
/interface list member add interface=RED_IOT_VLAN list=INSIDE_NETWORK
/interface list member add interface=br0 list=INSIDE_NETWORK

/ip address add address=192.168.88.1/24 comment=defconf interface=br0 network=192.168.88.0
/ip address add address=10.40.40.1/24 interface=BASE_VLAN network=10.40.40.0
/ip address add address=192.168.10.1/24 interface=BLUE_HOME_VLAN network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=GREEN_WORK_VLAN network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=RED_IOT_VLAN network=192.168.30.0

/ip dhcp-client add comment=defconf disabled=no interface=ether1
/ip dhcp-client add disabled=no interface=ether2

/ip dhcp-server network add address=10.40.40.0/24 gateway=10.40.40.1
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns static add address=192.168.88.1 comment=defconf name=router.lan

# The idea here was to allow everyone access to WAN, Restrict IOT to WAN, WORK to WAN, stop everyone except BASE from connecting to WORK.
# In near future, I'd like to setup a PiHole and allow traffic from all INSIDE_NETWORK to that IP on UDP:53

/ip firewall filter add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp
/ip firewall filter add action=fasttrack-connection chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
/ip firewall filter add action=drop chain=input comment="Drop everything else"

/ip firewall filter add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="Allow ICMP" protocol=icmp
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="allow connections from everything inside to WAN" in-interface-list=INSIDE_NETWORK out-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="drop connections from IOT to anywhere else" in-interface-list=IOT
/ip firewall filter add action=drop chain=forward comment="drop connections from WORK to anywhere else" in-interface-list=WORK
/ip firewall filter add action=drop chain=forward comment="drop connections from HOME to work" in-interface-list=HOME out-interface-list=WORK
/ip firewall filter add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="drop everything else"

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

#Dual WAN failover, eth0 is primary ISP.
/ip route add check-gateway=ping distance=1 gateway=10.20.30.1
/ip route add check-gateway=ping distance=1 gateway=8.8.8.8
/ip route add distance=2 gateway=10.20.31.1
/ip route add check-gateway=ping distance=2 gateway=8.8.4.4
/ip route add distance=1 dst-address=8.8.4.4/32 gateway=10.20.31.1 scope=10
/ip route add distance=1 dst-address=8.8.8.8/32 gateway=10.20.30.1 scope=10

/system clock set time-zone-name=Asia/Kolkata
/tool mac-server set allowed-interface-list=INSIDE_NETWORK
/tool mac-server mac-winbox set allowed-interface-list=INSIDE_NETWORK
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 07, 2021 1:56 pm

I have something similar except not UNIFI products.
The key is to have a trusted LAN or a management LAN, and in either case all your smart devices get assigned an IP address from that VLAN.

TP-Link is straightforward.
VLAN 1 is the default VLAN for every interface and is only removed if the PVID of the TP-Link port needs to be set to something different (aka untagged to a dumb device).
The rest of the ports are trunk ports and can carry multiple VLANs.

hEX is straightforward.
VLAN 1 is the default VLAN for the bridge where you have ports 3 and 4. I like that you have port 5 off the bridge, so that you can access the hEX in case the bridge goes nuts........


The tricky part in the config is that the UniFi are weird beasts; at least some models expect the management VLAN to come to them UNTAGGED and the rest of the VLANs tagged.
For example, if you use a home trusted VLAN for management it needs to reach the UniFi untagged (it can still be used for wifi (assigned to a WLAN) along with the other tagged VLANs).

In your case I'm going to assume VLAN 40 is your base VLAN.
The one thing you need is access in the forward chain from, for example, your PC to all VLANs. Will look at that once I look at your config.

So as stated, now it becomes: well, how the effff do I do hybrid VLANs on the TP-Link? I can do it on the hEX but TP-Link doesn't explain it.
Will check out my Jetstream in this regard. My guess is that you will simply have to set the PVID of the port to the UniFi as the base VLAN, and simply tag all other VLANs as a trunk to it.
The UniFi should then get an IP from the base VLAN.

PS Nice helpful diagram
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 07, 2021 2:04 pm

Config comments:

(1) get rid of two bridges ONLY NEED ONE!!
all you need to do is assign the subnet to ether5, no need of bridge and same for address.
Remove from Bridge setup!!!

(2) Since ether ports 3,4 are identical change this
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=10
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=30
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=40


TO this
/interface bridge vlan add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=10,20,30,40


(3) I think you have overcomplicated your interface list setup, unless I am missing something you only need WAN, LAN, BASE but will see when I get to firewall rules :-)

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=BASE

/interface list member add interface=ether5 list=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=ether2 list=WAN
/interface list member add interface=BASE_VLAN list=LAN
/interface list member add interface=BLUE_HOME_VLAN list=LAN
/interface list member add interface=GREEN_WORK_VLAN list=LAN
/interface list member add interface=RED_IOT_VLAN list=LAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=ether5 list=BASE


(4) As for firewall rules quite easy to get what you need...... ( note the changes, as some things were not in the right order or were extra or duplicates)

/ip firewall filter {input chain}
add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface-list=BASE source-address-list=????
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop everything else"

/ip firewall filter {forward chain}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=forward comment="allow connections from everything inside to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow BASE to Work" in-interface-list=BASE out-interface=GREEN_WORK_VLAN
add action=drop chain=forward comment="drop everything else"

The source address on your input chain is optional to further limit access to the router by IP addresses.
add a firewall address list, give it a name and add your desktop PC, laptop, ipad, smartphone static IPs to the list................ but not necessary.
 
jithinsarath
just joined
Topic Author
Posts: 5
Joined: Fri Jun 04, 2021 10:34 pm
Location: Kerala, India

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 07, 2021 11:23 pm

Thank you, @anav. almost all of your observations are spot on.

Right now, my hEX, TP-Link and Unifi combination is working. Unifi needed everything to be tagged, including the management VLAN and then it worked fine.
TP-Link has VLAN 1 as default on all ports and the tagged / untagged combination as I had in my screenshot earlier. Now that I read your comment, I wasn't getting an IP on a dumb device I plugged into one of the access ports on the switch, and I think I will need to change the PVID of that port to match the expected VLAN ID.

Your firewall suggestions are neat - would you care to point out where was I wrong in ordering them logically?

I went overboard with the interface lists thinking of how I want to expand in the future. I have a few devices in the n/w that I need access from WORK and some that I need to restrict etc. But nevertheless, I think it can be simpler than what I have now. 😊 I am now building a device map of the network and then make a firewall rule table (something that I am used to at work 🤷‍♂️)
That should help me define the firewall rules better.

I eventually want to pull the PPPoE from the GPONs to the hEX; right now the ISP IPs are set at the GPONs and I am behind multiple class C networks. One ISP is straightforward, the other not so much. Need more tinkering there! I will make the changes in a few days and post back - work has started and it drains me by the end of the day...
 
jithinsarath
just joined
Topic Author
Posts: 5
Joined: Fri Jun 04, 2021 10:34 pm
Location: Kerala, India

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Sun Jun 20, 2021 11:02 pm

I got around to doing the clean-up and everything looks neat - except the PiHole I have (BASE, IP 10.40.40.9). I can't figure out why would this drop based on the rules I have 🤦‍♂️🤦‍♂️🤦‍♂️
/interface bridge add name=br1 protocol-mode=none vlan-filtering=yes

/interface vlan add interface=br1 name=base_vlan vlan-id=40
/interface vlan add interface=br1 name=home_vlan vlan-id=10
/interface vlan add interface=br1 name=iot_vlan vlan-id=30
/interface vlan add interface=br1 name=work_vlan vlan-id=20

/interface list add name=WAN
/interface list add name=LAN
/interface list add name=BASE

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile set [ find default=yes ] html-directory=hotspot

/ip pool add name=default_pool ranges=192.168.88.200-192.168.88.254
/ip pool add name=home_pool ranges=192.168.10.2-192.168.10.75
/ip pool add name=work_pool ranges=192.168.20.2-192.168.20.30
/ip pool add name=iot_pool ranges=192.168.30.2-192.168.30.50
/ip pool add name=base_pool ranges=10.40.40.10-10.40.40.50

/ip dhcp-server add address-pool=default_pool disabled=no interface=ether5 name=default
/ip dhcp-server add address-pool=home_pool disabled=no interface=home_vlan name=home_dhcp
/ip dhcp-server add address-pool=work_pool disabled=no interface=work_vlan name=work_dhcp
/ip dhcp-server add address-pool=iot_pool disabled=no interface=iot_vlan name=iot_dhcp
/ip dhcp-server add address-pool=base_pool disabled=no interface=base_vlan name=base_dhcp

/interface bridge port add bridge=br1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
/interface bridge port add bridge=br1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4

/ip neighbor discovery-settings set discover-interface-list=BASE

/interface bridge vlan add bridge=br1 tagged=br1,ether3,ether4 vlan-ids=10,20,30,40

/interface list member add interface=ether1 list=WAN
/interface list member add interface=ether2 list=WAN
/interface list member add interface=ether5 list=LAN
/interface list member add interface=ether5 list=BASE
/interface list member add interface=base_vlan list=LAN
/interface list member add interface=home_vlan list=LAN
/interface list member add interface=work_vlan list=LAN
/interface list member add interface=iot_vlan list=LAN
/interface list member add interface=base_vlan list=BASE

/ip address add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
/ip address add address=10.40.40.1/24 interface=base_vlan network=10.40.40.0
/ip address add address=192.168.10.1/24 interface=home_vlan network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=work_vlan network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=iot_vlan network=192.168.30.0

/ip dhcp-client add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-client add disabled=no interface=ether2 use-peer-dns=no

/ip dhcp-server network add address=10.40.40.0/24 dns-server=8.8.4.4 gateway=10.40.40.1
/ip dhcp-server network add address=192.168.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 dns-server=10.40.40.9 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 dns-server=8.8.8.8,1.1.1.1,8.8.4.4 gateway=192.168.30.1
/ip dhcp-server network add address=192.168.88.0/24 dns-server=8.8.8.8,1.1.1.1,8.8.4.4 gateway=192.168.88.1

/ip dns set servers=8.8.8.8,8.8.4.4,1.1.1.1

/ip firewall filter add action=accept chain=input comment="allow established/related/untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="allow icmp" protocol=icmp
/ip firewall filter add action=accept chain=input comment="allow base_vlan full access" in-interface=base_vlan
/ip firewall filter add action=accept chain=input comment="allow LAN dns queries - tcp" connection-state=new dst-address=10.40.40.9 dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow LAN dns queries - udp" connection-state=new dst-address=10.40.40.9 dst-port=53 in-interface-list=LAN protocol=udp
/ip firewall filter add action=drop chain=input comment="drop everything else"
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="allow connections from everything inside to WAN" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="allow BASE to work" in-interface-list=BASE out-interface=work_vlan
/ip firewall filter add action=drop chain=forward comment="drop everything else"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

/system clock set time-zone-name=Asia/Kolkata
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 12:55 pm

So the sticking point is your DNS configuration, which is not correct but I am not conversant enough in DNS with pi-hole, or the requirements to give pointers. Hoping others can!!

(1) /ip dhcp-server network add address=192.168.20.0/24 dns-server=10.40.40.9 gateway=192.168.20.1
and
(2) /ip firewall filter add action=accept chain=input comment="allow LAN dns queries - tcp" connection-state=new dst-address=10.40.40.9 dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow LAN dns queries - udp" connection-state=new dst-address=10.40.40.9 dst-port=53 in-interface-list=LAN protocol=udp

I guess the question is that you need to more clearly state your requirements in terms of your pi-hole server.
Did you want all LAN users to get their DNS from that device?
What are your expectations?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 3:50 pm

You might wanna get rid of that TL-SG108E in the near future.
As all TP-Link "Easy Smart Switches" have a major flaw: you can't specify the management VLAN. The management interface is reachable from ANY VLAN, and the IP you've set is also reachable from ANY VLAN.
You can test with the utility provided by TP-Link "Easy Smart Configuration Utility", which finds and reveals the IP of the switch from ANY VLAN.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 4:42 pm

You might wanna get rid of that TL-SG108E in the near future.
As all TP-Link "Easy Smart Switches" have a major flaw: you can't specify the management VLAN. The management interface is reachable from ANY VLAN, and the IP you've set is also reachable from ANY VLAN.
You can test with the utility provided by TP-Link "Easy Smart Configuration Utility", which finds and reveals the IP of the switch from ANY VLAN.
Can you provide a link to what you are stating please.

I certainly have not experienced the above but then again have not gone looking for those specifics.
Will test later today.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 5:04 pm

Sure, here's the link: viewtopic.php?f=2&t=175848#p863639
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 5:45 pm

Hey Zved, sorry to point this out but you mistakenly linked to this thread.
Source of information please, and you dont qualify LOL.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 7:24 pm

Wasn't a mistake, obviously. You can do your own tests if you own one of those switches, or search the internet for more info.
 
jithinsarath
just joined
Topic Author
Posts: 5
Joined: Fri Jun 04, 2021 10:34 pm
Location: Kerala, India

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 8:26 pm

You might wanna get rid of that TL-SG108E in the near future.
As all TP-Link "Easy Smart Switches" have a major flaw: you can't specify the management VLAN. The management interface is reachable from ANY VLAN, and the IP you've set is also reachable from ANY VLAN.
You can test with the utility provided by TP-Link "Easy Smart Configuration Utility", which finds and reveals the IP of the switch from ANY VLAN.
I was able to find the device using the "Easy Smart Configuration Utility" from one of my restricted VLANs, so what you say does have merit. However, my pings and port queries failed, so I am assuming this is some sort of a stealth channel they've set up? My residence situation is fluid right now, so I will make investments as this evolves. Open to suggestions for a cheap, reliable managed switch that does proper VLANs.
 
jithinsarath
just joined
Topic Author
Posts: 5
Joined: Fri Jun 04, 2021 10:34 pm
Location: Kerala, India

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 8:30 pm

I guess the question is that you need to more clearly state your requirements in terms of your pi-hole server.
Did you want all LAN users to get their DNS from that device?
What are your expectations?
I should have explained better. The Pi-Hole is supposed to be where all devices in the network irrespective of VLANs get their DNS from. It is configured to do recursive DNS via unbound and is a lifesaver as a DNS sinkhole. I started off with just the WORK VLAN to experiment. Based on how I read the rules, the below two rules should make this a possibility. However, it doesn't and DNS fails. There must be something simple that I am not focusing on 🤷‍♂️

/ip firewall filter add action=accept chain=input comment="allow LAN dns queries - tcp" connection-state=new dst-address=10.40.40.9 dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow LAN dns queries - udp" connection-state=new dst-address=10.40.40.9 dst-port=53 in-interface-list=LAN protocol=udp
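The following is an added example, not code from the thread: a small first-match evaluator for RouterOS-style filter chains, fed with the June 20 rule set posted above, so the path of one DNS query from work_vlan to the Pi-hole at 10.40.40.9 can be traced rule by rule. The router's addresses and interface lists are taken from that config; the packets, the 192.168.20.15 client and the corrective forward rule are constructed for the example. The evaluator also reproduces the fasttrack ordering point from anav's reply, since fasttrack-connection is a passthrough action in RouterOS and an accept rule placed in front of it hides it.

```python
"""Added example: first-match evaluation of RouterOS-style filter chains.
Not part of the original thread; packet values below are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Router's own addresses, connected subnets and interface lists, from the posted config.
ROUTER_ADDRS = {"10.40.40.1", "192.168.10.1", "192.168.20.1", "192.168.30.1", "192.168.88.1"}
SUBNETS = {"10.40.40.0/24": "base_vlan", "192.168.10.0/24": "home_vlan",
           "192.168.20.0/24": "work_vlan", "192.168.30.0/24": "iot_vlan",
           "192.168.88.0/24": "ether5"}
LISTS = {"WAN": {"ether1", "ether2"},
         "LAN": {"ether5", "base_vlan", "home_vlan", "work_vlan", "iot_vlan"},
         "BASE": {"ether5", "base_vlan"}}

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "udp"
    dport: int = 0
    conn_state: str = "new"   # new | established | related | untracked | invalid

@dataclass
class Rule:
    chain: str
    action: str               # accept | drop | fasttrack-connection
    comment: str = ""
    m: dict = field(default_factory=dict)   # matchers, RouterOS names with '-' -> '_'

def out_iface(dst):
    """Routing decision: a connected subnet's interface, else the WAN uplink."""
    for net, iface in SUBNETS.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return iface
    return "ether1"

def matches(rule, pkt, out_if):
    m = rule.m
    checks = [("connection_state", lambda v: pkt.conn_state in v),
              ("protocol", lambda v: pkt.proto == v),
              ("dst_port", lambda v: pkt.dport == v),
              ("dst_address", lambda v: pkt.dst == v),
              ("in_interface", lambda v: pkt.in_iface == v),
              ("in_interface_list", lambda v: pkt.in_iface in LISTS[v]),
              ("out_interface", lambda v: out_if == v),
              ("out_interface_list", lambda v: out_if in LISTS[v])]
    return all(ok(m[k]) for k, ok in checks if k in m)

def evaluate(rules, pkt):
    """Return (chain, verdict, comment, fasttracked). Packets addressed to the router
    itself hit 'input'; anything transiting the router hits 'forward'. fasttrack-connection
    marks the connection and evaluation continues with the next rule."""
    chain = "input" if pkt.dst in ROUTER_ADDRS else "forward"
    out_if = None if chain == "input" else out_iface(pkt.dst)
    fasttracked = False
    for r in rules:
        if r.chain != chain or not matches(r, pkt, out_if):
            continue
        if r.action == "fasttrack-connection":
            fasttracked = True
            continue
        return chain, r.action, r.comment, fasttracked
    return chain, "accept", "implicit accept (no rule matched)", fasttracked

EST = {"established", "related", "untracked"}
DNS = {"dst_address": "10.40.40.9", "dst_port": 53, "in_interface_list": "LAN"}
# The June 20 rule set from the post above, in the posted order.
POSTED = [
    Rule("input", "accept", "established/related/untracked", {"connection_state": EST}),
    Rule("input", "drop", "invalid", {"connection_state": {"invalid"}}),
    Rule("input", "accept", "icmp", {"protocol": "icmp"}),
    Rule("input", "accept", "base_vlan full access", {"in_interface": "base_vlan"}),
    Rule("input", "accept", "LAN dns tcp", {"connection_state": {"new"}, "protocol": "tcp", **DNS}),
    Rule("input", "accept", "LAN dns udp", {"connection_state": {"new"}, "protocol": "udp", **DNS}),
    Rule("input", "drop", "drop everything else"),
    Rule("forward", "fasttrack-connection", "", {"connection_state": {"established", "related"}}),
    Rule("forward", "accept", "established/related/untracked", {"connection_state": EST}),
    Rule("forward", "drop", "invalid", {"connection_state": {"invalid"}}),
    Rule("forward", "accept", "LAN to WAN", {"in_interface_list": "LAN", "out_interface_list": "WAN"}),
    Rule("forward", "accept", "BASE to work", {"in_interface_list": "BASE", "out_interface": "work_vlan"}),
    Rule("forward", "drop", "drop everything else"),
]
# Fix (added here, not from the thread): the Pi-hole is a host behind the router, so
# queries to it transit the forward chain; the input-chain DNS rules never see them.
DNS_FIX = [Rule("forward", "accept", "LAN to Pi-hole dns " + p, {"protocol": p, **DNS})
           for p in ("udp", "tcp")]
FIXED = POSTED[:-1] + DNS_FIX + POSTED[-1:]   # insert before the final drop

def trace_pihole_query(rules):
    query = Packet("work_vlan", "192.168.20.15", "10.40.40.9", "udp", 53)   # constructed
    return evaluate(rules, query)

def fasttrack_hit(fasttrack_first):
    """anav's ordering point: 'accept established' ahead of fasttrack hides the fasttrack rule."""
    ft = Rule("forward", "fasttrack-connection", "", {"connection_state": {"established", "related"}})
    acc = Rule("forward", "accept", "established", {"connection_state": EST})
    reply = Packet("home_vlan", "192.168.10.5", "1.1.1.1", "tcp", 443, "established")  # constructed
    return evaluate([ft, acc] if fasttrack_first else [acc, ft], reply)[3]

if __name__ == "__main__":
    print("posted rules:", trace_pihole_query(POSTED))
    print("with fix    :", trace_pihole_query(FIXED))
    print("fasttrack reached, fasttrack first:", fasttrack_hit(True))
    print("fasttrack reached, accept first   :", fasttrack_hit(False))
```

Run as a script, the posted rule set reports the query landing in the forward chain and dying on "drop everything else", because only LAN-to-WAN and BASE-to-work are accepted there; with the two forward-chain DNS rules in front of the final drop it is accepted. The input-chain rules with dst-address=10.40.40.9 can only ever match if 10.40.40.9 were one of the router's own addresses, which it is not. The same evaluator shows the fasttrack rule being reached only when it precedes the accept for established traffic.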
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 8:45 pm

Regarding the switch:
Well, you can't ping/reach it unless you set an IP from that subnet on your laptop/computer while you're on any of the VLANs.
Another bug would be if you have the switch set to DHCP instead of static: the switch's DHCP client would run on random VLANs .....
A cheap alternative in the price range of the TL-SG108E is the DGS-1100-08V2, which also has a quirk in that it forces you to set a PVID on all ports, but at least you can choose the management VLAN, and that works for me.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 10:38 pm

Zneva, basically it boils down to
If you cant produce a credible source, then your post is not useful.
So please produce some proof.

I did my own tests, the Switch is not accessible from a different vlan period and that was a vlan that is on the switch!!
I typed in the URL and even have assigned it a port that needs to be utilized and NADA, no access from another vlan.
Its a stand alone switch and no cloud associations etc...........
The switch has an IP address on the management vlan which is setup on the mikrotik.
The mikrotik rules forbid vlan to vlan traffic except for the admins PC.

What app are you talking about.............. If your talking the omada app, same thing zilcho, no contact possible.
What further testing should I do??
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 11:19 pm

@anav, I won't google for you. https://bfy.tw/R9Ez
Can you choose a management VLAN on TL-SG108E ? No, you can't. The management interface "binds" to ALL VLANs.
Take jithinsarath's example here, with access ports 4,5,6,7,8 to VLANs 10,20,30,40: you plug your PC into any of them, run the (seriously, I've stated the utility name pretty clearly) EASY SMART CONFIGURATION UTILITY https://www.tp-link.com/en/support/down ... on_Utility for your version, it'll find the switch from ANY of those ports, it will show you the current IP of the switch, and if you set an IP on your PC from that subnet YOU WILL REACH IT FROM ANY OF THOSE PORTS.
This isn't rocket science, dear anav. Do some tests, add vodka, enjoy.
Also you didn't mention which switch you have. Only the "Easy Smart" switches suffer from this.
So what model/version do you have?
Also you should know better how a subnet works, because what you've said here: "The mikrotik rules forbid vlan to vlan traffic except for the admins PC." makes no sense here, since you don't even reach the MikroTik in the example above; it can't do any filtering, you can just as well unplug the switch from the MikroTik.
Cheers!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 11:39 pm

T1500G-10MPS 2.0
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Mon Jun 21, 2021 11:48 pm

So you don't even own the switch that we're talking about, it's not even from the "Easy Smart" series.
Your switch is from the "Smart Managed" series: https://www.tp-link.com/us/business-net ... rt-switch/
We're talking about a switch from the "Easy Smart" series: https://www.tp-link.com/us/business-net ... rt-switch/ a switch that @jithinsarath HAS.
Pay attention next time. Wasted time explaining it for you JUST BECAUSE YOU DON'T EVEN HAVE THE DAMN SWITCH.
There's your proof: you can't read.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home VLAN Design (Mikrotik, TPLink, Ubiquiti) - My Experience and some firewall advice sought

Tue Jun 22, 2021 3:50 am

Lucky for me, not so much for the OP.
