robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Home IoT Vlan setup

Wed Jun 16, 2021 12:57 pm

Hello all - I'm about to embark on a mission to fix (or utterly destroy more like) my home network. I run a Home Assistant instance on a Raspberry Pi with a bunch of WiFi-enabled smart devices. I want to separate them into their own Vlans. I have a mix of Mikrotik and Unifi devices. I've been reading a lot of articles on this forum - special thanks to all contributors to the VLAN explainer.

I'm planning 5 different networks:
1) Untagged (I hope that's the right term): management layer, admin laptop and all Ubiquiti devices. 192.168.88.0/24
2) vlan_main: laptops/phones of my family. Access to the internet and access to other vlans (to discover/use smart devices). 192.168.10.0/24
3) vlan_iot: Home Assistant, "trustworthy" bridges and devices that need internet access like Wyze Cams. Has internet access and can access the untrusted iot network. 192.168.20.0/24
4) vlan_uiot: untrusted devices that don't need the internet (sonoff/tuya/etc). Possibly allow limited internet access, but cannot access other vlans. 192.168.30.0/24
5) vlan_guest: as the name says, access for guests to the internet. Maybe limited access to some Home Assistant functionality in vlan_main, not sure yet. 192.168.40.0/24

A few devices on vlan_iot need Ethernet connections. I plan to tag Ether2 as vlan_iot and put all of these behind a 'dumb' switch.

I plan to use my Unifi AC Pro and Unifi AC Lite to provide the WiFi networks for the 4 vlans. They'll be on Ether4&5 with the CloudKey on Ether3. All three will be on the untagged management network. The Unifi WiFi networks will be set up to tag the WiFi network with the allocated vlan tags.

[two network diagram images attached to the original post]

For the Mikrotik setup, I planned to have a bridge with all vlans and Ethernet ports. I also need to add a second vlan_iot vlan on ether2 (same tag as the one provided by the Unifi ACs). Firewall rules to drop all traffic except for allowed connections (vlan_main -> vlan_iot for example). Since I'll be running AdGuard on my HA instance, I'll also need to allow DNS access to port 53 on HA in vlan_iot for all devices within vlan_main/vlan_iot/vlan_uiot.
Before I get too deep into setting up my Mikrotik config, I wanted to sense check my planned setup. Does the above make sense? Comments & advice would be greatly appreciated!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Thu Jun 17, 2021 4:15 am

 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Thu Jun 17, 2021 8:27 am

Yeah that's the post I started with (besides others). Unfortunately, I'm still stuck. My setup seems to be a mix between switch-hybrid+router and AccessPoint. I can get the APs working with a single bridge on the MT with VLAN interfaces (including DHCP for each VLAN) and adding a second vlan interface for vlan20 on ether2 with a separate DHCP with a pool of 192.168.20.100-254 on that interface. I keep getting invalid for DHCP and my devices on ETHER2 can't get an IP.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Thu Jun 17, 2021 1:56 pm

Without seeing your config I cannot be of much help.
/export hide-sensitive file=anynameyouwish
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sat Jun 19, 2021 1:50 pm

I had tried different versions (it's taken me a while as I installed eve-ng to experiment quicker). I can't quite figure out whether my ports on eth4/5 are trunk or hybrid. I figured that because the UAP needs to be on base-vlan, it should be hybrid (untagged packets on eth4/5 then go onto base-vlan). But I can't quite get the setup to work. Here's my latest configuration:
/system identity set name="home-router"

#######################################
# VLAN Overview
#######################################

# 10 = main
# 20 = iot
# 30 = untrusted
# 40 = guest
# 99 = BASE (MGMT) VLAN

#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

#IOT Vlan20 (on switch)
add bridge=BR1 interface=ether2 pvid=20

#BASE MGMT Vlan99 

add bridge=BR1 interface=ether3 pvid=99
add bridge=BR1 interface=wlan1 pvid=99

#egress behaviour, handled automatically

# L3 switching so Bridge must be a tagged member

/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=30]
set bridge=BR1 tagged=BR1 [find vlan-ids=40]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

#######################################
#
# -- Trunk Ports --
#
#######################################

#ingress behaviour
/interface bridge port

add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5

#egress behaviour
#/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
#add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10
#add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=20
#add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=30
#add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=40
#add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=99

#######################################
#
# -- Hybrid Ports --
# if there's no tag, put on management LAN
#
#######################################

# egress behavior
/interface bridge vlan

set bridge=BR1 tagged=ether4 [find vlan-ids=99]
set bridge=BR1 tagged=ether5 [find vlan-ids=99]

#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.99.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"


#######################################
# IP Services
#######################################

# VLAN10 interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=VLAN10 vlan-id=10
/ip address add interface=VLAN10 address=192.168.10.1/24
/ip pool add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server add address-pool=POOL_VLAN10 interface=VLAN10 name=DHCP_VLAN10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1

# VLAN20 interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=VLAN20 vlan-id=20
/ip address add interface=VLAN20 address=192.168.20.1/24
/ip pool add name=POOL_VLAN20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server add address-pool=POOL_VLAN20 interface=VLAN20 name=DHCP_VLAN20 disabled=no
/ip dhcp-server network add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1

# VLAN30 interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=VLAN30 vlan-id=30
/ip address add interface=VLAN30 address=192.168.30.1/24
/ip pool add name=POOL_VLAN30 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server add address-pool=POOL_VLAN30 interface=VLAN30 name=DHCP_VLAN30 disabled=no
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1

# VLAN40 interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=VLAN40 vlan-id=40
/ip address add interface=VLAN40 address=192.168.40.1/24
/ip pool add name=POOL_VLAN40 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server add address-pool=POOL_VLAN40 interface=VLAN40 name=DHCP_VLAN40 disabled=no
/ip dhcp-server network add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
# /ip pool add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
# /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
# /ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1  list=WAN
add interface=VLAN10  list=VLAN
add interface=VLAN20  list=VLAN
add interface=VLAN30  list=VLAN
add interface=VLAN40  list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN to ROUTER!
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN TO ELSEWHERE
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Access Ports: Only allow untagged ingress packets
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]

# Trunk Ports: Only allow ingress packets WITH tags
#NONE 

# Hybrid: Allow ingress packets with or without tags (ingress-filtering ensures only the tags we specified)
set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=ether4]

set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=ether5]



#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Home IoT Vlan setup

Sat Jun 19, 2021 1:52 pm

This is not exported configuration, this might be something you pushed into device which already had some config. So do what @anav asked to do ... execute /export hide-sensitive and post output.
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sat Jun 19, 2021 3:27 pm

[admin@MikroTik] /interface bridge port> /export hide-sensitive
# jan/02/1970 00:16:25 by RouterOS 6.47.10
# software id = YL9S-LT57
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1207BDC13C
/interface bridge
add admin-mac=64:D1:54:68:1F:61 auto-mac=no comment=defconf name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-681F67 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-681F66 wireless-protocol=802.11
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=VLAN10 vlan-id=10
add interface=BR1 name=VLAN20 vlan-id=20
add interface=BR1 name=VLAN30 vlan-id=30
add interface=BR1 name=VLAN40 vlan-id=40
/interface list
add name=WAN
add name=BASE
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
add name=POOL_VLAN20 ranges=192.168.10.254-192.168.20.2
add name=POOL_VLAN30 ranges=192.168.30.2-192.168.30.254
add name=POOL_VLAN40 ranges=192.168.40.2-192.168.40.254
add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=POOL_VLAN10 disabled=no interface=VLAN10 name=DHCP_VLAN10
add address-pool=POOL_VLAN20 disabled=no interface=VLAN20 name=DHCP_VLAN20
add address-pool=POOL_VLAN30 disabled=no interface=VLAN30 name=DHCP_VLAN30
add address-pool=POOL_VLAN40 disabled=no interface=VLAN40 name=DHCP_VLAN40
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 interface=wlan1 pvid=99
add bridge=BR1 ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN40 list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Sat Jun 19, 2021 4:41 pm

Heads up: if Unifi needs to be fed from a hybrid port on the router because it needs the base vlan untagged,
then simply allow all frames on the port and pvid it to the base vlan (as though it was an ACCESS port).
In the bridge vlan setup just tag the same port with the other vlans as if it was a trunk port.

In terms of the config

(1) Suggest no reason that I am aware of that your WAN port should be on the bridge
/interface bridge port
add bridge=BR1 interface=ether1 ??????

(2) Reading your port setup the following conclusions can be made
a. The first line can be removed as in most cases the WAN port need not be part of the bridge.
b. Ether2 is an ACCESS PORT for vlan20,
c. Ether3 is an ACCESS PORT for base vlan (and not hybrid because you only allow untagged frames)
d. WLAN 1 is set up as an access port, you can add both ingress filtering and only untagged frames to this rule like the others.
e. ether 4 and 5 are TRUNK Ports, you can add ingress filtering and allow only tagged frames to these

/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 interface=wlan1 pvid=99
add bridge=BR1 ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5


(3) You forgot to also have the BASE VLAN part of the LAN
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN40 list=VLAN
add interface=BASE_VLAN list=BASE

add interface=BASE_VLAN list=VLAN

(4) I don't know why one would choose one vlan gateway instead of the one directly connected to it for the DNS server ?????
It may be no different at all or very slightly different in terms of performance, but not sure, and no idea about security aspects......
Since vlans are supposed to be separate I am not sure if that extends to use of another vlan's gateway? If it works it works. I wouldn't do it.

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1

(5) Although not dangerous your input chain firewall rules make little sense........
a. after the first rule:
You should add block invalid packets
and there is no harm to allow ICMP, helps in troubleshooting connectivity in some cases too.
b. the second rule allows all vlan users access to the router, SO WTF, why do you set up a base vlan?
Ditch the second rule!!
c. Like the third rule.
d. After the third rule, replace the 2nd rule with two rules - what users need access to the router for, and that is DNS udp & tcp port 53!!
e. like drop rule at end!!

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop


(6) Forward chain rules are good but too minimalistic.
a. Since you are not doing any mangling or stuff you can take advantage of better performance, so make the default fasttrack rule the first rule.
b. after the established,related rule add a drop invalid rule
c. Allow internet rule IS NOW GOOD BECAUSE WE ADDED BASE VLAN TO VLAN LIST ;-)
d. like drop rule.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Sat Jun 19, 2021 4:56 pm

(7) THE BIGGEST ISSUE IS THE MISSING BR VLAN FILTERING SETUP????

Based on your bridge port setup ....... However, once we sort out your unifi issues this may change..........
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2,WLAN1 vlan-ids=99
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sat Jun 19, 2021 5:23 pm

Hi Anav,

thanks so much for your help. You're right about ETHER1 on WAN - I had a few too many configurations and that one slipped through. Removed it now. I also agree on the firewall rules being too lax, but for now I just want to get the network running so I stuck to the default suggestions from the vlan examples thread. The same is the case for the DNS entries. I'm not sure how it works / what's best, I just stuck to the examples and wanted to resolve that later. Since I will have a pihole in my network I needed to fiddle with that later anyway.

I wasn't quite sure how the tagging you suggest works. Do I add the commands on top of what I already have? I tried that but now have three entries under /interface bridge vlan print:
 #   Bridge  VLAN-IDs  Current-Tagged  Current-Untagged
 0 D BR1     1                         BR1
                                       ether5
 1   BR1     20        BR1
                       ether5
 2   BR1     10        BR1
             30        ether5
             40

is that right? (I'm currently connected via link-local on ether5 from my ubuntu machine, the only way I could still get onto the MT)
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sat Jun 19, 2021 5:25 pm

Never mind - I should have checked the return code. The last line wasn't accepted because of WLAN1/wlan1. Fixed it now.
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sat Jun 19, 2021 5:30 pm

Hallelujah! That now works! I can successfully get vlan20/vlan99 IPs depending on what port I'm connected to. thanks so much Anav!!

As a next step I'll try to set up the APs now and see if that still works, after that fix the firewall and then try to connect ether1 to my existing router to get internet access (eventually I'll need to replace that with a PPPoE client on ether1).
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sat Jun 19, 2021 5:45 pm

APs are working nicely too. Will post tomorrow when I have the rest working
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Sat Jun 19, 2021 8:25 pm

kk and resend the config as there may be some small items to address!!
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sun Jun 20, 2021 1:12 pm

Too happy too soon. The APs worked because they had been previously provisioned. The cloudkey on vlan99/ether3 couldn't communicate with them. I realised that ether4 and ether5 don't seem to work properly as a hybrid port. While any messages coming through the wifi networks on the AP were tagged correctly, the AP itself ended up on pvid=1 (or untagged, if there's a difference), and then got filtered. I managed to fix it somewhat by changing
 add bridge=BR1 ingress-filtering=yes interface=ether5 
to
 add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=99 
The AP now got a lease (192.168.99.249) from the DHCP server, but wasn't able to communicate with the rest of the base-vlan (couldn't ping/ssh into it from either the MT or the cloudkey/laptop on the same vlan).

Here's my previous config (I'm currently nursing a sore foot after shooting myself in it with a bad attempt at vlan filtering. Can't get into the router...):
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-681F67 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-681F66 wireless-protocol=802.11
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=VLAN10 vlan-id=10
add interface=BR1 name=VLAN20 vlan-id=20
add interface=BR1 name=VLAN30 vlan-id=30
add interface=BR1 name=VLAN40 vlan-id=40
/interface list
add name=WAN
add name=BASE
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=x \
    wpa2-pre-shared-key=x
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
add name=POOL_VLAN20 ranges=192.168.10.254-192.168.20.2
add name=POOL_VLAN30 ranges=192.168.30.2-192.168.30.254
add name=POOL_VLAN40 ranges=192.168.40.2-192.168.40.254
add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=POOL_VLAN10 disabled=no interface=VLAN10 name=DHCP_VLAN10
add address-pool=POOL_VLAN20 disabled=no interface=VLAN20 name=DHCP_VLAN20
add address-pool=POOL_VLAN30 disabled=no interface=VLAN30 name=DHCP_VLAN30
add address-pool=POOL_VLAN40 disabled=no interface=VLAN40 name=DHCP_VLAN40
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 interface=wlan1 pvid=99
add bridge=BR1 ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2,wlan1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN40 list=VLAN
add interface=BASE_VLAN list=BASE
add interface=BASE_VLAN list=VLAN
/ip address
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip dhcp-server lease
add address=192.168.99.252 client-id=xx mac-address=\
    xx server=BASE_DHCP
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN \
    protocol=icmp
add action=accept chain=input comment=\
    "Allow Router Access from Admin Laptop on Main VLAN" in-interface=VLAN20 \
    src-mac-address=xx
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sun Jun 20, 2021 2:07 pm

I managed to get back onto the router. If I connect to ether4/5 I can get a DHCP lease but there's no route even to 192.168.99.1
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Sun Jun 20, 2021 3:29 pm

Now if you want ether4 and ether5 to be hybrid ports I have provided all the direction you need already.
They need to not have frame type restrictions, and in the bridge port settings they need to have the PVID of the untagged vlan you need carried over that port.

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 interface=wlan1 pvid=99 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes

add bridge=BR1 ingress-filtering=yes interface=ether4 PVID=???
add bridge=BR1 ingress-filtering=yes interface=ether5 PVID=???

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2,wlan1 vlan-ids=99

change to
add bridge=BR1 tagged=BR1 untagged=ether2,wlan1,ether4,ether5 vlan-ids=99
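The hybrid-port rule given here (pvid on the bridge port plus untagged membership in that VLAN's bridge vlan entry, tagged in the rest) can be checked mechanically against an export. The following is an added example, not code from this thread or from MikroTik: a small Python audit of the bridge port, bridge vlan, pool and dhcp-server network sections, run on a constructed sample modelled on the exports posted above, with the faulty form and the corrected form side by side.

```python
"""Static checks for a RouterOS '/export' of a bridge VLAN setup. Added example,
not code from this thread or from MikroTik; only static bridge vlan entries are
checked. Flags: a port whose pvid VLAN does not list it as untagged (ether5 with
pvid=99 while vlan 99 tags it, or no entry at all); a port untagged in several
VLANs; a DHCP pool whose range fits no dhcp-server network (POOL_VLAN20 above).
"""
import ipaddress
import shlex
from collections import defaultdict
# Constructed sample modelled on the exports above; one fault of each kind.
BROKEN_EXPORT = """\
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 interface=wlan1 pvid=99
add bridge=BR1 ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2,wlan1 vlan-ids=99
/ip pool
add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
add name=POOL_VLAN20 ranges=192.168.10.254-192.168.20.2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
"""

# Same setup with the fix from the thread: ether4/ether5 hybrid (pvid=99 and
# untagged in vlan 99, tagged in the rest), ether2 only in vlan 20, pool fixed.
FIXED_EXPORT = (
    BROKEN_EXPORT
    .replace("interface=ether4\n", "interface=ether4 pvid=99\n")
    .replace("tagged=BR1,ether4,ether5 untagged=ether2,wlan1 vlan-ids=99",
             "tagged=BR1 untagged=wlan1,ether4,ether5 vlan-ids=99")
    .replace("192.168.10.254-192.168.20.2", "192.168.20.2-192.168.20.254")
)

def parse_export(text):
    """Map each '/section' header to the list of its 'add' commands as dicts."""
    sections, section = defaultdict(list), None
    for line in text.replace("\\\n", " ").splitlines():  # unwrap continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)  # handles quoted values such as comment="..."
        if section and words and words[0] == "add":
            sections[section].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections

def vlan_id_set(spec):
    """'10,30,40' or '10-20' -> set of ints; RouterOS accepts both forms."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_bridge_vlans(cfg):
    findings = []
    untagged_in, tagged_in = defaultdict(set), defaultdict(set)
    for entry in cfg["/interface bridge vlan"]:
        ids = vlan_id_set(entry["vlan-ids"])
        for port in filter(None, entry.get("untagged", "").split(",")):
            untagged_in[port] |= ids
        for port in filter(None, entry.get("tagged", "").split(",")):
            tagged_in[port] |= ids
    for port in cfg["/interface bridge port"]:
        name, pvid = port["interface"], int(port.get("pvid", 1))
        if pvid == 1 or pvid in untagged_in[name]:  # default pvid, or consistent
            continue
        if pvid in tagged_in[name]:  # the ether5 case: replies leave the port tagged
            findings.append(f"{name}: pvid={pvid} but vlan {pvid} lists {name} as tagged")
        else:  # the missing-entry case from point (7) above
            findings.append(f"{name}: pvid={pvid} but no bridge vlan entry has {name} untagged")
    for name, ids in untagged_in.items():
        if len(ids) > 1:  # egress would send two VLANs untagged out of one port
            findings.append(f"{name}: untagged member of several VLANs {sorted(ids)}")
    return findings

def check_dhcp_pools(cfg):
    findings = []
    nets = [ipaddress.ip_network(n["address"]) for n in cfg["/ip dhcp-server network"]]
    for pool in cfg["/ip pool"]:
        for rng in filter(None, pool["ranges"].split(",")):
            lo_s, _, hi_s = rng.partition("-")
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s or lo_s)
            lo, hi = min(lo, hi), max(lo, hi)  # RouterOS itself reorders a reversed range
            if not any(lo in n and hi in n for n in nets):
                findings.append(f"{pool['name']}: range {rng} fits no dhcp-server network")
    return findings

def audit(text):
    cfg = parse_export(text)
    return check_bridge_vlans(cfg) + check_dhcp_pools(cfg)
```

Feed it the text of a real `/export hide-sensitive` and an empty result means the pvid/untagged pairing and the pool ranges are at least self-consistent; it says nothing about firewall rules.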
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Home IoT Vlan setup

Sun Jun 20, 2021 3:48 pm

In terms of being locked out of the router, I often reserve a single port, off the bridge, with just an IP address and then if something happens on the bridge, I go to that port with my laptop and login setting my laptop IP to be in the typical subnet of that IP address and enter via winbox.
Just include that port as part of your BASE interface member list.

I am not sure why you created another rule for your PC to access the router.
I thought you were using the base vlan as the management vlan and not accessing the router from a different vlan??
Note winbox access is predicated on interface-list as well (tools mac server winbox mac server etc......)
So if you have that set to base, coming from a different vlan will not permit access..
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: Home IoT Vlan setup

Sun Jun 20, 2021 4:00 pm

That did the trick, many thanks. Whenever I think I got it, my understanding of the details just slips through my fingers... I need to spend a bit more time with 'add bridge=BR1 tagged=BR1 untagged=ether2,wlan1,ether4,ether5 vlan-ids=99' in particular. I need a beer first. That'll help...

About the firewall rules - I'm still testing and slowly migrating the network over, so for now convenience wins out. I actually fully removed in-interface now to allow my laptop to connect to the MT from everywhere (I have connected the MT via ETHER1 to my current-soon-to-be-replaced router so at least my new network has internet access). Now I can - for now - keep connected to my old WiFi without having to switch to the mgmt network. And while I later on would prefer your approach of a dedicated port, I'm unfortunately all out of ports that I can dedicate. I guess I could put all the Unifi stuff on a separate switch, but I need to cram everything into a single 4U cabinet in the hallway (and just 1 multiplug) so I'd rather not add more devices.

Next stop - AP placement in the house. After that I'll start experimenting with the VLANs and Google Home/ other smart devices. Looking at other forum entries, mDNS might be "fun". I'm also going to try to use my home assistant Raspberry for AdGuard(PiHole-ish). I saw you and a few others have in the past played with it. I'll probably try the option of having the Pi upstream of my MT and set the MT as the DNS for each VLAN plus force all DNS requests to the MT.

I'll post another topic when that's vaguely working.
 
Peixeiro
just joined
Posts: 1
Joined: Thu Aug 10, 2023 4:25 pm

Re: Home IoT Vlan setup

Thu Aug 10, 2023 4:35 pm

Hi robotpandarocket,

After some research I found this topic and the network diagram you defined is the closest to what I want.
I'm exactly at the same point, using Home Assistant and having devices that need internet, others that don't, guest network, ...

Could you share the complete configuration of your setup ( /export hide-sensitive ) ?

I will have some differences: I will use a Mikrotik RB2011 and 2 Ubiquiti AC Pros, and as I have 10 network ports I will not use a switch.

Thanks.
