randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Bind Webfig and ssh to a vlan

Sun Sep 19, 2021 11:22 pm

Hi there,
with a lot of help from two users here I got my wifi connected to my vlans.
Now I want to bring the management-services of my MikroTik in a VLAN.

Background:
- Mikrotik is only wifi-AP (DNS, DHCP, etc are served by a separate opnsense-installation)
- Mikrotik is connected with one ethernet-port (ether2) with a Trunk.
- vlan90 should be the management-vlan.
- PVID is defaulted to 1 (and should not be used after migration)

I can't find out how to bring webfig and ssh where I want...
What I tried:
- Adding a vlan-interface to the bridge with vlan-tag 90
- adding ether2 as tagged device for vlan90 to the bridge
- setting a corresponding ip to the vlan (10.10.90.99)

But I can't even ping the ip set.

I could not find a way to set the listening interface/ip for the services www, ssh...

Searching the web and especially the Manual brought no help.

Here is my /export:
# sep/19/2021 22:20:41 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
/interface bridge
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no fast-forward=no name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan90 vlan-id=90
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8F \
    master-interface=wlan1 name=GuestWLAN security-profile=Profil_Gast ssid=\
    Forrest vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=\
    disabled
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=vlan10
add bridge=bridge interface=GuestWLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge tagged=GuestWLAN,ether2-master vlan-ids=60
add bridge=bridge tagged=ether2-master vlan-ids=90
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add list=discover
add list=discover
add list=discover
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=ether1
add interface=bridge list=LAN
/ip address
add address=192.168.2.99/16 interface=ether2-master network=192.168.0.0
add address=10.10.90.99 interface=bridge network=10.10.90.99
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.26
/ip dns static
add address=192.168.2.99 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip route
add distance=1 gateway=192.168.2.1
/ip service
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 2:55 am

The services bind to 0.0.0.0 - meaning any IP address locally on the device (sans IPs in a different VRF - which is annoying but a totally separate issue)

Your problem here appears to be two-fold - in the current export you've provided, you only have 2 IP addresses:
/ip address
add address=192.168.2.99/16 interface=ether2-master network=192.168.0.0
add address=10.10.90.99 interface=bridge network=10.10.90.99
So all services will be listening on those IPs (and yikes, a /16 broadcast domain is not good)

then you have:
/ip firewall filter
add action=drop chain=input in-interface-list=!LAN
This says drop any packets to the input chain (which would cover management services) if the interface is not in the interface-list LAN
/interface list member
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=bridge list=LAN
So to access management on a new interface (VLAN on a bridge for instance)
  • Create VLAN interface
  • Add VLAN interface to LAN list
  • Add IP to VLAN interface
  • Connect a client to VLAN
  • Access Mikrotik Router

There are multiple other ways to do it, such as reconfiguring the firewall rules or your interface hierarchy but the steps above are probably the quickest solution to what you already have configured.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 8:14 am

  • vlan90 is not a member of interface list LAN, so chain input of /ip firewall filter drops incoming traffic from it
  • on the row of /interface bridge vlan for vlan-ids=90, bridge is not on the tagged list, so frames tagged with VID 90 are not allowed to egress through the virtual port of the virtual switch (have a look here for details).
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 8:32 am

Yeah! It's working :)
What was missing at last was the vlan-Interface in the lan-list (so the firewall blocked it).
Thanks a lot!

I just did it without connecting the vlan90-interface to the bridge. It is working, but is it the right way? As there is no other interface connected to the vlan I thought a bridge would not be necessary, but it might be the "wrong way". If that's the way I'd try to change it like @sindy said.

Thanks!
# sep/20/2021 07:48:57 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
/interface bridge
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no fast-forward=no name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan60 vlan-id=60
add interface=ether2-master name=vlan90 vlan-id=90
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8F \
    master-interface=wlan1 name=GuestWLAN security-profile=Profil_Gast ssid=\
    Forrest vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=\
    disabled
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether2-master
add bridge=bridge hw=no interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=GuestWLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge tagged=GuestWLAN,ether2-master vlan-ids=60
add bridge=bridge tagged=ether2-master,vlan90 vlan-ids=90
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=ether1
add interface=bridge list=LAN
add interface=vlan90 list=LAN
/ip address
add address=10.10.90.99/24 interface=vlan90 network=10.10.90.0
/ip dns
set allow-remote-requests=yes servers=192.168.2.26
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip route
add distance=1 gateway=10.10.90.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
edit: cleaned the config a little
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 9:09 am

The documentation explicitly prohibits attaching an /interface vlan to an underlying interface which is also a member port of a bridge. There are a few other similar cases where RouterOS accepts such an incorrect setting and it even works most of the time, but some weird effects occur in some packet flow scenarios.
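
Added example (not part of any post and not MikroTik's code): a small Python checker that runs the conditions diagnosed in this thread over a RouterOS /export, namely the VLAN interface missing from the list named by the input-chain drop rule, the bridge missing from tagged= for the VLAN ID, and a VLAN interface attached to a bridge member port. It also reports a missing address and a bridge without vlan-filtering=yes, which the bridge VLAN table needs in order to apply; the function names, finding codes and the trimmed sample are assumptions made for this example.

```python
import re

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# Constructed sample: a few lines trimmed from the first export in the thread.
SAMPLE = r"""
/interface bridge
add fast-forward=no name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan90 vlan-id=90
/interface bridge port
add bridge=bridge interface=ether2-master
/interface bridge vlan
add bridge=bridge tagged=ether2-master vlan-ids=90
/interface list member
add interface=ether2-master list=LAN
add interface=bridge list=LAN
/ip address
add address=10.10.90.99 interface=bridge network=10.10.90.99
/ip firewall filter
add action=drop chain=input in-interface-list=!LAN
"""

def parse_export(text):
    """Turn a RouterOS /export into (menu, verb, {param: value}) rows."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # rejoin lines wrapped with a trailing "\"
    rows, menu = [], ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        else:
            rows.append((menu, line.split()[0], dict(PAIR.findall(line))))
    return rows

def audit_mgmt_vlan(text, vid):
    """Return finding codes (hypothetical names) for the VLAN interface with ID `vid`."""
    rows, vid = parse_export(text), str(vid)
    def sel(menu):
        return [a for m, verb, a in rows if m == menu and verb == "add"]
    filtering = {b["name"]: b.get("vlan-filtering", "no") for b in sel("/interface bridge")}
    ports = {p["interface"] for p in sel("/interface bridge port")}
    addressed = {a["interface"] for a in sel("/ip address")}
    tagged = set()
    for row in sel("/interface bridge vlan"):
        if vid in row.get("vlan-ids", "").split(","):
            tagged.update(row.get("tagged", "").split(","))
    # Lists named by input-chain drop rules of the form in-interface-list=!NAME.
    required = sorted(r["in-interface-list"][1:] for r in sel("/ip firewall filter")
                      if r.get("chain") == "input" and r.get("action") == "drop"
                      and r.get("in-interface-list", "").startswith("!"))
    members = {(m.get("list"), m.get("interface")) for m in sel("/interface list member")}
    vlans = [v for v in sel("/interface vlan") if v.get("vlan-id") == vid]
    if not vlans:
        return ["no-vlan-interface"]
    findings = []
    for v in vlans:
        name, parent = v["name"], v["interface"]
        if parent in ports:                 # VLAN interface on a bridge member port
            findings.append("parent-is-bridge-port")
        elif parent in filtering:
            if filtering[parent] != "yes":  # bridge VLAN table is not applied at all
                findings.append("vlan-filtering-off")
            if parent not in tagged:        # bridge missing from tagged= for this VID
                findings.append("bridge-not-tagged")
        if name not in addressed:
            findings.append("no-address")
        findings += ["input-drop:!" + lst for lst in required
                     if (lst, name) not in members]
    return findings

if __name__ == "__main__":
    print(audit_mgmt_vlan(SAMPLE, 90))
```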
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 9:10 am

As mentioned in your other thread, your L2 (bridge and VLAN) setup is wrong. While it might work for you, it's bound to create problems sooner or later. So it's up to you to either invest some time to study ROS (yes, learning curve is very steep from beginning) and do it right (we'll help you learning it) or you can leave things as they are and pray nothing goes wrong.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 2:59 pm

This is a really good guide to vlans
viewtopic.php?f=23&t=143620
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 9:15 pm

Hey, I hope I got it now :)

I used the examples of the linked thread. I did not understand that the bridge itself can be part of the vlan-tagging. I really hope this is it :)
# sep/20/2021 20:12:35 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
/interface bridge
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan90 vlan-id=90
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8F \
    master-interface=wlan1 name=GuestWLAN security-profile=Profil_Gast ssid=\
    Forrest vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=\
    disabled
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether2-master
add bridge=bridge hw=no interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=GuestWLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge tagged=GuestWLAN,ether2-master vlan-ids=60
add bridge=bridge tagged=bridge,ether2-master vlan-ids=90
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=ether1
add interface=bridge list=LAN
add interface=vlan90 list=LAN
/ip address
add address=10.10.90.99/24 interface=vlan90 network=10.10.90.0
/ip dns
set allow-remote-requests=yes servers=192.168.2.26
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip route
add distance=1 gateway=10.10.90.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 9:36 pm

randel wrote: "I did not understand that the bridge itself can be part of the vlan-tagging."
The "bridge" object in RouterOS actually consists of three distinct components, as I've explained in the topic I've linked in my previous post. So here, the "bridge itself" you mention is actually the virtual port of the virtual switch.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 10:19 pm

Don't use the ethernet interface, but the Bridge instead
add interface=BRIDGE name=vlan90 vlan-id=90
Set as tagged member the Bridge as well NOT the vlan90
add bridge=bridge tagged=BRIDGE,ether2-master vlan-ids=90
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bind Webfig and ssh to a vlan

Mon Sep 20, 2021 10:44 pm

I provided the full config on this thread to manage your hapac.......
viewtopic.php?f=7&t=178666#p880991

It also addresses the mess you made on your config post above and simplifies it down to what is required.
That gets you winbox access very easily.

If you want to access the hapac from an external WANIP, then I suggest you vpn into the main router
and then use winbox to access the hapac ( also can come in from smartphone via vpn and MT app).
wireguard works well here........

Not clear what ssh or winconfig are for??
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Bind Webfig and ssh to a vlan

Tue Sep 21, 2021 8:56 am

Oh wow... thanks a lot! That is great. I'll try to implement it this evening.
