teisen
just joined
Topic Author
Posts: 11
Joined: Wed Jan 05, 2022 4:47 pm

Need help with VLAN setup

Wed Jan 05, 2022 9:40 pm

Hello, I am new to MikroTik and am trying to set up my RB5009 following viewtopic.php?t=143620&sid=00d6456d9713 ... 5ff57794a8
Currently I only have this device; later I want to add a managed switch to the trunk ports. So I tried multiple times to apply Router-Switch-AP (all in one) but removed the wifi settings and added an ethernet port for the management. The problem is that when I apply the setup in the terminal (after removing the default configuration) I am not able to connect to the router anymore, not even via MAC address. I imagine there might be something missing with the eth2 VLAN port that prevents me from accessing the configuration to see what is happening.
Connections:
eth1 WAN
eth2 RED - MGMT PC connected here
eth3 BLUE
eth4 GREEN
eth5 TRUNK
eth6 TRUNK
eth7 TRUNK
eth8 TRUNK

I reset the router with the reset button. It starts up with the default config. I log in with Winbox, remove the configuration and set the admin password. Then I paste the script below:
#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="RouterSwitchAP"


#######################################
# VLAN Overview
#######################################

# 1 = BASE (MGMT) VLAN  RED
# 10 = BLUE
# 20 = GREEN



#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################

# Blue SSID
#/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=auto mode=ap-bridge disabled=no

# Green SSID
#/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 security-profile=guest disabled=no

# Optional: BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
#/interface wireless security-profiles add name=Base authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#/interface wireless add name=wlan3 ssid=BASE master-interface=wlan1 security-profile=Base disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# BASE_VLAN
add bridge=BR1 interface=ether2 pvid=1

# Blue VLAN
add bridge=BR1 interface=ether3 pvid=10

# Green VLAN
add bridge=BR1 interface=ether4 pvid=20


# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=1]


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/ip address add address=192.168.88.1/24 interface=BASE_VLAN

# set ether1 to be dhcp-client for WAN connection
/ip dhcp-client add comment=defconf interface=ether1

## I am skipping the below and USE DHCP Client
# DNS server, set to cache for LAN
#/ip dns set allow-remote-requests=yes servers="9.9.9.9"
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

# Yellow WAN facing port with IP Address provided by ISP
#/ip address add interface=ether1 address=192.168.1.196/24 network=192.168.1.0

# router's gateway provided by ISP
#/ip route add distance=1 gateway=192.168.1.1


#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip address add interface=GREEN_VLAN address=10.0.20.1/24
/ip pool add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=BLUE_VLAN  list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]


#######################################
# MAC Server settings
#######################################

/system clock
set time-zone-name=America/New_York
/system routerboard settings
set cpu-frequency=auto

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

I do not see any errors in the Terminal.
On the MGMT PC I run ipconfig /release in a cmd window. I do not receive a new IP and am not able to connect to the RB5009 anymore. The only way to reconnect is to use the reset button to reload the default config.

Really appreciate the help.

UPDATE: I just changed how I upload the config by typing in the console (Is this the correct way?):
/system reset-configuration no-defaults=yes
/import verbose=yes file-name=MyCustomConfig.rsc

With this I was able to stay connected with Winbox after the upload and was able to export the applied config:
# jan/06/2022 12:06:14 by RouterOS 7.1.1
# software id = C5MD-RX8K
#
# model = RB5009UG+S+

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=1
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.88.1/24 interface=BASE_VLAN network=192.168.88.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterSwitchAP
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN

When I unplugged and replugged the network cable I lost the connection and was not able to connect again; I tried DHCP and a static IP.

Toby
 
teisen
just joined
Topic Author
Posts: 11
Joined: Wed Jan 05, 2022 4:47 pm

Re: Need help with VLAN setup

Thu Jan 06, 2022 7:52 pm

I just changed how I upload the config by typing in the console (Is this the correct way?):
/system reset-configuration no-defaults=yes
/import verbose=yes file-name=MyCustomConfig.rsc
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with VLAN setup  [SOLVED]

Thu Jan 06, 2022 7:55 pm

You're missing "/interface bridge vlan" config.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with VLAN setup

Thu Jan 06, 2022 7:57 pm

Tis your lucky day, I have spent much time, in your shoes, walking the mile so to speak and thus produced this article, to help me and others when configuring the bridge.
The best way I have found is do it OFF the bridge.

viewtopic.php?t=181718
 
teisen
just joined
Topic Author
Posts: 11
Joined: Wed Jan 05, 2022 4:47 pm

Re: Need help with VLAN setup

Thu Jan 06, 2022 8:31 pm

Tis your lucky day, I have spent much time, in your shoes, walking the mile so to speak and thus produced this article, to help me and others when configuring the bridge.
The best way I have found is do it OFF the bridge.

viewtopic.php?t=181718
Thanks anav, will investigate this!
 
teisen
just joined
Topic Author
Posts: 11
Joined: Wed Jan 05, 2022 4:47 pm

Re: Need help with VLAN setup

Thu Jan 06, 2022 8:33 pm

You're missing "/interface bridge vlan" config.
Sob, that was a good find. I am not sure why, but the commands from the script were not accepted.
So this time I uploaded the script and then went to Bridge->VLANs in the UI and manually added them. When I now export the config it has the entries
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=1

Maybe it's complaining because i reused the VLAN-id 1.

Thanks!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with VLAN setup

Thu Jan 06, 2022 8:48 pm

Those commands expect some already existing entries. Maybe you trimmed some example config a bit too much?

As for VLAN 1, safe and lazy way is to avoid it. Or you can find the nice post from user "sindy", who explained the mysteries of VLAN 1. Problem is that he has just too many posts.
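Sob's two points above (the bridge VLAN table is missing entirely, and the script's `set ... [find vlan-ids=...]` lines match nothing when no rows exist yet) can be checked mechanically against an /export before vlan-filtering is switched on. The following is an added example, not code from the thread or from MikroTik: it parses a constructed, trimmed copy of the export posted earlier and lists every VLAN that lacks a bridge vlan row tagging the bridge itself, which is what a router IP on a /interface vlan over the bridge needs once filtering is on; it also flags VLAN 1 as Sob suggests.

```python
import re
# Constructed sample: a trimmed copy of teisen's export, vlan-filtering=yes but no bridge vlan rows.
EXPORT_MISSING_TABLE = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=1
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether3 pvid=10
"""
EXPORT_FIXED = EXPORT_MISSING_TABLE + ("/interface bridge vlan\nadd bridge=BR1 tagged=BR1 "
                                       "vlan-ids=10\nadd bridge=BR1 tagged=BR1 vlan-ids=1\n")  # rows added by hand

def parse_export(text):
    """Join RouterOS backslash-wrapped lines, then map '/section' -> [{key: value}] per 'add'."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.startswith("/"):
            sections.setdefault(current := line.strip(), [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def check_bridge_vlans(text):
    """List why vlan-filtering=yes would cut off access: each VLAN that a port pvid or an
    /interface vlan on the bridge relies on needs a bridge vlan row tagging the bridge itself."""
    s, problems = parse_export(text), []
    for br in s.get("/interface bridge", []):
        if br.get("vlan-filtering") != "yes":
            continue  # the bridge vlan table is not consulted until filtering is on
        name, needed = br["name"], {}
        for p in s.get("/interface bridge port", []):
            if p.get("bridge") == name:  # export omits the default pvid=1
                needed.setdefault(int(p.get("pvid", "1")), set()).add(p["interface"])
        for v in s.get("/interface vlan", []):
            if v.get("interface") == name:
                needed.setdefault(int(v["vlan-id"]), set()).add(v["name"])
        table = {int(vid): row.get("tagged", "").split(",") for row in s.get("/interface bridge vlan", [])
                 if row.get("bridge") == name for vid in row["vlan-ids"].split(",")}
        for vid, users in sorted(needed.items()):
            if vid not in table:
                problems.append(f"{name}: VLAN {vid} ({sorted(users)}) has no bridge vlan row")
            elif name not in table[vid]:
                problems.append(f"{name}: VLAN {vid} row does not tag {name}, so its IP is unreachable")
            if vid == 1:  # Sob's advice: avoid VLAN 1 as the management VLAN
                problems.append(f"{name}: VLAN 1 is used by {sorted(users)}; pick another id")
    return problems
```

Feed it the text of `/export` taken while vlan-filtering is still off; an empty list means every VLAN the bridge carries has the bridge as a tagged member.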
 
teisen
just joined
Topic Author
Posts: 11
Joined: Wed Jan 05, 2022 4:47 pm

Re: Need help with VLAN setup

Thu Jan 06, 2022 9:01 pm

Ok, would you recommend that I switch the mgmt network from 1 to 99?
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with VLAN setup

Thu Jan 06, 2022 9:22 pm

The article noted at the top DOES NOT USE VLAN1, so not sure why you decided to step into the sheite by using it. :-)

To answer your question, vlan99 as a BASE vlan is really more a business entity where an IT admin wants to control all smart managed devices separately from all other subnets.
In the homeowner scenario, one typically uses the VLAN that the admin resides ON as this is usually a TRUSTED ENOUGH VLAN, doesn't have guests or IOT devices etc.......
Furthermore you can make a source address list for only the admins devices, PC, laptop, smartphone ipad, etc, to narrow down who on the trusted VLAN can access the router.

So in short DO NOT use vlan1, and you can use another trusted vlan vice vlan99 to ACT as your BASE interface list entry!!

(If you had a router with empty ports right by your desktop PC, then it would be easy to change ethernet cords into vlan 99 port each time you wanted to configure the router, but you can see how this can get tedious.........)
Much better if you have a spare router port is to create an OFF bridge port with which you can access the router for config purposes even if the bridge config is screwed up.
viewtopic.php?t=181718
