dervu
just joined
Topic Author
Posts: 8
Joined: Fri May 31, 2019 3:35 pm

WAN VLAN tagging

Tue Jun 11, 2019 10:11 am

I need to configure my hAP ac2 router for VLAN tagging on WAN port.
Can anyone explain to me what is the simplest way to do it?
Do I need to just add VLAN interface and set it to eth1, add address for VLAN?
Do I need to make NAT rules set only to vlan1 or both eth1 and vlan1?
Do I need to change bridge that connects all LAN/WiFI with WAN from eth1 to vlan1?
Same about other firewall rules, do they need adjusting?

For now I have normal connection through second router, set to static address. Just need to be sure I have everything ok before switching to bridge mode on second router.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN VLAN tagging

Tue Jun 11, 2019 10:54 am

> Do I need to just add VLAN interface and set it to eth1, add address for VLAN?

It depends on how ISP delivers internet. If it's straight IP (with static IP address or DHCP served), then the way you wrote should work. If ISP delivers internet in some other way, you'll have to adapt (e.g. if you have to use PPPoE, then PPPoE client should run on the VLAN interface).

> Do I need to make NAT rules set only to vlan1 or both eth1 and vlan1?
> Same about other firewall rules, do they need adjusting?

If your router is running a recent default configuration, then the only change you have to do is to add the vlan interface to WAN interface list (in /interface list member). And possibly remove ether1 from the said interface list (and don't add it anywhere else). Everything you mention is by default working with mentioned interface list.

> Do I need to change bridge that connects all LAN/WiFI with WAN from eth1 to vlan1?

Changing WAN from ether1 to vlan interface doesn't change a single bit about how LAN should be treated. So don't change LAN config unless you really know it should be done (basing on questions you posted you don't know that).
 
dervu
just joined
Topic Author
Posts: 8
Joined: Fri May 31, 2019 3:35 pm

Re: WAN VLAN tagging

Tue Jun 11, 2019 1:04 pm

It works. Added VLAN interface and set it to eth1, then added vlan1 as WAN to Interface List, disabled ether1 on that list. Added address in Addresses as vlan1 and disabled ether1 there too.
 
flapviv
just joined
Posts: 7
Joined: Wed Oct 13, 2021 7:50 am

Re: WAN VLAN tagging

Sat Nov 20, 2021 1:15 am

> It works. Added VLAN interface and set it to eth1, then added vlan1 as WAN to Interface List, disabled ether1 on that list. Added address in Addresses as vlan1 and disabled ether1 there too.

Thank you for this post!
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Sun Apr 30, 2023 12:46 am

> It works. Added VLAN interface and set it to eth1, then added vlan1 as WAN to Interface List, disabled ether1 on that list. Added address in Addresses as vlan1 and disabled ether1 there too.

Hi There I'm not too familiar with this type of configuration but I'm trying to do this on my router, as the provided router from ISP is not very good. I'm not certain I'm understanding all the steps, can you let me know if this is correct and clarify on step 4 below?

1. ON INTERFACE LIST --> INTERFACE TAB --> VLAN TAB --> Add VLAN and set it to eth1 port
2. ON INTERFACE LIST --> INTERFACE TAB --> Add VLAN as vlan1
3. ON INTERFACE LIST --> INTERFACE TAB --> Disable eth1 port
4. Not clear on "Added address as vlan1 and disabled ether1 there too",
- What address needs to be added here?
- Where can the addresses be added?
- ether1 is already disabled from step 3, how to disable ether1 again?
Last edited by Lus08 on Sun Apr 30, 2023 12:47 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN VLAN tagging

Mon May 01, 2023 3:44 am

What is missing is the type of WAN connection.
Is it pppoe or is it just that the provider delivers internet over a certain vlan??
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Mon May 01, 2023 11:47 pm

> What is missing is the type of WAN connection.
> Is it pppoe or is it just that the provider delivers internet over a certain vlan??

Hi anav,
The WAN connection is on eth1 port, set on step "1".
PPPoE is also set up, and interfaces with vlan1.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN VLAN tagging

Tue May 02, 2023 1:32 am

I find it very hard to believe the pppoe from your provider comes in on vlan1.
It sounds like you have a regular pppoe connection you want to assign it a vlan?

What do you actually have, not what you think you need etc...
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Tue May 02, 2023 6:03 pm

> I find it very hard to believe the pppoe from your provider comes in on vlan1.
> It sounds like you have a regular pppoe connection you want to assign it a vlan?
>
> What do you actually have, not what you think you need etc...

Hi anav, It is possible that I am mistaken, these are the initial instructions received from the provider.

It is possible to connect your own router directly with the ONT (modem) if it supports VLAN tagging on its Internet/WAN port. Unfortunately, this significantly reduces the list of routers that support this configuration.

In order to communicate with our authentication server, the router must be connected to the ONT from its Internet/WAN port.

It must also be configured accordingly, more precisely at the Internet/WAN level:

> Tag mode: Tagged
> VLAN : 40
> Configuration method : PPPoE
> Username : user@ispdomain.net
> Password : **********
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN VLAN tagging

Wed May 03, 2023 1:40 am

Exactly, 40, NOT 1 LOL

Standard setup:
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
    name=pppoe-out1 use-peer-dns=yes user=user@ispdomain.net


WITH VLAN
/interface vlan
add name=vlanWAN interface=ether1 vlan-id=40
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=vlanWAN \
    name=pppoe-out1 use-peer-dns=yes user=user@ispdomain.net


/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: WAN VLAN tagging

Wed May 03, 2023 5:12 pm

For otherwise default setup this is wrong:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

It should be:
/interface list members
add name=WAN interface=pppoe-out1
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN VLAN tagging

Fri May 05, 2023 12:28 am

Well to be clear,
There are different possibilities.

In any case YES,
the interface list members for WANS should include pppoe-out1

As for the source nat rule it could be either the one I showed
OR the standard
add action=masquerade chain=srcnat out-interface-list=WAN
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Fri May 05, 2023 1:42 am


> WITH VLAN
> /interface vlan
> add name=vlanWAN interface=ether1 vlan-id=40
> /interface pppoe-client
> add add-default-route=yes dial-on-demand=yes disabled=no interface=vlanWAN \
>     name=pppoe-out1 use-peer-dns=yes user=user@ispdomain.net
>
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=pppoe-out1

Thank you for the help, the VLAN was actually set to 40, but it was not named as such and linked to ethernet1 (wan).
There was another config that was incorrect, but resolved now.
Thank you again for your help
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Fri May 05, 2023 1:49 am

> For otherwise default setup this is wrong:
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=pppoe-out1
>
> It should be:
> /interface list members
> add name=WAN interface=pppoe-out1

I could not get this to work, is "members" supposed to be a command name?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN VLAN tagging

Fri May 05, 2023 4:20 am

Post your config /export file=anynameyouwish ( minus router serial number, public WANIP info and any long address lists )
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Fri May 05, 2023 7:21 pm

> Post your config /export file=anynameyouwish ( minus router serial number, public WANIP info and any long address lists )

Sure, here it is:

# by RouterOS 6.49.1
#
/interface bridge
add admin-mac=########### auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mtu=1484 name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=canada disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=HOMEWIFI wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=HOMEWIFI wireless-protocol=\
    802.11
add disabled=no mac-address= master-interface=wlan2 name=\
    wlan5 ssid=HOMEWIFI_Guests
add disabled=no mac-address= master-interface=wlan1 name=\
    wlan6 ssid=HOMEWIFI_Guests
/interface vlan
add interface=ether1-wan name=vlanWAN vlan-id=40
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=vlanWAN \
    name=pppoe-out1 password=PWD##### use-peer-dns=yes user=\
    USER@ISP
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=WIFIPSK# \
    wpa2-pre-shared-key=WIFIPSK#
add name=profile supplicant-identity=MikroTik wpa-pre-shared-key=WIFIPSK# \
    wpa2-pre-shared-key=WIFIPSK#
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.40.2-192.168.41.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no name=dhcp1
/interface bridge filter
add action=drop chain=forward in-interface=wlan5
add action=drop chain=forward out-interface=wlan5
add action=drop chain=forward in-interface=wlan6
add action=drop chain=forward out-interface=wlan6
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-lan
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan5
add bridge=bridge interface=wlan6
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.40.1/23 network=192.168.40.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-wan
/ip dhcp-server network
add address=192.168.40.0/23 dns-server=192.168.88.1 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat out-interface=pppoe-out1
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN VLAN tagging

Fri May 05, 2023 9:43 pm

(1) FROM
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN


TO
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
add interface=pppoe-out1 list=WAN


(2) /ip dhcp-client
add comment=defconf disabled=no interface=ether1-wan

disable or remove!!
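
In the export posted earlier, the forward-chain drop rule and the default masquerade rule match on in-interface-list=WAN and out-interface-list=WAN, so an uplink missing from that list is not covered by either. As an added example (not part of anav's post and not MikroTik tooling), this Python script audits an export for the two problems identified above; the sample export is constructed from the one in this thread with secrets omitted, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the export posted in this thread.
EXPORT = """\
/interface vlan
add interface=ether1-wan name=vlanWAN vlan-id=40
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlanWAN \\
    name=pppoe-out1 use-peer-dns=yes user=USER@ISP
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-wan
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def audit_wan(text, wan_list="WAN"):
    """Flag uplinks that the WAN-list firewall and NAT rules would not match."""
    m = parse_export(text)
    members = {e.get("interface") for e in m.get("/interface list member", [])
               if e.get("list") == wan_list}
    pppoe = [e for e in m.get("/interface pppoe-client", []) if e.get("disabled") != "yes"]
    findings = []
    for e in pppoe:
        if e.get("name") not in members:
            findings.append(f"{e.get('name')}: PPPoE uplink is not in list {wan_list}")
    # The port under a PPPoE uplink (directly or via a VLAN) gets no IP service itself.
    vlan_parent = {e.get("name"): e.get("interface") for e in m.get("/interface vlan", [])}
    carriers = {vlan_parent.get(e.get("interface"), e.get("interface")) for e in pppoe}
    for e in m.get("/ip dhcp-client", []):
        if e.get("disabled") != "yes" and e.get("interface") in carriers:
            findings.append(f"{e.get('interface')}: DHCP client still enabled under PPPoE uplink")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_wan(EXPORT)) or "no findings")
```
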
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Sat May 06, 2023 2:57 am

> (1) FROM
> /interface list member
> add comment=defconf interface=bridge list=LAN
> add comment=defconf interface=ether1-wan list=WAN
>
> TO
> /interface list member
> add comment=defconf interface=bridge list=LAN
> add comment=defconf interface=ether1-wan list=WAN
> add interface=pppoe-out1 list=WAN
>
> (2) /ip dhcp-client
> add comment=defconf disabled=no interface=ether1-wan
>
> disable or remove!!

Trying to do this with the config file but getting an error:
"Couldn't restore configuration - file not found (6)"
 
darknight898989
just joined
Posts: 2
Joined: Sat May 06, 2023 1:13 am

Re: WAN VLAN tagging

Sat May 06, 2023 9:21 am

Hello, have the same problem here, tried to disable also the dhcp client but to no result. can someone help? Lus08 what was the other thing in your config that was wrong?
 
Lus08
just joined
Posts: 8
Joined: Sun Apr 30, 2023 12:29 am

Re: WAN VLAN tagging

Tue May 09, 2023 9:30 pm

> Hello, have the same problem here, tried to disable also the dhcp client but to no result. can someone help? Lus08 what was the other thing in your config that was wrong?

Hi there, If you follow anav's instructions (below) it should work, do not disable eth1 port though.

Standard setup:
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
    name=pppoe-out1 use-peer-dns=yes user=user@ispdomain.net


WITH VLAN
/interface vlan
add name=vlanWAN interface=ether1 vlan-id=40
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=vlanWAN \
    name=pppoe-out1 use-peer-dns=yes user=user@ispdomain.net


/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
