mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

VLAN Help

Sat Mar 22, 2025 6:54 pm

I have a RB5009UPr+S+, and 3 Omada APs (controlled by an Omada Controller running in docker that will be running in MAIN_VLAN)


I'm trying to set up the following VLANs:


VLANS
  • CAM_VLAN - no internet access, no access to other VLANs
  • IOT_VLAN - full internet, no access to other VLANs
  • MEDIA_VLAN - full internet, limited access to other VLANs (one specific IP in VLAN04 and relevant ports)
  • MAIN_VLAN - full internet, full access to other VLANs

ROUTER PORTS
  • Port 1 - WAN
  • Port 2 - MAIN_VLAN
  • Port 3 - MAIN_VLAN
  • Port 4 - AP : MAIN_VLAN/IOT_VLAN
  • Port 5 - AP : MAIN_VLAN/IOT_VLAN
  • Port 6 - AP : MAIN_VLAN/IOT_VLAN
  • Port 7 - MEDIA_VLAN
  • Port 8 - CAM_VLAN

The APs will have 2 SSIDs (one for MAIN_VLAN, one for IOT_VLAN). I'll also set up VLAN tagging.

This is what I've got so far. I haven't tested it yet, because I currently have a working, but suboptimal config, and I'm afraid of completely killing my network. I do know that I am missing things.
/interface bridge
add name=bridge1

/interface vlan
add interface=bridge1 name=cam_vlan vlan-id=10
add interface=bridge1 name=iot_vlan vlan-id=20
add interface=bridge1 name=media_vlan vlan-id=30
add interface=bridge1 name=main_vlan vlan-id=40

/ip address
add address=192.168.1.1/24 interface=cam_vlan network=192.168.1.0
add address=192.168.2.1/24 interface=iot_vlan network=192.168.2.0
add address=192.168.3.1/24 interface=media_vlan network=192.168.3.0
add address=192.168.4.1/24 interface=main_vlan network=192.168.4.0

/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.199
add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.199
add name=dhcp_pool3 ranges=192.168.3.100-192.168.3.199
add name=dhcp_pool4 ranges=192.168.4.100-192.168.4.199

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=cam_vlan name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=iot_vlan name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=media_vlan name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=main_vlan name=dhcp4

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=1.1.1.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.1 gateway=192.168.4.1

/ip dns
set allow-remote-requests=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8

/interface bridge
set bridge1 vlan-filtering=yes

/ip firewall filter
add action=drop chain=forward in-interface=cam_vlan out-interface=WAN
add action=accept chain=forward in-interface=media_vlan dst-address=192.168.04.17 dst-port=1900 protocol=udp
add action=accept chain=forward in-interface=media_vlan dst-address=192.168.04.17 dst-port=8096 protocol=tcp
add action=accept chain=forward in-interface=media_vlan dst-address=192.168.04.17 dst-port=8920 protocol=tcp

/ip dhcp-client
add disabled=no interface=ether1
Thank you in advance!
 
tdw
Forum Guru
Posts: 2118
Joined: Sat May 05, 2018 11:55 am

Re: VLAN Help

Sat Mar 22, 2025 9:21 pm

Currently you have no pvid= settings for the ports in /interface bridge port so they all will default to having untagged ingress traffic assigned to VLAN ID 1. Also no /interface bridge vlan so no egress of tagged traffic, see https://help.mikrotik.com/docs/spaces/R ... eVLANtable. You haven't indicated if the ports with more than one VLAN are trunk (all VLANs tagged), or hybrid (one VLAN untagged, remainder tagged).

Unless the Mikrotik is behind some other device, so not exposed directly to the internet, you need a good set of firewall rules.

A good reference for VLAN setup is viewtopic.php?t=143620, along with the bridge VLAN filtering examples in the documentation. An /interface bridge entry effectively creates a managed switch within the Mikrotik, along with a bridge-to-CPU port so that traffic can pass between services provided by the Mikrotik and the bridge ports - see viewtopic.php?t=173692 for more detail.
 
mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

Re: VLAN Help

Sun Mar 23, 2025 12:02 am

I've updated my script a bit. I still feel I'm missing something, especially when it comes to bridge vlan tagging, and firewall.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=no

/interface bridge port
//add bridge=BR1 interface=ether1 -- WAN port (do I even need this here?)
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
add bridge=BR1 interface=ether8

/interface bridge vlan
add bridge=BR1 tagged=ether8 vlan-ids=10
add bridge=BR1 tagged=ether4,ether5,ether6 vlan-ids=20
add bridge=BR1 tagged=ether7 vlan-ids=30
add bridge=BR1 tagged=ether2,ether3,ether4,ether5,ether6 vlan-ids=40

/interface vlan
add interface=BR1 name=CAM_VLAN vlan-id=10
add interface=BR1 name=IOT_VLAN vlan-id=20
add interface=BR1 name=MEDIA_VLAN vlan-id=30
add interface=BR1 name=MAIN_VLAN vlan-id=40

/ip address
add address=192.168.1.1/24 interface=CAM_VLAN
add address=192.168.2.1/24 interface=IOT_VLAN
add address=192.168.3.1/24 interface=MEDIA_VLAN
add address=192.168.4.1/24 interface=MAIN_VLAN

/ip pool
add name=CAM_POOL ranges=192.168.1.2-192.168.1.254
add name=IOT_POOL ranges=192.168.2.2-192.168.2.254
add name=MEDIA_POOL ranges=192.168.3.2-192.168.3.254
add name=MAIN_POOL ranges=192.168.4.2-192.168.4.254

/ip dhcp-server
add address-pool=CAM_POOL disabled=no interface=CAM_VLAN name=CAM_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=MEDIA_POOL disabled=no interface=MEDIA_VLAN name=MEDIA_DHCP
add address-pool=MAIN_POOL disabled=no interface=MAIN_VLAN name=MAIN_DHCP

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=1.1.1.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.1 gateway=192.168.4.1

/ip dns
set allow-remote-requests=yes

/interface bridge
set BR1 vlan-filtering=yes

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=CAM_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MEDIA_VLAN list=VLAN
add interface=MAIN_VLAN list=VLAN
add interface=MAIN_VLAN list=MAIN

# VLAN aware firewall. Order is important.
/ip firewall filter

add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow MAIN_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=MAIN_VLAN comment="Allow Main_Vlan Full Access"

# Disallow the CAM_VLAN from having Internet access:
add chain=forward action=drop in-interface=CAM_VLAN out-interface-list=WAN comment="Drop CAM from Internet"

# Allow the MEDIA_VLAN to access server on MAIN_VLAN:
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=1900 protocol=udp comment="Allow access to Server on MAIN_VLAN"
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=8096 protocol=tcp comment="Allow access to Server on MAIN_VLAN"
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=8920 protocol=tcp comment="Allow access to Server on MAIN_VLAN"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

# Allow MAIN_VLAN to access all VLANS
add chain=forward action=accept connection-state=new in-interface-list=MAIN out-interface-list=VLAN comment="MAIN access all VLANS"

add chain=input action=drop comment="Drop"

/ip dhcp-client
add disabled=no interface=ether1

/interface bridge set BR1 vlan-filtering=yes
 
erlinden
Forum Guru
Posts: 3024
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: VLAN Help

Sun Mar 23, 2025 12:12 am

/interface bridge port
//add bridge=BR1 interface=ether1 -- WAN port (do I even need this here?)
Nope, if you want it to work as router
/interface bridge vlan
Per vlan you should have the bridge tagged as well

Your firewall is far from complete. Start from default, then add rules as required.
/ip dhcp-client
add disabled=no interface=ether1
Either set your WAN IP manually (if fixed) otherwise enable DHCP client.
 
mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

Re: VLAN Help

Sun Mar 23, 2025 12:59 am

Per vlan you should have the bridge tagged as well
I'm a bit confused on that part as I'm not quite sure what you mean. More direction would be greatly appreciated.

Your firewall is far from complete. Start from default, then add rules as required.
I am adding the below block before the firewall rules in my previous config attempt:
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept for established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1

Either set your WAN IP manually (if fixed) otherwise enable DHCP client.
My ISP uses DHCP, so I thought I was enabling the client with that line.


I appreciate all of the help!
 
mkx
Forum Guru
Posts: 13711
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Help

Sun Mar 23, 2025 10:03 am

Per vlan you should have the bridge tagged as well
I'm a bit confused on that part as I'm not quite sure what you mean. More direction would be greatly appreciated.

In ROS bridge has multiple (more or less distinct) functions, one is CPU-facing bridge port and you have to configure it properly to allow ROS to interact with VLANs which are passing bridge switch-like function. VLAN membership of CPU-facing bridge port is done the same way as for other bridge ports.

More about different bridge functions: viewtopic.php?t=173692
 
mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

Re: VLAN Help

Sun Mar 23, 2025 7:32 pm

Okay, more updates.
/interface bridge
add name=BR1 admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no fast-forward=no priority=0x8000 vlan-filtering=no

/interface bridge port
add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged pvid=40
add bridge=BR1 interface=ether3 frame-types=admit-only-untagged-and-priority-tagged pvid=40
add bridge=BR1 interface=ether4 frame-types=admit-only-vlan-tagged 
add bridge=BR1 interface=ether5 frame-types=admit-only-vlan-tagged 
add bridge=BR1 interface=ether6 frame-types=admit-only-vlan-tagged 
add bridge=BR1 interface=ether7 frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=BR1 interface=ether8 frame-types=admit-only-untagged-and-priority-tagged pvid=10

/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1,ether8
add bridge=BR1 vlan-ids=20 tagged=BR1,ether4,ether5,ether6
add bridge=BR1 vlan-ids=30 tagged=BR1,ether7
add bridge=BR1 vlan-ids=40 tagged=BR1,ether4,ether5,ether6,ether2,ether3

/interface vlan
add interface=BR1 name=CAM_VLAN vlan-id=10
add interface=BR1 name=IOT_VLAN vlan-id=20
add interface=BR1 name=MEDIA_VLAN vlan-id=30
add interface=BR1 name=MAIN_VLAN vlan-id=40
once again, ether1 is the WAN port.
all other ports go to unmanaged switches, except 4,5,6 which go to Omada APs. I will have the APs tag based on SSID.

Once again, I really appreciate the help. I feel like I'm getting closer to understanding, but maybe not...
 
tdw
Forum Guru
Posts: 2118
Joined: Sat May 05, 2018 11:55 am

Re: VLAN Help

Sun Mar 23, 2025 10:41 pm

Almost. The /interface bridge vlan entries should not include tagged= membership for the untagged VLAN on the ports:
/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1,ether8
add bridge=BR1 vlan-ids=20 tagged=BR1,ether4,ether5,ether6
add bridge=BR1 vlan-ids=30 tagged=BR1,ether7
add bridge=BR1 vlan-ids=40 tagged=BR1,ether4,ether5,ether6,ether2,ether3


You can include untagged= membership, however if not explicitly present it will be added dynamically using the pvid= specified in the /interface bridge port entries. Some people prefer setting both, it will cause connectivity issues if you then forget to change both when moving a port to have a different untagged VLAN.
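A small checker, added here and not part of the thread or of RouterOS, that reads the bridge port and VLAN lines posted above and flags the three things tdw's two replies point out: a port without pvid= (untagged ingress defaults to VLAN 1), a missing bridge VLAN table or a table where the bridge's own CPU-facing membership is absent, and an access port listed as tagged on the VLAN that is already its pvid. The parser is a minimal one for unquoted key=value lines and is this example's own assumption.

```python
import re

# Bridge port section and VLAN table from the "more updates" config posted
# above, embedded verbatim so the check runs offline.
PORTS = """/interface bridge port
add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged pvid=40
add bridge=BR1 interface=ether3 frame-types=admit-only-untagged-and-priority-tagged pvid=40
add bridge=BR1 interface=ether4 frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether5 frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether6 frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether7 frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=BR1 interface=ether8 frame-types=admit-only-untagged-and-priority-tagged pvid=10
"""
VLANS_ALMOST = """/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1,ether8
add bridge=BR1 vlan-ids=20 tagged=BR1,ether4,ether5,ether6
add bridge=BR1 vlan-ids=30 tagged=BR1,ether7
add bridge=BR1 vlan-ids=40 tagged=BR1,ether4,ether5,ether6,ether2,ether3
"""
# The same table with the access ports removed from tagged=, as tdw suggests.
VLANS_FIXED = """/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1
add bridge=BR1 vlan-ids=20 tagged=BR1,ether4,ether5,ether6
add bridge=BR1 vlan-ids=30 tagged=BR1
add bridge=BR1 vlan-ids=40 tagged=BR1,ether4,ether5,ether6
"""

def parse(text):
    """Minimal parser for unquoted key=value 'add' lines of the two sections."""
    bridge, ports, vlans, section = None, {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(("#", "//")):
            continue
        if line.startswith("/"):
            section = line
            continue
        kv = dict(re.findall(r"(\S+?)=(\S+)", line))
        bridge = kv.get("bridge", bridge)
        if section == "/interface bridge port":
            ports[kv["interface"]] = kv
        elif section == "/interface bridge vlan":
            tagged = set(kv.get("tagged", "").split(",")) - {""}
            for vid in kv["vlan-ids"].split(","):
                vlans.setdefault(int(vid), set()).update(tagged)
    return bridge, ports, vlans

def lint(text):
    """Return the problems the replies above describe, as strings."""
    bridge, ports, vlans = parse(text)
    findings = []
    for port, kv in sorted(ports.items()):
        # No pvid= means untagged ingress goes to VLAN 1, unless untagged frames are refused outright.
        if "pvid" not in kv and kv.get("frame-types") != "admit-only-vlan-tagged":
            findings.append(f"{port}: no pvid, untagged ingress lands in VLAN 1")
    if not vlans:
        findings.append("no /interface bridge vlan entries: nothing egresses tagged")
    for vid, tagged in sorted(vlans.items()):
        if bridge not in tagged:  # the CPU-facing port must be a member too
            findings.append(f"vlan {vid}: bridge {bridge} missing from tagged=")
        for port in sorted(tagged & ports.keys()):
            if ports[port].get("pvid") == str(vid):
                findings.append(f"vlan {vid}: {port} is tagged on its own pvid VLAN")
    return findings
```

`lint(PORTS + VLANS_ALMOST)` reports ether8, ether7, ether2 and ether3 as tagged on their own pvid VLAN; `lint(PORTS + VLANS_FIXED)` returns an empty list.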
 
mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

Re: VLAN Help

Sun Mar 23, 2025 10:51 pm

Awesome!

Okay, just as a sanity check, here's my final (lol) config, with the suggested changes.
/interface bridge
add name=BR1 admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no fast-forward=no priority=0x8000 vlan-filtering=no

/interface bridge port
add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged pvid=40
add bridge=BR1 interface=ether3 frame-types=admit-only-untagged-and-priority-tagged pvid=40
add bridge=BR1 interface=ether4 frame-types=admit-only-vlan-tagged 
add bridge=BR1 interface=ether5 frame-types=admit-only-vlan-tagged 
add bridge=BR1 interface=ether6 frame-types=admit-only-vlan-tagged 
add bridge=BR1 interface=ether7 frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=BR1 interface=ether8 frame-types=admit-only-untagged-and-priority-tagged pvid=10

/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1
add bridge=BR1 vlan-ids=20 tagged=BR1,ether4,ether5,ether6
add bridge=BR1 vlan-ids=30 tagged=BR1
add bridge=BR1 vlan-ids=40 tagged=BR1,ether4,ether5,ether6

/interface vlan
add interface=BR1 name=CAM_VLAN vlan-id=10
add interface=BR1 name=IOT_VLAN vlan-id=20
add interface=BR1 name=MEDIA_VLAN vlan-id=30
add interface=BR1 name=MAIN_VLAN vlan-id=40

/ip address
add address=192.168.1.1/24 interface=CAM_VLAN
add address=192.168.2.1/24 interface=IOT_VLAN
add address=192.168.3.1/24 interface=MEDIA_VLAN
add address=192.168.4.1/24 interface=MAIN_VLAN

/ip pool
add name=CAM_POOL ranges=192.168.1.2-192.168.1.254
add name=IOT_POOL ranges=192.168.2.2-192.168.2.254
add name=MEDIA_POOL ranges=192.168.3.2-192.168.3.254
add name=MAIN_POOL ranges=192.168.4.2-192.168.4.254

/ip dhcp-server
add address-pool=CAM_POOL disabled=no interface=CAM_VLAN name=CAM_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=MEDIA_POOL disabled=no interface=MEDIA_VLAN name=MEDIA_DHCP
add address-pool=MAIN_POOL disabled=no interface=MAIN_VLAN name=MAIN_DHCP

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=1.1.1.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.1 gateway=192.168.4.1

/ip dns
set allow-remote-requests=yes

/interface bridge
set BR1 vlan-filtering=yes frame-types=admit-only-vlan-tagged

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=CAM_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MEDIA_VLAN list=VLAN
add interface=MAIN_VLAN list=VLAN
add interface=MAIN_VLAN list=MAIN

# VLAN aware firewall. Order is important.
/ip firewall filter

add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept for established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1

# Allow MAIN_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=MAIN_VLAN comment="Allow Main_Vlan Full Access"

# Disallow the CAM_VLAN from having Internet access:
add chain=forward action=drop in-interface=CAM_VLAN out-interface-list=WAN comment="Drop CAM from Internet"

# Allow the MEDIA_VLAN to access server on MAIN_VLAN:
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=1900 protocol=udp comment="Allow access to Server on MAIN_VLAN"
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=8096 protocol=tcp comment="Allow access to Server on MAIN_VLAN"
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=8920 protocol=tcp comment="Allow access to Server on MAIN_VLAN"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

# Allow MAIN_VLAN to access all VLANS
add chain=forward action=accept connection-state=new in-interface-list=MAIN out-interface-list=VLAN comment="MAIN access all VLANS"

add chain=input action=drop comment="Drop"

/ipv6 settings
set disable-ipv6=yes

/ipv6 firewall raw
add chain=prerouting action=drop
add chain=output action=drop

/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
add chain=output action=drop

/ip dhcp-client
add disabled=no interface=ether1

/interface bridge set BR1 vlan-filtering=yes
Am I missing anything? Would you suggest anything?
 
erlinden
Forum Guru
Posts: 3024
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: VLAN Help

Mon Mar 24, 2025 9:36 am

My suggestions:

Don't open ports to the router, except VPN (Wireguard?).
End both input and forward chain with "block everything else". Then you only have to think about what you want to allow. Only disadvantage is that you could block yourself from the router. A way to avoid that is by leaving one "management" port out of the bridge.
By using public DNS you miss out on the advantages of running an internal DNS server.
 
mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

Re: VLAN Help

Mon Mar 24, 2025 4:36 pm

Don't open ports to the router, except VPN (Wireguard?).

Wouldn't this block all the ports?

add action=drop chain=input comment="block everything else" in-interface=ether1

Though that did make me look again, and I'm going to take out these rules

add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 protocol=tcp

End both input and forward chain with "block everything else". Then you only have to think about what you want to allow. Only disadvantage is that you could block yourself from the router.

So basically, adding these two lines at the end of the firewall section?

add chain=input action=drop comment="Drop"
add chain=forward action=drop comment="Drop"

I'm not worried about access to the router outside my network. I'm too paranoid to leave that open (for now).

By using public DNS you miss out on the advantages of running an internal DNS server.

I put the external DNS on all VLANs for now, but I actually have internal DNS IPs that I will use on MAIN_VLAN and MEDIA_VLAN.
 
mkx
Forum Guru
Posts: 13711
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Help

Mon Mar 24, 2025 6:04 pm

Though that did make me look again, and I'm going to take out these rules

Blocking the whole of ICMP can cause trouble (like breaking PMTUD) ... ICMP is much more than "echo request" and "echo reply". And blocking "echo request" is "security through obscurity", it doesn't really add to security.
So basically an explicit "allow protocol=icmp" before the ultimate "drop all" would be in order.
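To make erlinden's closing-drop advice and mkx's ICMP point concrete, here is an added example (not from the thread and not RouterOS code) that parses the input and forward rules of the final config posted above and evaluates a few constructed packets against them with first-match semantics. It shows that without a final forward-chain drop a new IOT_VLAN to MAIN_VLAN connection falls through and is accepted, and that the explicit ICMP accept is what keeps ICMP to the router working from the WAN side. The interface lists mirror the config above; the sample packets are constructed.

```python
import re

# Input and forward rules from the final config posted above, embedded verbatim.
RULES = """
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept for established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add chain=input action=accept in-interface=MAIN_VLAN comment="Allow Main_Vlan Full Access"
add chain=forward action=drop in-interface=CAM_VLAN out-interface-list=WAN comment="Drop CAM from Internet"
add chain=forward action=accept in-interface=MEDIA_VLAN dst-address=192.168.04.17 dst-port=8096 protocol=tcp comment="Allow access to Server on MAIN_VLAN"
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface-list=MAIN out-interface-list=VLAN comment="MAIN access all VLANS"
add chain=input action=drop comment="Drop"
"""
# The final forward-chain drop erlinden recommends, and the /interface list membership.
FORWARD_DROP = 'add chain=forward action=drop comment="Drop"\n'
LISTS = {"WAN": {"ether1"}, "MAIN": {"MAIN_VLAN"},
         "VLAN": {"CAM_VLAN", "IOT_VLAN", "MEDIA_VLAN", "MAIN_VLAN"}}

def ip(s):  # normalise octets so 192.168.04.17 and 192.168.4.17 compare equal
    return ".".join(str(int(o)) for o in s.split("."))

MATCH = {  # one matcher per supported rule property; a packet is a plain dict
    "in-interface": lambda p, v: p.get("in") == v,
    "out-interface": lambda p, v: p.get("out") == v,
    "in-interface-list": lambda p, v: p.get("in") in LISTS[v],
    "out-interface-list": lambda p, v: p.get("out") in LISTS[v],
    "protocol": lambda p, v: p.get("proto") == v,
    "dst-address": lambda p, v: ip(p.get("dst", "0.0.0.0")) == ip(v),
    "dst-port": lambda p, v: p.get("dport") == int(v),
    "port": lambda p, v: int(v) in (p.get("dport"), p.get("sport")),
    "connection-state": lambda p, v: p.get("state") in v.split(","),
    "connection-nat-state": lambda p, v: (p.get("nat") != v[1:]) if v[0] == "!" else p.get("nat") == v,
}

def parse(text):
    """Turn 'add k=v ...' lines into dicts; quoted comments keep their spaces."""
    return [{k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', ln)}
            for ln in text.splitlines() if ln.startswith("add ")]

def verdict(rules, chain, pkt):
    """First terminal match wins. fasttrack-connection is not terminal, and a
    packet no rule matches is accepted: the default for a RouterOS filter chain."""
    for r in rules:
        if r["chain"] == chain and all(f(pkt, r[k]) for k, f in MATCH.items() if k in r):
            if r["action"] in ("accept", "drop", "reject"):
                return r["action"]
    return "accept"

def scenarios(rules):
    """Verdicts for the flows the thread argues about (constructed sample packets)."""
    cases = {
        "iot->main ssh": ("forward", {"in": "IOT_VLAN", "out": "MAIN_VLAN", "proto": "tcp", "dst": "192.168.4.17", "dport": 22, "state": "new"}),
        "media->server 8096": ("forward", {"in": "MEDIA_VLAN", "out": "MAIN_VLAN", "proto": "tcp", "dst": "192.168.4.17", "dport": 8096, "state": "new"}),
        "cam->internet": ("forward", {"in": "CAM_VLAN", "out": "ether1", "proto": "udp", "dst": "1.1.1.1", "dport": 53, "state": "new"}),
        "wan ping router": ("input", {"in": "ether1", "proto": "icmp", "dst": "203.0.113.1", "state": "new"}),
    }
    return {name: verdict(rules, chain, pkt) for name, (chain, pkt) in cases.items()}
```

`scenarios(parse(RULES))` accepts the IOT_VLAN to MAIN_VLAN connection because nothing in the forward chain matches it; `scenarios(parse(RULES + FORWARD_DROP))` drops it while the MEDIA_VLAN rule, the CAM drop and the WAN ICMP accept keep their verdicts.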
 
mlabs
just joined
Topic Author
Posts: 7
Joined: Fri Mar 21, 2025 10:56 pm

Re: VLAN Help

Mon Mar 24, 2025 6:17 pm

Got it. So I'll leave the ICMP line in, remove the others.

I guess I'll factory reset my router and try the new config after work today. Wish me luck!