dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Help with home setup RB4011iGS+RM vlans

Mon Dec 06, 2021 8:16 pm

So I've just gotten the MikroTik RB4011iGS+RM, and I'm planning on setting up our home network into VLANs, so that my work computer, my wife's work computer, and our personal devices are on one VLAN, our kids' devices are on another VLAN, and our smart home stuff is on a third VLAN. I also want our network printer and NAS to be accessible from all VLANs (not sure if they need their own VLAN).
I have a Netgear GS108T (managed) switch, a GS308E (v1), two TP-Link TL-SG105, a Nighthawk X4S, a Linksys EA4500, and two old WRT54GS routers.
I plan on using the GS108T to support a physical location that will have the NAS, printer, and at least one device from each VLAN. The other dumb switches can be used anywhere I need more wired ports, and I can use the other routers as simple access points. The RB4011iGS+RM will do all of the routing, subnetting, NAT, and DHCP. It'll be the only thing connected to my ISP's modem, via Cat6.
Can someone essentially "hold my hand" through configuring the RB4011iGS+RM? I know it's much simpler than most configurations, and I've tried to do my own self-teaching. The RB4011iGS+RM and GS108T are Christmas presents, so the setup won't occur for a few weeks, which is why I'm getting ready now.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 08, 2021 2:43 pm

First thing is to read this article.....
viewtopic.php?t=143620
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 08, 2021 6:35 pm

I saw that after posting my question, and I've been reading and re-reading it. It answered so many questions I had, as well as clarified things I've read elsewhere. I think I follow it, but have a few questions, if you don't mind.
1. I think that pcunite's first post outlines the basics, and the subsequent ones outline different parts of a VLAN-ned network or different ways of configuring it. ...right?
2. I'm unclear on "trunk ports". Is it just an access port that is setup to recognize and use different VLANs, all on the same physical port?
- if #2 is "yes", then is there a problem with a cat5e trunk port carrying traffic for 3 different VLANs? Will it bottleneck bandwidth?

Ultimately, it's a home network that I'm setting up, so the only thing that's doing a lot of internal traffic is my NAS/Plex server (I have a QNAP NAS running my Plex server and library).
I was planning on using the Mikrotik as my main router (connected to ISP modem for WAN), DHCP server, NAT, etc... I was going to run 4 cat5e cables across the room using ports 2, 3, 4, and 5 (for VLANs 20, 30, 40, and 50; respectively). On those 3 runs, #2 (20) will go to a dumb switch which will link the NAS/Plex & printer. #3 (30), #4 (40), and #5 (50) will go to the GS108T ports 1, 2, and 3 which is VLAN-aware, so I can setup the remaining ports as access ports to VLANs 30, 40 or 50.

I was going to run another 2 Cat5e cables to a different room to put those devices on VLAN 20 and one device (my desktop) as the admin PC. I figured I could use any of the other routers (Nighthawk, Linksys) as simple access points at the end of any of these runs. That way, each access point would have its own SSID to let devices connect to that specific VLAN.

Does #2 above mean that I'd only need 1 Cat5e cable for the one segment as a "trunk", and 1 other as another "trunk"? I also get lost with the use of the term "bridge" as I don't seem to understand its distinction from an access point, router, or switch. I understood a bridge to be a reverse access point or router, but I'm not really clear. @pcunite's section on "Public VLAN, Printer & Server" seems to be what I need for providing access to the printer & NAS (inter-VLAN routing), but I don't understand "all trunk ports are on one bridge". Does that just mean that because the router is configured for all of its ports to be trunks (#2 above is a YES) it can have a rule to allow inter-VLAN traffic ONLY to the printer and/or NAS?

@pcunite's section "Access Point" confuses me, because I assumed that whatever cat5e came into the access point must ONLY carry one VLAN's traffic - therefore all of its LAN ports must be the same VLAN (I'm assuming all of my consumer routers that I'll be using as access points are NOT VLAN-aware). I also assumed that it could only broadcast an SSID for a singular VLAN, for wireless connection. Which is why I'm planning on having 4 separate runs across the room to support wired connections to different VLANs and/or APs that are broadcasting their own SSID for that VLAN.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 08, 2021 8:37 pm

In general, vlans are a good idea when you want to carry multiple subnets on a single port.
This often happens because we run out of ports quickly.
If you had 4 subnets only and a five port router (one for WAN) and you only needed four ports and each port was different, clearly no need for vlans.

However you want to pass a number of subnets on one port to a smart switch and thus ONE bridge with multiple vlans is a plausible idea.
Correct on Trunk Ports, which carry many vlans, and Access Ports, which carry one vlan and basically untag the frames on the way to the dumb device and tag the frames coming from the dumb device.

There are instances of hybrid ports where you can send one vlan as untagged and any number of tagged vlans, but that is rare and dependent upon what device you are talking to.
I mostly use smart APs, so that I can assign multiple vlans and thus multiple SSIDs from one access point.

Don't be too confused about the bridge; when using it with many vlans just think of it as a container for the vlans (clearly it does a lot, but it's all behind the scenes), a place/medium to describe the vlan behaviour.

In short.
- identify all the vlans ( create them with interface being the bridge)
- assign vlan parameters ( IP address, IP pool, dhcp server, dhcp server network)
- assign bridge ports settings (ingress filtering on all, trunk/wlan ports (only vlan tagged frames), access ports get PVID= and only untagged priority frames)
- assign bridge vlan settings { the only tricky part, give it a try and then post your export config}
- add each vlan to LAN interface member
- enable bridge vlan filtering checkbox

All this time simply leave firewall rules to default, they can be dealt with later..
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Fri Dec 10, 2021 8:19 pm

I also know nothing about subnetting, and while I thought that with subnetting I could do this with the number of ports I have, I couldn't be certain to allow the inter-subnet (is that a term?) routing for the printer and NAS. That's a must for me; that any device on two of the networks be able to communicate with the NAS and printer, but not be able to see each other.
This picture is my first attempt at mapping out my plans, with the devices I have. I've already started second guessing it, as I think I'm not taking advantage of the "trunks" like I could. I also realized that I want a separate network/subnet/VLAN for my smart home stuff (google, nest, alexa, etc...). I'd rather keep that stuff off the other networks, and it does NOT need access to the NAS or printer.
If I'm understanding correctly, I don't need the separate Admin/Mgmt network, and can put the smart home stuff on that additional network.
[Attachment: network plan diagram, not available]
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help with home setup RB4011iGS+RM vlans

Fri Dec 10, 2021 8:55 pm

Step-by-Step Guide



Step 0: Secure your Router
-> Password for "admin"
-> Firewall
-> limit services
-> etc...


Step 1: Create Bridge
/interface bridge
add name=bridge1 vlan-filtering=yes
Step 2: Create VLAN-Interfaces
/interface vlan
add comment="Shared Resources" interface=bridge1 name=vlan10 vlan-id=10
add comment=Personal interface=bridge1 name=vlan20 vlan-id=20
add comment="Kids & Family" interface=bridge1 name=vlan30 vlan-id=30
add comment=Guest interface=bridge1 name=vlan40 vlan-id=40
add comment="Admin & Mgmt" interface=bridge1 name=vlan50 vlan-id=50

Step 3: Assign IP-Addresses
/ip address
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30 network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40 network=10.0.40.0
add address=10.0.50.1/24 interface=vlan50 network=10.0.50.0
Step 4: Create DHCP-Servers
/ip pool
add name=dhcp_pool2 ranges=10.0.10.100-10.0.10.199
add name=dhcp_pool3 ranges=10.0.20.100-10.0.20.199
add name=dhcp_pool4 ranges=10.0.30.100-10.0.30.199
add name=dhcp_pool5 ranges=10.0.40.100-10.0.40.199
add name=dhcp_pool6 ranges=10.0.50.100-10.0.50.199
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan10 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=vlan20 name=dhcp2
add address-pool=dhcp_pool4 disabled=no interface=vlan30 name=dhcp3
add address-pool=dhcp_pool5 disabled=no interface=vlan40 name=dhcp4
add address-pool=dhcp_pool6 disabled=no interface=vlan50 name=dhcp5
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1

Step 5: Allow DNS-Request
/ip dns
set allow-remote-requests=yes
Step 6: Interface-List WAN
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
Step 7: NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Step 8: Assign Interfaces to bridge
---- Warning ----
Because of the Switch-CHIP
I decided to divert from your Drawing....
Ether5 (in your drawing) is now Ether6, an Access-Port for "Mgmt"
Ether2 (in your Drawing) is now Ether7 (vlan 10, 30 and 40)
ether 8 is a Hybrid-Port (all VLAN) for your Switches
ether 9 is a hybrid-Port (vlan 20, 30 and 40)
Ether10 is an Access-Port for "personal"
---- Warning ----
/interface bridge port
# access ports admit only untagged frames and tag them with the PVID; trunk ports admit only tagged frames.
# ingress-filtering drops a frame that claims a VLAN the port is not a member of (see Step 9),
# so a device on an access port cannot inject tagged frames into another VLAN.
add bridge=bridge1 comment="Access-Port Admin & Mgmt" interface=ether6 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 comment="Access-Port Personal" interface=ether10 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 comment="Hybrid-Port" interface=ether7 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 comment="Hybrid-Port" interface=ether8 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 comment="Hybrid-Port" interface=ether9 frame-types=admit-only-vlan-tagged ingress-filtering=yes

Step 9: Create VLAN-Filtering List
/interface bridge vlan
# bridge1 itself must be a tagged member of every VLAN, otherwise the vlan10..vlan50
# interfaces created on it in Step 2 never receive the tagged frames (router unreachable on those subnets)
add bridge=bridge1 tagged=bridge1,ether7,ether8 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether8,ether9 untagged=ether10 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether8 untagged=ether6 vlan-ids=50

Step 10 : TEST

You can Now TEST the Switch
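Worked example, added by the editor and not code from ConnyMercier's post or from RouterOS: a small Python model of what the bridge port settings (PVID, admitted frame types, ingress filtering) and the /interface bridge vlan table above do to a frame. Port names and VLAN IDs are the ones from Step 8 and Step 9, with the bridge itself ("bridge1") taken as a tagged member of every VLAN so the router's own vlanNN interfaces see traffic; the frames are constructed. It shows where a frame is classified, where ingress filtering drops it, and on which ports it leaves tagged or untagged, plus the raw 802.1Q tag bytes a trunk inserts.

```python
"""Model of a VLAN-filtering bridge (the RouterOS /interface bridge vlan table).

Added example, not code from the thread. Port names and VLAN IDs follow the
step-by-step post; "bridge1" stands for the bridge/CPU port. Frames are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

TPID_8021Q = 0x8100


def dot1q_tag(vid: int, pcp: int = 0) -> bytes:
    """The 4-byte 802.1Q tag a trunk port inserts after the source MAC."""
    if not 0 < vid < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")


@dataclass(frozen=True)
class Port:
    pvid: int = 1                # VLAN given to untagged ingress frames
    admit_tagged: bool = True    # False = frame-types=admit-only-untagged-and-priority-tagged
    admit_untagged: bool = True  # False = frame-types=admit-only-vlan-tagged


@dataclass(frozen=True)
class Frame:
    ingress: str
    vid: Optional[int]           # None = arrived untagged on the wire


class VlanBridge:
    def __init__(self, ports: Dict[str, Port],
                 vlans: Dict[int, Dict[str, FrozenSet[str]]]):
        self.ports = ports
        self.vlans = vlans       # vid -> {"tagged": {...}, "untagged": {...}}

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: pick the VLAN for the frame, or None if it is dropped."""
        port = self.ports[frame.ingress]
        if frame.vid is None:
            if not port.admit_untagged:
                return None
            vid = port.pvid
        else:
            if not port.admit_tagged:
                return None
            vid = frame.vid
        entry = self.vlans.get(vid)
        # ingress-filtering=yes: the port must be a member of the VLAN it claims
        if entry is None or frame.ingress not in (entry["tagged"] | entry["untagged"]):
            return None
        return vid

    def flood(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Egress for a broadcast frame: port -> tag on the wire (None = untagged)."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        entry = self.vlans[vid]
        out: Dict[str, Optional[int]] = {}
        for p in entry["tagged"] - {frame.ingress}:
            out[p] = vid
        for p in entry["untagged"] - {frame.ingress}:
            out[p] = None
        return out


def example_bridge() -> VlanBridge:
    """Ports and VLAN table of the step-by-step post, with bridge1 tagged everywhere."""
    trunk = Port(admit_untagged=False)
    ports = {
        "bridge1": trunk, "ether7": trunk, "ether8": trunk, "ether9": trunk,
        "ether6": Port(pvid=50, admit_tagged=False),   # access: Admin & Mgmt
        "ether10": Port(pvid=20, admit_tagged=False),  # access: Personal
    }
    fs = frozenset
    vlans = {
        10: {"tagged": fs({"bridge1", "ether7", "ether8"}), "untagged": fs()},
        20: {"tagged": fs({"bridge1", "ether8", "ether9"}), "untagged": fs({"ether10"})},
        30: {"tagged": fs({"bridge1", "ether7", "ether8", "ether9"}), "untagged": fs()},
        40: {"tagged": fs({"bridge1", "ether7", "ether8", "ether9"}), "untagged": fs()},
        50: {"tagged": fs({"bridge1", "ether8"}), "untagged": fs({"ether6"})},
    }
    return VlanBridge(ports, vlans)


if __name__ == "__main__":
    b = example_bridge()
    print(b.flood(Frame("ether10", None)))  # untagged PC frame leaves tagged 20 on the trunks
    print(b.flood(Frame("ether10", 30)))    # PC on an access port tries VLAN 30: dropped
    print(dot1q_tag(20).hex())              # tag bytes for VLAN 20
```

The second print is the case that matters for isolation: without the frame-types and ingress-filtering settings on the access ports, a device on the kids' or personal VLAN could send its own tagged frames and land in another VLAN.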
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Fri Dec 10, 2021 9:00 pm

Before I would advise on any setup, I would decide on either
a. having a dedicated admin/management vlan OR
b. simply using a trusted network like homenetwork or personal for example.
Typically it could be the one the ADMIN is on most of the time.

Note that all smart devices (and by that I mean those that can read vlans like smart switches and APs that can use vlans) should get an IP address from this vlan!

As for the noise in the above post, there is no need for any hybrid ports on the RB4011.

As for the admin/management port (not used), what are your intentions for that?
If not required, I suggest using that for access to the router independent of the bridge for the case (everyone has done it more than once) where you screwed something up on the config, aka the bridge setup, and have trouble accessing the router. If this is something that you wish to explore let me know.
Last edited by anav on Sat Feb 05, 2022 7:59 pm, edited 1 time in total.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help with home setup RB4011iGS+RM vlans

Fri Dec 10, 2021 9:08 pm

Sorry Anav...
I somehow skipped your #4 post while scrolling...


Didn`t want to make things more complicated ! =)
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Sat Dec 11, 2021 7:04 pm

Hi @anav,
The idea of the admin/management port was to do (a), as you said. A dedicated port for admin of the router. Everything on personal, as I've laid it out, would be trusted, but if I'm understanding you, I could have one port that will always work to admin the router (in case I screw something up). That sounds like a good plan, and since I'll have more ports than I need (I didn't realize about the trunk port capability), I'll have a port to spare for that. Essentially, it'll only get used (with a laptop) if something goes wrong.
Also, you said "all smart devices should get an IP address from this vlan". So does that mean I should proceed in putting them on the "personal" network? This VLAN would be my work computer, my desktop, my wife's work computer, and our cell phones. All of our kids' devices would be separate (my oldest daughter has a habit of clicking links in emails...). Frankly, I want to protect my smart devices and work computer from the kids, but I'm unsure if I should keep the smart stuff separate from my work stuff too. I don't want to have to switch SSIDs to manage my Google Home devices.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Sat Dec 11, 2021 7:09 pm

Smart plan Dave,
Make as many vlans as you think are necessary to separate users from each other.
The nice thing is that you can still have shared devices, lets say a printer on one vlans but you need it accessible from other vlans.
Concur, use personal vlan as the management vlan.
That means all trunks to smart devices will also carry the personal vlan.

For the spare port where you want emergency type access in case something funky goes on in the bridge.......

Take a spare port, let's say ether6.
Rename it to ether6-emerg
Remove ether6-emerg from the bridge
Give ether6-emerg an IP address of, let's say, 192.168.5.2 with network 192.168.5.0
The intent is to connect to ether6-emerg with your laptop and simply set an ipv4 address on the laptop of 192.168.5.5, gateway 192.168.5.1 and netmask 255.255.255.0

A few more steps.
still need an interface list called control
add list members
add interface=vlan(personal) list=control
add interface=ether6-emerg list=control

Then ensure this rule.......
/tool mac-server mac-winbox
set allowed-interface-list=control

Depending upon your INPUT CHAIN Rules.......
You should add an allow rule after the default rules.
add chain=input action=accept in-interface-list=control
+
Rule to allow LAN users access to port 53 (DNS) TCP
Rule to allow LAN users access to port 53 (DNS) UDP
+
LAST RULE (block all other wan to router and lan to router traffic)
add chain=input action=drop
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Tue Dec 14, 2021 11:56 pm

Thank you! I don't suppose you'd mind explaining what each line is doing? Totally fine if it's too big of an ask. I know you've helped me so much already, and this info is amazing. If nothing else; do I need mac-winbox? I will be accessing from a browser, and have a non-Windows household. I'm solely Linux, with a spattering of Mac (my kids).
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 15, 2021 1:47 am

Hi Dave, you got me there, linux is a peanuts character is all I know. ;-)
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 15, 2021 1:51 am

Learning is a good thing, How bout starting with the default firewall rules as a starting place
and some minor alterations.........

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# disable the loopback/CAPsMAN rule below if not required
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic outbound" in-interface-list=LAN out-interface-list=WAN
# disable the port-forwarding rule below if not required
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 15, 2021 1:52 am

Copy those rules to a post below and put a line separator and then attempt to explain what each line is doing.
If you dont know leave it blank...... We can go from there...........
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Wed Dec 15, 2021 4:15 am

That sounds fantastic! Thank you. I'll do my own research, and give my best attempt at explaining. Thank you, so much! I love to learn. I'll work on this tomorrow.
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Sun Jan 02, 2022 5:54 pm

Sorry for the delay...

ip firewall filter
// Begin seeing firewall rules

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
// Rule to allow through the firewall, incoming traffic, from established connections (known MACs)

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
// Rule to disallow traffic from invalid connections (don't really understand what's invalid)

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
// Rule to allow traffic using the ICMP protocol (I understand this to be communications between networking devices, so they can "talk")

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {disable if not required}
// Rule to allow loopback traffic. Not sure if this is needed. I know it allows localhost on host devices, but not sure why a router would need it.

add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
// Rule to allow local traffic (if it's locally connected, it's presumed safe)
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Sun Jan 02, 2022 6:00 pm

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
// Not sure... Allow quicker pass through firewall, if it's known?

add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
// Seems the same as previous...

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
Same?

add action=accept chain=forward comment="Allow internet traffic outbound" in-interface-list=LAN out-interface-list=WAN
Rule to allow outbound traffic to the internet from internal devices

add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
// (disable if not required)
add action=drop chain=forward
// Rule to allow port forwarding, if necessary. I think my NAS does this, but from what I've read, it is unnecessary.

I know that i need to secure everything, so firewall is important. My big question though is how to properly use webfig to setup my VLANs, to restrict some, but allow others internally. Otherwise, i think default firewall and NAT settings are fine for me. But, i also know that I'm learning, and can't fast forward
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Sun Jan 02, 2022 6:28 pm

First thing to note is that I have included updated instructions for the use of one port [ether5?] (for emergency access to the router) that is OFF the bridge and thus if you screw up the bridge at all during a configuration, you can easily access the router via the dedicated emergency port or rather just configure from the dedicated port as you see fit. The ones I gave you earlier were not quite right.
viewtopic.php?t=181718

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember the input chain is TO the router. So for example ICMP is to allow the router itself to be pinged by ICMP protocol, which turns out to be quite a useful testing tool for the admin in a variety of scenarios.

The capsman rule here is if you intend to run capsman functionality to control all your MT access points. It's another layer of complexity that should be avoided by the new user until they understand how to control wifi without it (plus it's really only of value if you have more than 3 access points). Remove or disable it.

Correct, the LAN users need access to the router for router services; commonly this IS ONLY the dns service but sometimes NTP and sometimes Upnp etc.........
With this in mind let's go to a change to make in the router firewall rules.

We are going to change the one allow LAN list rule to:
a. only allow the interface the admin uses most of the time FULL access tot he router (for config purposes).
b. everyone else only needs DNS services

add action=accept chain=input in-interface=vlan20 (or whatever name the personal one is)
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp

If your personal vlan was not the one you use all the time and it was the family one, then you
would use the family vlan but also src-address-list=authorized to narrow down to only devices you use (desktop,laptop,smartphone,ipad etc.....)

+++++++++++++++++++++++++++++++
Forward chain
yes fasttrack allows the router to take shortcuts when moving traffic around so it speeds things up.
If you use functionality of MANGLING, one usually disables fasttrack, and there are a few other instances where that may occur.

Yup, invalid traffic, traffic that is deemed not correct assuming in format, is dropped....

Yup port forwarding to a server, normally used if you have external access to a device such as an FTP server or NAS etc...

So we come to the next gate. You are well setup for traffic on the forward chain but because of the drop all rule you stop all traffic between vlans.

SO now you want all to access shared resources.
add action=accept chain=forward in-interface-list=LAN out-interface=vlan10 (or whatever the name is).

Now, let's say you didn't have a dedicated subnet for shared resources and you had them on your personal vlan.
add action=accept chain=forward in-interface-list=LAN out-interface=vlan20 dst-address-list=shared-devices

where shared-devices is a firewall address list
/ip firewall address-list
add address=<ip of printer> list=shared-devices
add address=<ip of scanner> list=shared-devices
etc...

In this way the rule states for all traffic coming from all LANs headed to the personal vlan ALLOW traffic headed for the specific IPs on that vlan.

Hopefully you get the idea!!!
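Worked example, added here and not configuration from anav or MikroTik: a Python model of the input and forward chains as laid out in this post, evaluated first-match the way the RouterOS filter walks its rules. Interface names, the LAN/WAN interface lists and the shared-devices address list follow the thread (vlan10 shared, vlan20 personal, ether1 WAN); the IP addresses, ports and sample packets are constructed. It shows why the unconditional drop must be the last rule in each chain, and that with these rules a device on the kids' VLAN reaches the printer but not the personal VLAN or the router's management ports.

```python
"""First-match model of the input and forward chains described above.
Added example (not thread or MikroTik config). Interface names and lists
follow the thread: vlan10 shared, vlan20 personal, ether1 WAN.
All IP addresses and sample packets are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ESTABLISHED = frozenset({"established", "related", "untracked"})


@dataclass(frozen=True)
class Packet:
    chain: str                  # "input" = to the router, "forward" = through it
    in_iface: str
    out_iface: Optional[str]    # None on the input chain
    dst: str
    proto: str
    dst_port: Optional[int]
    conn_state: str             # new | established | related | untracked | invalid


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                 # accept | drop | fasttrack-connection
    comment: str = ""
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    conn_state: Optional[FrozenSet[str]] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_addr_list: Optional[str] = None


class Filter:
    def __init__(self, rules: List[Rule], iface_lists: Dict[str, FrozenSet[str]],
                 addr_lists: Dict[str, FrozenSet[str]]):
        self.rules, self.iface_lists, self.addr_lists = rules, iface_lists, addr_lists

    def _matches(self, r: Rule, p: Packet) -> bool:
        # every matcher set on the rule must hold; unset matchers match anything
        return all((
            r.chain == p.chain,
            r.in_iface is None or p.in_iface == r.in_iface,
            r.out_iface is None or p.out_iface == r.out_iface,
            r.in_list is None or p.in_iface in self.iface_lists[r.in_list],
            r.out_list is None or p.out_iface in self.iface_lists[r.out_list],
            r.conn_state is None or p.conn_state in r.conn_state,
            r.proto is None or p.proto == r.proto,
            r.dst_port is None or p.dst_port == r.dst_port,
            r.dst_addr_list is None or p.dst in self.addr_lists[r.dst_addr_list],
        ))

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Walk the chain top to bottom; the first matching terminating rule decides."""
        for r in self.rules:
            if not self._matches(r, p):
                continue
            if r.action == "fasttrack-connection":
                # Modelling assumption: fasttrack marks the connection and lets the
                # packet continue, which is why the accept rule follows it.
                continue
            return r.action, r.comment
        # RouterOS chains have no configurable policy: an unmatched packet is
        # accepted, which is why every chain in the thread ends with a plain drop.
        return "accept", "no rule matched (chain default)"


def example_filter() -> Filter:
    iface_lists = {"LAN": frozenset({"vlan10", "vlan20", "vlan30", "vlan40", "vlan50"}),
                   "WAN": frozenset({"ether1"})}
    # constructed printer and NAS addresses on the shared VLAN
    addr_lists = {"shared-devices": frozenset({"10.0.10.10", "10.0.10.11"})}
    new, inv = frozenset({"new"}), frozenset({"invalid"})
    R = Rule
    rules = [
        R("input", "accept", "accept established,related,untracked", conn_state=ESTABLISHED),
        R("input", "drop", "drop invalid", conn_state=inv),
        R("input", "accept", "accept ICMP (router answers ping from anywhere)", proto="icmp"),
        R("input", "accept", "personal vlan: full access to the router", in_iface="vlan20"),
        R("input", "accept", "LAN DNS UDP", in_list="LAN", proto="udp", dst_port=53, conn_state=new),
        R("input", "accept", "LAN DNS TCP", in_list="LAN", proto="tcp", dst_port=53, conn_state=new),
        R("input", "drop", "drop everything else to the router"),
        R("forward", "fasttrack-connection", "fasttrack", conn_state=frozenset({"established", "related"})),
        R("forward", "accept", "accept established,related,untracked", conn_state=ESTABLISHED),
        R("forward", "drop", "drop invalid", conn_state=inv),
        R("forward", "accept", "LAN to internet", in_list="LAN", out_list="WAN"),
        R("forward", "accept", "any LAN to the shared printer/NAS only", in_list="LAN",
          out_iface="vlan10", dst_addr_list="shared-devices"),
        R("forward", "drop", "drop everything else, including vlan to vlan"),
    ]
    return Filter(rules, iface_lists, addr_lists)


if __name__ == "__main__":
    fw = example_filter()
    for p in (Packet("input", "vlan30", None, "10.0.30.1", "tcp", 8291, "new"),        # kids -> winbox
              Packet("forward", "vlan30", "vlan10", "10.0.10.10", "tcp", 9100, "new"),  # kids -> printer
              Packet("forward", "vlan30", "vlan20", "10.0.20.50", "tcp", 445, "new")):  # kids -> personal
        print(p.in_iface, "->", p.out_iface or "router", fw.evaluate(p))
```

To see the effect of ordering, move the final drop rule of either chain above the allow rules and re-run: the printer and DNS cases flip to drop. Deleting the final drop instead lets every unmatched packet through, including WAN to router, because the chain default is accept.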
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Wed Jan 26, 2022 4:07 am

So...
I'm kind of lost. I don't suppose you'd be able to tell me what I should do, using the webfig GUI?

I'm new to networking, so I'm still unclear what exactly I'm doing with everything.

From what I'm gathering, I need to create bridges to allow traffic between VLANs (where necessary). I need to create the VLANs themselves (in interfaces, bridge, switch?...).
I'm not sure if the router itself should have a different (wider) subnet mask than the VLANs (to include them as a subset?...)

I am also getting hung up on the concept that every instruction I find talks about separate switches to handle the VLANs. And then I realized that the RB4011 has two switches in it, and that might be the concept...
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Wed Jan 26, 2022 4:16 am

Well I would not be too fussed about the different chipsets in the RB4011 for now. If performance is noticeably affected one could then start looking at that layer of configuration.
However, to get started, tackle the problem in smaller chewable bites.

Did you read the article noted several times. That should provide some stimulation.
I recently added this one that may also be of assistance........
viewtopic.php?t=182373

Sorry I am webfig gui challenged.

Step One - Understand the default config
Step Two - Modify the firewall rules and NAT so you understand them.
Step Three - Consider making an OFF bridge port for access during configuration
Step Four - start putting two vlans on your network, the trusted subnet and one other.
Step Five - complete the vlan config for those two and then turn vlan filtering on.
Step Six - Add the other vlans.
Step Seven - modify firewall rules accordingly
Step Eight - add any other functionality desired (port forwarding etc..)

At any point stop and ask for help. Use Safe Mode.
 
dave1775
just joined
Topic Author
Posts: 10
Joined: Sat Dec 04, 2021 6:39 pm

Re: Help with home setup RB4011iGS+RM vlans

Sat Feb 05, 2022 7:20 pm

Starting to understand...

So if I create the VLANs on my router, then mark the port that has the cable running to my managed switch, and I want that cable to carry traffic for multiple VLANs: I set it up as tagged. This ensures inbound traffic from the switch to the router is what the router expects, i.e. tagged.

Then, I set up matching VLANs on the switch. Mark the switch port that goes to the router as tagged. All other ports should be untagged, since the devices sending traffic into the switch are properly expected to not be tagged.

From this managed switch, i could connect dumb access points, and cat5e cabled computers.

Correct? Then, i just need to figure out the intervlan routing to the NAS and printer...
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with home setup RB4011iGS+RM vlans

Sat Feb 05, 2022 8:14 pm

Yup sounds about right.
You can connect as many devices as there are ports available...........

as for the shared devices,
lets say you have

vlan10 - regular home use
vlan20 - for wifi guests
vlan30 - IOT devices
Vlan40 - media devices including NAS

Remember they are ALL part of the LAN interface.
Now do you have specific GROUPINGS within the vlans.

ex.
a. which ones are allowed internet ?? VLAN10,20,30 but not 40
b. Which one is allowed to access router for config // vlan 10
c. which ones are allowed to access shared devices, printer and nas, vlans 10,20

RULE OF THUMB, more than one interface needs access, make an access list.

Interface list
/interface list
add name=WAN
add name=LAN
add name=Manage
add name=SHARED
add name=INTERNET

Interface list members
/interface list member
add interface=ether1 list=WAN
add interface=vlan10name list=LAN
add interface=vlan20name list=LAN
add interface=vlan30name list=LAN
add interface=vlan40name list=LAN
add interface=vlan10name list=Manage
add interface=vlan10name list=SHARED
add interface=vlan20name list=SHARED
add interface=vlan10name list=INTERNET
add interface=vlan20name list=INTERNET
add interface=vlan30name list=INTERNET

Construct the rules accordingly
in-interface-list=INTERNET out-interface-list=WAN
in-interface-list=SHARED out-interface=vlan40name ( here you have options, do you want them to access all of the vlan or just the specific devices).

Firewall address list
/ip firewall address-list
add address=<NAS_IP> list=SDevices
add address=<printer_ip> list=SDevices
so rule could be
in-interface-list=SHARED out-interface=vlan40name dst-address-list=SDevices
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Help with home setup RB4011iGS+RM vlans

Sun Feb 27, 2022 9:55 am

Starting to understand...
Dave,

If this is your first exposure to networking on a non-consumer router, and you are starting to understand, good job!

Do you have the RB4011 as your internet router now? Or are you still using your Nighthawk X4S as your internet router? That would have been my recommendation, as it would allow you to play with the configuration of the RB4011 (which would be using the X4S as its "WAN" connection) while still allowing the rest of the family to have uninterrupted internet access while you are learning. Part of learning is making mistakes, and figuring out how to fix the created problems. Understanding networking fundamentals is really helpful when you need to troubleshoot.

For getting some well presented networking information, I recommend Ed Harmoush's https://www.practicalnetworking.net/ind ... -internet/ which has a youtube series to go with it. His goal is to explain things so you understand, which comes in very handy when things don't work the first time.

I just recently got my first exposure to RouterOS, and it's a bit like a Zachtronics game. I have a hEX S RB760iGS which is very similar hardware to the Ubiquiti ER-X, but very different in the way it is configured. I first upgraded it to v7.1 so I could get hardware assist on the bridge vlan filtering with the hEX S. Then I started with the default configuration, so it would be in a working state similar to a consumer router. I connected the hEX S WAN (ether1) to my ER-X's LAN, so the hEX S got its "WAN" IP configuration from the ER-X's DHCP server. Note I didn't replace my ER-X, since I have a lot of learning to do, and want to learn in a "lab environment", without the fear of affecting the home's internet access.

After doing this, I connected a PC to one of the bridge ports (ether2), and verified I could connect to the hEX with Winbox and also connect to the internet. After making a backup, I was ready to start playing.

I removed ether5 from the bridge, added an ip address, and dhcp server, but I was still locked out from ether5, even though I was able to get an ip address from the dhcp server. The problem was that I hadn't added ether5-LAN1 to the LAN interface list, and the default firewall blocks all input to the router if it is not coming from the LAN interface list. After I added ether5-LAN1 to the LAN interface list, I was able to log in from the "emergency access port", and now I am ready to start playing with adding vlans to the bridge.

BTW in your post #17 viewtopic.php?p=902255&hilit=remove+por ... ss#p902241, you stated:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
// Rule to allow through the firewall, incoming traffic, from established connections (known MACs)
Established connections don't have any direct connection with "known MACs". The RouterOS firewall is based on Linux iptables, at least it looks very similar. And established is just a term for a state of a connection. For a TCP connection, established is the state after the 3-way handshake has occurred. The firewall is "stateful", which allows you to connect to the internet, and receive data back that is a response to your request, while blocking new connection attempts from the internet. Much more detailed and better explanations are easy to find with a Google search for
what is an established connection in a firewall
