mcfloyd

Setting interfaces as vlan and bridge filtering

Sat Mar 12, 2022 10:30 pm

I can't seem to get this right. I am trying to set up 3 segmented networks by VLAN: home, public, iot, which then connect to a trunk and out to the internet.
I have 2 UniFi APs that are working by tagging VLAN traffic, and in the MikroTik the VLANs have ingress filters.

Setting the vlan tags on a physical port is what I can't figure out. The port client will not set the vlan tag, I would like the port to set it and then have bridge filters set up. When I set bridge filters though, my AP clients lose access. Setting the vlan'd port on the bridge does not give my port client DHCP either.

OK here's my config, please let me know if anything else doesn't look right (ignore the bridge nat for now though, going to setup firewall rules later).
# model = RB3011UiAS
# serial number = XXXXX
#
# RouterOS export posted for review. Stated intent: three client segments -
# home (VLAN 2, 192.168.1.0/24), public (VLAN 3, 192.168.86.0/24) and
# iot (VLAN 4, 192.168.87.0/24) - plus trunk_bridge (192.168.88.0/24),
# with sfp1 as the WAN uplink.
#
# NOTE(review): none of the four bridges sets vlan-filtering=yes. The
# frame-types / ingress-filtering / pvid values in /interface bridge port
# and the /interface bridge vlan table below are the bridge VLAN filtering
# controls; whether any of them take effect while vlan-filtering is left off
# depends on the RouterOS version in use - confirm, and expect them to be
# inert until it is enabled.
/interface bridge
add name=home_bridge
add name=iot_bridge
add name=public_bridge
add admin-mac=XXXXX auto-mac=no name=trunk_bridge
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
# VLAN sub-interfaces on physical ports. A VLAN interface only receives
# frames that already carry its vlan-id on the wire, so an untagged client
# on ether8 never reaches vlan_iot_ether8 - this matches the "port client
# will not set the vlan tag" symptom in the post. For an access port the
# physical port itself is the bridge member and the bridge assigns the tag
# via pvid (which needs vlan-filtering=yes on that bridge).
# NOTE(review): ether1-4 and ether6-7 are also plain members of
# trunk_bridge further down; MikroTik's bridge documentation advises
# against creating VLAN interfaces on a bridge slave port, so the behaviour
# of those vlan_* interfaces is not well defined - confirm on the running
# version. The usual layout is one bridge with vlan-filtering=yes, per-port
# pvid/tagged entries, and the VLAN interfaces created on the bridge itself.
/interface vlan
add interface=ether1 name=vlan_home_ether1 vlan-id=2
add interface=ether2 name=vlan_home_ether2 vlan-id=2
add interface=ether3 name=vlan_home_ether3 vlan-id=2
add interface=ether4 name=vlan_home_ether4 vlan-id=2
add interface=ether6 name=vlan_home_ether6 vlan-id=2
add interface=ether7 name=vlan_home_ether7 vlan-id=2
add interface=ether6 name=vlan_iot_ether6 vlan-id=4
add interface=ether7 name=vlan_iot_ether7 vlan-id=4
add interface=ether8 name=vlan_iot_ether8 vlan-id=4
add interface=ether9 name=vlan_iot_ether9 vlan-id=4
add interface=ether10 name=vlan_iot_ether10 vlan-id=4
add interface=ether6 name=vlan_public_ether6 vlan-id=3
add interface=ether7 name=vlan_public_ether7 vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Pool names: "trunk_dchp_pool" is misspelled but used consistently by the
# dhcp-server entry below, so it is harmless; rename both or neither.
/ip pool
add name=trunk_dchp_pool ranges=192.168.88.10-192.168.88.254
add name=iot_dhcp_pool ranges=192.168.87.2-192.168.87.254
add name=public_dhcp_pool ranges=192.168.86.2-192.168.86.254
add name=home_dhcp_pool ranges=192.168.1.2-192.168.1.254
# One DHCP server per bridge. A client only gets a lease if its frames
# actually land on the matching bridge, which the VLAN layout above
# currently prevents for untagged port clients.
/ip dhcp-server
add address-pool=trunk_dchp_pool disabled=no interface=trunk_bridge name=trunk_dhcp
add address-pool=iot_dhcp_pool disabled=no interface=iot_bridge name=iot_dhcp
add address-pool=public_dhcp_pool disabled=no interface=public_bridge name=public_dhcp
add address-pool=home_dhcp_pool disabled=no interface=home_bridge name=home_dhcp
# Bridge NAT entries - out of scope per the post (IP firewall rules are
# planned instead). action=passthrough does not alter traffic; these rules
# only count matching packets.
/interface bridge nat
add action=passthrough chain=srcnat out-bridge=trunk_bridge
add action=passthrough chain=dstnat in-bridge=iot_bridge
add action=passthrough chain=dstnat in-bridge=home_bridge
add action=passthrough chain=dstnat in-bridge=public_bridge
# Bridge membership.
# - ether1-7 are untagged members of trunk_bridge. ether5 carries no VLAN
#   interface at all, so a device on ether5 lands untagged on trunk_bridge
#   (192.168.88.0/24, served by trunk_dhcp) - decide whether that is the
#   intended management access port.
# - ether8-10 are disabled as trunk_bridge members, so their vlan_iot_*
#   interfaces sit on non-bridged ports; they still only see frames already
#   tagged with VLAN 4.
# - The vlan_* interfaces are then made members of the per-segment bridges.
#   NOTE(review): a VLAN interface hands the bridge the frame with its tag
#   already removed, so frame-types=admit-only-vlan-tagged on the
#   vlan_*_ether6/7 ports (presumably the AP-facing ones) is expected to
#   drop exactly the traffic they are meant to carry once filtering is
#   active - a likely cause of "AP clients lose access when I set bridge
#   filters"; confirm. pvid on a VLAN-interface port re-tags inside the
#   bridge rather than on the wire, which is redundant here.
/interface bridge port
add bridge=trunk_bridge interface=ether2
add bridge=trunk_bridge interface=ether3
add bridge=trunk_bridge interface=ether4
add bridge=trunk_bridge interface=ether5
add bridge=trunk_bridge interface=ether6
add bridge=trunk_bridge interface=ether7
add bridge=trunk_bridge disabled=yes interface=ether8
add bridge=trunk_bridge disabled=yes interface=ether9
add bridge=trunk_bridge disabled=yes interface=ether10
add bridge=trunk_bridge interface=ether1
add bridge=home_bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan_home_ether6 pvid=2
add bridge=home_bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan_home_ether7 pvid=2
add bridge=iot_bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan_iot_ether6 pvid=4
add bridge=iot_bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan_iot_ether7 pvid=4
add bridge=public_bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan_public_ether6 pvid=3
add bridge=public_bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan_public_ether7 pvid=3
add bridge=iot_bridge interface=vlan_iot_ether8 pvid=4
add bridge=iot_bridge interface=vlan_iot_ether9 pvid=4
add bridge=iot_bridge interface=vlan_iot_ether10 pvid=4
add bridge=home_bridge interface=vlan_home_ether1 pvid=2
add bridge=home_bridge interface=vlan_home_ether2 pvid=2
add bridge=home_bridge interface=vlan_home_ether3 pvid=2
add bridge=home_bridge interface=vlan_home_ether4 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Bridge VLAN table: only consulted when vlan-filtering=yes is set on the
# bridge (not set above). The bridge interface itself is also absent from
# every tagged= list, so even with filtering on, the router's own IP and
# DHCP service on that VLAN would not be reachable - add the bridge name to
# tagged= when enabling filtering.
/interface bridge vlan
add bridge=home_bridge tagged=vlan_home_ether6,vlan_home_ether7,vlan_home_ether1,vlan_home_ether2,vlan_home_ether3,vlan_home_ether4 vlan-ids=2
add bridge=iot_bridge tagged=vlan_iot_ether6,vlan_iot_ether7,vlan_iot_ether8,vlan_iot_ether9,vlan_iot_ether10 vlan-ids=4
add bridge=public_bridge tagged=vlan_public_ether6,vlan_public_ether7 vlan-ids=3
# Interface lists. All four bridges are in LAN, so everything keyed on the
# LAN list (the "drop all not coming from LAN" input rule, neighbor
# discovery, and therefore DNS reachability) treats public and iot clients
# exactly like home clients.
# Security: until the planned firewall rules exist, clients on public_bridge
# and iot_bridge can reach every service the router listens on (DNS, plus
# the management services - winbox/ssh/www/api - if enabled), and the router
# routes freely between the three segments because the forward chain has no
# inter-bridge rule. Mitigation: keep only home_bridge (and trunk_bridge if
# it is the management network) in LAN, put public/iot in their own list
# with input rules limited to DHCP and DNS, and add forward drop rules
# between the segment bridges.
/interface list member
add interface=trunk_bridge list=LAN
add interface=sfp1 list=WAN
add interface=iot_bridge list=LAN
add interface=public_bridge list=LAN
add interface=home_bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=trunk_bridge network=192.168.88.0
add address=192.168.1.1/24 interface=home_bridge network=192.168.1.0
add address=192.168.87.1/24 interface=iot_bridge network=192.168.87.0
add address=192.168.86.1/24 interface=public_bridge network=192.168.86.0
# dhcp-client on ether1: ether1 is a trunk_bridge member and carries
# vlan_home_ether1, while the WAN dhcp-client is the sfp1 entry. This looks
# like a leftover from the default configuration (defconf places a DHCP
# client on ether1) - confirm and remove if so. A DHCP client on a bridge
# slave port is not expected to obtain a lease, but if it ever did, with
# add-default-route at its default it would install a default route toward
# whatever LAN device answered.
/ip dhcp-client
add interface=ether1
add !dhcp-options disabled=no interface=sfp1
/ip dhcp-server lease
add address=192.168.1.2 client-id=XXXXX mac-address=XXXXX server=home_dhcp
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.86.0/24 gateway=192.168.86.1
add address=192.168.87.0/24 gateway=192.168.87.1
add address=192.168.88.0/24 gateway=192.168.88.1
# allow-remote-requests=yes makes the router a resolver for whatever passes
# the input chain. WAN sources are stopped only by the "drop all not coming
# from LAN" rule below, so that rule is what keeps this from being an open
# resolver - do not reorder or loosen it.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=trunk_dns
add address=192.168.87.1 name=iot_dns
add address=192.168.1.1 name=home_dns
add address=192.168.86.1 name=public_dns
# Default (defconf) filter set, unchanged. Note what it does not contain:
# no rule separating home/public/iot from each other or from the router's
# own services - see the /interface list member note above.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
