aW50ZXJuZXQ
just joined
Topic Author
Posts: 11
Joined: Mon Mar 21, 2022 5:17 pm

Create two simple VLANs with D-Link switch

Fri Apr 01, 2022 8:32 pm

I am a happy beginner who wants to learn more. And now I'm stuck. I have tried to create two VLANs (LAN and Guest) but do not really understand how to start the internet on them. I have cleaned the config from VLAN to now ask for help finding the best way.

I want DHCP for all clients.

Current:
Internet -> ether 1
Computer for configuration -> ether 2 (10.0.0.1)
D-link switch -> ether 3 (10.0.3.1)

My plans:
D-link DSG-1100-08v2
VLAN10 LAN Network -10.0.10.0 -> Internet access
VLAN20 Guest Network - 10.0.20.0 -> internet access


Thanks!
/interface bridge
add name=local
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=local list=listBridge
/ip address
add address=10.0.0.1/24 interface=local network=10.0.0.0
add address=10.0.3.1/24 interface=ether3 network=10.0.3.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="block everything else" in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set api disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Stockholm
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Create two simple VLANs with D-Link switch

Fri Apr 01, 2022 9:15 pm

> I am a happy beginner who wants to learn more

Since you want to learn, take a look here: viewtopic.php?t=143620
Also, there are many articles in the MikroTik documentation to read...
Very important is what device model you have...?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Create two simple VLANs with D-Link switch

Sat Apr 02, 2022 4:18 am

Your best bet is a good plan, which would entail drawing a network diagram.
Your explanation is a tad convoluted.
For example, why are your ether 2 and 3 on different subnets.......
 
aW50ZXJuZXQ
just joined
Topic Author
Posts: 11
Joined: Mon Mar 21, 2022 5:17 pm

Re: Create two simple VLANs with D-Link switch

Sat Apr 02, 2022 4:46 pm

> Your best bet is a good plan, which would entail drawing a network diagram.
> Your explanation is a tad convoluted.
> For example, why are your ether 2 and 3 on different subnets.......

Thank you both for taking the time to answer me.

I get the basics to work. So I get internet when I connect the computer to the switch. The switch is set port 8 as tagged and port 2 as vlan10 (untagged). But when I do connect the computer in port 2 on the switch, I still get ip 10.0.0.254 instead of the desired 10.0.10.x. (vlan10)




RB705Gr3
Internet -> ether 1
Ether 3 (10.0.0.1) -> D-Link (10.0.0.1) Tagged

Feel free to point me in the right direction please. :)
/interface bridge
add name=local
/interface vlan
add interface=ether2 name=vlan10 use-service-tag=yes vlan-id=10
add interface=ether2 name=vlan20 vlan-id=20
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool1 ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp2
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=local list=listBridge
/ip address
add address=10.0.0.1/24 interface=local network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="block everything else" in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set api disabled=yes
/ip ssh
set strong-crypto=yes
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Create two simple VLANs with D-Link switch

Sun Apr 03, 2022 5:11 am

> I get the basics to work. So I get internet when I connect the computer to the switch. The switch is set port 8 as tagged and port 2 as vlan10 (untagged). But when I do connect the computer in port 2 on the switch, I still get ip 10.0.0.254 instead of the desired 10.0.10.x. (vlan10)
>
> RB705Gr3
> /interface vlan
> add interface=ether2 name=vlan10 use-service-tag=yes vlan-id=10
> add interface=ether2 name=vlan20 vlan-id=20

Please explain why you have use-service-tag=yes and what you think it does.

Also, can we assume you had a typo in the model, and what you really have is an RB750Gr3?

What version of firmware are you using? It is significant.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Create two simple VLANs with D-Link switch

Sun Apr 03, 2022 6:20 am

> Your best bet is a good plan, which would entail drawing a network diagram.

> I get the basics to work. So I get internet when I connect the computer to the switch. The switch is set port 8 as tagged and port 2 as vlan10 (untagged). But when I do connect the computer in port 2 on the switch, I still get ip 10.0.0.254 instead of the desired 10.0.10.x. (vlan10)

We still don't see any plans, diagrams, or how the D-Link ports are configured.

My suggestion is if you want to use the vlan-filtering bridge on the hEX, you should be running a recent testing version of RouterOS. I have a hEX S (RB760iGS) running v7.2rc7 and have vlans working.

Also, if you have another working internet router with firewall, I also suggest you connect the hEX "WAN" interface to the "LAN" interface/switch on your current router so your hEX will be protected in case you misconfigure something on the hEX while you are learning. This also gives you a good way to test the "internet facing" firewall on the hEX from a PC connected to the ISP router's LAN subnet, where you could run nmap or even a pen testing distribution like Kali or ParrotOS that have many pen testing tools pre-loaded.

The devices on the hEX vlan 10 and 20 will have double nat, but that is fine for learning, and the extra protection is well worth the downsides of double nat while you are getting things set up. Once you have verified that things are working and secure, then you can connect your hEX directly to the internet.

If you load v7.2rc7 on the RB750Gr3, then you could configure two wired access ports with pvid 10 and two access ports with pvid 20. Get that working first. Then after you know that things are working using the bridge/switch built into the hEX, and that two PCs connected to the two vlan 10 ports can communicate with each other, the router port and the internet, and that two PCs connected to the vlan 20 access ports can communicate with each other, the router port and the internet, then you can start to play with the local firewall to implement your guest network firewall. Once you have that working, then you can take one of your vlan 20 access ports, and configure it as a trunk port to the D-Link switch, and then if the D-Link is set up correctly, you can set up access ports for ether 10 or 20, and a trunk link to the access point.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Create two simple VLANs with D-Link switch

Sun Apr 03, 2022 9:52 am

You might want to look at this post that has an RB760iGS config (very similar to the RB750Gr3, but has an SFP port added). It has ether5 configured as trunk and was tested with a downstream switch successfully. Ether1 is WAN, ether2 is "off bridge access port". Ports 3-5 are bridge ports. There are 3 vlans, 10, 15 and 20, plus an access port for vlan 10 on ether3 and an access port for vlan 20 on ether4. The trunk is sending the 3 vlans tagged to the switch, and blocking non-tagged ethernet from the switch. There are 3 dhcp servers configured.

I can't say much about the firewall in the config, I was concentrating on the bridge setup.

I would concentrate on getting the vlan things working first (behind your existing ISP router) and then after that is working, then work on the firewall. Making the firewall too tight during initial setup can prevent things from working (even if you have the bridge set up correctly), and you can easily spend a lot of time trying to fix problems that don't exist, because the reason it isn't working is a firewall issue (and don't forget that Windows firewalls can be significant as well, especially when multiple subnets are involved).
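
An added example, not part of the thread and not the config Buckeye links to: the layout described in the posts above (ether3 as a vlan 10 access port, ether4 as a vlan 20 access port, ether5 as a tagged-only trunk to the switch), written out for the topic author's two subnets. The names bridge1, pool10, pool20, dhcp10 and dhcp20 and the guest firewall policy are assumptions; ether2 is left off the bridge for management.

```routeros
# Added example: names bridge1, pool10/20 and dhcp10/20 are assumptions.
# ether2 stays off this bridge so management access survives mistakes.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# Access ports: untagged frames only, placed into the port's pvid.
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
# Trunk to the switch: tagged frames only, untagged frames are dropped.
add bridge=bridge1 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# The bridge itself is a tagged member so the router's vlan interfaces see the traffic.
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether5 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether5 untagged=ether4
/interface vlan
# vlan interfaces sit on the bridge, not on a physical bridge port.
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
/ip pool
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1
/ip firewall filter
# Assumed guest policy: DNS and DHCP to the router only, no path into the LAN vlan.
add chain=input action=accept in-interface=vlan20 protocol=udp dst-port=53,67
add chain=input action=accept in-interface=vlan20 protocol=tcp dst-port=53
add chain=input action=drop in-interface=vlan20 comment="guest: no other router access"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface=vlan20 out-interface=vlan10 comment="guest to LAN"
# Turn filtering on last, once the vlan table above is complete.
/interface bridge
set bridge1 vlan-filtering=yes
```

The switch port facing ether5 has to carry vlans 10 and 20 tagged, matching the tagged uplink port the topic author describes on the D-Link.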
