Basically I want to isolate an AP for guest/unsafe, from the rest of the network. Currently the router is using a PPP connection on WAN and performing NAT(the traffic is going to a switch via eth2). I have a managed switch where I will configure 2 VLANs(one for the safe network and one for the unsafe/guest AP).
Do you have any ideas on how should I proceed with altering the existing configuration?
Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Are the access points SMART access points that can read vlans?
If not each access point will only be able to provide service for one subnet.
On bridge, two vlans, trunk port to switch, access ports from switch to two access points..
If not each access point will only be able to provide service for one subnet.
On bridge, two vlans, trunk port to switch, access ports from switch to two access points..
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
The AP cannot read VLANs, but I have a dedicated AP for unsafe wifi.
I only created 2 VLANs in the router(safe network, unsafe network), but I don't know how to continue.
I was hoping that I could mark somehow the packets with a VLAN tag based on their subnet in the Firewall section, but it seems that this "shortcut" isn't possible.
I only created 2 VLANs in the router(safe network, unsafe network), but I don't know how to continue.
I was hoping that I could mark somehow the packets with a VLAN tag based on their subnet in the Firewall section, but it seems that this "shortcut" isn't possible.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Please read through Item C. here - viewtopic.php?t=182373
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
There are 4 links on that section:
1. viewtopic.php?t=143620 - talks about various scenarios, neither of them being my case. They are showing vlan splitting per multiple ports on the same router(i'll be using 1 port for multiple vlans instead)
2. viewtopic.php?f=2&t=173692 - discusses the concept of mikrotik bridge
3. https://help.mikrotik.com/docs/display/ ... +Switching - all the possible options for bridging and switching settings
4. https://help.mikrotik.com/docs/display/ ... VLAN+Table - bridge VLAN table.
The problem is that I only have basic CCNA1 knowledge, I don't have network architecture design skills and I also don't know how to organize the steps to not screw up the connectivity with the router.
It will take months for me to learn VLANs in general, VLANs on mikrotik routers and how to design the solution and figure out the steps needed.
Btw, I only have a simple masquerading rule on the router.
1. viewtopic.php?t=143620 - talks about various scenarios, neither of them being my case. They are showing vlan splitting per multiple ports on the same router(i'll be using 1 port for multiple vlans instead)
2. viewtopic.php?f=2&t=173692 - discusses the concept of mikrotik bridge
3. https://help.mikrotik.com/docs/display/ ... +Switching - all the possible options for bridging and switching settings
4. https://help.mikrotik.com/docs/display/ ... VLAN+Table - bridge VLAN table.
The problem is that I only have basic CCNA1 knowledge, I don't have network architecture design skills and I also don't know how to organize the steps to not screw up the connectivity with the router.
It will take months for me to learn VLANs in general, VLANs on mikrotik routers and how to design the solution and figure out the steps needed.
Btw, I only have a simple masquerading rule on the router.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
The only certification of our friendly @anav is the one noted in his forum signature. And didn't take him months to get a grip on things. OK, perhaps it took more than that and sometimes he still struggles 
.
The point is that this forum is about sharing knowledge, not about spoon feeding or free consultancy services. And it's not that hard, you're mentioning CCNA and if you can get that without knowledge as basic as VLAN fundamentals, then my regard of CC certs just dropped to underground.
.The point is that this forum is about sharing knowledge, not about spoon feeding or free consultancy services. And it's not that hard, you're mentioning CCNA and if you can get that without knowledge as basic as VLAN fundamentals, then my regard of CC certs just dropped to underground.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Max, then follow the guidance on assistance, because communication in IT, is key!!! Learn how to articulate requirements and the rest will follow!
viewtopic.php?t=182373
Click on the link entitled - HAVING ISSUES AND NEED HELP READ THIS FIRST
viewtopic.php?t=182373
Click on the link entitled - HAVING ISSUES AND NEED HELP READ THIS FIRST
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
The setup you are asking for is very basic.
Create bridge.
Assign vlans to the bridge ( one vlan for every subnet you have on the router).
Give vlans ip pool, dhcpserver, dhcpservernetwork, ip address
assign /interface bridge ports
assign /interface bridge vlans
ensure firewall rules are okay for your needs
ensure ip routes are okay for your needs
turn on bridge vlan filtering
basically done.........
Create bridge.
Assign vlans to the bridge ( one vlan for every subnet you have on the router).
Give vlans ip pool, dhcpserver, dhcpservernetwork, ip address
assign /interface bridge ports
assign /interface bridge vlans
ensure firewall rules are okay for your needs
ensure ip routes are okay for your needs
turn on bridge vlan filtering
basically done.........
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
This is what I put on the switch:
And on the router:
Which menus do I have to access for this step?
"Give vlans ip pool, dhcpserver, dhcpservernetwork, ip address"
"Give vlans ip pool, dhcpserver, dhcpservernetwork, ip address"
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
I will help with the switch settings by directing you to another thread where I did the very same thing, or at least close!!
As for the pictures they are great as a starter but also need
/export hide-sensitive file=anynameyouwish
Just be sure to put in xx.xxx.xx for any ISP public IPs or gateway IPs that may show, normally they do not.
As for the pictures they are great as a starter but also need
/export hide-sensitive file=anynameyouwish
Just be sure to put in xx.xxx.xx for any ISP public IPs or gateway IPs that may show, normally they do not.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
The switch setup IS WRONG!!
DO NOT USE PORT BASED VLANS, you want 802.1Q VLANS
When you do.................................
VLAN1 is the default vlan or native vlan and is out of the box assigned to every port (untagged).
For trunk ports that are carrying vlans, the native or default vlan stays put as is!
For access ports that get untagged traffic from dumb devices, tag the traffic heading to the router and out the internet and then untag the return traffic before hitting the dumb device Replace vlan1 with THE PVID of the untagged vlan that is supposed to go through that port.
Look at the pictures I display here......
viewtopic.php?p=926394#p926394
DO NOT USE PORT BASED VLANS, you want 802.1Q VLANS
When you do.................................
VLAN1 is the default vlan or native vlan and is out of the box assigned to every port (untagged).
For trunk ports that are carrying vlans, the native or default vlan stays put as is!
For access ports that get untagged traffic from dumb devices, tag the traffic heading to the router and out the internet and then untag the return traffic before hitting the dumb device Replace vlan1 with THE PVID of the untagged vlan that is supposed to go through that port.
Look at the pictures I display here......
viewtopic.php?p=926394#p926394
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
I will change the switch config from port-based to 802.1Q.
This is my config:
This is my config:
Code: Select all
# apr/16/2022 21:39:51 by RouterOS 6.45.9
/interface bridge
add fast-forward=no name=bridge1
add name=bridge_vlans
/interface ethernet
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=\
1492 name=pppoe-out1 use-peer-dns=yes user=xxxxxxxx
/interface list
add exclude=dynamic name=discover
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik \
unicast-ciphers=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=10.223.44.2-10.223.44.254
add name=dhcp_pool2 ranges=10.223.45.2-10.223.45.6
add name=openvpnpool1 ranges=172.25.10.1-172.25.10.2
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
interface=ether2 lease-time=3d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
interface=ether3 lease-time=3d name=dhcp2
/ppp profile
add local-address=dhcp_pool1 name=openvpnprofile remote-address=dhcp_pool1
/routing bgp instance
set default disabled=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=500
/ip firewall connection tracking
set tcp-syn-received-timeout=1m tcp-syn-sent-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge_vlans vlan-ids=2
add bridge=bridge_vlans vlan-ids=3
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=discover
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=openvpnprofile \
enabled=yes port=60501 require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=\
default-encryption
/ip address
add address=10.223.44.1/24 interface=ether2 network=10.223.44.0
add address=10.223.45.1/26 interface=ether3 network=10.223.45.0
/ip dhcp-server lease
add address=10.223.44.2 mac-address=..
add address=10.223.44.5 lease-time=4d3h mac-address=..
/ip dhcp-server network
add address=10.223.44.0/24 gateway=10.223.44.1
add address=10.223.45.0/26 gateway=10.223.45.1
/ip dns
set max-udp-packet-size=512 servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.223.44.0/24 disabled=yes list=ether2lan
add address=10.223.45.0/26 disabled=yes list=ether3lan
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=add-src-to-address-list address-list="ping checkers" \
address-list-timeout=2w chain=input comment="Ping checkers" icmp-options=\
8:0-255 protocol=icmp
add action=drop chain=input comment="dropping Ping checkers" icmp-options=\
0:0-255 protocol=icmp src-address-list="ping checkers"
add action=add-src-to-address-list address-list=winbox_login_attempt \
address-list-timeout=none-dynamic chain=input dst-port=8291 in-interface=\
pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_attempt \
address-list-timeout=none-dynamic chain=input dst-port=60001 \
in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=http_attempt \
address-list-timeout=none-dynamic chain=input dst-port=80 in-interface=\
pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=https_attempt \
address-list-timeout=none-dynamic chain=input dst-port=443 in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log-prefix=drop_invalid
add action=drop chain=input comment="defconf: drop WAN ICMP" \
in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=not_lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=drop_invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.223.44.0/24 to-addresses=\
0.0.0.0
add action=masquerade chain=srcnat src-address=10.223.45.0/26
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=443
set api disabled=yes
set winbox address=10.0.0.0/8
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
both
/ppp secret
add disabled=yes name=openvpnuser profile=openvpnprofile service=ovpn
/system logging
set 1 action=disk
set 3 action=disk
add topics=info
add topics=pppoe
add disabled=yes prefix=pppoe topics=debugRe: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Hi Max, Normally I recommend only ONE bridge!
Observations:
(1) I do not see any vlans defined??
they need to be assigned with parent interface of the bridge,
then they each need, IP pool, IP address, IP dhcp-server, IP dhcp-server-network settings!!
(okay I see pools etc......)
(2) Get rid of list discover its not required and does nothing for you.
(3) Similarly get rid of any interface list members to discover.
All you need is vlan2 to LAN, vlan3 to LAN and ether1 to WAN.
(4) IP addresses are set to ports, need to be set to vlan2 and vlan3 as interfaces..
(5) Need /interface bridge ports and /interface bridge vlans
The /interface bridge vlans looks more like you were trying to create/identify vlans which needs to be done in the interface menu.
/interface bridge ports -->Here you want to identify if the port is going to be a trunk port or an access port (need pvid for access port).
/interface bridge vlans --> Here you want to identify the tagging and untagging of ports
(6) Source nat ----> I dont understand what you are trying to do and would stick to the standard rule until you can describe the requirement and the appropriate config rule can be put in place.........
(7) WHy so wide open ??? set winbox address=10.0.0.0/8
(8) Recommend you stick with default rules and not add all the extra garbage........
viewtopic.php?t=180838
Observations:
(1) I do not see any vlans defined??
they need to be assigned with parent interface of the bridge,
then they each need, IP pool, IP address, IP dhcp-server, IP dhcp-server-network settings!!
(okay I see pools etc......)
(2) Get rid of list discover its not required and does nothing for you.
(3) Similarly get rid of any interface list members to discover.
All you need is vlan2 to LAN, vlan3 to LAN and ether1 to WAN.
(4) IP addresses are set to ports, need to be set to vlan2 and vlan3 as interfaces..
(5) Need /interface bridge ports and /interface bridge vlans
The /interface bridge vlans looks more like you were trying to create/identify vlans which needs to be done in the interface menu.
/interface bridge ports -->Here you want to identify if the port is going to be a trunk port or an access port (need pvid for access port).
/interface bridge vlans --> Here you want to identify the tagging and untagging of ports
(6) Source nat ----> I dont understand what you are trying to do and would stick to the standard rule until you can describe the requirement and the appropriate config rule can be put in place.........
(7) WHy so wide open ??? set winbox address=10.0.0.0/8
(8) Recommend you stick with default rules and not add all the extra garbage........
viewtopic.php?t=180838
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Thank you for your post, but it's too complex for me.
Have no idea how to do most of those steps, and I'm 95% sure I'll end up losing connection to the router at some point by a wrong order of operations mistake.
I regret buying the switch, the sdcard and the camera. Now I have to sell them.
LE: this is already like this, so I don't know what's the problem:
Have no idea how to do most of those steps, and I'm 95% sure I'll end up losing connection to the router at some point by a wrong order of operations mistake.
I regret buying the switch, the sdcard and the camera. Now I have to sell them.
LE: this is already like this, so I don't know what's the problem:
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
As @anav (*) pointed out, currently you don't have any VLANs. If you need only one cable between router and switch and everything else should be connected to switch, then you don't need to bother with bridges at all (you currently have two, both empty and useless), simply add VLANs like this (where etherX is where switch is connected to):
Then you'll have tagged VLANs 2 and 3 on etherX and new interfaces vlan2 and vlan3 for them. Give them IP addresses, DHCP server, etc. Currently you have them on ether2 and ether3, so move them (if you want to use those subnets for VLANs). To not lock yourself out, connect to router using one, move the other, then see it you can connect to that, and only then move the first one.
If you want VLANs spread over more than one router's ports, that would require bridge, which is used to configure on which ports you want VLANs and their forms (tagged/untagged). My favourite example is one in manual, which I find simple and easy to understand (but not everyone feels the same).
--
(*) He's helpful, but so far we didn't manage to train him to recognize important stuff from unimportant, sorry about that.
Code: Select all
/interface vlan
add interface=etherX name=vlan2 vlan-id=2
add interface=etherX name=vlan3 vlan-id=3If you want VLANs spread over more than one router's ports, that would require bridge, which is used to configure on which ports you want VLANs and their forms (tagged/untagged). My favourite example is one in manual, which I find simple and easy to understand (but not everyone feels the same).
--
(*) He's helpful, but so far we didn't manage to train him to recognize important stuff from unimportant, sorry about that.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
I found this: http://mikrotikroutersetup.blogspot.com ... -dhcp.html
+ what you guys wrote, I might have a chance this evening to make it work. Fingers crossed.
I saw that I tried to implement what you told me 2 years ago here:
viewtopic.php?p=804121#p804091
(6) Source NAT, I'm giving internet to the computers on eth2 and the ones on eth3. I wanted to keep them in separate subnets.
+ what you guys wrote, I might have a chance this evening to make it work. Fingers crossed.
@anav, what do you consider to be garbage?(6) Source nat ----> I dont understand what you are trying to do and would stick to the standard rule until you can describe the requirement and the appropriate config rule can be put in place.........
(7) WHy so wide open ??? set winbox address=10.0.0.0/8
(8) Recommend you stick with default rules and not add all the extra garbage........
viewtopic.php?t=180838
I saw that I tried to implement what you told me 2 years ago here:
viewtopic.php?p=804121#p804091
(6) Source NAT, I'm giving internet to the computers on eth2 and the ones on eth3. I wanted to keep them in separate subnets.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Hi Max, I was referring to all the port scanning stuff.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Code: Select all
/interface vlan
add interface=ether2 name=vlan2 vlan-id=2
add interface=ether2 name=vlan3 vlan-id=3
/ip address
add address=10.223.44.1/24 interface=vlan2
add address=10.255.1.1/24 interface=vlan3
/ip pool add name=vlan2 ranges=10.223.44.1-10.223.44.254
/ip pool add name=vlan3 ranges=10.255.1.1-10.255.1.254
/ Ip dhcp-server enable 0
/ Ip dhcp-server add interface = LOCAL address-pool = vlan2
/ Ip dhcp-server add interface = LOCAL address-pool = vlan3
/ i don't understand why i have to specify dns-server here, i already have a dns specified in the dns menu
/ Ip dhcp-server network add address = 10.223.44.0/24 gateway = 10.223.44.1 dns-server = ?.?.?.? comment=”vlan2”
/ Ip dhcp-server network add address = 10.255.1.0/24 gateway = 10.255.1.1 dns-server = ?.?.?.? comment=”vlan3”
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.223.44.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=10.255.1.0/24 out-interface=WAN
I don't understand why I have to specify the DNS in the dhcp-server command, though.
It still feels sketchy to copy-paste these in the terminal.
I don't want to risk taking the router out, reseting it, connecting to it directly with a laptop, reuploading the last working config, etc. That's another 1 hour lost in anger.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
yeah lets walk before running concur!
The question I have is how many subnets do you need.
Thus far for sure we have two as you are attempting to capture with vlan2 and vlan3
Is there another local LAN?
On a previous config you have two bridge as well, and we only need one.
The question I have is how many subnets do you need.
Thus far for sure we have two as you are attempting to capture with vlan2 and vlan3
Is there another local LAN?
On a previous config you have two bridge as well, and we only need one.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
If you want VLANs spread over more than one router's ports, that would require bridge, which is used to configure on which ports you want VLANs and their forms (tagged/untagged). My favourite example is one in manual, which I find simple and easy to understand (but not everyone feels the same).
That example is for trunkless inter-vlan routering. I think this (old) and this (new) are more like the example in this thread, with a trunk link.
There's an updated version of the intervlan routing with bridge document referenced by @Sob here with some changes: It specifies allowed frame types, which is good practice. The update /interface bridge vlan section does not explicitly show the untagged ports, which has the same effect, but I think is possibly more confusing, because it relies on implicit behavior. I like to explicitly specify all involved bridge-ports related to a vlan in this section, if for no other reason than if you search the config, you can see the vlan member ports in the line. But all I have configured is hEX S, and that is port limited. On a CRS with many ports, that could be unwieldy (perhaps there is a way to create a "port group" that could be treated equally, but if that feature exists, I am not aware of it. It would be nice to be able to specify a list of bridge-port and give it a name, similar to /interface list for firewalls, but that could be referenced where a list of ports would be accepted. That would make configuring a CRS with many ports configured as access ports for the same vlan easier to configure/understand. Perhaps there is a way to do it using scripts, but I haven't gotten that far, and for port limited devices like the hEX S, it wouldn't make much difference.
These are the differences (the red is what is different)
Old:
Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN:
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400
New:
Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN. Use frame-types setting to accept only untagged packets.
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=400 frame-types=admit-only-untagged-and-priority-tagged
Add Bridge VLAN entries and specify tagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing. Bridge ports with frame-types set to admit-only-untagged-and-priority-tagged will be automatically added as untagged ports for the pvid VLAN.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=200
add bridge=bridge1 tagged=bridge1 vlan-ids=300
add bridge=bridge1 tagged=bridge1 vlan-ids=400
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
There is another subnet: 10.223.45.0/26 on ether3 port, but that one you can ignore it completely, it will be there, it doesn't need any vlan, it's isolated, I just disabled the drop packets rules (between subnets) at some point and forgot to re-enable them back.yeah lets walk before running concur!
The question I have is how many subnets do you need.
Thus far for sure we have two as you are attempting to capture with vlan2 and vlan3
Is there another local LAN?
On a previous config you have two bridge as well, and we only need one.
So, in conclusion I only need 2 subnets for now, vlan2 and vlan3.
If I'll ever need another vlan in the future, I'll be able to extend the steps one more time, once I go through them one time successfully.
I've deleted those bridges since they were unused.
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
@Max2: DNS in "/ip dns" is what router itself uses. DNS in "/ip dhcp-server network" is what clients get. The latter can be either router's address, if you want clients to use its DNS cache, or any other external server.
And if you want to be sure that you don't break anything, then definitely don't paste commands you're not 100% sure about. Go slow, be clever, use the separate ether3 to reconfigure the rest (use whatever you're most comfortable with, CLI, GUI, it's up to you), and you should be safe. Ok, it's still possible to lock yourself out, but at least the change for it is lower than if you'd do it being connected to one of those reconfigured subnets.
And if you want to be sure that you don't break anything, then definitely don't paste commands you're not 100% sure about. Go slow, be clever, use the separate ether3 to reconfigure the rest (use whatever you're most comfortable with, CLI, GUI, it's up to you), and you should be safe. Ok, it's still possible to lock yourself out, but at least the change for it is lower than if you'd do it being connected to one of those reconfigured subnets.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
I don't know why it doesn't allow me to select Untagged for the ports that don't go to the router in VLANs that I'm trying to create: VLAN 2 and VLAN 3.
I understood that I had to put tagged for port 1, and Untagged for the rest of the ports that are part of the VLAN and Not Member the for the ones that shouldn't be in that VLAN.
So, for VLAN 2: port 1 should be tagged, ports 2-7 should be untagged, port 8 should be not member.
For VLAN 3: port 1 should be tagged, port 8 should be untagged, ports 2-7 should be not member.
But it doesn't allow me to put the ports in untagged and I don't know why.
I understood that I had to put tagged for port 1, and Untagged for the rest of the ports that are part of the VLAN and Not Member the for the ones that shouldn't be in that VLAN.
So, for VLAN 2: port 1 should be tagged, ports 2-7 should be untagged, port 8 should be not member.
For VLAN 3: port 1 should be tagged, port 8 should be untagged, ports 2-7 should be not member.
But it doesn't allow me to put the ports in untagged and I don't know why.
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
When using vlans on a link between two devices, both devices should agree on what is to be carried on the trunk. And especially what the untagged vlan is, because there is no indication in the ethernet frame itself when it is untagged.
I think you are using port 1 on the switch to carry 3 vlans, 1, 2 and 3. And 1 isn't being used (except as the default for the untagged vlan).
Your switch doesn't appear to be a MikroTik, if it is a D-Link DGS-1100-08V2, this probably isn't the best place to be asking about how to configure it. Doesn't D-Link have a forum?
Some switches will allow you to configure more than a single vlan as untagged on a port, but that is not recommended unless you know what you are doing. The only time I have ever seen that done was when "asymmetric vlans" were being used to "isolate" untagged access switch-ports from other switch-ports in the same subnet. And that isn't the case here, so your switch is probably not allowing you to have more than one vlan untagged on a specific switch-port, and that is normal. So select vlan 1, and select "not member" for all ports except port 1 (some switches won't allow you to remove vlan 1 from all ports). Then you will be able to select one of the other vlans as untagged on ports 2-8.
You don't ever specify, so I will assume all the devices you will be connecting to the switch are not vlan-aware, i.e. just standard ethernet. If that is the case, then each device will be a member of exactly one vlan, and the vlan they belong to will be determined by the setting on the switch-port (by specifying the PVID).
I think this is what you want.
port 1 trunk port to MikroTik ether2 untagged for vlan 1, tagged for vlan 2, tagged for vlan 3
ports 2-7 access port for vlan 2, untagged for vlan 2, not member of vlan 1 or vlan 3
port 8 access port for vlan 3, untagged for vlan 3, not member of vlan 1 or vlan 2
PVID settings: See page 26 of https://support.dlink.com/resource/PROD ... .00_WW.pdf
port 1 : PVID 1
ports 2-7 ; PVID 2
port 8 : PVID 3
This is the extent of the spoon feeding I will be providing.
I think you are using port 1 on the switch to carry 3 vlans, 1, 2 and 3. And 1 isn't being used (except as the default for the untagged vlan).
Your switch doesn't appear to be a MikroTik, if it is a D-Link DGS-1100-08V2, this probably isn't the best place to be asking about how to configure it. Doesn't D-Link have a forum?
Some switches will allow you to configure more than a single vlan as untagged on a port, but that is not recommended unless you know what you are doing. The only time I have ever seen that done was when "asymmetric vlans" were being used to "isolate" untagged access switch-ports from other switch-ports in the same subnet. And that isn't the case here, so your switch is probably not allowing you to have more than one vlan untagged on a specific switch-port, and that is normal. So select vlan 1, and select "not member" for all ports except port 1 (some switches won't allow you to remove vlan 1 from all ports). Then you will be able to select one of the other vlans as untagged on ports 2-8.
You don't ever specify, so I will assume all the devices you will be connecting to the switch are not vlan-aware, i.e. just standard ethernet. If that is the case, then each device will be a member of exactly one vlan, and the vlan they belong to will be determined by the setting on the switch-port (by specifying the PVID).
I think this is what you want.
port 1 trunk port to MikroTik ether2 untagged for vlan 1, tagged for vlan 2, tagged for vlan 3
ports 2-7 access port for vlan 2, untagged for vlan 2, not member of vlan 1 or vlan 3
port 8 access port for vlan 3, untagged for vlan 3, not member of vlan 1 or vlan 2
PVID settings: See page 26 of https://support.dlink.com/resource/PROD ... .00_WW.pdf
port 1 : PVID 1
ports 2-7 ; PVID 2
port 8 : PVID 3
This is the extent of the spoon feeding I will be providing.
You do not have the required permissions to view the files attached to this post.
Last edited by Buckeye on Sat Apr 30, 2022 1:29 am, edited 4 times in total.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Nothing wrong with DLINK switches if configured properly, same goes with the MT.
If the OP, or in this cast the PERP being guilty of using vlan1 for data vice leaving it alone as a background native vlan just doing its thing, is gonna have problems.
So first things first, lets assume we stick with vlans 200,300, and 400.
Going from etherX (trunk port on MT router) to Dlink switch.
EtherX (at MT)
>>>>>>>>>>>>>
Now we have to figure out what is the trusted subnet, lets say it vlan200...........
At DLINK switch.
Lets assume ether1 is from the MT, ether2 is going to a dumb AP for vlan 200, ether3 is going to a dumb AP for vlan 300 and ether4,5 are going to dumb computers on the trusted network, ether6.7 are going to dumb wired media devices vlan400. and ether8 is going to another smart switch but only carrying vlan trusted and medial vlan400
First off, the switch needs an IP address on the trusted VLAN 200.
THere should be ipv4 LAN settings somewhere on that switch!!
................... ........................
(1) ALL ports come default untagged with native VLAN1
(2) Trunk ports should have a native untagged vlan1 and this should be left alone. All trunk ports should be tagged with all the vlans required.
(3) Access ports to dumb device should have PVID assigned to the port which removes the default untagged vlan1, and the port should be untagged for the new VLANID
Based on the above facts, your DLINK should look something like
................
If the OP, or in this cast the PERP being guilty of using vlan1 for data vice leaving it alone as a background native vlan just doing its thing, is gonna have problems.
So first things first, lets assume we stick with vlans 200,300, and 400.
Going from etherX (trunk port on MT router) to Dlink switch.
EtherX (at MT)
>>>>>>>>>>>>>
Code: Select all
/interface bridge ports
bridge=bridge interface=etherX ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlans
bridge=bridge tagged=bridge,etherX vlan-ids=200,300,400 { if 200,300,400 have no other assignment, otherwise as applicable }
bridge=bridge tagged=bridge,etherX, unknown untagged=unknown vlan-ids=200
bridge=bridge tagged=bridge,etherX,unknown untagged=unknown vlan-ids=300
bridge=bridge tagged=bridge,etherX,unkown untagged=unknown vlan-ids=400 At DLINK switch.
Lets assume ether1 is from the MT, ether2 is going to a dumb AP for vlan 200, ether3 is going to a dumb AP for vlan 300 and ether4,5 are going to dumb computers on the trusted network, ether6.7 are going to dumb wired media devices vlan400. and ether8 is going to another smart switch but only carrying vlan trusted and medial vlan400
First off, the switch needs an IP address on the trusted VLAN 200.
THere should be ipv4 LAN settings somewhere on that switch!!
................... ........................
(1) ALL ports come default untagged with native VLAN1
(2) Trunk ports should have a native untagged vlan1 and this should be left alone. All trunk ports should be tagged with all the vlans required.
(3) Access ports to dumb device should have PVID assigned to the port which removes the default untagged vlan1, and the port should be untagged for the new VLANID
Based on the above facts, your DLINK should look something like
................
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Head over to Ed Harmoush's Practical Networking site https://www.practicalnetworking.net Ed has recently started a Networking Fundamentals course and he is putting the first module (with multiple videos) on Youtube. It's a good intro with very little assumptions about previous knowledge, and even if you think you already know this stuff, if you watch it, and give it your utmost attention, you will probably get a deeper understanding than you currently have. Ed has some of the best explained info about vlans Virtual Local Area Networks (VLANs) See the challenge quiz if you think you understand vlans. Ed also have a video covering the same info VLANs – the simplest explanation Here's an index to the vlan pages on PracticalNetworking And here's a good starting point for Networking topics in general (don't be put off by the CCNA, this is pretty generic info that you need to know, and explained in an easy to understand way. CCNA IndexThe problem is that I only have basic CCNA1 knowledge, I don't have network architecture design skills and I also don't know how to organize the steps to not screw up the connectivity with the router.
It will take months for me to learn VLANs in general, VLANs on mikrotik routers and how to design the solution and figure out the steps needed.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
@anav Why restart from scratch?Nothing wrong with DLINK switches if configured properly, same goes with the MT.
If the OP, or in this cast the PERP being guilty of using vlan1 for data vice leaving it alone as a background native vlan just doing its thing, is gonna have problems.
So first things first, lets assume we stick with vlans 200,300, and 400.
Going from etherX (trunk port on MT router) to Dlink switch.
This was his question:
He obviously has a connection to the switch, otherwise we wouldn't see his pictures of the D-Link web interface.I don't know why it doesn't allow me to select Untagged for the ports that don't go to the router in VLANs that I'm trying to create: VLAN 2 and VLAN 3.
I understood that I had to put tagged for port 1, and Untagged for the rest of the ports that are part of the VLAN and Not Member the for the ones that shouldn't be in that VLAN.
So, for VLAN 2: port 1 should be tagged, ports 2-7 should be untagged, port 8 should be not member.
For VLAN 3: port 1 should be tagged, port 8 should be untagged, ports 2-7 should be not member.
But it doesn't allow me to put the ports in untagged and I don't know why.
I haven't used a D-Link smart switch, but I can read manuals, and I have used Netgear and TP-Link "smart switches" that are probably similar.
Asking him to move ports being used for the access points, and introducing new vlans is just going to be more confusing for someone that is just learning vlans, and is already frustrated to the point of making the comment "I regret buying the switch, the sdcard and the camera. Now I have to sell them." in post #14
Last edited by Buckeye on Tue May 03, 2022 12:31 am, edited 1 time in total.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Hahaha I just used the numbers as an example of what it would look like on the hex and the switch. For comparative purposes.
I figure the OP is smart enough to use his brain and figure out what he should do to his settings with whatever numbers he chooses.
But he can compare to the examples so that he assigns oranges to oranges (his numbers) to match the pattern of my apples to apples (my example numbers).
The example covers trunk ports and access ports (and not hybrid ports).
I also made enough examples for some different configurations to illustrate the setup methodology
The important thing is to not use VLAN1 for data and to leave it as the default vlan on the MT device.
I figure the OP is smart enough to use his brain and figure out what he should do to his settings with whatever numbers he chooses.
But he can compare to the examples so that he assigns oranges to oranges (his numbers) to match the pattern of my apples to apples (my example numbers).
The example covers trunk ports and access ports (and not hybrid ports).
I also made enough examples for some different configurations to illustrate the setup methodology
The important thing is to not use VLAN1 for data and to leave it as the default vlan on the MT device.
Last edited by anav on Sat Apr 30, 2022 3:53 am, edited 1 time in total.
Re: Mikrotik router - how to configure NAT and 2 VLANs on one eth port?
Buckeye and anav, thank you very much for your explanations.
I realize now my mistake with the default configured VLAN, I'll try to fix it first thing tomorrow.
I realize now my mistake with the default configured VLAN, I'll try to fix it first thing tomorrow.