justanoob
just joined
Topic Author
Posts: 5
Joined: Wed May 18, 2022 2:03 pm

Noob starting VLANs on RB2011 and Cisco Switches

Thu Jul 21, 2022 1:58 pm

Hi all,
I am new to RouterOS and Mikrotik. I bought an RB2011UiAS-2HnD-IN (with Atheros8327 and Atheros8227) and used a guide from here (viewtopic.php?t=143620) as my starting point for connecting my RB2011UiAS to the Internet (PPPoE client) and to a Cisco Catalyst 3750G switch through a trunk port. After many experiments I managed to get 4 working VLANs and inter-VLAN routing, but I cannot set up the DNS correctly. I can ping 8.8.8.8, for example, but cannot ping www.google.com (so no Internet). My configuration for the RB2011UiAS is as follows:
###############################################################################
# Topic:		MyRouter VLAN networks and Routing
# Example:		Mikrotik Router with Cisco Switch
# Web:			https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
# Router:		RB2011UiAS-2HnD-IN with Atheros8327 and Atheros8227
# RouterOS:		7.2.3
# Date:			30-06-2022
# Notes:		Start with a reset (/system reset-configuration)
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="My_Router"


#######################################
# VLAN Overview
#######################################

# 52 = BLUE (LAN)
# 54 = YELLOW (CAMERAS)
# 56 = RED (WIFI)
# 99 = PINK (MGMT)


#######################################
# Bridge
#######################################

# create one bridge
/interface bridge
add name=bridge1

#######################################
#
# -- Trunk Ports --
#
#######################################

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=sfp1 hw=yes

/interface ethernet switch vlan
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=52
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=54
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=56
add ports=sfp1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=99

/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT

# LAN facing Router's IP address on the MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=99
set sfp1 vlan-mode=secure vlan-header=leave-as-is
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

#######################################
# IP Addressing & Routing
#######################################

# !!! DNS server, set to cache for LAN (maybe this is not needed)
#/ip dns set allow-remote-requests=yes servers="9.9.9.9"

#PPPoE Scanner allows scanning all active PPPoE servers in the layer2 broadcast domain. Command to run scanner is as follows:
#/interface pppoe-client scan

/interface pppoe-client
add name=pppoe-otenet user=myuser password=mypassword interface=ether1 \
disabled=no add-default-route=yes use-peer-dns=yes
#if you know service name then previous command becomes
#service-name=internet disabled=no add-default-route=yes use-peer-dns=yes

# Ether1 port with IP Address provided by ISP
#/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0

# router's gateway provided by ISP
#/ip route add distance=1 gateway=b.b.b.b


#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, no DHCP service
/interface vlan add interface=bridge1 name=VLAN52 vlan-id=52
/ip address add interface=VLAN52 address=192.168.52.254/24

# Yellow VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=VLAN54 vlan-id=54
/ip address add interface=VLAN54 address=192.168.54.1/24
/ip pool add name=VLAN54_POOL ranges=192.168.54.50-192.168.54.254
/ip dhcp-server add address-pool=VLAN54_POOL interface=VLAN54 name=VLAN54_DHCP disabled=no
/ip dhcp-server network add address=192.168.54.0/24 dns-server=192.168.99.1 gateway=192.168.54.1
#or dns-server=9.9.9.9 or ISP provided

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=VLAN56 vlan-id=56
/ip address add interface=VLAN56 address=192.168.56.1/24
/ip pool add name=VLAN56_POOL ranges=192.168.56.50-192.168.56.254
/ip dhcp-server add address-pool=VLAN56_POOL interface=VLAN56 name=VLAN56_DHCP disabled=no
/ip dhcp-server network add address=192.168.56.0/24 dns-server=192.168.99.1 gateway=192.168.56.1
#or dns-server=9.9.9.9 or ISP provided

# Optional: Create a DHCP instance for MGMT VLAN. Convenience feature for an admin.
# /ip pool add name=MGMT_POOL ranges=192.168.99.10-192.168.99.254
# /ip dhcp-server add address-pool=MGMT_POOL interface=MGMT name=MGMT_DHCP disabled=no
# /ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
#or dns-server=9.9.9.9 or ISP provided

#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMTlist

/interface list member
#add interface=ether1     list=WAN
add interface=pppoe-otenet list=WAN
add interface=MGMT       list=VLAN
add interface=VLAN52     list=VLAN
add interface=VLAN54     list=VLAN
add interface=VLAN56     list=VLAN
add interface=MGMT       list=MGMTlist


##################
# INPUT CHAIN
##################
# VLAN aware firewall. Order is important.
/ip firewall filter

#Allow Estab & Related
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

#Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

#Allow MGMT_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface-list=MGMTlist comment="Allow MGMT_Vlan Full Access"

#Allow list of IPs to access Router
add action=accept chain=input src-address-list=allowed_to_router

#Allow ICMP
add action=accept chain=input protocol=icmp comment="Allow ICMP"

#Drop all else and log them
add chain=input action=drop comment="Drop" log=yes

#Allowed IPs to Router (this is not done previously by allowing MGMTlist, it also needs this)
/ip firewall address-list
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
#add address=192.168.52.1-192.168.52.254 list=allowed_to_router


##################
# FORWARD CHAIN
##################

#Create list of inhibited IPs
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

# VLAN aware firewall. Order is important.
/ip firewall filter

#Allow Estab & Related
add chain=forward action=fasttrack-connection connection-state=established,related comment=FastTrack
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

#!!!!Allow all VLANs to access the Internet only, NOT each other (maybe this is needed)
#add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid

add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1

add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-otenet log=yes log-prefix=!NAT

add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"

add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=pppoe-otenet log=yes log-prefix=!public src-address-list=not_in_internet

#add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" \
#in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.52.0/24


#Drop everything else
add chain=forward action=drop comment="Drop"

#Allow only needed icmp codes in "icmp" chain:
/ip firewall filter
  add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="echo reply"
  add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="net unreachable"
  add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
    comment="host unreachable"
  add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
    comment="host unreachable fragmentation required"
  add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
    comment="allow echo request"
  add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
    comment="allow time exceed"
  add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
    comment="allow parameter bad"
  add chain=icmp action=drop comment="deny all other types"


##################
# IPv6 Firewall
##################

/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"

/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface=!bridge1 comment="drop everything else not coming from bridge"

add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface=!bridge1 comment="drop everything else not coming from bridge"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp1]


#######################################
# MAC Server settings
#######################################

# Ensure visibility and availability only from bridge
#/interface list add name=listBridge
#/interface list member add list=listBridge interface=bridge1
 
#/ip neighbor discovery-settings set discover-interface-list=listBridge
#/tool mac-server mac-winbox set allowed-interface-list=listBridge
#/tool mac-server set allowed-interface-list=listBridge


#######################################
# Turn on VLAN mode
#######################################
#/interface bridge set bridge1 vlan-filtering=yes
# not for RB2011UiAS-2HnD-IN with Atheros8327 and Atheros8227

#######################################
# Routing
#######################################

#/ip route
Any help will be welcome.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Noob starting VLANs on RB2011 and Cisco Switches

Thu Jul 21, 2022 4:20 pm

Post the actual configuration ... run /export hide-sensitive file=anynameyouwish, fetch the file, open it in a text editor and redact any remaining sensitive information (such as serial number, any wireless passwords, public IP addresses), and paste it here.

[edit] what @tdw writes ... you have to either allow remote access to router's DNS service or send DHCP clients some other DNS server address.
Last edited by mkx on Thu Jul 21, 2022 4:24 pm, edited 2 times in total.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Noob starting VLANs on RB2011 and Cisco Switches

Thu Jul 21, 2022 4:21 pm

Likely you do not have /ip dns set allow-remote-requests=yes; without this the Mikrotik will only use any supplied DNS servers to resolve requests from itself and will ignore requests from anything else.

Generally it is best to post the actual configuration from the device rather than the script you applied to it; you may have items which change others.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noob starting VLANs on RB2011 and Cisco Switches

Thu Jul 21, 2022 6:34 pm

Another request for /export config, just hide any public IPs or public gateway IPs.......

A network diagram never hurts to provide additional context.
 
justanoob
just joined
Topic Author
Posts: 5
Joined: Wed May 18, 2022 2:03 pm

Re: Noob starting VLANs on RB2011 and Cisco Switches

Sat Jul 23, 2022 10:46 pm

Hi,
As requested, I am posting the actual export from the router and the network topology.
# jul/17/2022 11:25:16 by RouterOS 7.2.3
# software id = GU7Q-PWBV
#
# model = RB2011UiAS-2HnD
# serial number = myserial
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface pppoe-client
add add-default-route=yes default-route-distance=5 disabled=no interface=\
    ether1 name=pppoe-otenet use-peer-dns=yes user=myuser
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
add interface=bridge1 name=VLAN52 vlan-id=52
add interface=bridge1 name=VLAN54 vlan-id=54
add interface=bridge1 name=VLAN56 vlan-id=56
/interface ethernet switch port
set 0 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=99 vlan-mode=secure
set 11 vlan-mode=secure
/interface list
add name=WAN
add name=VLAN
add name=MGMTlist
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN54_POOL ranges=192.168.54.50-192.168.54.254
add name=VLAN56_POOL ranges=192.168.56.50-192.168.56.254
/ip dhcp-server
add address-pool=VLAN54_POOL interface=VLAN54 name=VLAN54_DHCP
add address-pool=VLAN56_POOL interface=VLAN56 name=VLAN56_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp1
/interface ethernet switch vlan
add independent-learning=yes ports=sfp1,ether2,switch1-cpu switch=switch1 \
    vlan-id=52
add independent-learning=yes ports=sfp1,ether2,switch1-cpu switch=switch1 \
    vlan-id=54
add independent-learning=yes ports=sfp1,ether2,switch1-cpu switch=switch1 \
    vlan-id=56
add independent-learning=yes ports=sfp1,ether2,ether3,switch1-cpu switch=\
    switch1 vlan-id=99
/interface list member
add interface=pppoe-otenet list=WAN
add interface=MGMT list=VLAN
add interface=VLAN52 list=VLAN
add interface=VLAN54 list=VLAN
add interface=VLAN56 list=VLAN
add interface=MGMT list=MGMTlist
/ip address
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.52.254/24 interface=VLAN52 network=192.168.52.0
add address=192.168.54.1/24 interface=VLAN54 network=192.168.54.0
add address=192.168.56.1/24 interface=VLAN56 network=192.168.56.0
/ip dhcp-server network
add address=192.168.54.0/24 dns-server=192.168.99.1 gateway=192.168.54.1
add address=192.168.56.0/24 dns-server=192.168.99.1 gateway=192.168.56.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_Vlan Full Access" \
    in-interface-list=MGMTlist
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment=Drop log=yes
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge1
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-otenet log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    pppoe-otenet log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=Drop
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "drop everything else not coming from bridge" in-interface=!bridge1
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from bridge" in-interface=!bridge1
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/system identity
set name=MyRouter
Thanks for your help.
Last edited by justanoob on Mon Jul 25, 2022 11:17 am, edited 1 time in total.
 
justanoob
just joined
Topic Author
Posts: 5
Joined: Wed May 18, 2022 2:03 pm

Re: Noob starting VLANs on RB2011 and Cisco Switches

Sat Jul 23, 2022 10:54 pm

The previous export is from the router connected to the modem. As you can see, "/ip dns set allow-remote-requests=yes" was already configured, but the router DNS is not working.

Thanks.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Noob starting VLANs on RB2011 and Cisco Switches

Mon Jul 25, 2022 8:50 pm

It is somewhat unusual to configure DHCP to hand out a DNS server address in a different subnet when the Mikrotik is also the gateway for those subnets. Nothing is immediately obvious, but it could be something in the firewall rules.

Does the Mikrotik obtain DNS addresses from the PPPoE client? They should be listed as dynamic-servers in the output of /ip dns print.

Does the Mikrotik successfully resolve addresses? e.g. :put [:resolve google.com]
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noob starting VLANs on RB2011 and Cisco Switches

Mon Jul 25, 2022 11:21 pm

Upgrade to 7.4

(1) No idea what these do as I am a bridge vlan filtering guy and don't dare enter the dark realm of switch port settings......
/interface ethernet switch port
set 0 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=99 vlan-mode=secure
set 11 vlan-mode=secure


(2) Four VLANS and IP addresses identified but only 2 DHCP servers, 2 DHCP Server Networks and 2 pools, something is wrong in Denmark.............errrr ROTTEN LOL.

(3) Okay you are in switch chip camp so cannot help you with all the errors you have there but this seems off.
Let's try for a coherent message.......

add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_Vlan Full Access" \
in-interface-list=MGMTlist

TO
add action=accept chain=input comment="Allow Estab, Related, & Untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow MGMT_Vlan Full Access" \
in-interface-list=MGMTlist
add action=accept chain=input comment="Allow VLAN services" in-interface-list=VLAN \
dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow VLAN services" in-interface-list=VLAN \
dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else"

(4) Forward chain, drop the crap...................
Keep
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

If you want to add blocking bogons then consider........ (just make sure not to block your own subnets)
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16
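An added illustration of the point behind the input-chain rewrite above (this is not anav's, the OP's, or RouterOS code; it is a small Python model I am adding to the thread). It evaluates two rule lists with RouterOS first-match semantics, including the implicit accept at the end of a chain, over a handful of constructed packets, so you can see that the original blanket "Allow VLAN" rule lets any VLAN client reach any router service (Winbox on tcp/8291, for instance), whereas the proposed chain only exposes DNS on port 53 to the VLANs and reserves full access for the MGMT list. The interface-list names and rule order are copied from the thread; the OP's src-address-list rule is left out because the model carries no IP addresses; the packets are made up for the demonstration.

```python
# Added example, not RouterOS code and not from the thread: a toy first-match
# evaluator for a RouterOS-style input chain (connection-state, interface
# list, protocol and dst-port matchers only). RouterOS's implicit accept for
# packets that match no rule is reproduced. The OP's src-address-list rule is
# omitted because the model carries no IP addresses.
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

# Interface lists as in the exported configuration (names from the thread).
INTERFACE_LISTS = {
    "WAN": {"pppoe-otenet"},
    "VLAN": {"MGMT", "VLAN52", "VLAN54", "VLAN56"},
    "MGMTlist": {"MGMT"},
}


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int]       # None for icmp
    connection_state: str         # new/established/related/invalid/untracked


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    comment: str
    connection_state: Optional[FrozenSet[str]] = None
    in_interface_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers match anything."""
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.in_interface_list is not None and pkt.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; a packet that matches nothing is accepted."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(no rule matched: implicit accept)"


def cs(*states: str) -> FrozenSet[str]:
    return frozenset(states)


# The OP's original input chain (address-list rule omitted, see above).
OP_INPUT = [
    Rule("accept", "Allow Estab & Related", connection_state=cs("established", "related")),
    Rule("accept", "Allow VLAN", in_interface_list="VLAN"),
    Rule("accept", "Allow MGMT_Vlan Full Access", in_interface_list="MGMTlist"),
    Rule("accept", "Allow ICMP", protocol="icmp"),
    Rule("drop", "Drop"),
]

# anav's proposed input chain: invalid dropped early, full router access only
# from the MGMT list, and only DNS (tcp/udp 53) reachable from the other VLANs.
ANAV_INPUT = [
    Rule("accept", "Allow Estab, Related, & Untracked", connection_state=cs("established", "related", "untracked")),
    Rule("drop", "defconf: drop invalid", connection_state=cs("invalid")),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("accept", "Allow MGMT_Vlan Full Access", in_interface_list="MGMTlist"),
    Rule("accept", "Allow VLAN services", in_interface_list="VLAN", protocol="tcp", dst_port=53),
    Rule("accept", "Allow VLAN services", in_interface_list="VLAN", protocol="udp", dst_port=53),
    Rule("drop", "Drop all else"),
]

# Constructed packets for the comparison (no real traffic captured).
SAMPLES = {
    "dns from camera vlan": Packet("VLAN54", "udp", 53, "new"),
    "winbox from camera vlan": Packet("VLAN54", "tcp", 8291, "new"),
    "winbox from mgmt vlan": Packet("MGMT", "tcp", 8291, "new"),
    "invalid from camera vlan": Packet("VLAN54", "tcp", 22, "invalid"),
    "ssh from the internet": Packet("pppoe-otenet", "tcp", 22, "new"),
}


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under the OP's chain, verdict under anav's chain)."""
    return evaluate(OP_INPUT, pkt)[0], evaluate(ANAV_INPUT, pkt)[0]


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        original, proposed = compare(pkt)
        print(f"{label:26s} original: {original:7s} proposed: {proposed}")
```

Two things the model makes visible: first, rule order matters, because under the original chain an invalid-state packet arriving on a VLAN interface reaches the "Allow VLAN" rule before any drop and is accepted, while the proposed chain drops it on the second rule; second, the DNS query that the thread is about is accepted by both chains, so a per-port allow costs nothing for the clients and removes Winbox, SSH and every other router service from the reach of the camera and Wi-Fi VLANs. On the real device the equivalent check is /ip firewall filter print stats where chain=input, watching which rule's counter increments while a client issues a lookup, together with the log=yes drop rule already in the configuration.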
 
justanoob
just joined
Topic Author
Posts: 5
Joined: Wed May 18, 2022 2:03 pm

Re: Noob starting VLANs on RB2011 and Cisco Switches

Tue Jul 26, 2022 2:20 pm

Thank you so much tdw and anav for your help. The problem was in the firewall section, so with anav's firewall everything works now! The router was able to resolve addresses, but a firewall rule was blocking the DNS, somehow. The only changes I made apart from the firewall were to upgrade to RouterOS 7.4 and to remove the ingress-filtering=yes frame-types=admit-only-vlan-tagged, because this only works with vlan-filtering=yes, but these did not change anything; only the firewall rules made the difference. I am uploading the script for my configuration for anyone who wants to work with routing and VLANs through a switch chip using a topology similar to the one I uploaded before.
###############################################################################
# Topic:		Router VLANs through Switch Chip
# Web:			https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
# RouterOS:		7.4
# Date:			26-07-2022
# Notes:		Start with a reset (/system reset-configuration)
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="My_Router"

#######################################
# VLAN Overview
#######################################

# 52 = BLUE (LAN)
# 54 = YELLOW (CAMERAS)
# 56 = RED (WIFI)
# 99 = PINK (MGMT)

#######################################
# Bridge
#######################################

# create one bridge
/interface bridge
add name=bridge1

#######################################
#
# -- Switch Chip VLANs --
#
#######################################

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=sfp1 hw=yes

/interface ethernet switch vlan
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=52
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=54
add ports=sfp1,ether2,switch1-cpu switch=switch1 vlan-id=56
add ports=sfp1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=99

/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT

# LAN facing Router's IP address on the MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=99
set sfp1 vlan-mode=secure vlan-header=leave-as-is
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is
#For Atheros8327, Atheros8227 vlan-header=leave-as-is
#If you put default=vlan-id=XX then Access Port, else Trunk Port

#######################################
# Connect to Internet & Routing
#######################################

# DNS allow remote requests
/ip dns set allow-remote-requests=yes

#Dynamic IP from ISP
#/ip dhcp-client add disabled=no interface=ether1

#PPPoE Client
/interface pppoe-client
add name=pppoe-my user=myuser password=mypassword interface=ether1 \
disabled=no add-default-route=yes use-peer-dns=yes
#PPPoE Scanner allows scanning all active PPPoE servers in the L2 broadcast domain. Command to run scanner:
#/interface pppoe-client scan

# Static IP Address provided by ISP
#/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
# Router's gateway provided by ISP
#/ip route add distance=1 gateway=b.b.b.b

#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, no DHCP service
/interface vlan add interface=bridge1 name=VLAN52 vlan-id=52
/ip address add interface=VLAN52 address=192.168.52.254/24

# Yellow VLAN (cameras) interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=VLAN54 vlan-id=54
/ip address add interface=VLAN54 address=192.168.54.1/24
/ip pool add name=VLAN54_POOL ranges=192.168.54.50-192.168.54.254
/ip dhcp-server add address-pool=VLAN54_POOL interface=VLAN54 name=VLAN54_DHCP disabled=no
/ip dhcp-server network add address=192.168.54.0/24 dns-server=192.168.99.1 gateway=192.168.54.1
#or dns-server=8.8.8.8 or ISP provided

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=VLAN56 vlan-id=56
/ip address add interface=VLAN56 address=192.168.56.1/24
/ip pool add name=VLAN56_POOL ranges=192.168.56.50-192.168.56.254
/ip dhcp-server add address-pool=VLAN56_POOL interface=VLAN56 name=VLAN56_DHCP disabled=no
/ip dhcp-server network add address=192.168.56.0/24 dns-server=192.168.99.1 gateway=192.168.56.1
#or dns-server=8.8.8.8 or ISP provided

# Optional: Create a DHCP instance for MGMT VLAN. Convenience feature for an admin.
# /ip pool add name=MGMT_POOL ranges=192.168.99.10-192.168.99.254
# /ip dhcp-server add address-pool=MGMT_POOL interface=MGMT name=MGMT_DHCP disabled=no
# /ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
#or dns-server=8.8.8.8 or ISP provided

#######################################
# Firewalling & NAT
# A starting firewall.
# Up to you how to customize it.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMTlist

/interface list member
#add interface=ether1     list=WAN
add interface=pppoe-my	  list=WAN
add interface=MGMT       list=VLAN
add interface=VLAN52     list=VLAN
add interface=VLAN54     list=VLAN
add interface=VLAN56     list=VLAN
add interface=MGMT       list=MGMTlist

##################
# INPUT CHAIN
##################
# VLAN aware firewall. Order is important.
/ip firewall filter

#Allow Estab & Related & Untracked
add action=accept chain=input comment="Allow Estab, Related, & Untracked" \
connection-state=established,related,untracked

#Drop Invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

#Accept ICMP
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

#Allow MGMT_Vlan Full Access
add action=accept chain=input comment="Allow MGMT_Vlan Full Access" \
in-interface-list=MGMTlist

#Allow VLAN services
add action=accept chain=input comment="Allow VLAN services" in-interface-list=VLAN \
dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow VLAN services" in-interface-list=VLAN \
dst-port=53 protocol=udp

#Drop all else and log them
add action=drop chain=input comment="Drop all else" log=yes

##################
# FORWARD CHAIN
##################

# VLAN aware firewall. Order is important.
/ip firewall filter

#Allow Fasttrack
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes

#Allow Estab & Related
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related

#Drop Invalid
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid

#Accept VLAN to WAN
add action=accept chain=forward in-interface-list=VLAN out-interface-list=WAN

#Accept DST NAT
add action=accept chain=forward comment="Accept DST NAT" connection-nat-state=dstnat

#Drop all else
add action=drop chain=forward comment="Drop all else"


###############################
# IPv6 Firewall Default Config
###############################

/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"

/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface=!bridge1 comment="drop everything else not coming from bridge"

add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface=!bridge1 comment="drop everything else not coming from bridge"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################
# MAC Server settings
#######################################

#/ip neighbor discovery-settings set discover-interface-list=MGMTlist
#/tool mac-server mac-winbox set allowed-interface-list=MGMTlist
#/tool mac-server set allowed-interface-list=MGMTlist

#######################################
# Routing
#######################################

#/ip route

Answers to anav's questions:
(1) Sets sfp1, ether2, ether3, switch-cpu to secure mode which according to mikrotik help: "...checks tagged traffic against the VLAN Table for ingress traffic and drops all untagged traffic. Both ingress and egress port must be found in the VLAN Table for the appropriate VLAN ID, otherwise, traffic is dropped..."
(2) I want the PCs in the MGMT and VLAN52 to be manually configured, so no need for DHCP Servers there.
(3), (4) The solution to my problem, you are my Hero!!!
(5) /ip route add blackhole... Well, this concept is something I do not know, so if you would please give me a link to study it, I would be obliged.
 
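Checks an operator would run on the RB2011 after loading the configuration above. This is an added example, not part of the thread; the commands are standard RouterOS terminal commands and the expected observations in the comments assume the configuration exactly as posted (secure switch-chip mode, PPPoE with use-peer-dns=yes, DNS open to the VLAN list only):

```routeros
# 1. Switch-chip VLAN table and port modes. Every trunk port (sfp1, ether2) and
#    switch1-cpu must appear in each VLAN row; ether3 appears only in VLAN 99.
#    In secure mode a frame whose ingress or egress port is missing from the
#    row for its VLAN ID is dropped, so a missing port here looks like "no link".
/interface ethernet switch vlan print
/interface ethernet switch port print

# 2. Name resolution on the router itself. "dynamic-servers" should list the
#    ISP resolvers learned over PPPoE and allow-remote-requests should be yes;
#    :resolve returns an address or throws an error, which is the quickest
#    split between "routing works" and "DNS works".
/ip dns print
:put [:resolve "www.google.com"]

# 3. The resolver is exposed to the VLANs only. After a client on VLAN54/56
#    resolves a name, the two "Allow VLAN services" rules count packets, and
#    the final "Drop all else" rule (log=yes) shows WAN-side probes, never
#    VLAN clients. A VLAN client hitting the drop rule means the list
#    membership or the rule order is wrong.
/ip firewall filter print stats where chain=input
/log print where topics~"firewall"

# 4. Same split from the router's side: by address proves the default route
#    and NAT, by name proves DNS on top of it.
/ping 8.8.8.8 count=3
/ping www.google.com count=3
```

The order matters: if step 1 is wrong nothing later can work, and if step 2 fails on the router itself, no client-side DHCP or firewall change will fix it.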
justanoob
just joined
Topic Author
Posts: 5
Joined: Wed May 18, 2022 2:03 pm

Re: Noob starting VLANs on RB2011 and Cisco Switches

Tue Jul 26, 2022 2:38 pm

Now that my most serious problem has been solved, I have another one.
I have a hEx PoE lite (RB750UPr2 - Atheros8227) which I am trying to use as a simple Switch with hardware offloading, without using its routing capabilities. I am connecting it to the Trunk port of my RB2011 and I use a similar Switch Chip configuration. They cannot see each other, no matter what I tried. Should I post the RB750UPr2 running config and topology here, or should I start a new topic?

Thanks again for your time.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Noob starting VLANs on RB2011 and Cisco Switches

Tue Jul 26, 2022 2:57 pm

As long as you're sending the tagged frames from the router to, let's say, ether1 of the hEx, you are golden.

What you have to decide is which is your trusted subnet, and the hEx will get an IP on that subnet.
Now if it is the vlan named MGMT, fine.......

Then the two devices need to be consistent and ensure both have..

/ip neighbor discovery-settings
set discover-interface-list=MGMT


/tool mac-server mac-winbox
set allowed-interface-list=MGMT
+++++++++++++++++++++++++++++++++

Now use this guide; the example should work for you.... for the hEx! And yes, USE BRIDGE VLAN FILTERING ON THIS DEVICE
viewtopic.php?t=182276

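A worked configuration for the hEx along the lines anav describes: bridge VLAN filtering, one management address in the MGMT VLAN, and neighbor discovery plus the MAC server restricted to that VLAN. This is an added example, not anav's linked guide and not justanoob's running config. The port roles, the 192.168.99.2 address, the identity name and the list name MGMTlist (chosen to match the RB2011 configuration in this thread rather than anav's "MGMT") are assumptions:

```routeros
# hEx PoE lite (RB750UPr2, Atheros8227) as a VLAN-aware switch.
# Assumed port roles (not from the thread):
#   ether1 = trunk to the RB2011 trunk port (52, 54, 56, 99 tagged)
#   ether2 = access port, VLAN 52 (BLUE, LAN)
#   ether3 = access port, VLAN 54 (YELLOW, CAMERAS)
#   ether4 = access port, VLAN 56 (RED, WIFI)
#   ether5 = access port, VLAN 99 (PINK, MGMT)
# Assumed management address 192.168.99.2/24, gateway 192.168.99.1 (the RB2011).
# Apply from a console or MAC-Winbox session on ether5. VLAN filtering is
# switched on as the LAST step so a mistake in the table cannot lock you out.

/system identity set name="My_Switch"

/interface bridge
add name=bridge1 vlan-filtering=no

# Access ports get a PVID and admit only untagged frames; the trunk admits only
# tagged frames. ingress-filtering=yes drops VIDs not in the VLAN table for that
# port, which is the bridge-side equivalent of switch-chip "secure" mode.
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 hw=yes ingress-filtering=yes pvid=52 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 hw=yes ingress-filtering=yes pvid=54 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 hw=yes ingress-filtering=yes pvid=56 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 hw=yes ingress-filtering=yes pvid=99 \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table. Only VLAN 99 is tagged towards the bridge interface itself, so
# the switch CPU is reachable from the MGMT VLAN and from nothing else.
/interface bridge vlan
add bridge=bridge1 vlan-ids=52 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=54 tagged=ether1 untagged=ether3
add bridge=bridge1 vlan-ids=56 tagged=ether1 untagged=ether4
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1 untagged=ether5

# Management interface: a VLAN interface on the bridge, same VLAN 99 as the router.
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address add address=192.168.99.2/24 interface=MGMT
/ip route add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip dns set servers=192.168.99.1

# Same list and the same two settings as on the RB2011, so the two devices
# discover each other (and answer MAC-Winbox) only on the MGMT VLAN.
/interface list add name=MGMTlist
/interface list member add interface=MGMT list=MGMTlist
/ip neighbor discovery-settings set discover-interface-list=MGMTlist
/tool mac-server set allowed-interface-list=MGMTlist
/tool mac-server mac-winbox set allowed-interface-list=MGMTlist

# The switch routes nothing, so its input chain only has to admit management
# sessions from the MGMT VLAN and drop everything else aimed at the switch.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="switch: established/related"
add chain=input action=accept in-interface-list=MGMTlist \
    comment="switch: management from MGMT VLAN only"
add chain=input action=drop comment="switch: drop all else"
/ip service disable telnet,ftp,www,api,api-ssl

# Last step: enable filtering, then confirm each bridge port carries the H
# (hardware offload) flag. Without H the frames are switched by the CPU.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge port print
/interface bridge vlan print
```

Two caveats worth checking before trusting the link: the RB2011 end must carry VLAN 99 tagged on the port the hEx trunk plugs into (in the posted config that is ether2 or sfp1, not ether3, which is an untagged VLAN 99 access port), and whether bridge VLAN filtering is hardware-offloaded on this switch chip depends on the RouterOS version, which is why the final `print` is there rather than an assumption in the comments.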