brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

RB2011, 2 VLANs & VPN

Wed Jul 27, 2022 12:03 am

Good evening,
I have already followed some wikis and been able to take my first steps in RouterOS, but the hard part is putting everything together, so I kindly ask for help...

The target is to use my RB2011UiAS-2HnD-IN to drive a home network in this way:
- ether1 is WAN
- ether2 + ether3 + wlan1 on VLAN1 with 192.168.3.0/24
- ether4 + ether5 + sfp1 on VLAN2 with 192.168.103.0/24

opt: ether6 to ether10 can be on VLAN1 or disabled

Both VLANs with their own DHCP server, can browse the WWW, must be separated from each other, with the exception of what I want to manage (single clients from VLAN2 can access defined ports on servers on VLAN1).
A basic firewall setup should be enough.
Last, I want to reach VLAN1 clients remotely through a VPN tunnel (using nomad clients, not PTP).

Thanks in advance
 
BrateloSlava
Member Candidate
Posts: 168
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: RB2011, 2 VLANs & VPN

Wed Jul 27, 2022 10:48 pm

Do you want to get a ready-made configuration for the router? Without doing any work yourself?
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB2011, 2 VLANs & VPN

Wed Jul 27, 2022 11:08 pm

> Do you want to get a ready-made configuration for the router? Without doing any work yourself?

Fully agree.
What's the fun in there?
And how would one learn without trying, failing, getting up again, seeing the light, understanding and applying knowledge?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011, 2 VLANs & VPN

Wed Jul 27, 2022 11:12 pm

 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 12:10 am

Oh? You're not listed?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 12:26 am

Be part of a commoner structure? Nah, not elite enough! ;-)
Only a prestigious few get the MTUNA designation. I did say exalted, right?
 
brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 12:58 am

> Do you want to get a ready-made configuration for the router? Without doing any work yourself?

Of course not. Just some directions on which direction to take.
Just to clarify, I have tried to replicate (from the command line, to learn more...) the instructions in Router-Switch-AP (all in one) (viewtopic.php?t=143620), but as soon as I apply them the interfaces are not working anymore (it seems that the DHCP server is not active on BLUE or GREEN) and MAC connectivity is locked out...
 
brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 1:03 am

> Do you want to get a ready-made configuration for the router? Without doing any work yourself?
> Fully agree.
> What's the fun in there?
> And how would one learn without trying, failing, getting up again, seeing the light, understanding and applying knowledge?

I can understand the "mission", having been in the IT world for the last 30 years. I learnt Linux from scratch when everybody else was bullying with Windows. But sometimes you need to get straight to the point: I need a setup for the router because it is ONE part of my domotic project. Hence I cannot spend weeks just on the router. If you can help, as I have always seen in forums like this one, I'm grateful. If the scope is to show how hard the path to the Grail is, I pass: thanks anyway. This would not prevent me from providing support should you need to KNX your house....

Greetings
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 4:41 am

Please post your latest config (/export) less any public IP information.
 
brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 1:02 pm

Hi and thanks.
I remade the whole config this morning following the Router-Switch-AP (all in one) guide from viewtopic.php?t=143620, but this time I tried to "bridge off" the ether10 of my RB2011.
While I have the same issues as before, I can now connect to the router via MAC address (Winbox).

Here is the cfg:
# jul/28/2022 11:37:20 by RouterOS 7.4
# software id = EBV1-UKWG
#
# model = RB2011UiAS-2HnD
/interface bridge
add name=BR1 protocol-mode=none
/interface ethernet
set [ find default-name=ether10 ] name=ether10-safe
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto hide-ssid=yes \
    mode=ap-bridge ssid=theFarmSvc
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=SAFE_POOL ranges=10.10.0.10-10.10.0.20
add name=BLUE_POOL ranges=192.168.3.2-192.168.3.254
add name=GREEN_POOL ranges=192.168.203.2-192.168.203.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.20
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=SAFE_POOL interface=ether10-safe name=SAFE_DHCP
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=ether9 pvid=99
add bridge=BR1 interface=ether10-safe pvid=99
/interface list member
add interface=ether1 list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=ether10-safe list=BASE
/ip address
add address=10.10.0.1/24 interface=ether10-safe network=10.10.0.0
add address=192.168.3.1/24 interface=BLUE_VLAN network=192.168.3.0
add address=192.168.203.1/24 interface=GREEN_VLAN network=192.168.203.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=192.168.0.1 gateway=10.10.0.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.3.0/24 dns-server=192.168.0.1 gateway=192.168.3.1
add address=192.168.203.0/24 dns-server=192.168.0.1 gateway=192.168.203.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MTtheFarm
Issue 1:
There must be something wrong in how I set up the DHCP for ether10-safe; Winbox tells me "DHCP server can not run on slave interface". (I did it to avoid setting a manual IP on my laptop...)
As you can see, the router is now getting WAN from another router (just "LAB" mode), and I can connect even from "my" LAN 192.168.1.0/24: the log says I'm in from local...

Issue 2:
I actually don't need the BASE VLAN other than to get SAFE access to the router: can it be simplified?

Issue 3:
Clients connected to ether2, ether3 or ether4, ether5 DON'T receive any address...
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 3:07 pm

(1) Not a problem.
Once you have made the necessary corrections, the final step will be this......
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes


++++++++++++++++++++++++++++++++

(2) Strangely you have 3 vlans but four of everything else........... I hope you didn't keep one subnet without a vlan, will have to zap you with a taser.........
Ahh I see the problem, YOU ONLY need to set the IP address on ether10, nothing else.................. for a safe entry point to the router.

(3) Without a network diagram it's a little harder to discern intent, but it looks like you have vlan10 going to dumb devices on ether2, ether3 and wlan1, you have vlan20 going to dumb devices on ether4, 5, and then you have vlan99 going to dumb devices on ether9, ether10.
Mistake, you don't want vlan99 going to ether10 because IT'S NOT SUPPOSED TO BE ON THE BRIDGE!

(4) Forgot to add BASE vlan to BASE interface list as a member.

(5) Add a few missing items that are not visible on the config.
/ip neighbor discovery-settings and /tool mac-server mac-winbox

+++++++++++++++++++++++++++++++++++++++++++++++++++++

To enter the router and config from ether10, just set an IPv4 address of 10.0.10.0.5 on the laptop or PC connecting up on ether10, for example.
What you are missing completely is firewall rules, so this should not be hooked up directly to the internet. Thus ensure you read this
and add as appropriate........
viewtopic.php?t=180838

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether10 ] name=ether10-safe
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto hide-ssid=yes \
    mode=ap-bridge ssid=theFarmSvc
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=192.168.3.2-192.168.3.254
add name=GREEN_POOL ranges=192.168.203.2-192.168.203.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.20
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=ether9 pvid=99
/interface list member
add interface=ether1 list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether10-safe list=BASE
/ip address
add address=10.10.0.1/24 interface=ether10-safe network=10.10.0.0
add address=192.168.3.1/24 interface=BLUE_VLAN network=192.168.3.0
add address=192.168.203.1/24 interface=GREEN_VLAN network=192.168.203.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.3.0/24 dns-server=192.168.0.1 gateway=192.168.3.1
add address=192.168.203.0/24 dns-server=192.168.0.1 gateway=192.168.203.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MTtheFarm
 
brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

Re: RB2011, 2 VLANs & VPN

Thu Jul 28, 2022 6:09 pm

After resetting the router, I have typed the code you provided.
Leaving aside the firewall, this is the new cfg:
# jul/28/2022 17:03:26 by RouterOS 7.4
# software id = EBV1-UKWG
#
# model = RB2011UiAS-2HnD
# serial number = HCJ087SPZEY
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether10 ] name=ether10-safe
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto hide-ssid=yes \
    mode=ap-bridge ssid=theFarmSvc
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=192.168.3.2-192.168.3.254
add name=GREEN_POOL ranges=192.168.203.2-192.168.203.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.20
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=ether9 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether10-safe list=BASE
/ip address
add address=10.10.0.1/24 interface=ether10-safe network=10.10.0.0
add address=192.168.3.1/24 interface=BLUE_VLAN network=192.168.3.0
add address=192.168.203.1/24 interface=GREEN_VLAN network=192.168.203.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.3.0/24 dns-server=192.168.0.1 gateway=192.168.3.1
add address=192.168.203.0/24 dns-server=192.168.0.1 gateway=192.168.203.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MTtheFarm
/tool mac-server mac-winbox
set allowed-interface-list=BASE
I can't get an IP address on ANY of the ports.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011, 2 VLANs & VPN  [SOLVED]

Thu Jul 28, 2022 6:20 pm

That's because the router has a self-preservation mode.
If there is no firewall or a crappy firewall, it doesn't permit people to be connected to such a poor setup. ;-P

Seriously, you were supposed to read the link and put in a firewall rule.......... how disappointing you were so lazy.

Something like this.
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=BASE
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
Now as to the current config, after you add the firewall you are missing the /interface bridge vlan settings.....

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=99
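As an added check (my own example, not code from this thread or from MikroTik), the following Python script parses an export of the kind posted above and flags the two mistakes behind the symptoms in this thread: a DHCP server bound to a bridge port (Winbox's "DHCP server can not run on slave interface"), and vlan-filtering=yes on a bridge that has no /interface bridge vlan entry tagging the bridge itself for the VLANs on which the router's own VLAN interfaces and DHCP servers live, which is why no client got an address. The two export fragments inside it are constructed and trimmed to the relevant sections; the section names and parameter keys are the ones a RouterOS export uses, and the finding labels are my own.

```python
import re
from collections import defaultdict

# Constructed export fragments, trimmed to the sections the checks need.
# BROKEN_EXPORT has the shape of the thread's failing config; FIXED_EXPORT adds
# the bridge vlan table and takes the DHCP server off the bridge port.
BROKEN_EXPORT = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto hide-ssid=yes \\
    mode=ap-bridge ssid=theFarmSvc
/interface vlan
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=SAFE_POOL interface=ether10-safe name=SAFE_DHCP
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether10-safe pvid=99
"""

FIXED_EXPORT = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether4 pvid=20
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4 vlan-ids=20
/ip address
add address=10.10.0.1/24 interface=ether10-safe network=10.10.0.0
"""


def parse_export(text):
    """Return {section path: [ {key: value, ...} per add/set line ]}.
    Joins backslash-continued lines and skips '#' comments."""
    sections = defaultdict(list)
    current, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # continuation of the previous line
            line, pending = pending + " " + line, ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header such as /interface bridge
            current = line
            continue
        m = re.match(r"(add|set)\b(.*)", line)
        if m and current is not None:
            params = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', m.group(2)))
            sections[current].append(params)
    return sections


def check(sections):
    """Return a list of (kind, message) findings for the parsed export."""
    findings = []
    bridges = {b["name"]: b for b in sections.get("/interface bridge", []) if "name" in b}
    ports = sections.get("/interface bridge port", [])
    slaves = {p["interface"] for p in ports if "interface" in p}

    def filtering(br):
        return bridges.get(br, {}).get("vlan-filtering") == "yes"

    # 1. A DHCP server must sit on the bridge or a VLAN interface, never on a bridge port.
    for d in sections.get("/ip dhcp-server", []):
        if d.get("interface") in slaves:
            findings.append(("dhcp-on-slave",
                             f"{d.get('name')}: bound to bridge port {d['interface']}"))

    # Static bridge VLAN table: (bridge, vid) -> tagged/untagged member sets.
    table = {}
    for v in sections.get("/interface bridge vlan", []):
        for vid in filter(None, v.get("vlan-ids", "").split(",")):
            e = table.setdefault((v.get("bridge"), vid), {"tagged": set(), "untagged": set()})
            e["tagged"].update(filter(None, v.get("tagged", "").split(",")))
            e["untagged"].update(filter(None, v.get("untagged", "").split(",")))

    # 2. With vlan-filtering=yes the bridge (CPU port) must be a tagged member of every
    #    VLAN that carries a router-side /interface vlan, or its IP and DHCP are unreachable.
    for v in sections.get("/interface vlan", []):
        br, vid = v.get("interface"), v.get("vlan-id")
        if filtering(br) and br not in table.get((br, vid), {}).get("tagged", set()):
            findings.append(("cpu-not-tagged",
                             f"{v.get('name')}: {br} is not tagged in VLAN {vid}"))

    # 3. Advisory: every access port's PVID should have a static entry listing it untagged.
    for p in ports:
        br, iface, pvid = p.get("bridge"), p.get("interface"), p.get("pvid", "1")
        if not filtering(br):
            continue
        entry = table.get((br, pvid))
        if entry is None:
            findings.append(("pvid-no-entry", f"{iface}: no static entry for pvid {pvid}"))
        elif iface not in entry["untagged"]:
            findings.append(("port-not-untagged", f"{iface}: not untagged in VLAN {pvid}"))
    return findings


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"== {label} ==")
        for kind, msg in check(parse_export(export)) or [("ok", "no findings")]:
            print(f"  [{kind}] {msg}")
```

Run it with python3 and paste a real export in place of the fragments; it is a static check on the export text, not a live query of the router. The cpu-not-tagged finding is the one that explains the thread's "no address on any port" symptom; pvid-no-entry is advisory, since RouterOS creates a dynamic VLAN entry from a port's PVID but that entry never makes the bridge itself a tagged member.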
 
brusuillis
just joined
Topic Author
Posts: 11
Joined: Tue Jul 19, 2022 8:11 pm

Re: RB2011, 2 VLANs & VPN

Fri Jul 29, 2022 11:25 am

I'm sorry you think it was laziness. I just wanted to limit the field for troubleshooting: my fault.
Made the adjustments you suggested; now I get IP addresses and it's basically working.
I'm now going to invest some time in firewalling (forwarding some services out of BLUE...) and then start with the VPN (probably AFTER setup in production).

Thank you, really!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011, 2 VLANs & VPN

Fri Jul 29, 2022 1:42 pm

No worries, glad it's working now!
 
TheLorc
Frequent Visitor
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: RB2011, 2 VLANs & VPN

Sat Jul 30, 2022 8:08 pm

> Be part of a commoner structure? Nah, not elite enough! ;-)
> Only a prestigious few get the MTUNA designation. I did say exalted, right?

What's an MTUNA certification?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RB2011, 2 VLANs & VPN

Sat Jul 30, 2022 8:33 pm

@TheLorc: Use this forum's search and look for the first occurrence. ;)
