P00HB33R
just joined
Topic Author
Posts: 21
Joined: Tue Aug 10, 2021 4:20 pm

VLAN Question

Fri Aug 12, 2022 10:45 am

Hi All,

Ok so I have managed to wrap my head around the whole Bridge with VLAN filtering. I got it working and all is good, except that once filtering is active, I lose the ability to access the MikroTik via IP and MAC. I want to be able to access the MikroTik from anywhere in my network.

So currently I have SFP1 as a tagged port for vlan11; the untagged ports are all the remaining ports on the router.
Then I change all ports' PVID to 11, including SFP1. Bridge PVID is 1.
All ports including SFP1 are added to the bridge ports.

This config works as stated, but then I lose the ability to access the router via IP and MAC. I want to be able to access the router on all ports, no matter the VLAN.

Any help would be greatly appreciated
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Question

Fri Aug 12, 2022 11:02 am

You did not reveal the model of router you're using, so I'll assume it's one of the "non-pro" devices. Those come with a default setup including a pretty decent firewall. And the default firewall depends on proper interface list membership management. Default rules allow connections to the router itself (including management) via one of the interfaces that are members of the LAN interface list. The same is true for MAC connections (winbox and telnet). When one configures VLANs, the ingress interface is no longer the bridge interface (or physical interface), it's one of the vlan interfaces, so one has to allow connections via the appropriate vlan interface(s) ... either by adding it (them) to the LAN interface list or by overhauling a substantial portion of the firewall filter rules and MAC access rules.
 
P00HB33R
just joined
Topic Author
Posts: 21
Joined: Tue Aug 10, 2021 4:20 pm

Re: VLAN Question

Fri Aug 12, 2022 11:04 am

I am using a CRS317-1G-16S+

No firewall etc. Just a basic lab I am setting up to test and get a better understanding of VLANs.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Question

Fri Aug 12, 2022 11:13 am

Post your configuration ... execute /export hide-sensitive file=anynameyouwish, copy the file off the switch, open it with a text editor, obfuscate any remaining sensitive data (such as the serial number), and copy-paste it inside a [code] [/code] block.
 
P00HB33R
just joined
Topic Author
Posts: 21
Joined: Tue Aug 10, 2021 4:20 pm

Re: VLAN Question

Fri Aug 12, 2022 11:32 am

Thank you. Below is my config.
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus1 pvid=11
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus2 pvid=11
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus3 pvid=11
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=\
    sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=11
add bridge=bridge1 untagged=\
    ether1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1

/ip address
add address=192.168.1.43/24 interface=bridge1 network=192.168.1.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
With this config, when I activate filtering, I lose all connectivity to the router.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Question

Fri Aug 12, 2022 1:26 pm

Terrible idea. Why would you want all users to have access to configure the router?
The only person that should have access to the router is the admin.
You need to rethink your strategy.

Step 1: Ensure all smart devices have their IP address from the same subnet (vlan)
Step 2: Ensure only the admin has access to, let's say, winbox via the input chain....

If you only have the one device/router and wish to be able to access it from every vlan, yuck........... then
at least use a firewall address list.....

/ip firewall address-list
add address=adminPC_on_vlanX list=Authorized
add address=adminPC_on_vlanY list=Authorized
add address=adminPC_on_vlanZ list=Authorized
etc....

/ip firewall filter
add chain=input action=accept in-interface-list=LAN src-address-list=Authorized dst-port=winboxport protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

++++++++++++++++++++++++++++++++++
Well it turns out you don't have a bunch of vlans, you only have sorta 2. In any case you kinda have two vlans, but I will let others deal with the config, I have had enough of people using vlan1 for data.....
Since others seem to think it's okay, they can provide the extra overhead support that it takes......... such a waste of time.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN Question

Fri Aug 12, 2022 3:34 pm

With this config, when I activate filtering, I lose all connectivity to the router
You have no VLAN interface for the VLAN access. The VLAN interface is the switch's management connection to the switch ASIC.

See CRS3xx, CRS5xx series switches, CCR2116, CCR2216 and RTL8367, 88E6393X, 88E6191X and MT7621 switch chips

Another worthwhile resource: Mikrotik VLANs - CRS3XX Step by Step - Mikrotik Tutorial

@anav, while I agree the config isn't good for production use, they did say this was for a lab setup to learn VLANs. And for that purpose, why introduce other things that can be misconfigured and cause it to fail to work as expected?
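Putting mkx's point (interface list membership drives the firewall and MAC-server access) and Buckeye's point (management needs a VLAN interface on the bridge, and the bridge itself must be a member of that VLAN) together, here is a corrected version of the export posted above. This is an added example, not code from any poster or from MikroTik's documentation. It keeps the bridge, port names, VLAN id and the 192.168.1.43/24 address from the export; the interface name vlan11, the admin host 192.168.1.10 and the WinBox port 8291 are assumptions, and the address-list rules at the end follow anav's suggestion and are optional for a lab.

```routeros
# Added example: management access on a VLAN-filtering CRS3xx bridge.
# Bridge, ports, VLAN id and IP address come from the export in this thread;
# "vlan11" and the admin host 192.168.1.10 are constructed for the example.

/interface bridge
add name=bridge1 vlan-filtering=no
# keep vlan-filtering=no until everything below is in place, enable it last

/interface list
add name=WAN
add name=LAN

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1
add bridge=bridge1 interface=sfp-sfpplus1 pvid=11
add bridge=bridge1 interface=sfp-sfpplus2 pvid=11
add bridge=bridge1 interface=sfp-sfpplus3 pvid=11
add bridge=bridge1 interface=sfp-sfpplus4 pvid=11

# bridge1 (the CPU port) must be a tagged member of VLAN 11; without it,
# frames arriving on the access ports are never delivered to the router's own IP stack
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 \
    untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=11

# management address lives on a VLAN interface on top of the bridge, not on bridge1 itself
/interface vlan
add interface=bridge1 name=vlan11 vlan-id=11

# membership in the LAN list is what the firewall and MAC-server rules below key on
/interface list member
add interface=vlan11 list=LAN

/ip address
add address=192.168.1.43/24 interface=vlan11 network=192.168.1.0

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# MAC-level access (WinBox / mac-telnet) is allowed only on LAN-list interfaces,
# i.e. from every port carrying VLAN 11 and nowhere else
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# optional hardening along anav's lines: only the admin host may reach WinBox
/ip firewall address-list
add address=192.168.1.10 list=Authorized
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN src-address-list=Authorized \
    protocol=tcp dst-port=8291
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53
add chain=input action=drop comment="drop all other input"

# enable filtering last, once vlan11 and its address are reachable
/interface bridge
set bridge1 vlan-filtering=yes
```

Two things to check before turning on vlan-filtering: `/interface bridge vlan print` should list bridge1 under tagged for VLAN 11, and `/interface list member print` should show vlan11 in LAN. If either is missing, the symptom is exactly the one in this thread, loss of both IP and MAC access the moment filtering goes on, so enabling it from a console or with a safe-mode session is the sensible order.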
