 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Trying to get the VLANs to work

Tue Aug 30, 2022 10:43 pm

Hi everyone, I'm a complete beginner in networking and having some trouble getting the VLANs to work.
My topology would be a MikroTik RB2011, with 2 ISPs working in failover (ether1, 2) and 3 ports in the LAN bridge (ether3, 4, 5). Now I want to make ether3 work as a trunk port, with tagged VLAN 10. Then I have a manageable switch, an Aruba 1830, that's connected to ether3 on the MikroTik and already tags everything there (I have ether1 on the switch with tagged VLAN 10 and untagged VLAN 1, then I have ether2 with untagged VLAN 10 connected to a PC).

This is my config:
# aug/30/2022 16:24:25 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS

/interface bridge
add admin-mac=64:D1:54:38:F5:A7 auto-mac=no comment=defconf fast-forward=no \
    name=bridgeLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] name=ether3-LAN speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether3-LAN name=VLAN10 vlan-id=10
add interface=ether3-LAN name=VLAN20 vlan-id=20
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
add name=dhcp_pool2 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool3 ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridgeLAN name=dhcp
add address-pool=dhcp_pool2 disabled=no interface=VLAN10 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=VLAN20 name=dhcp2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=<CENSORED> name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether3-LAN
add bridge=bridgeLAN interface=ether4
add bridge=bridgeLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridgeLAN tagged=ether3-LAN,bridgeLAN vlan-ids=10
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=bridgeLAN list=LAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
/ip address
add address=192.168.1.1/24 comment=LAN interface=ether3-LAN network=\
    192.168.1.0
add address=10.0.10.1/24 interface=VLAN10 network=10.0.10.0
add address=10.0.20.1/24 interface=VLAN20 network=10.0.20.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.0.0/24 comment="Virtual Machines Net" gateway=10.0.0.1 \
    netmask=24
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=192.168.1.3-192.168.1.101 comment="Resto de la red" list=\
    a_fibercorp
add address=192.168.1.102 comment=Cosag list=a_claro
add address=192.168.1.103 comment=W2019 list=a_claro
add address=192.168.1.201 comment=webserver list=a_claro
add address=192.168.1.106-192.168.1.199 list=a_fibercorp
add address=192.168.1.203-192.168.1.254 list=a_fibercorp
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1-Claro
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether2-Fibercorp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes in-interface=\
    ether1-Claro
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-Claro
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether2-Fibercorp
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1-Claro
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether2-Fibercorp
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    X.X.X.X routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    X.X.X.X routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    X.X.X.X routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    X.X.X.1 routing-mark=a-claro
add distance=1 gateway=10.0.10.1
add distance=1 gateway=10.0.20.1
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/ip traffic-flow target
add dst-address=192.168.1.253 port=5536 version=5
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3-LAN,ether4,ether5,\
    ether6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=10m name="cada 10 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system ups
add name=APC900 offline-time=10h port=usbhid1
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes
(I know I'm using native VLAN 1 for the bridge, but that was already working like that when I started to work here, and I really don't know how to "move" everything to a base VLAN.)
I can't ping or obtain an IP address from the PC connected to the Aruba switch.
Any help or advice would be great. Thanks in advance.
Last edited by rextended on Wed Aug 31, 2022 12:15 am, edited 1 time in total.
Reason: <CENSORED> email
 
rextended
Forum Guru
Posts: 8930
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Trying to get the VLANs to work

Wed Aug 31, 2022 12:15 am

<CENSORED> email
 
marinekev88
just joined
Posts: 1
Joined: Wed Aug 31, 2022 4:56 am

Re: Trying to get the VLANs to work

Wed Aug 31, 2022 7:41 am

I am currently dealing with the same thing. My topology is a bit different:

ISP fiber terminal > netgear smart switch > mikrotik RB2011 > netgear smart switch #2

I am trying to setup the first switch to tag ISP incoming on port 8 (set PVID for untagged traffic) and egress port 7 (not sure to strip tag or leave in tact ) but port 7 will be the trunk port for two other VLANs (home, business networks). Switch #2 will be just business network management. The reason I have to set up this way is location, I have a business server downstairs colocated with the home network and the RB along with second business server is upstairs in the office.

I hate to piggy back but I am not a network guru either and I could really use some guidance (preferably in idiot language).

I did get a standard bridge setup to handle a WAP but that hopefully will be moved to the business VLAN
 
mkx
Forum Guru
Posts: 8467
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to get the VLANs to work

Wed Aug 31, 2022 8:39 am

Read through this excellent tutorial.

But in short: you should never use slave ports (ether3-LAN is slave port ... it's member of a bridge) as interface (your config defines VLAN interfaces on ether3-LAN, it should define them on bridgeLAN interface). Ditto for IP address (192.168.1.1) and DHCP server.
BR,
Metod
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Wed Aug 31, 2022 5:23 pm


it should define them on bridgeLAN - Perfect, I'll do that!
Ditto for IP address (192.168.1.1) and DHCP server.
Yes, I realize that, but is it "safe" to change the interface address from ether3 to bridgeLAN without losing connection? Because clients are accessing the servers.
 
anav
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to get the VLANs to work

Wed Aug 31, 2022 5:27 pm

Hi consultar, you are very right to be concerned with changing config with users in place.

1. Try to use quiet time when most users are NOT online.
2. Use SAFE MODE always when changing config
3. Consider changing the config OFF the bridge, as if the bridge burps it won't affect your access to the bridge.
viewtopic.php?t=181718

If you have any questions about it feel free to ask!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Wed Aug 31, 2022 8:56 pm

Thanks a lot, I'll keep that in mind, and start using SAFE MODE!
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Mon Sep 05, 2022 9:28 pm

So I've been trying to get it to work before I try it on the production bridge, in a similar environment with bridge99 and ether6, where I'm trying to make it a trunk port, but without success: the DHCP server seems not to be giving an IP address to the switch on port ether6.
Here is my config setup; can anyone help me see where I'm messing it up? Thanks a lot
# sep/05/2022 15:24:43 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
# serial number = 
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge99 protocol-mode=none \
    vlan-filtering=yes
add admin-mac=64:D1:54:38:F5:A7 auto-mac=no comment=defconf fast-forward=no \
    name=bridgeLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridgeLAN name=VLAN10-LAN vlan-id=10
add interface=bridge99 name=VLAN20-Clientes vlan-id=20
add interface=bridgeLAN name=VLAN30-Camaras vlan-id=30
add interface=bridge99 name=vlan99 vlan-id=99
/interface ethernet switch port
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 12 vlan-mode=fallback
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
add name=dhcp_pool3 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool4 ranges=10.0.30.2-10.0.30.254
add name=dhcp_pool8 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridgeLAN name=dhcp
add address-pool=dhcp_pool3 disabled=no interface=VLAN20-Clientes name=dhcp2
add address-pool=dhcp_pool4 disabled=no interface=VLAN30-Camaras name=dhcp3
add address-pool=dhcp_pool8 disabled=no interface=bridge99 name=dhcp1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether3
add bridge=bridgeLAN interface=ether4
add bridge=bridgeLAN interface=ether5
add bridge=bridge99 frame-types=admit-only-vlan-tagged interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridgeLAN tagged=ether3,ether5,bridgeLAN,ether4 vlan-ids=10
add bridge=bridgeLAN tagged=ether3,ether5,bridgeLAN vlan-ids=30
add bridge=bridge99 tagged=bridge99,ether6 vlan-ids=99
add bridge=bridge99 tagged=bridge99,ether6 vlan-ids=20
/interface list member
add interface=sfp1 list=discover
add interface=ether2-Fibercorp list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridgeLAN list=discover
add list=discover
add interface=bridgeLAN list=mactel
add interface=bridgeLAN list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=bridgeLAN list=LAN
add interface=VLAN10-LAN list=VLAN
add interface=VLAN20-Clientes list=VLAN
add interface=VLAN30-Camaras list=VLAN
add interface=vlan99 list=VLAN
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridgeLAN network=\
    192.168.1.0
add address=10.0.20.1/24 interface=VLAN20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=VLAN30-Camaras network=10.0.30.0
add address=192.168.99.1/24 interface=bridge99 network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=192.168.1.3-192.168.1.101 comment="Resto de la red" list=\
    a_fibercorp
add address=192.168.1.102 comment=Cosag list=a_claro
add address=192.168.1.103 comment=W2019 list=a_claro
add address=192.168.1.201 comment=webserver list=a_claro
add address=192.168.1.106-192.168.1.199 list=a_fibercorp
add address=192.168.1.203-192.168.1.254 list=a_fibercorp
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1-Claro
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether2-Fibercorp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes in-interface=\
    ether1-Claro
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-Claro
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether2-Fibercorp
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1-Claro
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether2-Fibercorp
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/ip traffic-flow target
add dst-address=192.168.1.253 port=5536 version=5
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=10m name="cada 10 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system ups
add name=APC900 offline-time=10h port=usbhid1
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes
 
anav
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to get the VLANs to work

Tue Sep 06, 2022 2:40 am

Normally what I do, when I have a management LAN (or VLAN) where all smart devices should get their IP from (it could be a trusted subnet if one doesn't have a dedicated management subnet),
is pick an IP address within the subnet, outside the pool, and using the MAC address of the switch set the IP up manually on the MikroTik and make it static.
On the switch just set the IP manually in its config.

(1) What is with the two bridge nonsense, you only need one??

(2) Keep life simple: the ONLY thing you should do when identifying the bridge is turn vlan-filtering on at the end (and perhaps add a pretty name).
The rest is just going to get you in trouble; remove the yellow bits. I almost thought you set pvid to 99 when I first looked at the rule, but see it's just a confusing name convention........

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge99 protocol-mode=none \
vlan-filtering=yes

(3) I see you have two other vlans and think it's a good idea to mix apples and oranges, having one subnet tied to the bridge............ why?
Use all vlans, and keep the bridge doing only bridging, simple.
So create another vlan so it looks like this.

/interface vlan
add interface=bridgeONE name=VLAN10-LAN vlan-id=10
add interface=bridgeONE name=VLAN20-Clientes vlan-id=20
add interface=bridgeONE name=VLAN30-Camaras vlan-id=30
add interface=bridgeONE name=vlan99 vlan-id=99

Only two other spots will require changes for the new vlan.......
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no \
interface=vlan10-LAN name=dhcp

AND
/ip address
add address=192.168.1.1/24 comment=LAN interface=vlan10-LAN network=\
192.168.1.0


(2) Forget all that really old default crap, discover and mactel blah blah blah
Keep interfaces simple.
WAN, LAN, MANAGE or in your case use VLAN instead of LAN, but not both.......... (unless there is a compelling reason)

Mac-winbox is already covered under the MANAGE interface list.
discover is already covered under the MANAGE interface list

(3) Input chain - fix order and some missing firewall rules or missing bits........
a. first three rules should look like this, in this order
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp


b. First these rules can be expressed as one rule if you used interface-list=WAN vice each interface!
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1-Claro
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether2-Fibercorp


However, why not simplify and make the rules read as what they actually do, with the following, which of course is also more secure.
add action=accept chain=input in-interface-list=VLAN
add action=drop chain=input comment="drop all else"


4. Forward chain

a. The two rules after the fasttrack rule should look like:
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

THEN the other rules.........

b. Finally this rule is better served by the alternate approach which is clearer and more secure.......
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


Here we are saying allow port forwarding and then drop all other traffic not permitted in any of the above allow rules!!

(5) From

/ip neighbor discovery-settings
set discover-interface-list=all
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox


TO
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

6. Let's rein in that mess of interface list members...... and it appears that vlan10-LAN is your trusted subnet (not vlan99 for example, which I thought maybe was a management vlan).
FROM:
/interface list member
add interface=sfp1 list=discover
add interface=ether2-Fibercorp list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridgeLAN list=discover
add list=discover
add interface=bridgeLAN list=mactel
add interface=bridgeLAN list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=bridgeLAN list=LAN
add interface=VLAN10-LAN list=VLAN
add interface=VLAN20-Clientes list=VLAN
add interface=VLAN30-Camaras list=VLAN
add interface=vlan99 list=VLAN


TO
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=VLAN10-LAN list=VLAN
add interface=VLAN20-Clientes list=VLAN
add interface=VLAN30-Camaras list=VLAN
add interface=vlan99 list=VLAN
add interface=VLAN10-LAN list=MANAGE

7. Bridgeports to match.
/interface bridge port
add bridge=bridgeONE interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridgeONE interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridgeONE interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridgeONE interface=ether6 ingress-filtering=yes frame-types=admit-only-vlan-tagged

8. VLANS to match
/interface bridge vlan
add bridge=bridgeONE tagged=bridgeONE,ether3,ether4,ether5 vlan-ids=10
add bridge=bridgeONE tagged=bridgeONE,ether3,ether5 vlan-ids=30
add bridge=bridgeONE tagged=bridgeONE,ether6 vlan-ids=20,99

9. Finally let's talk about your mangles and routes.
The mangling setup is a bit strange......... in that it's not clear what you are doing.
You have some four users that you want to ONLY use one ISP and then two groups of users in the same subnet to use the other ISP.
WHAT ABOUT all the other users that you don't identify in that subnet????

What is the intent of the rest of the users, aka the other VLANS?
What is the intended primary WAN and the secondary WAN?

Once we have it clear what the needs are then we can finish the mangling and routes part of your config................... Something's not right with it currently.
Then there should be no reason why you cannot accomplish your goals.
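mkx's point above (VLAN interfaces, the IP address and the DHCP server belong on the bridge, not on a slave port such as ether3-LAN) and anav's point 8 (the bridge VLAN table must list the bridge itself as tagged for every VLAN the router terminates) can be checked mechanically before a config is pasted into a production router. The linter below is an added example written for this page, not a MikroTik tool and not code from anyone in the thread; it parses the plain `/export` text format and runs against two constructed samples, one modelled on the first export posted here and one on the single-bridge layout anav recommends.

```python
"""Lint a RouterOS v6 export for the bridge/VLAN mistakes discussed in this thread."""
import re
from collections import defaultdict

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_export(text):
    """Map each section ('/interface vlan', ...) to its 'add' entries as dicts."""
    joined = re.sub(r'\\\n\s*', '', text)  # join backslash-continued lines
    sections = defaultdict(list)
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            current = line
        elif current and line.startswith('add '):
            sections[current].append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return sections


def expand_vlan_ids(spec):
    """'10' -> {10}; '20,99' -> {20, 99}; '100-102' -> {100, 101, 102}."""
    ids = set()
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-', 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(part))
    return ids


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_export(text)
    slave_of = {p['interface']: p['bridge'] for p in cfg['/interface bridge port'] if 'interface' in p}
    filtering = {b['name'] for b in cfg['/interface bridge'] if b.get('vlan-filtering') == 'yes'}
    cpu_vlans = defaultdict(set)  # bridge -> VLAN ids on which the bridge itself is tagged
    for v in cfg['/interface bridge vlan']:
        if v.get('bridge') in v.get('tagged', '').split(','):
            cpu_vlans[v['bridge']] |= expand_vlan_ids(v['vlan-ids'])
    findings = []

    def check_slave(section, entry, label):
        iface = entry.get('interface')
        if iface in slave_of:
            what = entry.get('name', entry.get('address', '?'))
            findings.append(f"{section}: {label} '{what}' is bound to slave port {iface}; "
                            f"bind it to bridge {slave_of[iface]} instead")

    for v in cfg['/interface vlan']:
        check_slave('/interface vlan', v, 'VLAN interface')
        parent = v.get('interface')
        bridge = slave_of.get(parent, parent)  # a slave port resolves to its bridge
        vid = int(v['vlan-id'])
        if bridge in filtering and vid not in cpu_vlans[bridge]:
            findings.append(f"/interface bridge vlan: VLAN {vid} ({v['name']}) has no entry on "
                            f"{bridge} with {bridge} tagged, so the router itself never sees it")
    for a in cfg['/ip address']:
        check_slave('/ip address', a, 'address')
    for d in cfg['/ip dhcp-server']:
        check_slave('/ip dhcp-server', d, 'DHCP server')
    for m in cfg['/interface list member']:
        if 'interface' not in m:
            findings.append(f"/interface list member: entry for list {m.get('list', '?')} names no interface")
    return findings


# Constructed sample modelled on the thread's first export (not a real device).
SAMPLE_EXPORT = """\
/interface bridge
add comment=defconf name=bridgeLAN vlan-filtering=yes
/interface vlan
add interface=ether3-LAN name=VLAN10 vlan-id=10
add interface=ether3-LAN name=VLAN20 vlan-id=20
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether3-LAN
/interface bridge vlan
add bridge=bridgeLAN tagged=ether3-LAN,bridgeLAN vlan-ids=10
/interface list member
add list=discover
/ip address
add address=192.168.1.1/24 comment=LAN interface=ether3-LAN network=\\
    192.168.1.0
"""

# Constructed sample following the single-bridge layout recommended later in the thread.
CLEAN_EXPORT = """\
/interface bridge
add name=bridgeONE vlan-filtering=yes
/interface vlan
add interface=bridgeONE name=VLAN10-LAN vlan-id=10
/interface bridge vlan
add bridge=bridgeONE tagged=bridgeONE,ether3 vlan-ids=10,99
/ip address
add address=192.168.1.1/24 interface=VLAN10-LAN network=192.168.1.0
"""
```

Against SAMPLE_EXPORT the linter reports five findings (both VLAN interfaces and the address on ether3-LAN, VLAN 20 missing from the bridge VLAN table, and the empty discover member); CLEAN_EXPORT produces none.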
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Tue Sep 06, 2022 6:43 am

moderator note: do not quote preceding post, use "post Reply".

Anav, first of all I just want to thank you for taking the time to answer in such detail. Know that there's a special place in heaven for people like you.
This is more than I expected; I'll have to review it carefully. And I'm so sorry about making you read about the second, useless bridge99, but all the other ports in bridgeLAN are currently in production, so my test times are very limited, and I'm just trying to learn with bridge99 without messing with the production servers.

To explain a little bit better, I want to divide my current untagged network into 3 different tagged VLANs (10, 20 and 30).
VLAN 10 should replace the current network, with the exception of a couple of clients that should be connected through a trunk port that uses both VLANs (a Proxmox server in VLAN 10 and a VM inside it on VLAN 20, for clients). VLAN 30 is just anticipating a future camera system.
VLAN 20 is for our clients' datacenter, and should have a dedicated ISP1, working in failover with a secondary ISP2 (which would in fact be the primary for VLANs 10 and 30), and vice versa: if the ISP2 for VLANs 10 and 30 fails, ISP1 should take control of everything. Hope this helps understand the mangle rules and addresses that are a mess right now (the failover is working fine but messy).

I'll stick my hands into this and I'll be updating you on whatever happens! I'm going to follow your wise advice to keep it as simple as I can.
I'm so excited to get this to work!! :D Thank you very much!!
 
Jotne
Forum Guru
Posts: 3079
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Trying to get the VLANs to work

Tue Sep 06, 2022 9:54 am

@consultar

Use post reply under the post, instead of quoting the complete post above you. Just makes all double to read.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
anav
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to get the VLANs to work

Tue Sep 06, 2022 3:10 pm

No worries, glad it's coming together. Keeping it clean will help you when you need to make changes, and anyone assisting you or filling in when you are not available.
In that regard, don't be afraid to use comments for clarity and understanding!

As for Jotne, never hurts to see golden prose again, but is it really you or is it Bartoz in disguise ;-P
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Sun Oct 02, 2022 4:36 am

Hi! I'm glad to announce that it's finally working in production. And I've got to tell you... it was a wild ride...

After a couple of failed tries (and locking myself out of the MikroTik in one of them, forgetting to use safe mode), and after a little panic attack there, I was able to restore the config after rebooting the MikroTik. Fortunately everything went well.
The switch wasn't properly configured, so I had to fix that as well.
After the lockout I just added another bridge to one of the unused interfaces on the MikroTik, to have a secondary access.

So this is my actual config status right now. Hope it's cleaner now.

I just need to finish with a couple of things:
1) I don't want VLANs 20 and 30 to have access to the MikroTik through the gateway.
2) I want to be able to access VLANs 20 and 30 from VLAN 10 but not the other way around.

Thanks everyone!!
# oct/01/2022 22:30:00 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add comment="Bridge VLAN" name=BridgeVLAN vlan-filtering=yes
add comment="Acceso Secundario" name=Rescate vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-Trunk
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name="vlan10-LAN Consultar" vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=mac-winbox
add name=LAN
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_99 ranges=192.168.99.2-192.168.99.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface="vlan10-LAN Consultar" name=\
    dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_99 disabled=no interface=Rescate name=dhcp3
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
    interface=ether3 pvid=99
add bridge=BridgeVLAN interface=ether4 pvid=10
add bridge=BridgeVLAN interface=ether5 pvid=10
add bridge=Rescate comment="Acceso Secundario a Mikrotik" interface=ether10 \
    trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether7-Trunk,ether5,ether3 vlan-ids=\
    10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether7-Trunk,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether7-Trunk,ether3 vlan-ids=30
/interface list member
add list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface="vlan10-LAN Consultar" list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=Rescate list=mac-winbox
add interface=vlan20-Clientes list=VLAN
add interface=Rescate list=LAN
/ip address
add address=10.0.10.1/24 interface="vlan10-LAN Consultar" network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=192.168.99.1/24 comment="Red Secundaria" interface=Rescate \
    network=192.168.99.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=10.0.10.1-10.0.10.110 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/ip traffic-flow target
add dst-address=192.168.1.253 port=5536 version=5
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxx@gmail.com password=xxx port=587 \
    start-tls=yes user=xxx
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes
Last edited by consultar on Mon Oct 03, 2022 4:44 am, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get the VLANs to work

Sun Oct 02, 2022 5:29 pm

Please remove your router serial number entries from your posts........apparently they should not be displayed. Not sure why MT doesn't block this on a normal export ???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get the VLANs to work

Sun Oct 02, 2022 6:01 pm

Hola, a bit of a confused design and understanding. You have many errors in /interface bridge port and /interface bridge settings.

Can you confirm that the Aruba is expecting the management VLAN untagged? This is not the normal way of doing things, but some devices can be strange.
The reason being that your /interface bridge port setting is unclear, as I thought ether3 was to the Aruba?
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
interface=ether3 pvid=99


You cannot have it both ways. The port cannot have a PVID set and at the same time admit only VLAN-tagged frames ???

Also, the off-bridge access should not be another bridge LOL,
It should not be the management vlan either, which is on the bridge.
It's simply a separate subnet, only for the admin to go to the router physically, plug in and gain router access when the bridge is not cooperating, especially during configuration.

In any case please answer the first question above, for me to continue!

Also you really need to confirm what your ports are connected to: dumb devices (PC, printer) or smart devices (managed switch, AP that can read tags etc.).
Fill in the blanks with which vlan(s) each port should carry:

ether3 --> ?
ether4 --> ?
ether5 --> ?
ether6 --> ?
ether7 --> ?
ether10 --> ?



Which port is the admin PC connected to or is that done through the aruba switch?
Which vlan do you want the admin PC connected to..... should only be the management vlan!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
User avatar
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Tue Oct 04, 2022 5:19 pm

Hola Anav.
I can imagine that it has a lot of errors, but I'm happy that the VLANs are working at least. I appreciate your recommendations.

Let me explain what is connected on each interface:
VLAN 10 should be the admin VLAN.

Ether3 --> Direct connection to a Proxmox server (should receive all VLANs)
Ether4 --> Goes to an unmanaged switch (only VLAN 10)
Ether5 --> Goes to the Aruba (all VLANs should go) - my PC is connected to this switch on VLAN 10.
Ether6 --> Disabled
Ether7 --> Disabled
Ether10 -> Secondary access (I understand that I don't need to create another bridge to do this; I could just simply put the address on the interface?)

In reference to this matter, should I set the pvid value to 1?
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
interface=ether3 pvid=99
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get the VLANs to work

Tue Oct 04, 2022 7:19 pm

No, there should be no PVID setting as it's all VLANs going there..........
Assuming the Proxmox server can read VLANs, you are good to go (you just don't need to put a pvid; that's for untagging of a vlan etc......)

This should work, CHECK EVERY LINE from current to this and understand before implementing.
If not clear ask first!
.................................
# oct/01/2022 22:30:00 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
# serial number = vvvvvv
/interface bridge
add comment="Bridge VLAN" name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-Trunk
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name="vlan10-LAN Consultar" vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=LAN
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface="vlan10-LAN Consultar" name=\
    dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=20,30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface="vlan10-LAN Consultar" list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface="vlan10-LAN Consultar" list=ADMIN
add interface=ether10 list=ADMIN
/ip address
add address=10.0.10.1/24 interface="vlan10-LAN Consultar" network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=192.168.99.1/24 comment="Red Secundaria" interface=ether10 \
    network=192.168.99.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.0.10.1-10.0.10.110 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=ADMIN 
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/ip traffic-flow target
add dst-address=192.168.1.253 port=5536 version=5
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxx@gmail.com password=xxx port=587 \
    start-tls=yes user=xxx
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes
Last edited by anav on Wed Oct 05, 2022 2:20 am, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
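The bridge-port mistakes anav lists above (a pvid on a port that only admits tagged frames, trunk ports that also carry a pvid, ports missing from the VLAN table) are easy to miss by eye in a long export. The following is an added example written for this page, not code from the thread or from MikroTik: a Python script that joins the backslash-continued lines of a RouterOS v6 export, parses the /interface bridge port and /interface bridge vlan sections, and reports those inconsistencies. The two embedded exports are constructed from the configs in this thread (the first as consultar posted it, the second as anav corrected it); the wording of the findings and the choice of checks are this example's own, and the "ingress-filtering defaults to no" check reflects RouterOS v6 behaviour.

```python
"""Cross-check a RouterOS v6 export: do the bridge ports agree with the bridge VLAN table?"""
import shlex

# Constructed sample: the two bridge sections of the first export in this thread,
# where ether3 mixes admit-only-vlan-tagged with an explicit pvid.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
    interface=ether3 pvid=99
add bridge=BridgeVLAN interface=ether4 pvid=10
add bridge=BridgeVLAN interface=ether5 pvid=10
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether7-Trunk,ether5,ether3 vlan-ids=\
    10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether7-Trunk,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether7-Trunk,ether3 vlan-ids=30
"""

# Same sections as anav's corrected version: trunks tagged-only with no pvid,
# ether4 untagged-only, every port explicitly listed in the VLAN table.
FIXED_EXPORT = r"""
/interface bridge port
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=20,30
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for every 'add' line of an export."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    sections, current = {}, None
    for line in lines:
        if line.startswith("/"):         # a section header such as '/interface bridge vlan'
            current = line
            sections.setdefault(current, [])
            continue
        verb, *tokens = shlex.split(line)   # shlex keeps "quoted values with spaces" together
        if verb == "add" and current is not None:
            sections[current].append(dict(t.split("=", 1) for t in tokens))
    return sections


def _members(value):
    return set(filter(None, value.split(",")))


def check_bridge_vlans(sections):
    """Return a list of human-readable findings; an empty list means the tables agree."""
    findings, tagged, untagged = [], {}, {}
    for v in sections.get("/interface bridge vlan", []):
        for vid in v["vlan-ids"].split(","):            # vlan-ids=20,30 is one entry for two VLANs
            key = (v["bridge"], int(vid))
            if key in tagged:
                findings.append(f"vlan {vid}: declared twice on {v['bridge']}")
            tagged[key] = _members(v.get("tagged", ""))
            untagged[key] = _members(v.get("untagged", ""))
    for p in sections.get("/interface bridge port", []):
        name, bridge = p["interface"], p["bridge"]
        pvid = (bridge, int(p.get("pvid", "1")))
        tagged_only = p.get("frame-types") == "admit-only-vlan-tagged"
        if tagged_only and "pvid" in p:
            findings.append(f"{name}: tagged-only port with an explicit pvid={pvid[1]}; "
                            "pvid only matters for untagged or priority-tagged ingress, remove it")
        if not tagged_only:                              # untagged frames are admitted into the pvid VLAN
            if name in tagged.get(pvid, set()):
                findings.append(f"{name}: tagged member of its own pvid vlan {pvid[1]}; "
                                f"untagged frames from the far side silently land in vlan {pvid[1]}")
            elif pvid not in tagged:
                findings.append(f"{name}: pvid vlan {pvid[1]} is not in the VLAN table (only a dynamic entry would exist)")
            elif name not in untagged[pvid]:
                findings.append(f"{name}: not listed as untagged member of pvid vlan {pvid[1]}; "
                                "works via the dynamic entry but declare it")
        if p.get("ingress-filtering", "no") != "yes":    # v6 default is 'no'
            findings.append(f"{name}: ingress-filtering is off, tagged frames for VLANs "
                            "this port is not a member of are still accepted")
        if tagged_only and not any(name in tagged[k] | untagged[k] for k in tagged if k[0] == bridge):
            findings.append(f"{name}: tagged-only port that is a member of no VLAN")
    return findings


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_EXPORT), ("corrected", FIXED_EXPORT)):
        print(f"== {label}")
        for finding in check_bridge_vlans(parse_export(text)):
            print("  -", finding)
```

Run it against a full `/export` saved to a file by reading the file into `parse_export`; the other sections are parsed and ignored. The ingress-filtering check is the security-relevant one: with it off, a host on an access port can send a tagged frame for any VLAN that exists in the table and the bridge will accept it.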
 
User avatar
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Wed Oct 05, 2022 1:21 am

Can you explain the input chain firewall filter rules? Not really sure what I'm doing here...

4 add action=accept chain=input in-interface-list="vlan10-LAN Consultar"
5 add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=VLAN protocol=udp
6 add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=VLAN protocol=tcp
7 add action=drop chain=input comment="drop all else"

There's no need to have a DHCP server for ether10??
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get the VLANs to work

Wed Oct 05, 2022 2:18 am

Can you explain the input chain firewall filter rules? Not really sure what i'm i doing here...

4 add action=accept chain=input in-interface-list="vlan10-LAN Consultar"
GOOD PICKUP, I referenced the vlan by mistake; it should be ADMIN, which allows both you on vlan10 and you on ether10 to access the router for config purposes. It should be:
add action=accept chain=input in-interface-list=ADMIN

5 add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=VLAN protocol=udp
6 add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=VLAN protocol=tcp


There is no reason for any vlan users to have full access to the router, but they typically still need access to some router resources; normally it's ONLY DNS services. If you also need NTP services from the router for the vlans then add it as well.
If you do, simply add the NTP service to the UDP rule.

add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53,123 in-interface-list=LAN protocol=udp

7 add action=drop chain=input comment="drop all else"
This is a very efficient rule that basically drops all other traffic, including anything not allowed in the above rules, so it stops all vlan to vlan traffic, lan to wan and wan to lan traffic.

There's no need to have an dhcp server for ether10??
CORRECT. All you need is the IP address, and ether10 added to the ADMIN list as a list member.
If you start narrowing down access by IP address then you will need to remember which IP address you use for the IPv4 settings; typically I use .5

A BETTER APPROACH TO ROUTER ACCESS:
add action=accept chain=input in-interface-list=ADMIN src-address-list=authorized
where authorized is a firewall address list for admin access.
add address=IP-admin-laptop list=authorized
add address=IP-admin-desktop list=authorized
add address=IP-admin-ipad list=authorized
add address=192.168.99.5 list=authorized

In this way only the admin from vlan10 gets access to the router. Even better security.
...................................

Note: I fixed my error on the config as well.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
User avatar
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Wed Oct 05, 2022 2:44 am

Great, just one more thing: here we stop all vlan to vlan traffic, but I need to be able to access all VLANs from VLAN 10. Is that possible to achieve?

7 add action=drop chain=input comment="drop all else"
This is very efficient rule that basically drops all other traffic including anything not allowed in above rules, so it stops all vlan to vlan traffic, lan to wan and wan to lan traffic.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get the VLANs to work

Wed Oct 05, 2022 3:10 am

You have to understand that the rules follow the order within a chain.
As I stated, the drop rule is the last rule, so it stops any further traffic that didn't match one of the above rules.
Put simply, if you didn't already allow it, then it ain't going to happen.

We DO NOT NEED connection-state=new either; it's redundant.

What we have allowed is in green besides default rules..........

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN

add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat

add action=drop chain=forward comment="drop all else"


So if you want vlan10 to access all other vlans........
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN

add action=accept chain=forward comment="allow admin access to vlans" \
in-interface="vlan10-LAN Consultar" out-interface-list=VLAN

add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
User avatar
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Wed Oct 05, 2022 6:40 pm

These are my filter rules, and everything is working properly except the access from VLAN 10 to VLAN 20. I've tried different combinations, with out-interface-list=VLAN and in-interface-list=ADMIN, but none of them seem to work (cannot ping or access through Remote Desktop).

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=ADMIN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
in-interface=vlan10-LAN out-interface=vlan20-Clientes

add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to get the VLANs to work

Wed Oct 05, 2022 7:03 pm

are you sure you have the name of the vlan correct??

from:
in-interface=vlan10-LAN out-interface=vlan20-Clientes
TO:"vlan10-LAN Consultar"

As per.............
/interface vlan
add interface=BridgeVLAN name="vlan10-LAN Consultar" vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
User avatar
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Thu Oct 06, 2022 6:19 pm

Yes, I changed the name of the VLAN to "vlan10-LAN"
# oct/06/2022 12:10:02 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-Trunk
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=mac-winbox
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
    interface=ether3 pvid=10
add bridge=BridgeVLAN interface=ether4 pvid=10
add bridge=BridgeVLAN interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether4,ether5 vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add list=mac-winbox
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=ADMIN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
    connection-state=new in-interface=vlan10-LAN out-interface=\
    vlan20-Clientes
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=cosag dst-port=5536 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=5536
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=3389 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=3389
add action=dst-nat chain=dstnat comment=des07 dst-port=5347 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=5347
add action=dst-nat chain=dstnat comment=w2019 dst-port=5550 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=5550
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=80
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/ip traffic-flow target
add dst-address=192.168.1.253 port=5536 version=5
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxxx@gmail.com port=587 start-tls=\
    yes user=xxx
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes
That's the complete config... I don't know why it isn't working...
 
anav
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to get the VLANs to work

Thu Oct 06, 2022 8:25 pm

(1) Your /interface bridge port and /interface bridge vlan settings are mierda; they contradict each other! This is the main issue!

You tell me which VLANs are supposed to go over which ports.
Also, what each port is connected to: a dumb device that can only accept untagged traffic (like a PC), or a smart device (like a managed switch or another MT device, which can accept VLANs).


(2) Get rid of the unneeded entries in yellow. They are not required, plus they are duplicates.
/interface list member
add list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add list=mac-winbox
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN


(3) One bizarre entry with a weird format, in red: delete it. And you don't need a DHCP server on ether10!!
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.99.0/24 gateway=192.168.99.1

(4) You need to remove this old default entry: go to WinBox, go to IP, go to DNS, and select Static on the right-hand side menu of the popup.
/ip dns static
add address=192.168.1.1 name=router


(5) Add some IP DNS servers: at the top of the IP DNS page, under SERVERS, add something like 1.1.1.2 and 9.9.9.9.

(6) Change the comment to reflect reality:
add action=accept chain=input comment="Allow VLAN" in-interface-list=ADMIN
TO:
add action=accept chain=input comment="Allow admin to config router" in-interface-list=ADMIN

(7) Drop the bit about new; it is not required. Read ---->
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
connection-state=new in-interface=vlan10-LAN out-interface=\
vlan20-Clientes

TO:
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
in-interface=vlan10-LAN out-interface=\
vlan20-Clientes


(8) Set this to ADMIN:
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
PS. I only scratch the surface!
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Fri Oct 07, 2022 5:02 pm

Well, I hope to get rid of all the mierda left XD

On ether3 --> Proxmox server (expects tagged traffic) - VLANs 10 and 30
ether4 --> unmanaged switch (untagged VLAN 10)
ether5 --> Aruba switch (all VLANs 10, 20, 30)

On the Aruba, until now I've got on port 1 a trunk port with all 3 VLANs,
on port 2 a Proxmox server with VLANs 10 and 20,
and on port 3 an access port where my PC is connected with VLAN 10.
# oct/07/2022 y:45:29 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-Trunk
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
    vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
    in-interface-list=ADMIN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
    connection-state="" in-interface=vlan10-LAN out-interface=vlan20-Clientes
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=cosag dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=xxxx
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=3389 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=3389
add action=dst-nat chain=dstnat comment=des07 dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=xxx
add action=dst-nat chain=dstnat comment=w2019 dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=xxxx
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=80
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxxx@gmail.com port=zzz start-tls=\
    yes user=xxxx
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes
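anav's point (1) above is that the bridge port table and the bridge vlan table of the first export contradict each other, and the corrected export is the reply to that. The following script is an added example, not part of the thread and not RouterOS code: it parses those two sections out of an export (the two embedded excerpts are copied from the exports posted in this thread) and reports the usual contradictions: a port listed both tagged and untagged in one VLAN, a tagged-only port with untagged membership (or the reverse), a VLAN member that is not a bridge port, and a port that is not an untagged member of its own pvid VLAN. On the first export it flags ether4 and ether5 (pvid 10, but only tagged members of VLAN 10). On the corrected export it still flags ether4: an export omits attributes left at their default, ether4 has no explicit pvid, so RouterOS's default pvid of 1 applies while its untagged membership is VLAN 10, which is worth confirming with `/interface bridge port print` before calling the job done. Handling of `vlan-ids` ranges such as `10-20` is left out (assumption: single or comma-separated ids).

```python
"""Cross-check the bridge port and bridge vlan tables of a RouterOS export.
Added example for this thread; not RouterOS code."""
import re
from collections import defaultdict

DEFAULT_PVID = 1  # RouterOS default; an export omits attributes left at their default

# Excerpt of the first export posted in the thread (bridge port / bridge vlan only).
ORIGINAL_EXPORT = """\
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \\
    interface=ether3 pvid=10
add bridge=BridgeVLAN interface=ether4 pvid=10
add bridge=BridgeVLAN interface=ether5 pvid=10
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether4,ether5 vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
"""

# Excerpt of the corrected export posted later in the thread.
FIXED_EXPORT = """\
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \\
    ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether4
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=\\
    yes interface=ether5
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \\
    vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
"""

ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_export(text):
    """Return (ports, vlans): ports maps interface name -> attribute dict,
    vlans is the list of attribute dicts from /interface bridge vlan."""
    # An export wraps long commands with a trailing backslash; re-join them first.
    text = re.sub(r"\\\n\s*", "", text)
    ports, vlans, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue  # 'set' lines are not needed for this check
        attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line[4:])}
        if section == "/interface bridge port":
            ports[attrs["interface"]] = attrs
        elif section == "/interface bridge vlan":
            vlans.append(attrs)
    return ports, vlans


def check_bridge_vlans(export_text):
    """Return a sorted list of findings; an empty list means the tables agree."""
    ports, vlans = parse_export(export_text)
    bridges = {p["bridge"] for p in ports.values()}
    tagged_in, untagged_in = defaultdict(set), defaultdict(set)
    for entry in vlans:
        for vid in entry["vlan-ids"].split(","):  # assumes ids, not "10-20" ranges
            for port in filter(None, entry.get("tagged", "").split(",")):
                tagged_in[port].add(int(vid))
            for port in filter(None, entry.get("untagged", "").split(",")):
                untagged_in[port].add(int(vid))

    findings = []
    for member in set(tagged_in) | set(untagged_in):
        if member not in ports and member not in bridges:
            findings.append(f"{member}: in a bridge vlan entry but not a bridge port")
    for name, attrs in ports.items():
        pvid = int(attrs.get("pvid", DEFAULT_PVID))
        frame_types = attrs.get("frame-types", "admit-all")
        for vid in sorted(tagged_in[name] & untagged_in[name]):
            findings.append(f"{name}: both tagged and untagged member of VLAN {vid}")
        if frame_types == "admit-only-vlan-tagged" and untagged_in[name]:
            findings.append(f"{name}: admits only tagged frames but is untagged "
                            f"in VLAN(s) {sorted(untagged_in[name])}")
        if frame_types == "admit-only-untagged-and-priority-tagged" and tagged_in[name]:
            findings.append(f"{name}: admits only untagged frames but is tagged "
                            f"in VLAN(s) {sorted(tagged_in[name])}")
        # Untagged ingress frames are classified into the pvid VLAN; unless the port
        # is an untagged member of that VLAN, replies cannot leave it untagged.
        if frame_types != "admit-only-vlan-tagged" and pvid not in untagged_in[name]:
            findings.append(f"{name}: pvid {pvid} but not an untagged member of VLAN {pvid}")
    return sorted(findings)


if __name__ == "__main__":
    for label, export in (("original", ORIGINAL_EXPORT), ("corrected", FIXED_EXPORT)):
        print(f"{label}:")
        for finding in check_bridge_vlans(export) or ["no inconsistencies"]:
            print("  " + finding)
```

Feed it the output of `/export` from any RouterOS 6 box with bridge VLAN filtering enabled; the report is only as good as the export, so run it on a fresh export rather than a hand-edited copy.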
 
anav
Forum Guru
Posts: 13696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to get the VLANs to work  [SOLVED]

Fri Oct 07, 2022 11:34 pm

Yup, your bridge ports and bridge vlans setting make 100% sense to me, good job!
 
consultar
just joined
Topic Author
Posts: 22
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Trying to get the VLANs to work

Sun Oct 09, 2022 6:50 am

Thanks a lot anav for all of your recommendations and your time. They were more than helpful... Thank you!!
