I am new to RouterOS and am trying to physically separate two networks with VLANs.
The goal is to later provide separate networks for different apartments (guests), which all use the same internet connection. I have decided to work with VLANs to separate the networks cleanly and securely.
Now I have started to set up a simple test scenario to familiarise myself with the topic of VLANs.
I have read various tutorials and watched YouTube videos, but the configuration options seem to be complex.
I am using an RB2011iL-RM.
APs and clients are to be connected directly to this device.
There are no other switches or similar.
I would like to map the following test scenario:
Port 3, 4 --> no VLAN, but a common IP range via DHCP.
Port 5, 6, 7 --> VLAN ID 10 (Private) and a shared IP range via DHCP.
Port 8, 9, 10 --> VLAN ID 45 (Guest) and a shared IP range via DHCP
In my configuration I have set up bridges for ports 3,4 // 5,6,7 and 8,9,10.
In the Interfaces --> VLANs section I have defined VLANs for Private (ID10) and Guest (ID45) and assigned them to the bridge interfaces.
Under IP --> Addresses I have configured the corresponding addresses and assigned them to the VLAN interfaces, or for port 3,4 to the bridge.
DHCP with address ranges is configured and assigned to the VLAN interfaces.
The DHCP for port 3,4 is assigned to the bridge.
Now I get an IP from the DHCP with my Windows client when I connect to port 3 or port 4. Very good!
If I connect my Windows client to one of the ports that are assigned to a VLAN, I do not get an IP address from the DHCP.
This is where I need help. What is wrong with my configuration?
I have read that ports to which clients are to be directly connected must be "untagged".
Then I also created the VLANs in the Bridges --> VLAN area and added the corresponding ports as "untagged".
Unfortunately without success. I am grateful for any tips at this point.
Greetings
# sep/30/2022 19:44:36 by RouterOS 7.4.1
# software id = 7V5K-7VZN
#
# model = RB2011iL
#
# NOTE(review): summary of what this export shows for the VLAN problem
# described above:
#  - bridge-Private / bridge-Guest carry exactly one VLAN each, all member
#    ports untagged, so a VLAN interface on top of the bridge is not strictly
#    needed; the address + DHCP server could sit on the bridge itself, exactly
#    as bridge-Other already does.
#  - if the VLAN interfaces are kept, two things block the tagged traffic
#    between the CPU and the bridge: the bridge's own frame-types (below) and
#    the missing tagged=<bridge> entry in /interface bridge vlan (further down).
/interface bridge
# NOTE(review): with vlan-filtering=yes the bridge interface is itself a port of
# the bridge, and frame-types / pvid / ingress-filtering set here apply to that
# port. admit-only-untagged-and-priority-tagged therefore rejects the 802.1Q
# frames that vlan-10-Private and vlan-45-Guest hand to the bridge, so the DHCP
# servers bound to those VLAN interfaces never exchange traffic with the ports.
# For the VLAN-interface design this needs frame-types=admit-all on both bridges.
add frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no \
name=bridge-Guest pvid=45 vlan-filtering=yes
# bridge-Other: no VLAN filtering, address and DHCP bound directly to the
# bridge -- this is the variant the post reports as working.
add admin-mac=18:FD:74:19:40:D1 auto-mac=no name=bridge-Other
add frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no \
name=bridge-Private pvid=10 vlan-filtering=yes
/interface vlan
# NOTE(review): these VLAN interfaces emit frames tagged 10 / 45 into their
# bridge; see the frame-types note above and the tagged= note under
# /interface bridge vlan for why they currently cannot reach ether5-ether10.
add interface=bridge-Private name=vlan-10-Private vlan-id=10
add interface=bridge-Guest name=vlan-45-Guest vlan-id=45
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-Pool-Other ranges=192.168.88.50-192.168.88.200
add name=DHCP-Pool-Private ranges=192.168.10.50-192.168.10.200
add name=DHCP-Pool-Guest ranges=192.168.45.50-192.168.45.200
/ip dhcp-server
add address-pool=DHCP-Pool-Other interface=bridge-Other name=DHCP-Other
# The two servers below listen on the VLAN interfaces, not on the bridges;
# they only work once tagged traffic can pass between bridge and CPU.
add address-pool=DHCP-Pool-Private interface=vlan-10-Private name=\
DHCP-Private
add address-pool=DHCP-Pool-Guest interface=vlan-45-Guest name=DHCP-Guest
/interface bridge port
add bridge=bridge-Other comment=defconf interface=ether4
add bridge=bridge-Other interface=ether3
# ether5-ether7 inherit pvid=10 from bridge-Private, ether8-ether10 inherit
# pvid=45 from bridge-Guest (no per-port pvid is set here).
add bridge=bridge-Private interface=ether5
add bridge=bridge-Private interface=ether6
add bridge=bridge-Private interface=ether7
add bridge=bridge-Guest interface=ether8
add bridge=bridge-Guest interface=ether9
add bridge=bridge-Guest interface=ether10
/ip neighbor discovery-settings
# NOTE(review): LAN-Privat (here, in the IPv6 input/forward drop rules and in
# /tool mac-server) and WAN (in the NAT rule) are referenced, but no
# /interface list or /interface list member section appears in this export.
# Confirm both lists exist and that LAN-Privat contains only the trusted
# interfaces -- it is what gates IPv6 management access, MAC-telnet and
# MAC-Winbox. A guest bridge/VLAN should not be a member of it.
set discover-interface-list=LAN-Privat
/interface bridge vlan
# NOTE(review): the CPU-facing bridge port is not a member of these VLANs.
# For the VLAN interfaces above to work, the bridge itself must be listed as a
# tagged member, e.g.:
#   add bridge=bridge-Private tagged=bridge-Private untagged=ether5,ether6,ether7 vlan-ids=10
#   add bridge=bridge-Guest tagged=bridge-Guest untagged=ether8,ether9,ether10 vlan-ids=45
# (together with frame-types=admit-all on the bridges).
add bridge=bridge-Private untagged=ether5,ether6,ether7 vlan-ids=10
add bridge=bridge-Guest untagged=ether8,ether9,ether10 vlan-ids=45
/ip address
add address=192.168.88.1/24 interface=bridge-Other network=192.168.88.0
add address=192.168.10.1/24 interface=vlan-10-Private network=192.168.10.0
add address=192.168.45.1/24 interface=vlan-45-Guest network=192.168.45.0
/ip dhcp-client
# Upstream connection: ether1 obtains its address via DHCP.
add comment=defconf interface=ether1
/ip dhcp-server network
# dns-none=yes: the DHCP servers hand out no DNS server option, so clients
# get an address but no resolver unless one is configured on the client.
add address=192.168.10.0/24 dns-none=yes gateway=192.168.10.1
add address=192.168.45.0/24 dns-none=yes gateway=192.168.45.1
add address=192.168.88.0/24 dns-none=yes gateway=192.168.88.1
/ip dns
# NOTE(review): no /ip firewall filter section appears in this export. If it
# is genuinely absent (rather than cut from the paste), allow-remote-requests=yes
# makes the router an open DNS resolver towards ether1/WAN, and every IPv4
# service on the router is reachable from the WAN side. Equally, nothing in the
# forward chain separates 192.168.45.0/24 (Guest) from 192.168.10.0/24 and
# 192.168.88.0/24; for an apartments/guests deployment, drop rules between the
# guest network and the other LANs (and to the router's management services)
# are the main isolation control -- VLAN membership alone does not provide it
# once the router routes between the subnets.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 filter (defconf): only the input/forward "drop everything else"
# rules depend on the LAN-Privat list mentioned above.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN-Privat
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN-Privat
/tool mac-server
# MAC-telnet and MAC-Winbox are restricted to the LAN-Privat list; keep the
# guest ports/bridge out of that list so guests cannot reach these services.
set allowed-interface-list=LAN-Privat
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Privat