I eventually came up with my final VLAN setup.
Here is the diagram. Everything is set up in a VM Workstation virtual environment:
The router setup:
# oct/22/2022 13:30:41 by RouterOS 7.5
# software id =
#
# Router side: a single VLAN-aware bridge (BR1) carries VLANs 10/20/30/99 over
# the ether1 trunk; the router is the L3 gateway, DHCP server and DNS forwarder
# for each VLAN, and ether5 is the WAN uplink.
# NOTE(review): an export hides sensitive values (passphrases, keys) unless it
# is taken with show-sensitive -- presumably why none appear below; confirm.
/interface bridge
# The bridge itself accepts only tagged frames; vlan-filtering=yes means the
# /interface bridge vlan table below is enforced rather than informational.
add frame-types=admit-only-vlan-tagged name=BR1 protocol-mode=none \
vlan-filtering=yes
/interface ethernet
# ether1 is the tagged trunk towards the switch-AP.
set [ find default-name=ether1 ] comment=TRUNK
/interface vlan
# One L3 interface per VLAN on top of the bridge. BASE_VLAN (99) is the
# management network; see the firewall and mac-server sections below.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Blue_VLAN vlan-id=30
add interface=BR1 name=Green_VLAN vlan-id=10
add interface=BR1 name=Red_VLAN vlan-id=20
/disk
set sata1 disabled=no
/interface list
# Interface lists referenced by the firewall: WAN (uplink), VLAN (all four
# VLAN interfaces, BASE_VLAN included) and BASE (BASE_VLAN only).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# No wireless interface appears in this export. The default profile is
# WPA2-PSK; its passphrase is not shown here (sensitive values are stripped).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
# .1 of each /24 is excluded from the pool: it is the router's own address.
add name=Green_POOL ranges=10.0.10.2-10.0.10.254
add name=Red_POOL ranges=10.0.20.2-10.0.20.254
add name=Blue_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
# One DHCP server per VLAN interface, bound to the matching pool.
add address-pool=Green_POOL interface=Green_VLAN name=Green_DHCP
add address-pool=Red_POOL interface=Red_VLAN name=Red_DHCP
add address-pool=Blue_POOL interface=Blue_VLAN name=Blue_DHCP
/port
set 0 name=serial0
/interface bridge port
# Access ports: each accepts only untagged/priority-tagged frames, so a host
# cannot inject its own 802.1Q tag to hop VLANs; pvid assigns the VLAN.
# ether4 (pvid 99) is an untagged management port -- anything plugged into it
# lands on BASE_VLAN with full router access (see "Allow Base_Vlan Full Access").
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether4 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 pvid=30
# Trunk: tagged frames only; untagged frames arriving on ether1 are dropped.
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
# BR1 is listed as tagged in every VLAN so the router's own VLAN interfaces
# receive traffic. VLAN 20 (Red) has no local access port and exists here
# only on the trunk; its access ports are on the switch.
add bridge=BR1 tagged=BR1,ether1 untagged=ether4 vlan-ids=99
add bridge=BR1 tagged=BR1,ether1 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether1 vlan-ids=20
/interface list member
# BASE_VLAN is a member of both VLAN and BASE, so the generic VLAN firewall
# rules (DNS, internet access) apply to it in addition to the BASE-only ones.
add interface=ether5 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=Blue_VLAN list=VLAN
add interface=Green_VLAN list=VLAN
add interface=Red_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
# Gateway address of each VLAN.
add address=10.0.10.1/24 interface=Green_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=Red_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=Blue_VLAN network=10.0.30.0
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
/ip dhcp-client
# WAN address from the upstream DHCP server; use-peer-dns=no ignores the
# upstream DNS servers in favour of the static 1.1.1.1 configured below.
add interface=ether5 use-peer-dns=no
/ip dhcp-server network
# Clients are pointed at the router's BASE_VLAN address (192.168.99.1) for
# DNS rather than their own gateway. This works because the "Allow DNS
# services" input rules match on in-interface-list=VLAN, not on the
# destination address.
add address=10.0.10.0/24 dns-server=192.168.99.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.99.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.99.1 gateway=10.0.30.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for every interface,
# WAN included; from the WAN side it is shielded only by the final "drop all
# else" input rule, so that rule must stay in place.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): full management-plane access from the WAN side for one source
# address, with no protocol or port restriction. The post says WAN access is
# no longer needed now that WinBox runs on an internal VM, so this rule is a
# candidate to disable or remove; if it is kept, narrow it to the needed ports.
add action=accept chain=input in-interface-list=WAN src-address=192.168.3.100
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
# ICMP to the router is disabled here, so Red_VLAN and Blue_VLAN hosts cannot
# ping their gateway (Green_VLAN and BASE_VLAN are accepted by later rules).
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
# DNS (UDP and TCP/53) from every VLAN interface to the router itself.
add action=accept chain=input comment="Allow DNS services" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow DNS services" dst-port=53 \
in-interface-list=VLAN protocol=tcp
# NOTE(review): Green_VLAN gets unrestricted input access -- the same level as
# the management VLAN (WinBox, SSH, API, ...). If Green is a user VLAN, limit
# this to the services its hosts actually need.
add action=accept chain=input comment="Allow Green_VLAN" in-interface=\
Green_VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
# Only new connections towards the WAN are allowed from the VLANs. There is no
# rule between Green/Red/Blue, so inter-VLAN traffic falls through to the
# logged forward drop below.
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
# The management VLAN may initiate connections into any VLAN; not the reverse.
add action=accept chain=forward in-interface=BASE_VLAN out-interface-list=\
VLAN
# Default deny for both chains, logged with a prefix for easy filtering.
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
drop_in
add action=drop chain=forward comment=Drop log=yes log-prefix=drop_forw
/ip firewall nat
# log=yes here logs every new outbound connection -- useful while testing,
# noisy in normal operation; consider turning it off once verified.
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/ip firewall service-port
# FTP/TFTP/IRC NAT helpers (ALGs) disabled: fewer protocol parsers exposed.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
/ip service
# Plaintext telnet, ftp and http are off. ssh, winbox, api, api-ssl and
# www-ssl are not in this export and so presumably remain at their defaults;
# consider limiting them to the management subnet with address=192.168.99.0/24.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system identity
set name=RouterSwitchAP
/tool mac-server
# MAC-telnet disabled on all interfaces; MAC-WinBox only from the BASE list,
# so L2 management is reachable solely from VLAN 99.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
# RoMON is enabled with no further settings shown in this export. It gives L2
# management discovery/access between RoMON-enabled devices, so check that it
# is restricted (secret, allowed ports) to what you actually need.
set enabled=yes
# oct/25/2022 16:21:13 by RouterOS 7.5
# software id =
#
# Switch-AP side: pure L2 for VLANs 10/20/30; only VLAN 99 (BASE_VLAN) carries
# an IP address, used to manage the switch from the router's management VLAN.
/interface bridge
# Tagged-only bridge with VLAN filtering enforced, mirroring the router.
add frame-types=admit-only-vlan-tagged name=BR1 protocol-mode=none \
vlan-filtering=yes
/interface ethernet
# ether1 is the tagged trunk towards the router.
set [ find default-name=ether1 ] comment=TRUNK
/interface vlan
# Management-only L3 interface. The switch has no address in VLANs 10/20/30,
# so it is not directly addressable from those VLANs.
add interface=BR1 name=BASE_VLAN vlan-id=99
/disk
set sata1 disabled=no
/interface wireless security-profiles
# NOTE(review): only the supplicant identity is set; no authentication type
# appears in this profile. No wireless interface is in this export either, but
# if one is attached later this default profile would not protect it as
# configured -- confirm before enabling wireless.
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
# ether1 is the tagged-only trunk; ether2-5 are access ports accepting only
# untagged/priority-tagged frames, so hosts cannot inject their own VLAN tag.
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether5 pvid=20
/interface bridge vlan
# VLAN 99 has no untagged access port on the switch: management traffic can
# only arrive tagged over the trunk from the router.
add bridge=BR1 tagged=ether1 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=ether1,BR1 vlan-ids=99
/ip address
# Static management address in the router's 192.168.99.0/24.
add address=192.168.99.2/24 interface=BASE_VLAN network=192.168.99.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
# NOTE(review): ether1 is a BR1 port, so per the export's own warning above
# this client never obtains a lease; the static 192.168.99.2 is what is used.
# It is safe to remove.
add interface=ether1
/ip route
# Default route via the router's BASE_VLAN address.
add distance=1 gateway=192.168.99.1
/system identity
set name=switch-AP
/tool romon
# No /ip firewall, /ip service or mac-server restrictions appear in this
# export, so the switch's management plane presumably runs at defaults and is
# protected only by VLAN 99 being trunk-only plus the router's firewall.
# RoMON is enabled with no further settings shown; check it is restricted.
set enabled=yes
I then created a virtual Windows PC in VM Workstation to check every port on the switch/AP, and installed WinBox on it as well, so that access via the WAN is no longer necessary.
As far as I can tell, everything works properly. However, any suggestions would be very welcome.
Thanks