granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Help me visually understand routing

Sat Jan 28, 2023 11:49 pm

Hi everybody,

I'm trying to understand VLAN routing in MikroTik. Some docs, like Bridge VLAN Table, helped a lot, but I'm still lacking a core understanding of where packets go and how they are routed inside a MikroTik router. Is this explained somewhere?

I tried to draw this:
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=99
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=99
/interface vlan add interface=bridge name=VLAN99 vlan-id=99
/ip address add address=192.168.99.2/24 interface=VLAN99
# Forgot that in v1 of this post
/interface bridge set bridge vlan-filtering=yes

which most likely does not look like that: (Sorry for the wiggly lines, the drawing is actually quite small, but looks terrible on large screens)
vlan.png

So, I'm wondering …
  • How do I know the order in which the different filters apply?
  • How and where are different interfaces (physical interface, bridge interface, VLAN interface, …) connected?
  • Is the Bridge VLAN table applying at multiple locations, e.g. if I add untagged=bridge, will it filter packets both after entering ether1 and after entering bridge?
  • Will the VLAN interface receive tagged packages or untagged ones because the tag has already been removed?

I know these are really basic questions, but I could not find any answers to them. The Internet provides a lot of “that’s how you do it”, but not the why.

Looking forward to answers!
Simon
Last edited by granjow on Wed Feb 01, 2023 10:39 pm, edited 1 time in total.
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Sun Jan 29, 2023 12:38 am

IMO your diagram is good but I'm concerned about L2 line placement which varies by MT device model. Can you share the make and model numbers in play?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Sun Jan 29, 2023 1:37 am

VLANs don't filter, firewall rules filter.
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Sun Jan 29, 2023 2:58 am

IMO the best MikroTik page on topic is Packet Flow in RouterOS - in particular the "Flow of Routed Packet" section.
It's opaque reading at first but helps understanding other pages which help understanding flow - a virtuous or vicious circle - take your pick.
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Mon Jan 30, 2023 9:26 pm

That looks … very … exhaustive. :D Thanks a lot. See you in a few weeks when I'm done reading it.

@anav Sorry, bad word choice. What is the term for something that adds/removes something on a packet?

@ConradPino I'm using the hEX, https://mikrotik.com/product/RB750Gr3, and the hAP lite TC, https://mikrotik.com/product/RB941-2nD-TC
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Mon Jan 30, 2023 9:41 pm

In basic terms, VLANs are a convenient way of packaging subnets, since they conveniently isolate subnets from each other at layer 2 (MAC address).
So in a way it does accomplish removing packets/traffic between subnets.
However a router looks at connecting users/devices at layer 3 (IP address) and thus we need to ensure through filter rules (firewall rules) to prevent that from occurring.
There are different ways to accomplish the same thing. The MT default setup basically states: stop a few known bad things and let the rest of the traffic happen.
Great for a newbie connecting initially. However better, once comfortable with config, is to change the concept or approach to allow known desired traffic and drop everything else.
In this way one doesn't have to know any of the bad traffic as it's dropped if not desired.
However, traffic cannot actually get anywhere without routing.
Filter rules - is it allowed
Routing - is there a path
- the router automatically creates default routes for any interface with an IP address, seen in Route Prints with <DAC>.
- the router creates routes for WAN connections if the admin has selected the checkbox for Routes
- the admin can create manual routes for anything else required.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Help me visually understand routing

Mon Jan 30, 2023 10:07 pm

That looks … very … exhaustive. :D Thanks a lot. See you in a few weeks when I'm done reading it.

Unfortunately the MikroTik packet flow docs are not just exhaustive, they are also overly complicated, so don't worry if you don't get the principle on the first try. It's actually much easier than you think once you've found the red thread.

Since RoS is based on Linux you might get more comprehensible explanations if you google "iptables". The only difference is that RoS executes iptables instructions in the background using tools like Winbox. Another thing you should be aware of, which might be very confusing at first, is that Winbox mixes "input" and "forward" in the same window, but they are in real life completely separate chains.

Check for example: "IPTables Tutorial: Beginners to Advanced Guide To Linux Firewall"
Last edited by Larsa on Mon Jan 30, 2023 10:22 pm, edited 2 times in total.
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Mon Jan 30, 2023 10:17 pm

Next is to find your devices' respective switch chip model (if any) here: Switch Chip Features
The lower table maps RouterBoard model to the respective switch chip. The upper table enumerates switch chip features.
I suggest bringing reading questions here; I'll do what I can. Be safe and best wishes.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Mon Jan 30, 2023 10:34 pm

In addition to Larsa's input:
the input chain can be thought of as traffic to the router: LAN to router, WAN to router.
the forward chain can be thought of as traffic through the router: LAN to WAN, LAN to LAN, WAN to LAN.
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Mon Jan 30, 2023 11:00 pm

A packet flow variation is L3 Hardware Offloading which doesn't apply to your devices but is relevant to learning MikroTik.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Mon Jan 30, 2023 11:30 pm

In your diagram the "VLAN interface" box should be outside of the bridge, and the bridge interface is where the L3 VLAN interfaces meet the bridge – not inside it. But it's more like a Venn diagram: check out the "RouterOS bridge mysteries explained": viewtopic.php?t=173692

Basically the VLAN table in the bridge is essentially the allow/deny at the L2 layer, which is entirely separate from VLAN interfaces that are L3 constructs.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Tue Jan 31, 2023 3:43 pm

Ammo, that was the best comment on VLANs for me! You must be getting water in CA these days, the brain is no longer just pickled from Mexican beer.
Seriously, that was a nice way of splitting things up.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Tue Jan 31, 2023 6:36 pm

I liked the diagram OP had – it's actually a useful way to look at it – just the boxes were wrong.

BUT now that I look at the config OP has... that's also wrong. It doesn't show vlan-filtering=yes – I kinda assumed that part since he references @pcunite's VLAN manifesto...

So without vlan-filtering=yes, the bridge is an "unmanaged switch", thus all ports become "trunk ports". VLAN 99 will still be there, on all bridge port members, based on /interface/vlan listening on the bridge interface. BUT the pvid= and /interface/bridge/vlan stuff is ignored without vlan-filtering being enabled. Now if vlan-filtering=yes is added to the snippet, then ether2 would be an "access port" to the VLAN interface with subnet 192.168.99.0/24 on it – based on the pvid=99 being set. But since the default is for ingress-filtering to be off, the /interface/bridge/vlan stuff in the snippet does nothing.

So if the expectation is that VLAN 99 is untagged on ether2, that's not what this config does:
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=99
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=99
/interface vlan add interface=bridge name=VLAN99 vlan-id=99
/ip address add address=192.168.99.2/24 interface=VLAN99
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Tue Jan 31, 2023 6:54 pm

No need for VLAN filtering if VLANs are associated directly to ether ports and not the bridge.
Another reason why, once you start using VLANs, I prefer VLANs for all subnets and have the bridge do no DHCP.
Clear, consistent approach.
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Wed Feb 01, 2023 10:26 pm

Thanks for all your answers! I see some things more clearly now, especially the routing part, and others have become more mysterious :D

First, I forgot to enable vlan-filtering in my initial post. It should be vlan-filtering=yes.

After going through the packet filtering docs, I imagine the packet would be routed as in the following picture. With VLAN filtering enabled, it would end up quite quickly on LOCAL_IN because it is already decapsulated in the first bridging decision visit and not after visiting the L3 routing decision. Without the VLAN filter table, it would do an additional round trip through the whole chain. (Please correct me where I'm wrong.)

What does not fit into this picture yet is the VLAN interface. The drawing on the bottom right is my current understanding of what this configuration would look like according to the “RouterOS bridge mysteries explained” forum post. The /interface/vlan would create an additional (L3) interface connected to one of the ports of the virtual switch (i.e. the /interface/bridge I created). But how does the VLAN come into play here? Isn't the VLAN interface already the LOCAL_IN where the packet has long ago been decapsulated from the VLAN tag?
vlan-routing.png
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help me visually understand routing

Wed Feb 01, 2023 11:52 pm

Looking at overall packet flow diagram most of time:

When physical in-interface receives VLAN-tagged frame, it passes the bridging magic (which determines it's destined to router itself ... so passing points A and B), then passes all those diamonds via "NO" branch until reaching diamond "Decapsulate?" (yes, it passes "IPv4?" via "NO" branch, because outer header says that frame is ethertype 0x8100 "VLAN 802.1Q"). It exits this diamond via "YES" branch, hitting parallelogram "DECAPSULATION" which strips off the VLAN header. And that's the function of "/interface vlan" interface. Then the packet returns to the "In-interface bridge port?" diamond which this time exits via "NO" branch (because /interface vlan is not a bridge port) and proceeds to the right until "IPv4 traffic" diamond. This time it hits "YES" branch because the remaining ethernet header will say "0x0800 IPv4 packet". Then this packet will enter routing jungle via point I. The jungle might include also the right-most greyed area (router processes), but it's not important in this discussion.

On the way back out of IP routing jungle, packet will pass point L, then proceed using "NO" branch to the left until diamond "encapsulate?". If it needs to be tagged on the physical out-interface, it takes branch "YES", taking it right to the "encapsulation" parallelogram (this is the point where "/interface vlan" does the tagging). Resulting frame hits the "LOCAL OUT" hexagon, then proceeds via "NO" branches until it hits "ENCAPSULATE" diamond (again). This time, it follows the "NO" branch towards physical out interface.
Last edited by mkx on Wed Feb 01, 2023 11:56 pm, edited 1 time in total.
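
As an added example (not from mkx's post and not MikroTik's code), here is a small Python model of the decapsulation step walked through above: a frame whose EtherType is 0x8100 takes the "NO" branch at "IPv4?", has its 802.1Q header stripped, and only then is recognised as 0x0800 IPv4. The MAC addresses and payload bytes are constructed for illustration.

```python
# Added example (not from the thread or MikroTik's documentation): a minimal
# model of the "IPv4? -> NO -> Decapsulate? -> YES" step in the packet flow.
# MAC addresses and payload bytes below are constructed for illustration.
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag: what "IPv4?" sees first on a tagged frame
ETHERTYPE_IPV4 = 0x0800


def ethertype(frame: bytes) -> int:
    """EtherType at offset 12, right after the destination and source MAC."""
    return struct.unpack("!H", frame[12:14])[0]


def decapsulate(frame: bytes):
    """Strip one 802.1Q header; returns (vlan_id, priority, untagged_frame)."""
    if ethertype(frame) != ETHERTYPE_VLAN:
        raise ValueError("frame carries no 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3) DEI(1) VID(12)
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def encapsulate(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q header between the source MAC and the payload EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def walk_flow(frame: bytes):
    """Follow the flowchart branches for one frame; returns (vlan_id, branch log)."""
    log, vlan_id = [], None
    if ethertype(frame) == ETHERTYPE_VLAN:
        log.append("IPv4? NO (EtherType 0x8100)")
        vlan_id, _, frame = decapsulate(frame)      # the /interface vlan step
        log.append(f"DECAPSULATION: VLAN {vlan_id} removed")
    if ethertype(frame) == ETHERTYPE_IPV4:
        log.append("IPv4? YES (EtherType 0x0800)")
    else:
        log.append("IPv4? NO (not IP)")
    return vlan_id, log


# Constructed frame: locally administered MACs, IPv4 EtherType, 20 dummy payload bytes.
UNTAGGED_FRAME = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
                  + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)
TAGGED_FRAME = encapsulate(UNTAGGED_FRAME, vlan_id=99)   # as it would arrive on a trunk

if __name__ == "__main__":
    for step in walk_flow(TAGGED_FRAME)[1]:
        print(step)
```

The same two helpers run in the opposite order on the way out: `encapsulate` is the "ENCAPSULATION" parallelogram for a tagged out-interface, and an untagged egress port simply sends the frame `decapsulate` produced.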
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Wed Feb 01, 2023 11:53 pm

The firewall INPUT and OUTPUT chains DO NOT APPLY to packets passing through the device (forwarding i.e. routing).
The firewall INPUT and OUTPUT chains apply to packets destined to or originating from router CPU processes.

Packets passing through device in SAME VLAN are bridged by switch and bypass CPU (firewall).

Packets passing through device in DIFFERENT VLAN are bridged according to VLAN Table by switch and bypass CPU (firewall) when "use-ip-firewall=no".
Packets passing through device in DIFFERENT VLAN are bridged according to VLAN Table by switch and seen by CPU (firewall) when "use-ip-firewall=yes".

Packets passing through device and seen by CPU are subject to firewall PREROUTING, FORWARD, POSTROUTING chains.

Untagged packets entering physical interfaces (bridge ports) are encapsulated with the port's "pvid=..." value.
VLAN encapsulation happens leaving CPU via virtual VLAN interfaces and leaving tagged physical interfaces.
VLAN decapsulation happens entering CPU via virtual VLAN interfaces and leaving untagged physical interfaces.
The CPU routes between virtual VLAN interfaces when "use-ip-firewall=yes".

Physical interfaces excluded from bridge and assigned IP address can forward, input, output, and all are subject to routing tables and firewall.
Mixing physical interface routing and VLAN routing is overly complicated; using either method alone is the general recommendation.
Last edited by ConradPino on Thu Feb 02, 2023 12:03 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help me visually understand routing

Wed Feb 01, 2023 11:59 pm

Packets passing through device in DIFFERENT VLAN are bridged according to VLAN Table by switch and bypass CPU (firewall) when "use-ip-firewall=no".

Conceptually this is not true. Packets passing through device in different VLAN are routed and thus have to pass all the routing machinery. Unless L3HW is available and enabled this means CPU.
And even if L3HW is enabled, conceptually packets still pass the routing magic (even though it's done in much different manner by switch ASIC).
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Thu Feb 02, 2023 12:17 am

I can't say I've tested exhaustively but work with CRS326 suggests L3 Hardware Routing can bypass firewall per "use-ip-firewall" setting. At this level I'm expecting switch chip model variations.

Packet Flow in RouterOS Bridge Forward case is where "use-ip-firewall" shows up:
https://help.mikrotik.com/docs/display/ ... dgeForward

Packet Flow in RouterOS Switch Forward case is where CPU can be bypassed:
https://help.mikrotik.com/docs/display/ ... tchForward

All I'm saying is the above flowcharts have pathways bypassing the firewall chains.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Thu Feb 02, 2023 1:27 am

I'm not sure L3HW helps understanding the conceptual mapping. In theory, L3HW should follow the same configured IP routing, but yes the switch chip specifics would "supersede" the packet flow diagram WRT the firewall.

I think the part that's potentially confusing is that from the bridge decision, inter-VLAN routing is an input, not forward, within the bridging decision box. This is how you get to @mkx's summary, in particular this one:
yes, it passes "IPv4?" via "NO" branch, because outer header says that frame is ethertype 0x8100 "VLAN 802.1Q"
which is how it comes "back around" to get to the routing decision (where it would likely be forward for traffic, except for local services like DHCP/DNS/etc. which are input in the firewall).

But the docs do say the following, which implies a "hidden untag" within the packet flow diagram:
Tagged packets might get decapsulated on the "BRIDGING DECISION" block, which means these packets will no longer match the mac-protocol=vlan and vlan-encap settings. Decapsulation can happen if the packet's VLAN ID matches the outgoing port's untagged VLAN membership.

The critical thing to understand is VLANs are not bridge ports in the vlan-filtering=yes model - instead they are "slaves" of the bridge interface. So all the routing will still happen via the /interface/vlan - but how the ports and VLANs are wired in the bridge is just plain confusing. And mainly because you have to be explicit about the bridge being a tagged member in the bridge VLAN filtering if you want Layer 3 services on a VLAN.
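
To make the L2/L3 split concrete, here is an added Python model (not RouterOS code and not from any post in this thread) of the bridge VLAN table as discussed in Amm0's two posts above: with vlan-filtering=no the bridge behaves as an unmanaged switch and leaves tags alone; with vlan-filtering=yes an untagged frame is classified by the ingress port's pvid, egress members either keep or strip the tag, and the bridge interface itself has to be a tagged member before an /interface vlan slaved to it can see the frame. It replays the thread's first snippet (tagged=ether1 untagged=ether2 vlan-ids=99). Simplifications, labelled in the code and not claims about RouterOS: flooding only (no MAC learning), the bridge interface is treated as a port named "bridge", a port's pvid counts as an untagged membership, and ingress-filtering is an explicit parameter rather than a default.

```python
# Added example (not RouterOS code, not from any post): a simplified model of
# the bridge VLAN table. Model simplifications, not RouterOS facts: frames are
# flooded (no MAC learning), the bridge interface is a port named "bridge", a
# port's pvid counts as an untagged membership, and ingress-filtering is an
# explicit parameter instead of relying on a default.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int = 1
    frame_types: str = "admit-all"   # or admit-only-vlan-tagged /
                                     # admit-only-untagged-and-priority-tagged


@dataclass
class Bridge:
    ports: Dict[str, Port]
    vlan_filtering: bool = False
    ingress_filtering: bool = False
    tagged: Dict[int, Set[str]] = field(default_factory=dict)     # vlan-ids -> tagged=
    untagged: Dict[int, Set[str]] = field(default_factory=dict)   # vlan-ids -> untagged=

    def members(self, vid: int) -> Tuple[Set[str], Set[str]]:
        """Tagged and untagged members of vid, pvid ports counted as untagged."""
        tagged = set(self.tagged.get(vid, set()))
        untagged = set(self.untagged.get(vid, set()))
        untagged |= {name for name, port in self.ports.items() if port.pvid == vid}
        return tagged, untagged

    def forward(self, in_port: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        """Flood one frame arriving on in_port (vid=None means untagged).
        Returns {egress port: VLAN ID on the wire, or None if sent untagged};
        an empty dict means the frame was dropped."""
        port = self.ports[in_port]
        if not self.vlan_filtering:
            # vlan-filtering=no: an unmanaged switch, tags pass through untouched
            return {name: vid for name in self.ports if name != in_port}
        if vid is None and port.frame_types == "admit-only-vlan-tagged":
            return {}
        if vid is not None and port.frame_types == "admit-only-untagged-and-priority-tagged":
            return {}
        if vid is None:
            vid = port.pvid                       # access port: classify by pvid
        tagged, untagged = self.members(vid)
        if self.ingress_filtering and in_port not in tagged | untagged:
            return {}
        out: Dict[str, Optional[int]] = {}
        for name in self.ports:
            if name == in_port:
                continue
            if name in untagged:
                out[name] = None                  # untagged member: tag stripped
            elif name in tagged:
                out[name] = vid                   # tagged member: tag kept
        return out


def reaches_vlan_interface(bridge: Bridge, in_port: str, vid: Optional[int], l3_vid: int) -> bool:
    """Would /interface vlan vlan-id=l3_vid, slaved to the bridge interface, see this frame?
    Only if it arrives at the bridge interface still carrying that tag."""
    return bridge.forward(in_port, vid).get("bridge") == l3_vid


def original_config(bridge_is_tagged_member: bool) -> Bridge:
    """The thread's first snippet with vlan-filtering=yes: ether1 tagged,
    ether2 untagged with pvid=99, the bridge itself optionally a tagged member."""
    b = Bridge(ports={"bridge": Port(), "ether1": Port(), "ether2": Port(pvid=99)},
               vlan_filtering=True)
    b.tagged[99] = {"ether1"} | ({"bridge"} if bridge_is_tagged_member else set())
    b.untagged[99] = {"ether2"}
    return b


def unmanaged_config() -> Bridge:
    """Same ports, vlan-filtering left at no."""
    return Bridge(ports={"bridge": Port(), "ether1": Port(), "ether2": Port(pvid=99)})


if __name__ == "__main__":
    for label, b in [("no bridge member", original_config(False)),
                     ("bridge tagged", original_config(True)),
                     ("unmanaged", unmanaged_config())]:
        print(label, "| tagged 99 in on ether1 ->", b.forward("ether1", 99),
              "| VLAN99 sees it:", reaches_vlan_interface(b, "ether1", 99, 99))
```

Run as-is, the first line shows a VLAN 99 frame from the trunk reaching ether2 untagged but never the bridge interface, the second shows it reaching the bridge tagged once "bridge" is listed as a tagged member, and the third shows the unmanaged case where tags pass through to every port and the pvid on ether2 has no effect.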
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Thu Feb 02, 2023 2:32 am

L3HW doesn't apply to OP devices so I'm avoiding that hornet's nest. Agreed L3HW routing should be the same but I've found multiple CRS326 settings that differ, like L3HW doesn't MAC learn.

IMO Packet Flow in RouterOS covers switch chip paths but doesn't always explicitly differentiate them; sometimes you have to learn more elsewhere before the diagrams become fully recognized. The Packet Flow in RouterOS page uses "Bridge Forward" and "Switch Forward" terms so I follow suit even though inter-VLAN input and output have substantial merit as well.

By the time routing occurs, CPU works with untagged packets and agreed, nothing under "/interface bridge" affects routing.
Beneath "/interface bridge port" is where PVID values are set.
Beneath "/interface bridge vlan" is where VLAN Table is built.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help me visually understand routing

Thu Feb 02, 2023 8:45 am

But the docs do say the following, which implies a "hidden untag" within the packet flow diagram:
Tagged packets might get decapsulated on the "BRIDGING DECISION" block, which means these packets will no longer match the mac-protocol=vlan and vlan-encap settings. Decapsulation can happen if the packet's VLAN ID matches the outgoing port's untagged VLAN membership.

Not really. This case only describes some specifics of bridging (or switching) between bridge ports inside same VLAN ... what the note says is that if egress port belongs to same VLAN as ingress port and ingress frame is not tagged, then VLAN header won't be attached (or it will even be stripped on ingress port if ingress frame is tagged). And that's only true when egress port is untagged.
Which might explain how bridge/switch might save a few CPU cycles on those particular frames, but doesn't change the fact that inter-VLAN routing is done the way I explained. Additionally, this "saving a few cycles" adds confusion because, as the note says, some frames might have a different mac-protocol for no really apparent reason, thus making it quite a bit more challenging to get bridge filter rules correct.
Sometimes I wish developers didn't get that smart with optimization and shortcuts because these can convert debugging into a nightmare.

@ConradPino: I think that MT is aiming to keep the basic logic even when employing HW offload (either L2 or L3). So it should not really matter where some function is executed, either in SW on CPU or in switch chip ASIC. So when studying packet flow, it should not be necessary to consider different underlying hardware. If there are differences in how the whole setup is applied to a particular packet, affecting the outcome (i.e. packet is not dropped if L3HW is enabled vs. packet is dropped if dealt with in software), they should clearly be documented. If things behave radically differently when toggling the l3hw property and documentation doesn't explain it, then this is clearly a bug and should be reported to MT.
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Help me visually understand routing

Thu Feb 02, 2023 7:46 pm

@ConradPino: I think that MT is aiming to keep the basic logic even when employing HW offload (either L2 or L3). So it should not really matter where some function is executed, either in SW on CPU or in switch chip ASIC. So when studying packet flow, it should not be necessary to consider different underlying hardware. If there are differences in how the whole setup is applied to a particular packet, affecting the outcome (i.e. packet is not dropped if L3HW is enabled vs. packet is dropped if dealt with in software), they should clearly be documented. If things behave radically differently when toggling the l3hw property and documentation doesn't explain it, then this is clearly a bug and should be reported to MT.

MAC Learning implied disable occurs in Bridging and Switching # Fast Forward and MAC Learning implications are covered elsewhere; the documentation is where I made the discovery; IMO MikroTik knows. A different issue is how much repetition across related pages like the packet flow page actually helps or distracts which is target audience skill level specific.
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Sun Feb 05, 2023 12:50 am

Your comments were again really helpful, also the hint about IPv4 being skipped due to the 0x8100 Ethertype.

In the meantime I have spent some time on reading about iptables internals, which definitely helped a lot for my understanding of firewalls and routing.

Naturally, this does not prevent me from getting stuck again. I now have a router which delivers two VLANs over a trunk port (10 and 99), and I connect one trunk port to ether1 of the ax³ access point. Then I configure the
# Starting point is CAP mode, defcon (all interfaces bridged)

# Want ether4/5 to be access ports
/interface/bridge/port remove numbers=3,4
/interface/bridge/port add bridge=bridgeLocal interface=ether4 pvid=10
/interface/bridge/port add bridge=bridgeLocal interface=ether5 pvid=10

# Configure Bridge VLAN table: ether1-3 = TRUNK, ether4-5 = access to VLAN10
/interface/bridge/vlan/add bridge=bridgeLocal tagged=ether1,ether2,ether3 untagged=ether4,ether5,wlan1 vlan-ids=10
/interface/bridge/vlan/add bridge=bridgeLocal tagged=ether1,ether2,ether3 vlan-ids=99

# Create the L3 VLAN interfaces
/interface/vlan/add interface=bridgeLocal name=VLAN10 vlan-id=10
/interface/vlan/add interface=bridgeLocal name=VLAN99 vlan-id=99

# Need some static IPs (until now I can only use Winbox, and I don't like to dualboot to Windows)
/ip/address/add interface=bridgeLocal address=192.168.88.4/24
/ip/address/add interface=VLAN99 address=10.10.99.4/24

# Check if we can get a DHCP address (answer is: no)
/ip/dhcp-client/add interface=VLAN10 disabled=no
/ip/dhcp-client/add interface=VLAN99 disabled=no

# Enable VLAN Filtering
/interface/bridge/set bridgeLocal vlan-filtering=yes
vlan-no-ac-access.drawio.png
Now almost everything works as it should. I can connect my laptop to a trunk port and (when I configure my laptop's interface to use VLAN tags) I get a DHCP address from VLANs 10 and 99 from the router. I can connect it to one of the access ports and I get (without VLAN config on the laptop interface) a DHCP address in VLAN 10. I can also access the router over the 192.168.88.4/24 address from any port.

But I cannot ping/access the router on 10.10.99.4/24 from the trunk port (with VLAN configured on the laptop). Also, the DHCP clients of the ax³ do not get an address.

I have no clue about the first point. This should work according to what I know so far. That should be exactly the INPUT case from the past few posts.

Regarding DHCP I assume the ax³ does not know where to get its DHCP address from because I have not configured a gateway. I actually also don't know where I'd configure this correctly. A simple /ip/route/add dst-address=10.10.99.1/24 does not cut it.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Sun Feb 05, 2023 3:05 am

But I can not ping/access the router on 10.10.99.4/24 from the trunk port (with VLAN configured on the laptop).
There are "interface lists" in the default configurations. So if you add the [Layer 3] VLAN interfaces to the "LAN" interface list in /interface/list/members, inter-VLAN routing should work. There is a "drop !LAN" someplace in most firewall defaults/examples. Once it leaves the bridge, without 0x8100 ether-type ;), the IPv4 hits the firewall filter rules. So this sounds like the firewall is blocking it...

Also, the DHCP clients of the ax³ do not get an address.
Do you have an /ip/dhcp-server configured, or is there already one someplace else? If not, the "DHCP Setup" button in Winbox under IP>DHCP Server can create one on the [Layer3] VLAN interface and will generally do the right thing to create DHCP on a VLAN. It's build-a-bear with the Mikrotik, so just creating a VLAN interface doesn't enable DHCP on it.

By creating an IP address on the VLAN, that becomes the default gateway for the VLAN. And a "connected route" for the subnet is automatically added by virtue of the MikroTik having an IP address on the interface – so you shouldn't need to mess with /ip/route for VLANs.
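
The firewall side of Amm0's answer, as an added Python example that is neither from the thread nor RouterOS code: a first-match evaluator over a constructed copy of the defconf input chain (the same rule shapes granjow exports later in the thread, including the "Allow management access" rule), with interface lists shaped like the ones in that export. It shows why a new TCP connection arriving on a VLAN interface that is in no list hits "drop all not coming from LAN", while adding that interface to LAN lets it fall through to the chain's default accept. Matching is reduced to the properties those rules actually use; the packets and lists are constructed.

```python
# Added example (not from the thread, not RouterOS code): first-match evaluation
# of an input chain modelled on the defconf rules, reduced to the matchers those
# rules actually use. Interface lists and packets are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    connection_state: Optional[Set[str]] = None  # any of these states matches
    protocol: Optional[str] = None
    in_interface_list: Optional[str] = None      # "!LAN" negates, like RouterOS
    dst_address: Optional[str] = None


@dataclass
class Packet:
    in_interface: str
    protocol: str
    connection_state: str
    dst_address: str


# Constructed lists, shaped like defconf WAN/LAN plus the two custom lists in the export.
INTERFACE_LISTS: Dict[str, Set[str]] = {
    "WAN": {"ether1"},
    "LAN": {"bridge"},
    "BASE": {"BASE_VLAN"},
    "VLAN": {"VLAN10"},
}


def in_list(interface: str, selector: str, lists: Dict[str, Set[str]]) -> bool:
    """Evaluate an in-interface-list selector; 'all' is the built-in catch-all."""
    negate = selector.startswith("!")
    name = selector.lstrip("!")
    member = True if name == "all" else interface in lists.get(name, set())
    return member != negate


def matches(rule: Rule, pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
    """Every matcher set on the rule must agree; unset matchers are wildcards."""
    if rule.connection_state is not None and pkt.connection_state not in rule.connection_state:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.in_interface_list is not None and not in_list(pkt.in_interface, rule.in_interface_list, lists):
        return False
    if rule.dst_address is not None and rule.dst_address != pkt.dst_address:
        return False
    return True


def evaluate(chain: str, rules: List[Rule], pkt: Packet, lists: Dict[str, Set[str]]) -> str:
    """First matching rule wins. A built-in chain with no matching rule accepts,
    which is the RouterOS default policy."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt, lists):
            return f"{rule.action} ({rule.comment})"
    return "accept (no rule matched)"


INPUT_RULES: List[Rule] = [
    Rule("input", "accept", "accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    Rule("input", "drop", "drop invalid", connection_state={"invalid"}),
    Rule("input", "accept", "accept ICMP", protocol="icmp"),
    Rule("input", "accept", "accept to local loopback", dst_address="127.0.0.1"),
    Rule("input", "accept", "Allow management access", in_interface_list="BASE"),
    Rule("input", "drop", "drop all not coming from LAN", in_interface_list="!LAN"),
]


def decisions(lists: Optional[Dict[str, Set[str]]] = None) -> Dict[str, str]:
    """Run a few constructed packets through the input chain."""
    lists = INTERFACE_LISTS if lists is None else lists
    samples = {
        "new tcp from VLAN10":    Packet("VLAN10", "tcp", "new", "10.10.10.1"),
        "new tcp from BASE_VLAN": Packet("BASE_VLAN", "tcp", "new", "10.10.99.1"),
        "icmp from VLAN10":       Packet("VLAN10", "icmp", "new", "10.10.10.1"),
        "new tcp from bridge":    Packet("bridge", "tcp", "new", "192.168.88.1"),
        "new tcp from ether1":    Packet("ether1", "tcp", "new", "192.168.88.1"),
    }
    return {name: evaluate("input", INPUT_RULES, pkt, lists) for name, pkt in samples.items()}


def with_vlan10_in_lan() -> Dict[str, str]:
    """Same packets after adding VLAN10 to the LAN list, as suggested above."""
    lists = {name: set(members) for name, members in INTERFACE_LISTS.items()}
    lists["LAN"].add("VLAN10")
    return decisions(lists)


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:26} -> {verdict}")
    print("after adding VLAN10 to LAN:", with_vlan10_in_lan()["new tcp from VLAN10"])
```

Note that ICMP from VLAN10 is accepted even without the list change, because "accept ICMP" sits before the "drop !LAN" rule; a ping test alone therefore does not tell you whether a VLAN interface is in the right list.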
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Sun Feb 05, 2023 8:51 am

I first thought so too, but the CAP mode firewall is just empty except for one line which I added because I suspected the firewall blocking it, but this line should not even be necessary assuming the default policy of the input chain is ACCEPT.
/ip/firewall/export  
# jan/02/1970 00:04:56 by RouterOS 7.2.3
# software id = G5Z2-0M7F
#
# model = RBD53iG-5HacD2HnD
# serial number = …
# I added this line – did not change anything however
/ip firewall filter
add action=accept chain=input in-interface-list=all

Yes, I do have a DHCP server on the router, one for VLAN 10 and one for VLAN 99. I created it there on the VLANs.
/ip pool add name="pool_vlan10" ranges=10.10.10.160-10.10.10.199
/ip dhcp-server add name="dhcp_vlan10" interface=VLAN10 address-pool=pool_vlan10 disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1

/ip pool add name="pool_base" ranges=10.10.99.160-10.10.99.199
/ip dhcp-server add name="dhcp_base" interface=BASE_VLAN address-pool=pool_base disabled=no
/ip dhcp-server network add address=10.10.99.0/24 gateway=10.10.99.1
This works fine when I connect my laptop to the trunk ports directly, I get an IP and internet access.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Sun Feb 05, 2023 4:13 pm

Post your latest router config and CAP config and I will have a look, I never look at snippets.
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Tue Feb 07, 2023 12:33 am

Thanks. So, here is the router configuration I get with /export:
/interface bridge
add name=br-vlan protocol-mode=none vlan-filtering=yes
add admin-mac=64:D1:54:8D:B9:0F auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=br-vlan name=BASE_VLAN vlan-id=99
add interface=br-vlan name=VLAN10 vlan-id=10
/caps-man configuration
add channel.band=2ghz-g/n .frequency=2412 country=switzerland datapath.bridge=br-vlan .local-forwarding=yes .vlan-id=10 .vlan-mode=no-tag installation=any mode=ap name=AP10 security.authentication-types=\
    wpa2-psk ssid=Game
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=BASE
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_vlan10 ranges=10.10.10.160-10.10.10.199
add name=pool_base ranges=10.10.99.160-10.10.99.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool_vlan10 interface=VLAN10 name=dhcp_vlan10
add address-pool=pool_base interface=BASE_VLAN name=dhcp_base
/port
set 0 name=serial0
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=AP10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=br-vlan frame-types=admit-only-vlan-tagged interface=ether3
add bridge=br-vlan frame-types=admit-only-vlan-tagged interface=ether4
add bridge=br-vlan frame-types=admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=br-vlan tagged=br-vlan,ether3,ether4,ether5 vlan-ids=10
add bridge=br-vlan tagged=br-vlan,ether3,ether4,ether5 vlan-ids=99
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=BASE_VLAN list=BASE
add interface=VLAN10 list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.99.1/24 interface=BASE_VLAN network=10.10.99.0
add address=10.10.10.1/24 interface=VLAN10 network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.99.0/24 gateway=10.10.99.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=hEX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And the ax³:
/interface bridge
add admin-mac=18:FD:74:39:29:1C auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridgeLocal name=VLAN10 vlan-id=10
add interface=bridgeLocal name=VLAN99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal interface=ether4 pvid=10
add bridge=bridgeLocal interface=ether5 pvid=10
add bridge=bridgeLocal interface=wlan1 pvid=10
add bridge=bridgeLocal interface=wlan2 pvid=10
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,ether2,ether3 untagged=ether4,ether5,wlan1 vlan-ids=10
add bridge=bridgeLocal tagged=ether1,ether2,ether3 vlan-ids=99
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip address
add address=10.10.99.4/24 interface=VLAN99 network=10.10.99.0
add address=192.168.88.4/24 interface=bridgeLocal network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
add interface=VLAN10
add interface=VLAN99
/ip firewall filter
add action=accept chain=input in-interface-list=all
/ip route
add dst-address=10.10.99.1/24
/system identity
set name=ax3
/system logging
add topics=bridge,debug,firewall,interface,packet,raw,route
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Tue Feb 07, 2023 3:50 am

R1

(1) Two bridges are for kids, ONE Bridge only!!!

/interface bridge
add name=br-vlan protocol-mode=none vlan-filtering=yes


(2) I don't mix apples and oranges, adds a layer of confusion. Just have the bridge bridge, no effing DHCP nonsense.......

/interface vlan
add interface=br-vlan name=BASE_VLAN vlan-id=99
add interface=br-vlan name=VLAN10 vlan-id=10
add interface=br-vlan name=vlanHOME vlan-id=5


/ip dhcp-server
add address-pool=default-dhcp interface=vlanHOME name=defconf
add address-pool=pool_vlan10 interface=VLAN10 name=dhcp_vlan10
add address-pool=pool_base interface=BASE_VLAN name=dhcp_base

/interface bridge port
add bridge=br-vlan frame-types=admit-priority-and-untagged ingress-filtering=yes interface=ether2 pvid=5
add bridge=br-vlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=br-vlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=br-vlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5


/interface bridge vlan
add bridge=br-vlan tagged=br-vlan untagged=ether2 vlan-ids=5
add bridge=br-vlan tagged=br-vlan,ether3,ether4,ether5 vlan-ids=10
add bridge=br-vlan tagged=br-vlan,ether3,ether4,ether5 vlan-ids=99


/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanHOME network=192.168.88.0
add address=10.10.99.1/24 interface=BASE_VLAN network=10.10.99.0
add address=10.10.10.1/24 interface=VLAN10 network=10.10.10.0


(3) Your interface does not require so many interfaces, simplify and apply BASE to correct entities..........
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlanHOME list=LAN
add interface=VLAN10 list=LAN
add interface=BASE_VLAN list=LAN
add interface=BASE_VLAN list=BASE


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=BASE


/ip neighbor discovery-settings
set discover-interface-list=BASE


/tool mac-server
set allowed-interface-list=NONE { not a secure method of access so set to NONE }
/tool mac-server mac-winbox
set allowed-interface-list=BASE


(4) Do you see the silliness of this pairing............
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN


WHY have the BASE as separate if you let every tom dick and harry access the router in the next line???
SHOULD BE.......
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
{ make sure this is the last rule implemented }

(5) Similarly modify this rule in the forward chain for clarity and better control......
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not required }
add action=drop chain=forward comment="drop all else"


Note: If you need access to shared device on a subnet, or if you need access from one vlan to the other, then place an allow traffic rule prior to the drop rule.

(6) Why do you have duplicate rule, just remove the second one........
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
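To make point (4) concrete, here is an added example (my own code, not from the thread or from MikroTik) that models RouterOS first-match evaluation for the handful of matchers the quoted rules use (chain, in-interface-list, protocol, dst-port, connection-state) and runs anav's "silly pairing" and his replacement over constructed sample packets. Interface-list membership is taken from the hEX config posted above; the sample packets, the WinBox port 8291 and the DNS port 53 are my constructed inputs. Only the quoted rules are modelled, so the established/related and ICMP accepts that sit above them in the real chain are left out on purpose.

```python
"""First-match simulation of RouterOS input-chain rules (added example).

Models only the matchers used by the rules quoted in the thread:
chain, in-interface-list (with '!' negation), protocol, dst-port and
connection-state.  RouterOS walks a chain top-down, the first matching
rule decides, and a packet that matches nothing is accepted implicitly.
"""
import shlex

# Interface-list membership as in the hEX config posted earlier in the thread.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"vlanHOME", "VLAN10", "BASE_VLAN"},
    "BASE": {"BASE_VLAN"},
}


def parse_rule(line):
    """'add action=accept chain=input key=value ...' -> dict of matchers."""
    tokens = shlex.split(line)          # keeps comment="..." as a single token
    if tokens[0] != "add":
        raise ValueError("expected an 'add' line: " + line)
    return dict(tok.partition("=")[::2] for tok in tokens[1:])


def in_list(spec, iface):
    """Evaluate in-interface-list=NAME or in-interface-list=!NAME."""
    negated = spec.startswith("!")
    member = iface in INTERFACE_LISTS[spec.lstrip("!")]
    return member != negated


def rule_matches(rule, pkt):
    if rule.get("chain") != pkt["chain"]:
        return False
    if "in-interface-list" in rule and not in_list(rule["in-interface-list"], pkt["in_interface"]):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and str(pkt["dst_port"]) not in rule["dst-port"].split(","):
        return False
    if "connection-state" in rule and pkt["connection_state"] not in rule["connection-state"].split(","):
        return False
    return True


def evaluate(rules, pkt):
    """Walk the chain top-down; RouterOS accepts implicitly when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


def load(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


# The pairing anav calls out in point (4), and his replacement, as quoted in the post.
SILLY_PAIRING = load("""
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
""")

CORRECTED = load("""
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
""")

# Constructed sample packets: new connections aimed at the router itself (chain=input).
SAMPLES = {
    "vlan10 host -> winbox tcp/8291": dict(chain="input", in_interface="VLAN10", protocol="tcp", dst_port=8291, connection_state="new"),
    "vlan10 host -> dns udp/53": dict(chain="input", in_interface="VLAN10", protocol="udp", dst_port=53, connection_state="new"),
    "base host -> winbox tcp/8291": dict(chain="input", in_interface="BASE_VLAN", protocol="tcp", dst_port=8291, connection_state="new"),
    "internet -> winbox tcp/8291": dict(chain="input", in_interface="ether1", protocol="tcp", dst_port=8291, connection_state="new"),
}


def verdicts(rules):
    """Verdict per sample packet for a given rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("silly pairing", SILLY_PAIRING), ("corrected", CORRECTED)):
        print(label)
        for name, action in verdicts(rules).items():
            print(f"  {name:34s} {action}")
```

With the original pairing the VLAN10 host's WinBox attempt matches neither rule (it is not in BASE, and `!LAN` is false for it), so it falls off the end of the chain and is accepted, which is exactly why the separate BASE list bought nothing. With the corrected chain the same packet reaches the unconditional drop, while DNS from LAN and anything from BASE are still accepted.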
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Tue Feb 07, 2023 4:08 am

ax3 - Assuming its acting as an AP / SWITCH and not a router!!!


(1) One only defines the Base VLAN.
add interface=bridgeLocal name=VLAN99 vlan-id=99

(2) Adjusted...........
/interface bridge port
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=10
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=10


(3) Missing WLAN2 on first line!
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,ether2,ether3 untagged=ether4,ether5,wlan1,wlan2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1,ether2,ether3 vlan-ids=99


(4) Remove address of Bridge..... not relevant.
The fixed static IP address of the AXE on the BASE VLAN is necessary.

(5) REMOVE IP DHCP CLIENT ( all the entries are bogus), for two reasons, it has nothing to do with BRIDGE and is not required in this setup, NO ROUTER function, and its IP is fixed

(6) REMOVE the filter rule....... ( no firewall rules required )

(7) ADD the following..............

/interface list
add name=MANAGE

/interface list member
add interface=VLAN99 list=MANAGE

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/ip dns
set allow-remote-requests=yes servers=10.10.99.1 comment="dns through trusted subnet gateway"

/ip route (change the one you have to this)
From:
add dst-address=10.10.99.1/24
TO:
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.99.1 comment="ensures route avail through trusted subnet gateway"

/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
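The mismatches anav lists for the ax³ in points (2) and (3) are the kind a small lint can catch before vlan-filtering is switched on. The following is an added example of mine, not code from the thread or from MikroTik: it parses the `/interface bridge port` and `/interface bridge vlan` sections of an export and flags access ports whose pvid is missing from that VLAN's static untagged list, ports that still accept untagged frames into a pvid that has no static VLAN entry (the ether1..3 trunks left at admit-all), and untagged members whose pvid or frame-types contradict the VLAN table. The two export texts embedded below are the ax³ bridge sections granjow posted earlier and anav's adjusted version; anav's `frame-types=admit-priority-and-untagged` is kept as he wrote it (RouterOS itself spells the value `admit-only-untagged-and-priority-tagged`, as granjow's later export shows), and the lint only distinguishes `admit-only-vlan-tagged` from everything else.

```python
"""Consistency lint for the bridge VLAN sections of a RouterOS export (added example).

Findings are hygiene checks on the static configuration; they mirror the
points raised in the thread rather than predicting exactly what RouterOS
does with dynamic PVID entries at runtime.
"""
import shlex

# Constructed from the ax3 bridge sections granjow posted earlier in the thread.
AX3_AS_POSTED = """
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal interface=ether4 pvid=10
add bridge=bridgeLocal interface=ether5 pvid=10
add bridge=bridgeLocal interface=wlan1 pvid=10
add bridge=bridgeLocal interface=wlan2 pvid=10
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,ether2,ether3 untagged=ether4,ether5,wlan1 vlan-ids=10
add bridge=bridgeLocal tagged=ether1,ether2,ether3 vlan-ids=99
"""

# anav's adjusted version from points (2) and (3), frame-types value as he wrote it.
AX3_ADJUSTED = """
/interface bridge port
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=10
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=10
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,ether2,ether3 untagged=ether4,ether5,wlan1,wlan2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1,ether2,ether3 vlan-ids=99
"""


def parse_export(text):
    """Group 'add ...' lines under their '/path' heading as lists of dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if tokens[0] == "add" and current is not None:
            sections[current].append(dict(t.partition("=")[::2] for t in tokens[1:]))
    return sections


def expand_vlan_ids(spec):
    """'10,20-22' -> ['10', '20', '21', '22'] (vlan-ids accepts ranges)."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.extend(str(v) for v in range(int(lo), int(hi or lo) + 1))
    return out


def members(entry, key):
    return [p for p in entry.get(key, "").split(",") if p]


def lint_bridge_vlans(text):
    """Return a list of 'port: problem' strings for the export text."""
    sections = parse_export(text)
    ports = sections.get("/interface bridge port", [])
    by_name = {p["interface"]: p for p in ports}
    untagged_by_vid = {}
    for entry in sections.get("/interface bridge vlan", []):
        for vid in expand_vlan_ids(entry["vlan-ids"]):
            untagged_by_vid.setdefault(vid, set()).update(members(entry, "untagged"))

    findings = []
    for port in ports:                      # ingress side: does the pvid make sense?
        name, pvid = port["interface"], port.get("pvid", "1")
        if port.get("frame-types", "admit-all") == "admit-only-vlan-tagged":
            continue                        # untagged ingress is rejected, pvid never applies
        if pvid not in untagged_by_vid:
            findings.append(f"{name}: accepts untagged frames into pvid {pvid}, which has no static "
                            "bridge VLAN entry; use frame-types=admit-only-vlan-tagged on trunk ports")
        elif name not in untagged_by_vid[pvid]:
            findings.append(f"{name}: pvid {pvid} but not in the untagged list of VLAN {pvid}")

    for vid, names in sorted(untagged_by_vid.items()):   # egress side: untagged members
        for name in sorted(names):
            port = by_name.get(name)
            if port is None:
                continue                    # e.g. the bridge itself listed as untagged
            if port.get("pvid", "1") != vid:
                findings.append(f"{name}: untagged member of VLAN {vid} but pvid is {port.get('pvid', '1')}")
            if port.get("frame-types", "admit-all") == "admit-only-vlan-tagged":
                findings.append(f"{name}: untagged member of VLAN {vid} but frame-types rejects untagged ingress")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", AX3_AS_POSTED), ("adjusted", AX3_ADJUSTED)):
        print(label, lint_bridge_vlans(text) or ["clean"])
```

On the posted ax³ sections this reports the three trunk ports that still admit untagged frames and wlan2 missing from VLAN 10's untagged list; on anav's adjusted sections it reports nothing.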
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Wed Feb 08, 2023 12:11 am

Thanks anav for all the valuable input, I'm learning a lot of good practices! Going through the configuration changes step by step, it becomes much cleaner and it makes more sense to me.

Yes, the ax³ should act as a switch, not as a router. I will go through that part of the config another day as it is already late here.

On the bridge, does it matter which protocol-mode I choose or can i leave it to the rstp default?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Wed Feb 08, 2023 5:31 am

The only thing I change on the bridge is when I turn on vlan filtering as a last step.

On my router I typically take one port and put it off the bridge for emergency access.............. and thus if I screw up on a bridge setting I am not affected..........
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Wed Feb 08, 2023 10:13 pm

Ah. So the emergency port directly has an IP address, e.g. /ip address add interface=ether2 address…?

I continued with the ac³ (not ax³ … unfortunately :)), and when I got to CAPs mode, stuff stopped working. First, it created hidden SSIDs. I then enabled caps logging and found that:
 19:16:56 caps,debug CAP Select->Sulking
 19:17:01 caps,debug CAP Sulking->Discover
 19:17:01 caps,debug CAP discovery target list:
 19:17:03 caps,debug CAP discovery over, no results
 19:17:03 caps,debug CAP Discover->Select
 19:17:03 caps,debug CAP did not find suitable CAPsMAN
So I set the /interface/wireless/cap discovery-interface to vlanBase, and it found the CAPsMAN, but still had a hidden SSID.

Then I found out that I still had VLAN filtering disabled on the router. I enabled it, and there goes connectivity. When I connect to a ac³ trunk port, I can ping its address, but pinging the router has 90 % packet loss. When I connect to the router trunk port, pinging ac³ has huge packet loss.

If I add two switches (RB260GS) in-between, i.e. Router → Sw1 → Sw2 → ac³, and I get the same results. From Router, I can only work the router reliably. From Sw1, Sw2, or ac³, I can reach all devices except for the router reliably. When I disable vlan filtering, ping works fine again in both directions.

That's confusing because it is not all-or-nothing. And also because I lose packets in the first place.

Here is the router configuration I am using now:
/interface bridge
add admin-mac=64:D1:54:8D:B9:0F auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlanBase vlan-id=99
add interface=bridge name=vlanHome vlan-id=5

/caps-man configuration
add channel.band=2ghz-g/n .frequency=2412 country=switzerland datapath.bridge=bridge .local-forwarding=yes .vlan-id=10 .vlan-mode=no-tag hide-ssid=no installation=indoor mode=ap name=AP10 \
    security.authentication-types=wpa2-psk ssid=Game

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=BASE

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip pool
add name=pool_home ranges=192.168.88.160-192.168.88.254
add name=pool_vlan10 ranges=10.10.10.160-10.10.10.199
add name=pool_base ranges=10.10.99.160-10.10.99.199

/ip dhcp-server
add address-pool=pool_home interface=vlanHome name=dhcp_home
add address-pool=pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=pool_base interface=vlanBase name=dhcp_base

/port
set 0 name=serial0

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=AP10

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=BASE

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=99
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=5

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlanBase list=LAN
add interface=vlanHome list=LAN
add interface=vlanBase list=BASE

/ip address
add address=10.10.99.1/24 interface=vlanBase network=10.10.99.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=192.168.99.1/24 interface=vlanHome network=192.168.99.0

/ip dhcp-client
add comment=defconf interface=ether1

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.99.0/24 gateway=10.10.99.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=accept chain=input comment="Users: Services access" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Users: Services access" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all other traffic"
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/system clock
set time-zone-name=Europe/Zurich

/system identity
set name=hEX

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=BASE
And the ac³ configuration: (With ether2 as emergency port if I got it right)
/interface bridge
add admin-mac=18:FD:74:39:29:1D auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-392921 wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-392922 wireless-protocol=802.11

/interface vlan
add interface=bridge name=vlanBase vlan-id=99

/interface list
add comment=defconf name=LAN
add name=MANAGE

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether3,ether4 untagged=ether5,wlan1,wlan2 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether3,ether4 vlan-ids=99

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlanBase list=MANAGE

/interface wireless cap
#
set bridge=bridge discovery-interfaces=vlanBase enabled=yes interfaces=wlan1,wlan2

/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
add address=10.10.99.4/24 interface=vlanBase network=10.10.99.0

/ip dns
set allow-remote-requests=yes servers=10.10.99.1

/ip route
add comment="ensures route avail through trusted subnet gateway" disabled=no dst-address=0.0.0.0/0 gateway=10.10.99.1

/system clock
set time-zone-name=Europe/Zurich

/system identity
set name=ac3

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
What am I doing wrong? Why is the router dropping most of the packages?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me visually understand routing

Thu Feb 09, 2023 1:59 am

Probably because I don't use capsman in any of my configs and it requires something non-standard???
I detest capsman.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Thu Feb 09, 2023 2:22 am

It looks like there is no configuration for 5Ghz on the capsman side.

One important note is that "local-forwarding=yes" is a pretty critical setting here and, I think, what you'd want – otherwise boy, your diagram gets confusing with local-forwarding=no, since that tunnels the raw frames to be processed centrally (see @anav's commentary above).

But I recommend disabling that capsman for now, and get the wifi working directly on the Wi-Fi interface first – see if you're still getting lost packets. Then if you want to use capsman add the same local configuration to the capsman profile, and troubleshoot that separately.

@Anav -
I detest capsman.
Just waiting for your hAPax3 diatribe on wifiwave2 configuration...
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Thu Feb 09, 2023 9:35 am

Okay. I disabled CAPsMAN on the router, and the problem persists.
I disconnect ac³ and the problem persists.
I connect the router to Sw2 (which is just an unconfigured RB260GS, unlike Sw1 where I have configured trunk ports), 2 packets get through, and then same problem.

The switches have IPs 10.10.99.2 and 10.10.99.3. When I check traffic on my PC, I see that ICMP requests with VLAN tag 99 are sent to 10.10.99.2/24, and just sometimes answered.
icmp.png
I disable all firewall rules, 2 packets get through, and again same problem.
I do /interface/bridge/port set frame-types=admit-all [ find where interface=ether4 ] (this goes to the switches), and all packets get through.

This gives me an idea. Is the switch maybe misconfigured so it sometimes responds to the ICMP with VLAN tag and sometimes without?
I connect my second laptop to ether5 on the router (all ports on admit-only-vlan-tagged again), it receives 10.10.99.198/24 from the router, and I can always ping it from my first laptop connected to ether3.
I give my second laptop a static IP 10.10.99.5/24 and I can also ping it.

However, I had the issue also without the switches.
I connect ac³ directly to the router on ether5 instead, and it is still unreachable.
I set ether5 to admit-all, and I can ping it.

So, I can ping my other laptop, but with the same settings I cannot ping another MikroTik device. The switches cannot be the issue because I see the same behaviour with and without them.
I set admit-all on the ac³ and admit-only-vlan-tagged on the router. ac³ is unreachable.
I set admit-only-vlan-tagged on ac³ and admit-all on the router. ac³ is reachable.
I connect the devices as follows: hEX → ac³ → Sw2 → Sw1. All are reachable when pinging from my laptop connected to the router on ether3. (note, still with admit-all on the router.)

What the??? What is wrong?

I'm on RouterOS 7.7 (firmware too) on both devices. The router is a hEX RB750Gr3.

(And, regarding CAPsMAN: Is there a better alternative when I have multiple APs?)
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Thu Feb 09, 2023 11:24 am

hEX] > /interface/bridge/host/print where !local
Flags: D - DYNAMIC; E - EXTERNAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#    MAC-ADDRESS        VID  ON-INTERFACE  BRIDGE
0 DE 18:FD:74:39:29:1C    1  ether5        bridge ← this is ether1 of ac³
1 DE 18:FD:74:39:29:1D   99  ether5        bridge ← this is ether2 of ac³ (which is not connected physically …) (edit: nevermind, probably a cached entry, had my other laptop connected on ac³s ether2  previously)

Why does VLAN learning learn that ac³ has VID 1? Or is this unrelated?
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Thu Feb 09, 2023 12:03 pm

Using /tool/sniffer quick ip-protocol=icmp and running ping against 10.10.99.1-4, I see ICMP traffic between only 10.10.99.1 (the router) and my laptop. It is using a VLAN tag on bridge and ether4, and no tag on vlanBase, which makes sense. I cannot see any other ICMP traffic, even when I disable VLAN filtering and 10.10.99.2-4 are reachable too. Why?
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Fri Feb 10, 2023 10:14 am

New day, new luck.

I power on the network setup, and it behaves exactly the same way as yesterday. Finally, consistency. Thanks.

As I just found the configuration of the existing network setup (which is at a different place, but uses VLANs as well), I started comparing the lines. The only difference I found was that protocol-mode was set to none. So I
/interface/bridge set bridge protocol-mode=none
and shit works. With VLAN filtering enabled.

/interface/bridge/port set edge=yes [ find where interface=ether5 ]
has the same effect, as it disables STP learning on that specific port (that is where I have ac³ attached atm).

The L2 Misconfiguration Guide says to set protocol-mode=none when bridging VLAN interface and suggests to use VLAN filtering instead, but that's what I'm doing here.

Well, it seems like I have to learn a bit about the STPs now. Because:
for larger networks properly configured STP is very crucial, leaving STP-related values to default may result in a completely unreachable network in case of an even single bridge failure. To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs, and port priorities.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Fri Feb 10, 2023 10:57 am

If it touches other networks, understanding something about STP is helpful for sure. But I'd almost say it shouldn't matter if you don't have loops in your switched network, since M/R/STP only triggers to resolve loops.

But that's not always true since some smart/managed switches (e.g. Cisco) sometimes default to "blocking" a port if it sees STP traffic on something defined as an "access port". This feature is called "bpdu guard", which RouterOS supports but on Mikrotik it defaults off. Other equipment sometimes has this feature enabled by default. I suspect this may be happening if setting =none helps and things work.
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Fri Feb 10, 2023 3:46 pm

Hm. Well, it also happens with this setup where only 2 Mikrotik devices are in the network, plus my laptop which is connected to a trunk port on ac³ atm.
simple-setup.drawio.png
And the issue only happens when I enable VLAN filtering. Possible that BPDUs are blocked for some reason and STP breaks?

/interface bridge port monitor [find interface=ether1]
on the ac³ shows that its role is designated-port, same for the hEX port it is connected to, and as of my current STP understanding, at least one of them should be root-port.

When I run a /tool/sniffer/quick capture on ether3 of hEX and ether1 of ac³, I see that
  • hEX sends out (but does not receive) MST packages (as a test, I have set it to MSTP now on both sides, but no difference compared to RSTP). It sends the MAC address of its ether2 port as root bridge – this is where my laptop is connected. Not sure if that is correct.
  • ac³ sends out and receives (from hEX) MST packages. It sends its ether1 port as root bridge.

I don't have BPDU Guard enabled on any port.

So some part in hEX must be filtering out the BPDUs on the hEX, but not on the ac³. I still can't see why only protocol-mode=none works …
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Tue Feb 14, 2023 11:23 pm

So, for now I will stick with protocol-mode=none as this works, also together with CAPsMAN.

Reading this post helped a lot with configuring CAPsMAN correctly.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Help me visually understand routing

Wed Feb 15, 2023 12:43 am

Nothing in your config file + diagrams jumps out as wrong that would cause m/r/stp issues, or why =none would help... Maybe someone else here spots something – I'd recommend posting the most current configs to make sure it's apples-to-apples with your diagram above. You may need a trusted=yes or edge=no on the relevant ports, but I don't see why instantly.

But using none and having no loops, should be okay.
 
granjow
newbie
Topic Author
Posts: 29
Joined: Sat Jul 24, 2021 11:27 pm

Re: Help me visually understand routing

Thu Feb 16, 2023 9:10 am

Sure. I have slightly modified port order, but the general setup is still the same, and I can still reproduce the issue. With protocol-mode=none on either of the devices I can communicate, and as soon as I enable m/rstp on both devices, bye. I tried setting the ports on both sides to trusted=yes, however this did not change anything.

Here is the hEX config (trunk ports are now on ether4/5 and I have connected ac³ to ether4) including CAPsMAN noise which I left in for the sake of completeness:
# model = RB750Gr3
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch1 tx-power=-20
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch6 tx-power=-20
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch11 tx-power=-20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5210 name=Ch42-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5250 name=Ch50-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5290 name=Ch58-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5500 name=Ch100-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5540 name=Ch108-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5580 name=Ch116-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5620 name=Ch124-20MHz tx-power=-10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5660 name=Ch132-20MHz tx-power=-10
/interface bridge
add admin-mac=64:D1:54:8D:B9:0F auto-mac=no comment=defconf name=bridge protocol-mode=mstp vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlanBase vlan-id=99
/caps-man datapath
add bridge=bridge local-forwarding=yes name=vlan10-datapath vlan-id=10 vlan-mode=no-tag
/caps-man rates
add basic=11Mbps,6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps name=GN-only
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=game-psk
/caps-man configuration
add channel=Ch1 country=switzerland datapath=vlan10-datapath mode=ap name=AP10 rates=GN-only security=game-psk ssid=Game
add channel=Ch36-20MHz country=switzerland datapath=vlan10-datapath mode=ap name=AP10-5GHz security=game-psk ssid=Game-5GHz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool_home ranges=192.168.99.160-192.168.99.254
add name=pool_vlan10 ranges=10.10.10.160-10.10.10.199
add name=pool_base ranges=10.10.99.160-10.10.99.199
/ip dhcp-server
add address-pool=pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=pool_base interface=vlanBase name=dhcp_base
/port
set 0 name=serial0
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled comment="2.4 GHz, 802.11g capable" hw-supported-modes=g master-configuration=AP10 name-format=prefix-identity name-prefix=2.4GHz
add action=create-enabled comment="5 GHz, 802.11ac capable" hw-supported-modes=ac master-configuration=AP10-5GHz name-format=prefix-identity name-prefix=5GHz
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=99
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlanBase list=LAN
add interface=vlanBase list=BASE
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
add address=10.10.99.1/24 interface=vlanBase network=10.10.99.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.99.0/24 gateway=10.10.99.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow management access" in-interface-list=BASE
add action=accept chain=input comment="Allow emergency port access" in-interface=ether2
add action=accept chain=input comment="Users: Services access" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Users: Services access" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all other traffic"
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=hEX-ug1-buero
/system logging
add topics=caps,debug
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

And the ac³ config (ether1/4/5 are trunk, connects to hEX on ether1):
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=18:FD:74:39:29:1D auto-mac=no comment=defconf name=bridge protocol-mode=mstp vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-392921 wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-392922 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlanBase vlan-id=99
/interface list
add comment=defconf name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether4,ether5 vlan-ids=99
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlanBase list=MANAGE
/interface wireless cap
#
set bridge=bridge discovery-interfaces=vlanBase enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.99.10/24 interface=ether2 network=192.168.99.0
add address=10.10.99.10/24 interface=vlanBase network=10.10.99.0
/ip dns
set allow-remote-requests=yes servers=10.10.99.1
/ip route
add comment="ensures route avail through trusted subnet gateway" disabled=no dst-address=0.0.0.0/0 gateway=10.10.99.1
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=ac3-ug1-eingang
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
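The two exports above can be cross-checked mechanically for the points this thread keeps coming back to: whether the trunk link (hEX ether4 to ac³ ether1) carries the same tagged VLANs on both ends, whether each side tags the management VLAN 99 towards `bridge` so the CPU-side `/interface vlan` receives it, and whether each port's frame-types fits its role. The following is an added example written for this thread, not code from the poster or from MikroTik. It parses only the `/interface bridge port` and `/interface bridge vlan` sections of an export; the sample inputs are constructed from those sections of the two posted configs, plus one deliberately altered copy to show a detected mismatch. It treats a port's pvid as untagged membership of that VLAN, which is how RouterOS's dynamic VLAN entries behave.

```python
"""Cross-check bridge VLAN tables from two RouterOS exports.

Added example for the thread, not the poster's or MikroTik's code.
Parses `/interface bridge port` and `/interface bridge vlan` `add` lines.
"""
import shlex
from collections import defaultdict


def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for every `add` line."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header, e.g. /interface bridge vlan
            current = line
        elif line.startswith("add ") and current:
            entry = {}
            for tok in shlex.split(line[4:]):   # shlex keeps quoted values intact
                key, _, val = tok.partition("=")
                entry[key] = val
            sections[current].append(entry)
    return sections


def expand_ids(spec):
    """'10,20-22' -> {10, 20, 21, 22}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def vlan_table(sections):
    """vlan-id -> {'tagged': set(ports), 'untagged': set(ports)}."""
    table = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for e in sections.get("/interface bridge vlan", []):
        for vid in expand_ids(e["vlan-ids"]):
            for kind in ("tagged", "untagged"):
                if e.get(kind):
                    table[vid][kind].update(e[kind].split(","))
    # A port's pvid yields a dynamic untagged entry in RouterOS; mirror that here.
    for p in sections.get("/interface bridge port", []):
        if "pvid" in p:
            table[int(p["pvid"])]["untagged"].add(p["interface"])
    return table


def tagged_vlans_on(table, port):
    return {vid for vid, members in table.items() if port in members["tagged"]}


def check_trunk(table_a, port_a, table_b, port_b):
    """VLANs tagged on one end of a link but missing on the other."""
    a, b = tagged_vlans_on(table_a, port_a), tagged_vlans_on(table_b, port_b)
    return {"only_a": a - b, "only_b": b - a}


def check_frame_types(sections, table):
    """Ports whose frame-types contradict their VLAN membership."""
    findings = []
    for p in sections.get("/interface bridge port", []):
        port, ft = p["interface"], p.get("frame-types", "admit-all")
        is_trunk = bool(tagged_vlans_on(table, port))
        if is_trunk and ft != "admit-only-vlan-tagged":
            findings.append(f"{port}: carries tagged VLANs but frame-types={ft}")
        if not is_trunk and "pvid" in p and ft == "admit-only-vlan-tagged":
            findings.append(f"{port}: access port (pvid {p['pvid']}) rejects untagged frames")
    return findings


def cpu_has_vlan(table, vid):
    """The /interface vlan on the CPU only sees `vid` if `bridge` is tagged for it."""
    return "bridge" in table[vid]["tagged"]


# Constructed from the bridge port/vlan sections of the two posted exports.
HEX_EXPORT = """
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=99
"""
AC3_EXPORT = """
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether4,ether5 vlan-ids=99
"""
# Deliberately altered copy: VLAN 99 dropped from the ac3 trunk port ether1.
AC3_BROKEN = AC3_EXPORT.replace("tagged=bridge,ether1,ether4,ether5 vlan-ids=99",
                                "tagged=bridge,ether4,ether5 vlan-ids=99")

if __name__ == "__main__":
    hx, ax = parse_export(HEX_EXPORT), parse_export(AC3_EXPORT)
    th, ta = vlan_table(hx), vlan_table(ax)
    print("trunk hEX ether4 <-> ac3 ether1:", check_trunk(th, "ether4", ta, "ether1"))
    print("mgmt VLAN 99 reaches CPU:", cpu_has_vlan(th, 99), cpu_has_vlan(ta, 99))
    print("frame-types findings:", check_frame_types(hx, th) + check_frame_types(ax, ta))
    print("altered ac3:", check_trunk(th, "ether4", vlan_table(parse_export(AC3_BROKEN)), "ether1"))
```

On the two posted exports every check comes back clean, which agrees with the reply above that nothing in the VLAN config itself explains the STP symptom; the altered copy shows what a one-sided trunk VLAN omission looks like (`only_a` lists VLAN 99). Note that this checker says nothing about BPDU handling: a VLAN table that is consistent on both ends is necessary for the tagged traffic to flow, but the root election problem seen earlier in the thread is a separate matter.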
