Nice start ... keep tutorial compact and simple ...
... Now some criticism: I'm confused by your mentioning of "port-based VLAN" and "trunk port" in the same sentence ...
So with port-based VLAN, all ports can be just access ports, each to its own VLAN, and that is it. Once you start using some kind of tags carrying a VLAN ID consciously, in my understanding it is not a port-based approach any more.
> Allow me to finish up what I've got, and then we can edit that down. Will take me a few weeks.

So, it's too early to make this topic sticky?
> Because weird, we "also" add the Bridge

So do you mean wired or actually weird?
/interface wireless set [ find name=wlan1 ] vlan-mode=use-tag vlan-id=BLUE
I'll take this opportunity to open a discussion about how to deal with wifi "access ports" to vlans. There are two ways:
- vlan-mode=use-tag vlan-id=BLUE
- interface bridge subtree where wlan1 interface is an access port to a VLAN
So what is the better (more understandable/readable) way to configure it? My guess is that way 2 is better as it keeps VLAN config in single config subtree ... but what do other forum members think about this?
Hi pcunite. Two questions:
> Off the top, vlan-mode=use-tag is like free candy, which can only mean it's bad for you. Not sure yet. Whatever the case, don't let me be weak!

I don't see vlan-mode=use-tag as candy, it used to be the only way back in ROS<=6.40 ... as was the switch-chip VLAN stuff.
> Question 1:
> Responding to what you have written, for now I will say that, one reason why I break out commands is to show, conceptually speaking, what is happening. When designing VLANs, the administrator has to think about how Access ports will interact with Trunk Ports, and how all that will eventually work over L3. Naturally, when someone is familiar with the MikroTik command line, they can combine several settings into one liners. But that is confusing when trying to learn it for the first time.

I'm with you on this one. Let's leave taking shortcuts to experienced and adventurous users and keep newbies straight on the right path ...
> Hi pcunite. Two questions:

Thanks for the response, and I fully 1000% support this educational reference.
@anav,
I have updated the configuration files. Please reexamine, and then ask your question again. Then, I'll give you a formal response. Yesterday evening, I had the opportunity to actually implement the config files on real hardware and made some adjustments.
Question 1:
Responding to what you have written, for now I will say that, one reason why I break out commands is to show, conceptually speaking, what is happening. When designing VLANs, the administrator has to think about how Access ports will interact with Trunk Ports, and how all that will eventually work over L3. Naturally, when someone is familiar with the MikroTik command line, they can combine several settings into one liners. But that is confusing when trying to learn it for the first time.
Question 2:
I think MikroTik's current API is not expressive enough for what is happening. There are times when you must specify PVID, so I feel, personal opinion, that as I'm trying to illustrate the VLAN concept, that the reader understands better by doing it this way. With PVID=1, it is explicitly being shown that a Trunk port is being created.
> Just my 5 cents about firewall rules: regardless of one's personal preferences, the default firewall is "drop not wanted, implicitly allow everything else". Personally I don't think this approach is wrong and while teaching less knowledgeable users about VLAN config I don't think we should mess with default firewall philosophy.

Well, since I am only bringing 2 cents to the table, perhaps you have a quark of a point.
(2) Add text explaining how oneliners can be used. example:
/interface bridge vlan add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=10,20,30
(3) (a) Why not show ingress-filtering=yes?
(3) (b) Why not show pvid=xx admit frame types=?
As for Firewall rules
1) Only allow permitted traffic then Drop all else
2) There is no reason to let everyone on the LAN (or VLAN for that matter) have access to the router.
3) Why use connection-state=new?
I don't have NEW in any of my rules, I don't see any in the default config, so where are you pulling this rectal pluck from?
> You obviously understand what you are doing and I don't. Thus I have no idea what new is for as I have never seen it or put it in any of my rules.

Consider this rule:
add chain=input in-interface-list=LAN protocol=udp port=53
add chain=input in-interface-list=LAN connection-state=established,related
add chain=input in-interface-list=LAN protocol=udp port=53
Yes I AGREE, if traffic doesn't match a rule I have (for a specific purpose), then off with its head!!
For UDP, only the first packet between a connection with two unique IP/port tuples is new, all return packets and subsequent packets are established. For TCP the first three packets are new (three way handshake: SYN, SYN/ACK, ACK), everything thereafter is established.
Packets can only belong to one connection, and each connection can only have one mark. Every packet can also have an independent packet mark, and an independent routing mark. So you can mark connections for policy routing purposes (routing marks derived from the connection mark), and use the packet mark independently for QoS purposes (but not use the connection mark for QoS decisions), or vice versa.
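The connection states described in the two posts above, as an added example that is not part of the thread: a toy Python connection tracker that follows exactly the rule stated there (first UDP packet of a 5-tuple is new, everything after it established; the three TCP handshake packets are new), feeding the three-rule input chain being discussed (accept established,related; accept LAN udp/53; drop). It is also run with connection-state=new added to the DNS rule to show the decisions do not change. Interface-list membership and all addresses are constructed, and the tracker is a simplification of conntrack, not a copy of it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Interface lists as used in the thread's rules (constructed membership).
IFACE_LISTS = {"LAN": {"vlan11-home", "BLUE_VLAN"}, "WAN": {"ether1"}}


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


class ConnTracker:
    """Toy tracker following the post: first UDP packet of a 5-tuple is `new`,
    every later packet in either direction is `established`; for TCP the three
    handshake packets are `new`, the rest `established`."""

    def __init__(self) -> None:
        self.seen: Dict[tuple, int] = {}

    @staticmethod
    def key(p: Packet) -> tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)   # direction-agnostic

    def state(self, p: Packet) -> str:
        n = self.seen.get(self.key(p), 0)
        self.seen[self.key(p)] = n + 1
        if p.proto == "udp":
            return "new" if n == 0 else "established"
        return "new" if n < 3 else "established"          # SYN, SYN/ACK, ACK


@dataclass
class Rule:
    action: str
    comment: str
    in_iface_list: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    conn_state: Optional[Set[str]] = None

    def matches(self, p: Packet, state: str) -> bool:
        if self.in_iface_list and p.in_iface not in IFACE_LISTS[self.in_iface_list]:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.conn_state is not None and state not in self.conn_state:
            return False
        return True


def input_chain(dns_states: Optional[Set[str]]) -> List[Rule]:
    """The three-rule input chain from the discussion; dns_states lets us add
    connection-state=new to the DNS rule (None = no connection-state matcher)."""
    return [
        Rule("accept", "Allow Estab & Related", conn_state={"established", "related"}),
        Rule("accept", "Allow LAN DNS", in_iface_list="LAN", proto="udp", dport=53,
             conn_state=dns_states),
        Rule("drop", "Drop"),
    ]


def run_chain(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Evaluate each packet top-down; returns (state, action, matching rule comment)."""
    tracker = ConnTracker()
    out = []
    for p in packets:
        state = tracker.state(p)
        for r in rules:
            if r.matches(p, state):
                out.append((state, r.action, r.comment))
                break
    return out


# Constructed sample traffic aimed at the router itself (input chain).
SAMPLE = [
    Packet("udp", "192.168.0.39", 40000, "192.168.0.1", 53, "vlan11-home"),   # DNS query
    Packet("udp", "192.168.0.39", 40000, "192.168.0.1", 53, "vlan11-home"),   # same 5-tuple again
    Packet("udp", "203.0.113.5", 40000, "203.0.113.1", 53, "ether1"),         # DNS from WAN
    Packet("tcp", "192.168.0.39", 50000, "192.168.0.1", 8291, "vlan11-home"), # Winbox SYN from LAN
]

if __name__ == "__main__":
    for variant in (None, {"new"}):
        print("DNS rule connection-state=%s" % variant)
        for pkt, res in zip(SAMPLE, run_chain(input_chain(variant), SAMPLE)):
            print("  %-3s %s:%d -> :%d on %-12s %s" % (pkt.proto, pkt.src, pkt.sport,
                                                      pkt.dport, pkt.in_iface, res))
```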
... it would be just fine if we added connection-state=new to the second rule ... from a functionality point of view it wouldn't change a bit, but it'd show the real reason for having this rule.
> @anav, can we keep this thread talking about VLANs and (if needed) start a new thread (or three) to bitch about other things?

I've made a dedicated topic for that, please continue there.
> @anav, did you manage to miss the second part of post #17 above? And @pcunite's reply to it ... seems like he made up his mind

I clearly did LOL, and I know what I did. I mixed that up, I read it as his way was the old way and the way I do it as the new way.
# model = RouterBOARD cAP Gi-5acD2nD
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridgeHallway \
vlan-filtering=yes
/interface vlan
add interface=bridgeHallway name=Guests_WIFI-v200 vlan-id=200
add interface=bridgeHallway name=Wifi_SDevices_cap2 vlan-id=45
/interface list
add name=WAN
add name=LAN
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-g/n basic-rates-b="" \
country=canada disabled=no distance=indoors frequency-mode=\
regulatory-domain installation=indoor mac-address= mode=\
ap-bridge name=DevicesHallway rate-set=configured scan-list=2412,2437,2462 \
security-profile=devices_only ssid=RD2 supported-rates-b="" \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=\
20/40mhz-Ce country=canada disabled=no frequency-mode=regulatory-domain \
mode=ap-bridge name=Hallway5G rate-set=configured scan-list=\
5175-5185,5195-5205,5215-5225 security-profile=Hallway_wifi ssid=\
Hallway_CellPhones wireless-protocol=802.11 wmm-support=enabled wps-mode=\
disabled
add disabled=no mac-address= master-interface=Hallway5G name=\
VisitorWIFI security-profile=HouseGuestsSecurity ssid=Guest_Wifi \
wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf interface=DevicesHallway pvid=45
add bridge=bridgeHallway comment=defconf interface=Hallway5G
add bridge=bridgeHallway interface=VisitorWIFI pvid=200 trusted=yes
/interface bridge vlan
add bridge=bridgeHallway untagged=DevicesHallway vlan-ids=45
add bridge=bridgeHallway untagged=VisitorWIFI vlan-ids=200
add bridge=bridgeHallway untagged=Hallway5G vlan-ids=1
/interface list member
add interface=ether1 list=WAN
add interface=Wifi_SDevices_cap2 list=LAN
add interface=Guests_WIFI-v200 list=LAN
add interface=bridgeHallway list=LAN
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridgeHallway vlan-filtering=yes
/interface vlan
add interface=bridgeHallway name=Guests_WIFI-v200 vlan-id=200
add interface=bridgeHallway name=Wifi_SDevices_cap2 vlan-id=45
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-g/n basic-rates-b="" country=canada disabled=no distance=indoors frequency-mode=regulatory-domain installation=indoor mac-address= mode=\
ap-bridge name=DevicesHallway rate-set=configured scan-list=2412,2437,2462 security-profile=devices_only ssid=RD2 supported-rates-b="" wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=canada disabled=no frequency-mode=regulatory-domain mode=ap-bridge name=Hallway5G rate-set=configured scan-list=\
5175-5185,5195-5205,5215-5225 security-profile=Hallway_wifi ssid=Hallway_CellPhones wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no mac-address= master-interface=Hallway5G name=VisitorWIFI security-profile=HouseGuestsSecurity ssid=Guest_Wifi wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf interface=DevicesHallway pvid=45
add bridge=bridgeHallway comment=defconf interface=Hallway5G
add bridge=bridgeHallway interface=VisitorWIFI pvid=200 trusted=yes
/interface bridge vlan
add bridge=bridgeHallway tagged=ether1 untagged=DevicesHallway vlan-ids=45
add bridge=bridgeHallway tagged=ether1 untagged=VisitorWIFI vlan-ids=200
add bridge=bridgeHallway tagged=ether1 vlan-ids=1
> the way you describe what happens when bridge has pvid set (that ether ports untag packets) is an over complication.

It may look like an over-complication but the sad truth is that inside it works exactly like that (tagless packets on the bridge). So your simplification that the bridge's pvid is only meaningful for the bridge's role as its own port is useful in most situations, but sometimes people get surprised when they try to attach an /interface vlan with vlan-id=1 to a bridge with a (default) pvid=1 and get surprised that it doesn't work, or when you need to combine switch chip settings with bridge settings.
> @anav: bridges become tagged members of a VLAN when device needs some L3 (mostly, could be L2 as well) interaction with said VLAN. AP doesn't, its job is to forward packets between L2 interfaces. Router does, it needs to shuffle packets on L3 through CPU.

I'd say bridges (in their "port of itself" personality, as in "Salzburg is the capital of the state of Salzburg") don't become tagged members of a VLAN but have to be made tagged members of a VLAN if you want to make that VLAN accessible for the L3 on the Mikrotik itself. And an AP (wireless interface) with vlan-mode=use-tag does become a member interface of a VLAN, except that you don't need to configure that manually, it is added dynamically (see /interface bridge vlan print).
> I really hate when tagged and untagged get mixed on the same ports ... much easier (conceptually) is to run full tagged with (plenty of) access ports ...

Yes, I also wonder where @anav has seen the advice that at least one VLAN on each port should be tagless - I only use "hybrid" ports or "native VLAN on a trunk" where the connected equipment requires that and it is too complex to change it, typically for administrative reasons.
Bridges need to be tagged members of a VLAN when device needs some L3 (mostly, could be L2 as well) interaction with said VLAN. Access Point doesn't, its job is to forward packets between L2 interfaces. Router does, it needs to shuffle packets on L3 through CPU. So yes, adding BR1 as tagged member of VLAN_RED, VLAN_GREEN and VLAN_BLUE is unnecessary (in the AP example) and probably @pcunite should fix it in the config example.
> > the way you describe what happens when bridge has pvid set (that ether ports untag packets) is an over complication.
>
> It may look like an over-complication but the sad truth is that inside it works exactly like that (tagless packets on the bridge). So your simplification that the bridge's pvid is only meaningful for the bridge's role as its own port is useful in most situations, but sometimes people get surprised when they try to attach an /interface vlan with vlan-id=1 to a bridge with a (default) pvid=1 and get surprised that it doesn't work, or when you need to combine switch chip settings with bridge settings.

This is a complication because Mikrotik uses VLAN ID 1 as synonym for untagged while other vendors might actually support it as tagged. So not only do I hate using mixed tagged/untagged, I also avoid use of VLAN ID 1 at all cost.
> Mikrotik uses VLAN ID 1 as synonym for untagged

This is, fortunately or unfortunately, not true. I used to think the same until I've found out that it is not VLAN ID 1 which is always handled untagged but it's actually "the VLAN ID which is configured as bridge's own pvid parameter" which is treated as untagged on the bridge. If you change bridge's own pvid to something else than 1, VID 1 starts behaving normally.
> But if we push vlan-id=1 out of picture (because it very obviously stinks), does my simplification still smell rotten?

The biggest problem with VID 1 is that it is a default value, and as such it is often not explicitly shown on command line interfaces, in configuration items like switchport access vlan or switchport trunk native vlan on Cisco, and in /interface bridge port pvid and /interface vlan pvid in RouterOS.
[me@MyTik] > interface bridge export verbose
...
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=\
"interconnection with OTC network" dhcp-snooping=no disabled=no ether-type=0x8100 fast-forward=yes frame-types=admit-all \
igmp-snooping=no ingress-filtering=no mtu=auto name=bridge-otc protocol-mode=none \
pvid=1 vlan-filtering=yes
[me@MyTik] > interface bridge vlan export
...
/interface bridge vlan
add bridge=bridge-otc tagged=ether1,bridge-otc vlan-ids=2,5,6
[me@MyTik] > interface bridge vlan print
Flags: X - disabled, D - dynamic
 #   BRIDGE      VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
 0   bridge-otc  2         bridge-otc
                 5         ether1
                 6
 1 D bridge-otc  1                         bridge-otc
                                           ether1
> > Mikrotik uses VLAN ID 1 as synonym for untagged
>
> This is, fortunately or unfortunately, not true. I used to think the same until I've found out that it is not VLAN ID 1 which is always handled untagged but it's actually "the VLAN ID which is configured as bridge's own pvid parameter" which is treated as untagged on the bridge. If you change bridge's own pvid to something else than 1, VID 1 starts behaving normally.

Perhaps things slightly changed with the advent of bridge vlan-filtering ... in previous times, when bridge was sort of a dumb switch, bridge interface happily utilized packets belonging to VLAN ID 1 just the same as explicitly untagged while one had to use VLAN interface for the rest of VLANs. This might explain why pvid=1 is default setting ... to keep (broken) bridge port behaviour the same as it was before 6.42.
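A small model of the bridge VLAN table behaviour argued over in the posts above, added here and not taken from the thread or from MikroTik: every port, the bridge's own "port of itself" included, gets a dynamic (D) untagged entry for its pvid, so an /interface vlan whose vlan-id equals the bridge's own pvid never receives anything tagged, while moving the bridge pvid away from 1 turns VID 1 into an ordinary tagged VLAN. The bridge-otc export above is rebuilt as constructed data; the ingress-filtering and frame-types handling are my reading of those RouterOS option names (including the doc note quoted later in the thread that an admit-only-vlan-tagged port gets no dynamic untagged entry), not RouterOS code.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Entry = Tuple[Set[str], Set[str], bool]   # (current-tagged, current-untagged, dynamic?)


@dataclass
class Port:
    name: str
    pvid: int = 1                      # RouterOS default pvid
    ingress_filtering: bool = False
    frame_types: str = "admit-all"


@dataclass
class Bridge:
    name: str
    pvid: int = 1                      # the bridge's own pvid, acting as a port of itself
    frame_types: str = "admit-all"
    ports: Dict[str, Port] = field(default_factory=dict)
    static: Dict[int, Tuple[Set[str], Set[str]]] = field(default_factory=dict)

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def add_vlan(self, vid: int, tagged=(), untagged=()) -> None:
        """Counterpart of `/interface bridge vlan add ... tagged=... untagged=... vlan-ids=vid`."""
        self.static[vid] = (set(tagged), set(untagged))

    def table(self) -> Dict[int, Entry]:
        """Effective table as `/interface bridge vlan print` shows it: static entries plus a
        dynamic untagged entry for each member's pvid (bridge included). Assumptions: an
        admit-only-vlan-tagged port gets no dynamic entry, and a port already tagged for
        its pvid is not added untagged as well."""
        eff: Dict[int, Entry] = {v: (set(t), set(u), False) for v, (t, u) in self.static.items()}
        members = list(self.ports.values()) + [Port(self.name, self.pvid, frame_types=self.frame_types)]
        for p in members:
            if p.frame_types == "admit-only-vlan-tagged":
                continue
            if p.pvid not in eff:
                eff[p.pvid] = (set(), set(), True)      # D flag: created dynamically
            tagged, untagged, _ = eff[p.pvid]
            if p.name not in tagged:
                untagged.add(p.name)
        return eff

    def ingress(self, in_port: str, vid: Optional[int]) -> Tuple[bool, Optional[int], str]:
        """Classify a frame arriving on in_port; vid=None means untagged (or priority-tagged,
        which 802.1Q classifies the same way). Returns (accepted, effective VID, reason)."""
        p = self.ports[in_port]
        if vid is None and p.frame_types == "admit-only-vlan-tagged":
            return False, None, "frame-types rejects untagged"
        if vid is not None and p.frame_types == "admit-only-untagged-and-priority-tagged":
            return False, None, "frame-types rejects tagged"
        eff_vid = p.pvid if vid is None else vid
        tagged, untagged, _ = self.table().get(eff_vid, (set(), set(), False))
        if p.ingress_filtering and in_port not in tagged | untagged:
            return False, eff_vid, "ingress-filtering: %s not a member of VLAN %d" % (in_port, eff_vid)
        return True, eff_vid, "ok"

    def egress(self, in_port: str, vid: int) -> Dict[str, bool]:
        """Members a frame in `vid` is flooded to (in_port excluded): name -> leaves tagged?
        The bridge's own name stands for the CPU side of the bridge."""
        tagged, untagged, _ = self.table().get(vid, (set(), set(), False))
        out = {m: True for m in tagged}
        out.update({m: False for m in untagged})
        out.pop(in_port, None)
        return out

    def vlan_interface_works(self, vid: int) -> bool:
        """An `/interface vlan` child of the bridge only sees frames the CPU receives tagged;
        a VID equal to the bridge's own pvid reaches the CPU untagged instead."""
        return self.egress("", vid).get(self.name) is True


def bridge_otc(bridge_pvid: int = 1) -> Bridge:
    """The export shown earlier (bridge-otc with ether1 tagged for 2,5,6), as constructed data."""
    b = Bridge("bridge-otc", pvid=bridge_pvid)
    b.add_port(Port("ether1", pvid=bridge_pvid))
    for vid in (2, 5, 6):
        b.add_vlan(vid, tagged={"ether1", "bridge-otc"})
    return b


if __name__ == "__main__":
    for pvid in (1, 99):
        b = bridge_otc(pvid)
        if pvid != 1:
            b.add_vlan(1, tagged={"ether1", "bridge-otc"})   # now VID 1 can be a normal VLAN
        print("bridge pvid=%d -> /interface vlan vlan-id=1 works: %s" % (pvid, b.vlan_interface_works(1)))
        for vid, (t, u, dyn) in sorted(b.table().items()):
            print("  %s vid=%-3d tagged=%s untagged=%s" % ("D" if dyn else " ", vid, sorted(t), sorted(u)))
```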
> /interface bridge port
> add bridge=bridgeHallway comment=defconf interface=ether1 (pvid=1)
> add bridge=bridgeHallway comment=defconf interface=DevicesHallway pvid=45
> /ip bridge vlan
> bridge=homebridge untagged=ether1 vlanid=1 is correct as it is consistent with the other interfaces
> But what does that mean.......... Will the CapAC remove vlanID1 from packets going to the WLAN?? and the packets will have vlanid0 and if so how will that affect devices connecting??
> As you can surmise I am still not sure how to handle the bridge vlan for my capAC for ether1

There's a distinction between untagged frame and frame tagged with VLAN ID=1. The former has ethertype value 0x0800 (or, if it's not about IPv4 packet, appropriate ethertype value), the latter has (outer) ethertype 0x8100 with additional header (3 bits PCP - priority code point; 1 bit DEI - drop eligible indicator and 12 bits VID with value of 1 in this particular case) followed by usual ethertype 0x0800 (or, if it's not IPv4 packet, appropriate ethertype value).
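The frame layout described in the reply above, as an added example that is not part of the thread: a Python builder/parser for Ethernet II frames with an optional 802.1Q tag, showing byte by byte how an untagged frame, a frame tagged with VID 1 and a priority-tagged frame (the "vlanid0" case asked about) differ, plus the admit decision for the three frame-types values used in the configs in this thread. MAC addresses and the payload are constructed; admitted() is my model of those option names, not RouterOS code.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid=None, pcp=0, dei=0,
                ethertype=ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame; when vid is given a 4-byte 802.1Q tag (TPID 0x8100 + TCI) is
    inserted after the MACs. vid=0 yields a priority-tagged frame: tag present, no VLAN."""
    head = _mac(dst) + _mac(src)
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
        head += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split off the optional 802.1Q tag: tagged flag, PCP/DEI/VID, inner ethertype, payload."""
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def admitted(info: dict, frame_types: str) -> bool:
    """Bridge port frame-types policy as modelled here (assumption): per 802.1Q a
    priority-tagged frame (VID 0) is classified like an untagged one."""
    vlan_tagged = info["tagged"] and info["vid"] != 0
    if frame_types == "admit-all":
        return True
    if frame_types == "admit-only-vlan-tagged":
        return vlan_tagged
    if frame_types == "admit-only-untagged-and-priority-tagged":
        return not vlan_tagged
    raise ValueError("unknown frame-types value: %s" % frame_types)


# Constructed sample frames: broadcast destination, locally administered source MAC,
# and a dummy payload standing in for an IPv4 header.
PAYLOAD = b"\x45\x00" + b"\x00" * 18
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", PAYLOAD)
TAGGED_VID1 = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", PAYLOAD, vid=1)
PRIO_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", PAYLOAD, vid=0, pcp=5)

if __name__ == "__main__":
    for label, f in (("untagged", UNTAGGED), ("VID 1", TAGGED_VID1), ("priority-tagged", PRIO_TAGGED)):
        i = parse_frame(f)
        print("%-16s bytes 12..17: %-17s tagged=%-5s vid=%-4s pcp=%-4s inner ethertype=0x%04x" % (
            label, f[12:18].hex(" "), i["tagged"], i["vid"], i["pcp"], i["ethertype"]))
        for policy in ("admit-only-vlan-tagged", "admit-only-untagged-and-priority-tagged"):
            print("    %-40s -> %s" % (policy, "admit" if admitted(i, policy) else "drop"))
```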
> don't ever use VID=1 in any setup and always have frames tagged in LAN infrastructure ... untagged should only live on access points (wires outside active LAN infrastructure perimeter and wireless SSIDs). I'm sticking to these rules and I don't have any problems whatsoever (neither conceptual nor real)..

100% agree.
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ
/interface bridge
add admin-mac=CC:2D:E0:F4:3F:AE auto-mac=no comment=defconf name=HomeBridge \
vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=SOLAR-36 vlan-id=36
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VOIP_77 vlan-id=77
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
add interface=HomeBridge name=vlan11-home vlan-id=11
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANSwInt
add name=VLANSwoInt
/ip pool
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.150
/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=vlan11-home lease-time=1d \
name=HoMeLAN
/interface bridge port
add bridge=HomeBridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=HomeBridge comment=defconf ingress-filtering=yes interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=VLANSwInt
/ip settings
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether2 vlan-ids=\
30,36,40,45,100,200,666
add bridge=HomeBridge tagged=HomeBridge,ether3 vlan-ids=99,77,33
add bridge=HomeBridge tagged=HomeBridge,ether2,ether3 vlan-ids=11
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add interface=vlan11-home list=LAN
add interface=vlan11-home list=VLANSwInt
/ip address
add address=192.168.0.1/24 interface=vlan11-home network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24,192.168.2.100/32 port=xx
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.2.100/32 port=xx
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set interfaces=VOIP_77
/system clock
set time-zone-name=America/Moncton
/system identity
set name="MikroTik RM"
/system ntp client
set enabled=yes server-dns-names=time.nrc.ca,nrc.chu.ca
/system resource irq rps
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=VLANSwInt src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state="" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
"INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=forward comment=" - Drop external DNS - UDP" \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward comment=" - Drop external DNS - TCP" \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward comment=\
" - Drop invalid/malformed packets" connection-state=invalid \
log-prefix=INVALID
add action=accept chain=forward comment=\
"defconf: accept established,related, " connection-state=\
established,related
add action=accept chain=forward comment="ENABLE HomeLAN to WAN" \
in-interface=HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" \
out-interface-list=WAN src-address=192.168.0.0/24
add action=accept chain=forward comment="allow VLANS to WAN " \
in-interface-list=VLANSwInt out-interface-list=WAN
add action=accept chain=forward comment="Admin_To_VLANS" \
dst-address-list=VLANS-theo in-interface=vlan11-home log=yes log-prefix=\
"Admin to VLANS" src-address=192.168.0.39
add action=drop chain=forward comment=\
"Alex - DROP ALL other FORWARD traffic" log-prefix="FORWARD DROP ALL"
I made the big switch tonight using vlan11 vs. vlan1 for my homelan. However, I can no longer access my capacs to manage them. Remember we do not tag the bridge on the capac for some reason LOL. So why can I not, with my pc being on vlan11, use winbox to see capacs? I see the router just fine!
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
/interface bridge
add admin-mac=xx auto-mac=no comment=defconf name=\
bridgeHallway vlan-filtering=yes
/interface vlan
add interface=bridgeHallway name=Guests_WIFI-v200 vlan-id=200
add interface=bridgeHallway name=Wifi_SDevices_cap2 vlan-id=45
add interface=bridgeHallway name=homevlan vlan-id=11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=Hallway_wifi supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=devices_only supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=HouseGuestsSecurity supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-g/n basic-rates-b="" \
country=canada disabled=no distance=indoors frequency-mode=\
regulatory-domain installation=indoor mac-address=CC:2D:E1:AF:73:91 mode=\
ap-bridge name=DevicesHallway rate-set=configured scan-list=\
2412,2437,2462 security-profile=devices_only ssid=RD2 supported-rates-b=\
"" wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac \
channel-width=20/40mhz-Ce country=canada disabled=no frequency-mode=\
regulatory-domain mode=ap-bridge name=Hallway5G rate-set=configured \
scan-list=5175-5185,5195-5205,5215-5225 security-profile=Hallway_wifi \
ssid=Hallway_CellPhones wireless-protocol=802.11 wmm-support=enabled \
wps-mode=disabled
add disabled=no mac-address=CE:2D:E2:AF:73:92 master-interface=Hallway5G \
name=VisitorWIFI security-profile=HouseGuestsSecurity ssid=Guest_Wifi \
wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=DevicesHallway pvid=45
add bridge=bridgeHallway comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=Hallway5G pvid=11
add bridge=bridgeHallway frame-types=admit-only-untagged-and-priority-tagged \
interface=VisitorWIFI pvid=200 trusted=yes
/interface bridge vlan
add bridge=bridgeHallway tagged=ether1 untagged=DevicesHallway vlan-ids=45
add bridge=bridgeHallway tagged=ether1 untagged=VisitorWIFI vlan-ids=200
add bridge=bridgeHallway tagged=bridgeHallway,ether1 untagged=Hallway5G vlan-ids=11
/ip address
add address=192.168.0.112/24 disabled=yes interface=ether2 network=\
192.168.0.0
/ip route
add disabled=yes distance=1 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24 port=xx
set api disabled=yes
set winbox address=192.168.0.0/24 port=xx
set api-ssl disabled=yes
1) What the heck is BASE_VLAN?
2) Why assign ether7 to be an access port?
The rest of the discussion has not been resolved. Many are having problems trying to implement your examples and many issues stem from the lack of clarity on pvid=1 vs pvid=99. In other words, what is being assigned to the bridge, and what effect it has on reaching devices such as router, switches, APs, etc.
I lose connectivity to my cAP ACs and router, they no longer show up in Winbox. How do I ensure all devices are still reachable?
# "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
# Set the VLAN that can "see" L2 broadcast for Neighbor Discovery protocol
/ip neighbor discovery-settings set discover-interface-list=BASE
# Setup a firewall to allow connecting to Winbox (via L3 IP Address)
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to use DNS services running on the Router
add chain=input action=accept dst-port=53 in-interface-list=VLAN protocol=udp comment="Allow VLAN DNS"
# Allow VLANs to access everything on the Router. NOT recommended
add chain=input action=accept disabled=yes in-interface-list=VLAN comment="Allow VLAN Everything"
# Allow BASE (MGMT) VLAN access to everything. Recommended
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan to MikroTik"
# Allow Winbox access from a list of IP addresses. Change this to be different interfaces, whatever you want
add chain=input action=accept dst-port=8291,22 protocol=tcp src-address-list=RemoteAccess comment="Remote Winbox"
# Standard VLAN rules
add chain=input action=drop comment=Drop
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment=Drop
/ip firewall filter
# Forward rules that allow for port forwarding
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 comment="Allow port forwards"
add chain=forward action=drop comment=Drop
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# Winbox to AP1 & AP2
add chain=dstnat action=dst-nat dst-port=8301 to-ports=8291 in-interface=ether1 protocol=tcp to-addresses=10.0.0.2 src-address-list=RemoteAccess
add chain=dstnat action=dst-nat dst-port=8302 to-ports=8291 in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 src-address-list=RemoteAccess
One thing MikroTik discusses that you don't mention is hybrid ports ... I believe they say this is not a safe way to operate security wise in conclusion but it wasn't clear.
> Can you work this out if you want?

I don't think this is the correct topic for this. By means of software bridges, this can be done using the information provided by @pcunite, who has stated the purpose of this topic to be a substitute for a missing layer of the documentation, not a place where people could ask for individual help. So if individual help is what you need, open a new topic for that, please.
# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
> Can anybody explain to me where my thinking fault is?

Create a new dedicated topic and post the complete config there. The few lines you've posted look fine as such so there is likely a firewall issue.
...It is possible to drop all untagged packets that are destined to the CPU port:
/interface bridge
set bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
This does not only drop untagged packets, but this disables the feature that dynamically adds untagged ports to the bridge VLAN table. If you print out the current bridge VLAN table you would notice that bridge1 is not dynamically added as an untagged port:
[admin@MikroTik] > /interface bridge vlan print
Note: When frame-type=admit-only-vlan-tagged is used on a port, then the port is not dynamically added as untagged port for the PVID.
> If you're coming from Cisco, this may also be helpful for bridge VLAN configuration in MikroTik.
> https://www.stubarea51.net/2019/02/06/c ... and-vlans/

Thanks for the reference, it will be very helpful!
# egress behavior
/interface bridge plan
# egress behavior
/interface bridge vlan
in the topic Switch with a separate router (RoaS), what is the difference between the Switch Config file and the Router Config file?
> in the topic Switch with a separate router (RoaS), what is the difference between the Switch Config file and the Router Config file?

Just to make sure I got it right.
The two files are the configurations for the two hardware devices that will be in use. One a switch, the other a router.
> The fun thing about MT devices is there is no one answer EVER! LOL.
> IF its acting as a router and access point, look for this file........... "Router-Switch-AP (all in one)"
> IF its acting solely as an access point, look for this file ............. "Access Point"
> IF its acting solely as a switch, look for this file............. "Switch with a separate router (RoaS)" and use the switch config.

Got it, thanks!
> BUT I cannot get internet from Ether2 to Ether5. That is why I asked here. I just want to try it according to this tutorial to see if it works.

I'm sure you're aware that when configured according to settings posted, none of the interfaces allow untagged (access) connectivity. So to test things, you can't simply plug in a normal PC and expect "something to happen". You either need to configure interface as access (untagged) port for selected VLAN or configure PC to properly deal with tagged ethernet frames.
> > BUT I cannot get internet from Ether2 to Ether5. That is why I asked here. I just want to try it according to this tutorial to see if it works.
>
> I'm sure you're aware that when configured according to settings posted, none of the interfaces allow untagged (access) connectivity. So to test things, you can't simply plug in a normal PC and expect "something to happen". You either need to configure interface as access (untagged) port for selected VLAN or configure PC to properly deal with tagged ethernet frames.

Too funny I assumed due to his config that all the ports were considered trunk ports and going to managed switches or business class APs etc.........
Too funny I assumed ...
# Please note that these rules are using "all-vlan" interface and
# it is assumed that gateway/uplink interface is not using VLAN.
# If gateway/uplink interface uses VLAN, use interface lists instead of
# all-vlan.
# all-vlan example was found from the topic below:
# https://forum.mikrotik.com
# Search for: "Comfortable way to block inter-vlan traffic"
# Attention, when pasting to serial connection, the whole URL
# seems to have some strange effects because of the question mark in
# the URL, even when it's commented out, so the whole URL is not
# written above.
/ip firewall filter
######## ROUTER FIREWALL RULES ########
# Allow traffic back as long as the traffic has started from "inside"
# your network.
add action=accept chain=input comment="Allow Established & Related" \
connection-state=established,related
# If you're using IPsec, allow untracked.
# This rule is especially important if one is using "Drop all"
# as the last rule.
# More information in forum.mikrotik.com topic:
# "New" default firewall config in ROS - why ipsec is default allowed
add action=accept chain=input \
comment="Allow untracked" connection-state=untracked disabled=yes
# Allow DNS requests from VLANs (udp/tcp)
add action=accept chain=input comment=\
"Allow DNS requests from LAN / VLANs UDP" dst-port=53 in-interface=\
all-vlan protocol=udp
add action=accept chain=input comment=\
"Allow DNS requests from LAN / VLANs TCP" dst-port=53 in-interface=\
all-vlan protocol=tcp
# Allow pinging the router from the VLANs
# This is mainly a troubleshooting option to check:
# "Why my internet is not working? Well, I can ping the gateway."
add action=accept chain=input comment=\
"Allow pinging the router from LAN / VLANs" in-interface=all-vlan \
protocol=icmp
# Allow full access to your router from the Base / Management VLAN
add action=accept chain=input comment="Allow Base Full Access" in-interface=\
BASE_VLAN
# Allow PING from internet. Might be nice or not.
# It's disabled by default in this conf.
add action=accept chain=input comment="Allow PING from internet" disabled=yes \
protocol=icmp
# It's important to drop all other incoming traffic to the router,
# so any malicious attempts are blocked.
add action=drop chain=input comment="Drop everything else in input"
######## CLIENT/INTERNAL NETWORK FIREWALL RULES ########
# Allow traffic back as long as the traffic has started from "inside"
# client/internal network.
add action=accept chain=forward comment="Allow Established & Related" \
connection-state=established,related
# If you're using IPsec, allow untracked.
# This rule is especially important if one is using "Drop all"
# as the last rule.
# More information in forum.mikrotik.com topic:
# "New" default firewall config in ROS - why ipsec is default allowed
add action=accept chain=forward \
comment="Allow untracked" connection-state=untracked disabled=yes
# Allow Base / Management VLAN to connect any other VLAN
add action=accept chain=forward comment=\
"Allow BASE / mgmt to connect all VLANs" in-interface=BASE_VLAN \
out-interface=all-vlan
# This rule is associated with the rule below about stopping inter-VLAN
# communication (or drop all). If VLAN communication between certain VLANs
# is required, one can add something like the examples below.
# Notice that one can also only allow one direction of communication.
# In this example communication is allowed in both directions between
# BLUE and GREEN VLANs.
# Notice that the rules are disabled by default.
add action=accept chain=forward \
comment="Allow communication from BLUE to GREEN VLAN" disabled=yes \
in-interface=BLUE_VLAN out-interface=GREEN_VLAN
add action=accept chain=forward \
comment="Allow communication from GREEN to BLUE VLAN" disabled=yes \
in-interface=GREEN_VLAN out-interface=BLUE_VLAN
# Stop VLANs from communicating with each other. By default VLANs are able
# to communicate with each other, which doesn't make sense security-wise
# in many scenarios.
# Notice that this doesn't stop VLANs from pinging the different
# router/bridge IPs. This also doesn't stop clients inside a certain
# VLAN from communicating with each other.
# Notice that this rule is pointless if "Drop all" rule is being used.
add action=drop chain=forward comment="Drop all inter-VLAN traffic" \
in-interface=all-vlan out-interface=all-vlan
# Dropping invalid packets in the forward chain is required if one is using NAT.
# Otherwise it's possible that packets leave the router with the wrong (LAN) IP address.
# Notice that this rule is pointless if "Drop all" rule is being used.
add action=drop chain=forward comment="Drop invalid in forward chain" \
connection-state=invalid
# This is a bit of preference of firewall rule creator if "drop all" or
# the "drop invalid" should be used.
# If this rule is used, then the above "drop invalid" and
# "drop inter-vlan communication" are pointless.
# Notice that in this example this is disabled.
add action=drop chain=forward comment="Drop all" disabled=yes
add action=drop chain=input comment="Drop everything else in input"
[Screenshot of the in-interface dropdown, showing the predefined entries next to the configured interfaces: BASE_VLAN, BLUE_VLAN, BR1, GREEN_VLAN, all-ethernet, all-ppp, all-vlan, ether1-gw, ether2, ether3, ether4-trunk, ether5-trunk]
From a Mikrotik support post: "Drop invalid rule is necessary if you use NAT on your router. It is possible that for different reasons a packet can leave the router with the wrong (LAN) IP address. This firewall rule will drop such packets."
Mikrotik's own wiki page on securing the router doesn't include a "drop everything else" rule in the forward chain. I think there would be a need for another topic to discuss whether "drop everything else" or "drop invalid" is better in the forward chain.
Where is the ALL VLAN option? I cannot find it on my router. The one where I can use it in rules with "Interface" only (and not interface-list).
That's the one.
Hehe, I must be blind. I will look when I get home, I could have sworn there was only WAN and LAN and everything else one had to create.
To me it seems some relic of the past before the user-managed interface lists were introduced: the pre-defined items all-vlan, all-ppp, all-wireless, all-ethernet really exist. But although functionally these items are lists, their names have to be used as values of in-interface and out-interface, not of in-interface-list and out-interface-list.
Do I get that right that the herein provided configuration examples work on Atheros8327-based devices (like the hAP ac²) but for the cost of losing bridging (speed) in hardware (due to the lack of VLAN filtering in hardware with some devices the devices' CPUs need to kick in)?
Yes, please take your diagram and post to a new thread and I would like to help after that.
Please share a direct link to the new post then...
Good day everyone,
I'm new to Mikrotik and very new to VLANs. I have read through a number of posts here and am about to start writing up my own file to implement in my home network. I am still in the learning curve of Mikrotik language so I just wanted to ask about a few of the things stated within the how-tos.
I have a RB4011iGS+5HacQ2HnD so I am trying to implement the method suggested in post #3. While reading through the RouterSwitchAP.rsc, there are a few things I am not sure how to do.
While configuring:
Access Ports: "L3 switching":
What does it mean to [find vlan-ids=10]?
IP Addressing & Routing: DNS Server:
Do I put my preferred DNS here or do I put 9.9.9.9?
IP Services: /ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
How is the dns-server=x.x.0.1? Is this defined somewhere that I missed? I haven't loaded the RB without default config yet so I am a bit uncertain how this setting works from a fresh start.
This is about as far as I've gotten through the file so far before I had enough questions that I feel comfortably lost. Figured I'd post now and get more knowledge before moving forward.
I more than likely will need to post my own topic to get more advice on how to proceed with the way I want my network laid out, but I want to at least understand this current topic as much as I can before doing so. I've attached my network diagram (very skeleton) for ref.
Thank you so much in advance!! I've been learning so much already and have mustered enough courage to at least post something here in hopes that you fine folk can lend some expertise.
###############################################################################
# Topic: Using RouterOS to VLAN your network
# Example: Router-Switch-AP all in one device
# Web: viewtopic.php?t=143620
# RouterOS: 6.43.12
# Date: Mar 28, 2019
# Notes: Start with a reset (/system reset-configuration)
# Thanks: mkx, sindy
###############################################################################
#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="rb2011"
#######################################
# VLAN Overview
#######################################
# 10 = Guest
# 20 = IoT
# 99 = BASE (MGMT) VLAN
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk to AP. PVID is only needed when combining tagged + untagged
# trunk (vs fully tagged), but does not hurt so enable.
add bridge=bridge1 interface=ether1 pvid=99
# Guest VLAN
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10
# IoT VLAN: no access ports on this device; VLAN 20 is only carried tagged over the ether1 trunk
# BASE_VLAN / Full access
add bridge=bridge1 interface=ether2 pvid=99
add bridge=bridge1 interface=ether5 pvid=99
add bridge=bridge1 interface=ether6 pvid=99
add bridge=bridge1 interface=ether7 pvid=99
add bridge=bridge1 interface=ether8 pvid=99
add bridge=bridge1 interface=ether9 pvid=99
add bridge=bridge1 interface=ether10 pvid=99
# Tim: WAN VLAN tagging is not set here because it's not part of bridge
#
# egress behavior
#
/interface bridge vlan
# Guest, IoT, & BASE VLAN + Purple uplink trunk (ether1)
# L3 switching so Bridge must be a tagged member
# In case of fully tagged trunk, set ether1 to tagged for vlan 99 as well (instead of untagged)
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=ether3,ether4
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1
add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether1,ether2,ether5,ether6,ether7,ether8,ether9,ether10
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=bridge1 name=BASE_VLAN vlan-id=99
/ip address add address=172.16.99.1/24 interface=BASE_VLAN
# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="172.16.99.1"
# From viewtopic.php?t=90052#p452139
/interface vlan add interface=sfp1 name=WAN_VLAN vlan-id=34
# Set DHCP WAN client on WAN_VLAN (VLAN 34 tagged on sfp1; sfp1 itself is not a bridge port)
/ip dhcp-client
add disabled=no interface=WAN_VLAN
#######################################
# IP Services
#######################################
# Guest VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=GUEST_VLAN vlan-id=10
/ip address add interface=GUEST_VLAN address=172.16.10.1/24
/ip pool add name=GUEST_POOL ranges=172.16.10.100-172.16.10.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=172.16.10.0/24 dns-server=172.16.99.1 gateway=172.16.10.1
# IoT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=IoT_VLAN vlan-id=20
/ip address add interface=IoT_VLAN address=172.16.20.1/24
/ip pool add name=IoT_POOL ranges=172.16.20.100-172.16.20.254
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=172.16.20.0/24 dns-server=172.16.99.1 gateway=172.16.20.1
# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=172.16.99.100-172.16.99.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=172.16.99.0/24 dns-server=172.16.99.1 gateway=172.16.99.1
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN2WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list member
add interface=sfp1 list=WAN
add interface=WAN_VLAN list=WAN
add interface=BASE_VLAN list=VLAN2WAN
add interface=GUEST_VLAN list=VLAN2WAN
# add interface=IoT_VLAN list=VLAN2BASE
add interface=BASE_VLAN list=BASE
add interface=BASE_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=IoT_VLAN list=VLAN
# VLAN aware firewall. Order is important.
##################
# INPUT CHAIN
##################
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface-list=BASE comment="Allow BASE VLAN router access"
# Allow IKEv2 VPN server on router
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
# Allow clients to do DNS, for both TCP and UDP
add chain=input action=accept dst-port=53 src-address=172.16.0.0/16 protocol=tcp comment="Allow all LAN and VPN clients to access DNS"
add chain=input action=accept dst-port=53 src-address=172.16.0.0/16 protocol=udp comment="Allow all LAN and VPN clients to access DNS"
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow selected VLANs to access the Internet
add chain=forward action=accept connection-state=new in-interface-list=VLAN2WAN out-interface-list=WAN comment="VLAN Internet Access only"
# Allow IoT IoT_VLAN to access server in BASE_VLAN, but no WAN.
add chain=forward action=accept connection-state=new in-interface=IoT_VLAN out-interface=BASE_VLAN dst-address=172.16.99.2 comment="Allow IoT_VLAN -> server in BASE_VLAN"
add chain=forward action=accept connection-state=new in-interface=BASE_VLAN out-interface=IoT_VLAN comment="Allow all of BASE_VLAN -> IoT_VLAN"
# Allow IPSec traffic from 172.16.30.0/24
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec src-address=172.16.30.0/24
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." disabled=yes ipsec-policy=out,ipsec
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
add action=masquerade chain=srcnat comment="Hairpin NAT https://www.steveocee.co.uk/mikrotik/hairpin-nat/" dst-address=172.16.99.2 out-interface=BASE_VLAN src-address=172.16.0.0/16
##################
# Disable unused NAT/connection-tracking helpers (service ports, ALGs) to reduce attack surface
##################
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set sctp disabled=yes
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether9]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether10]
/interface bridge port
# For tagged + untagged trunk (management VLAN being untagged), we allow both type of frames
set bridge=bridge1 ingress-filtering=yes frame-types=admit-all [find interface=ether1]
# Only allow tagged packets on WAN port. Note: sfp1 is not a member of bridge1 in this config
# (WAN is kept off the bridge), so the [find] below matches nothing and this line is a no-op;
# it only takes effect if sfp1 is ever added to the bridge.
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp1]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge1 vlan-filtering=yes
... getting some pushback of late on the use of pvid and the associated bridge vlan settings ... personally I think it's clearer when configuring and reading to have the bridge vlan settings visible. Is there any downside to RELYING on the dynamically generated settings?
You can specify both, but if they do not match it causes weird connectivity issues ...
I don't know about this. I got the new config pretty quickly, so I didn't explore dead ends much. :) But if it breaks something, then RouterOS could at least warn about it (similar to warnings in other places).
/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
/certificate settings
set crl-use=no
set crl-download=no
/interface dot1x client
add anon-identity=xx:xx:xx:xx:xx:xx certificate=\
Client_xxxxxx-xxxxxxxxxxxxxx.pem_0 eap-methods=eap-tls identity=\
10:93:97:36:D3:81 interface=ether1
/ip dhcp-client
add disabled=no interface=ether1
/interface ethernet switch port set ether1 vlan-mode=fallback
One thing I do not like about the configuration shown in the examples up at the top (which are otherwise very good) is that it has unnecessary use of the "untagged" setting. You never really have to set anything as untagged manually like that, unless you are using something like MAC-based VLAN assignment. For 99% of situations, setting untagged ports for an /interface bridge vlan really just makes the configuration more complicated and doesn't really do anything.
Just to be clear, are you saying that the reason setting untagged ports explicitly doesn't do anything is because when you add an access port to a VLAN by setting its pvid it is automatically added to the VLAN table as an untagged port for that VLAN? Is that correct?
Yes.
I tried to implement the great tutorial, unfortunately I get an error when defining the WAN IP
# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
gets me this error back:
"error while running run-after-reset script: invalid value for argument address"
A manual change also results in an error message. I am grateful for any help.
Greetings, Sven
I hope you are not literally trying to set the address to a.a.a.a? Either set the address the ISP provided to you or add a DHCP client if the ISP is providing dynamic IP addresses.
Basically you don't need to set up this one. Most ISPs assign a public IP automatically. Only those with a leased line need to set up the default route and set up the WAN facing interface with a public IP. Ignore this one, or you can check whether the default route is already there: try typing /ip route print and if there is an entry with 0.0.0.0/0 then you are good to go.
Yes, that is correct: by setting the PVID it is dynamically added as an untagged port for the VLAN. All you are doing by statically setting it as an untagged port for that VLAN is making it so that you have to change the untagged VLAN in two places instead of one. It makes it more error prone because if you ever change the PVID and forget to remove the associated untagged setting, you may then have both the old and new VLANs untagged on egress for the same port, which can make weird things happen.
@mducharme
What if I put in a disclaimer, stating it was unnecessary and handled automatically? This article series is primarily about learning the VLAN concept on MikroTik hardware, not RouterOS syntax. In fact, I try to take a most verbose approach with the syntax to slow everything down and make it clear what is happening.
Yes, I think that would be good. I have the same problem with the MikroTik documentation actually. The reason I feel it is bad practice to unnecessarily set the "untagged" port statically in addition to the PVID is when it comes time to make changes, you have to remember to make the change in two different places.
I disagree, I find it very confusing to have set PVID on the bridge ports and then not put the associated untagged entries on the bridge vlan.
When reading a config it's dirt easy visually to see what a person has done. It's so difficult to have to double check a config when not seeing the config, especially when they use hybrid ports ... So far I have not seen any input to change my mind.
You shouldn't use this "untagged" setting as a sort of documentation for how things are set up. You can always add a comment to the bridge vlan (ex. "pvid ether1-ether23") if you are concerned about documentation purposes as a reminder for yourself. At least then if you forget to change the comment it won't cause a problem.
I like the idea of using VLANs to partition and isolate network traffic using RouterOS. Your contribution to this article is much appreciated @PCUNITE, MKX, SINDY. I also hope you generate enough traction for this to make it into the Wiki. Thank you ahead of time. Could you kindly show me how to modify the router and SwitchOS config in order to distribute the VLAN information to several APs using CAPsMAN? Assuming you have already tried it. If you haven't, it's all good. I'm kind of embarrassed for saying this, so I'll just be straight up... No offense ANAV, and with all due respect, please kindly refrain from lecturing me as to why it won't be possible. A simple no will suffice. Yes and NO are both answers to me.
Regards T Navarrete (tmoneymikrotik)
Mikrotik SOHO Devices: purchased 1 day ago.
1 x Non Wireless - PoE Router (RouterOS)
1 x PoE Switch (SwitchOS)
2 x cAP ac (RouterOS)
PCUNITE's article addresses VLANs and the various equipment combinations. It does not address the use of CAPsMAN.
As sindy suggested, for any CAPs you are using, I would generally recommend *not* using bridge VLAN filtering on the CAP itself. Use it on the routers and the switches, but not the CAP. The issue is that bridge VLAN filtering artificially limits what you can do with the CAP. For instance, normally you can do per-client VLAN assignments for individual clients if you wish, but as soon as you enable bridge VLAN filtering on the CAP itself, that feature becomes, if not impossible, much more difficult to accomplish.
Hi Mudharm, I use cAP ac and bridge VLAN filtering with great success (and no CAPsMAN). I use a VLAN per SSID to separate users. What am I missing here??
You are talking about per-SSID VLANs - those work fine with bridge VLAN filtering. I'm talking about per-user VLANs with a single SSID - that does not work so well with bridge VLAN filtering. There are workarounds you could potentially use, but I find it easier to just not use bridge VLAN filtering on a CAP in the first place.
Ah okay got it, CAPsMAN and VLANs is like mixing beer and wine... and then drinking vodka LOL
It isn't only with CAPsMAN - you can also assign VLANs to different clients on a single SSID without CAPsMAN using an access list that assigns the VLAN tag based on the MAC, or with RADIUS assigning per-user VLANs outside of CAPsMAN. The issue is that in either of those cases, the bridge VLAN filtering function is going to be blissfully unaware of what VLAN tags are being assigned to users based on either their MAC (in the ACL) or some RADIUS attribute, and is not going to allow those to pass to the switch by default as a result. But if you do not enable bridge VLAN filtering on the CAP, all VLANs are passed, so this issue will not occur in the first place.
@pcunite
Nice guide.
I do suggest you edit your header to:
Title: Using RouterOS to VLAN your network the new way with RouterOS 6.41+
And: Using RouterOS (6.41+) to VLAN your network.
This is to make it clear what type of VLAN implementation you are using in this guide.
In Router-Switch-AP (all in one) you do use VLAN 99 as the BASE/Native VLAN.
That is OK for learning, but my experience tells me that most start off with VLAN 1 only and then later add one or more VLANs.
This will then make VLAN 1 the BASE/Native VLAN for most of the people with a small home router.
Negative as a homeowner, don't agree and it leads to nothing but problems.
I totally agree with you. This was just from what I see in real life situations. Most start off with a basic router with everything in VLAN 1, then add more VLANs as needed. In a good design, the management VLAN should be its own VLAN, not one that is used for normal traffic.
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=no
/interface bridge port
add hw=yes bridge=bridge1 interface=ether1 pvid=399 comment="Switch management"
add hw=yes bridge=bridge1 interface=ether3 pvid=399 comment="Modem management"
/interface bridge vlan
add bridge=bridge1 untagged=ether3,ether1 vlan-ids=399
set [find bridge=bridge1 vlan-ids=399] tagged=bridge1
/interface vlan
add interface=bridge1 name=MGMT_VLAN vlan-id=399
/ip address
add address=192.168.3.1/28 interface=MGMT_VLAN
Hello, I've tried to replicate switch.rsc and router.rsc in GNS3 2.2.21 but it didn't work. I am using MikroTik firmware version v6.48.2.
I had to modify this section:
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=10]
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=20]
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=30]
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
With this to get it working:
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=sfp1,sfp2 untagged=ether1,ether2,... vlan-ids=10
set bridge=BR1 tagged=sfp1,sfp2 untagged=ether9,ether10,... vlan-ids=20
set bridge=BR1 tagged=sfp1,sfp2 untagged=ether17,ether18,... vlan-ids=30
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
Any idea why it doesn't work?
The first time you refer to vlan-id, you need to use this syntax:
/interface bridge vlan
add bridge=bridge1 untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether13,ether18,ether19,ether22,ether23 vlan-ids=100
add bridge=bridge1 untagged=ether11 vlan-ids=213
/interface bridge vlan
set [find bridge=bridge1 vlan-ids=100] tagged=ether2
set [find bridge=bridge1 vlan-ids=211,212,213,311,399] tagged=ether4
I have a question about security or probably best practices when it comes to VLANs with WIFI:
I guess setting all access ports to "admit-only-untagged-and-priority-tagged" is clearer, but is there an actual impact on network security here, or are those just two ways to do the same thing?
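For the pvid/untagged debate earlier in the thread and this admit-only-untagged question, here is an added Python model of how a RouterOS bridge evaluates its VLAN table; it is constructed for this thread, not RouterOS code or anything any poster wrote, and the port names and VLAN IDs follow the Router-Switch-AP config quoted above (assumed: ingress-filtering=yes on every port, as that config sets). It shows why a static untagged entry is redundant next to the pvid, what goes wrong when the two disagree, and that frame-types on an access port is a second gate beside ingress-filtering rather than the same thing.

```python
from dataclasses import dataclass, field

PRIORITY_TAG_VID = 0  # 802.1Q tag with VID 0 carries only a priority; treated like untagged
ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:                      # one /interface bridge port entry
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False  # RouterOS 6.x default; the thread's config sets yes on every port


@dataclass
class BridgeVlanTable:           # the /interface bridge vlan table plus the ports it refers to
    ports: dict                                   # port name -> Port
    tagged: dict = field(default_factory=dict)    # vid -> tagged members ("bridge1" = the CPU port)
    untagged: dict = field(default_factory=dict)  # vid -> statically configured untagged members

    def add_vlan(self, vid, tagged=(), untagged=()):
        self.tagged[vid], self.untagged[vid] = set(tagged), set(untagged)

    def untagged_members(self, vid):
        # Static entries plus the dynamic one RouterOS derives from each port's pvid (this is
        # why the thread calls a static "untagged=" entry redundant for a plain access port).
        return self.untagged.get(vid, set()) | {p.name for p in self.ports.values() if p.pvid == vid}

    def members(self, vid):
        return self.tagged.get(vid, set()) | self.untagged_members(vid)

    def ingress(self, port_name, vid=None):
        """Fate of a frame arriving on port_name (vid=None: untagged) -> (accepted, vlan, reason)."""
        p = self.ports[port_name]
        is_tagged = vid is not None and vid != PRIORITY_TAG_VID
        if is_tagged and p.frame_types == ADMIT_UNTAGGED:
            return False, None, "frame-types rejects tagged frame"
        if not is_tagged and p.frame_types == ADMIT_TAGGED:
            return False, None, "frame-types rejects untagged frame"
        vlan = vid if is_tagged else p.pvid           # untagged/priority-tagged frames take the pvid
        if p.ingress_filtering and port_name not in self.members(vlan):
            return False, None, f"ingress-filtering: {port_name} is not a member of VLAN {vlan}"
        return True, vlan, "accepted"

    def egress(self, vlan):
        """Membership view of egress for a frame in `vlan`: port -> 'tagged' | 'untagged'.
        (A real bridge never floods a frame back out of the port it arrived on.)"""
        out = {name: "tagged" for name in self.tagged.get(vlan, set())}
        out.update({name: "untagged" for name in self.untagged_members(vlan)})
        return out

    def lint(self):
        """The two misconfigurations the thread warns about: a port that is untagged in more
        than one VLAN, and a static untagged entry that disagrees with the port's pvid."""
        findings, untagged_in = [], {}
        for vid in set(self.tagged) | set(self.untagged):
            for name in self.untagged_members(vid):
                untagged_in.setdefault(name, set()).add(vid)
        for name, vids in sorted(untagged_in.items()):
            if len(vids) > 1 and name in self.ports:
                findings.append(f"{name} egresses untagged for VLANs {sorted(vids)}: receivers cannot tell them apart")
        for vid, names in sorted(self.untagged.items()):
            for name in sorted(names):
                if name in self.ports and self.ports[name].pvid != vid:
                    findings.append(f"{name} is static untagged in VLAN {vid} but has pvid={self.ports[name].pvid}")
        return findings


def all_in_one(ether3_pvid=10, ether3_frame_types=ADMIT_UNTAGGED, ether3_filtering=True):
    """Constructed from the thread's Router-Switch-AP config: 10=Guest, 20=IoT, 99=BASE.
    ether1 is the hybrid trunk (99 untagged), ether3/ether4 Guest access, ether2 BASE access."""
    ports = {
        "ether1": Port("ether1", pvid=99, frame_types=ADMIT_ALL, ingress_filtering=True),
        "ether2": Port("ether2", pvid=99, frame_types=ADMIT_UNTAGGED, ingress_filtering=True),
        "ether3": Port("ether3", ether3_pvid, ether3_frame_types, ether3_filtering),
        "ether4": Port("ether4", pvid=10, frame_types=ADMIT_UNTAGGED, ingress_filtering=True),
    }
    table = BridgeVlanTable(ports)
    table.add_vlan(10, tagged={"bridge1", "ether1"}, untagged={"ether3", "ether4"})
    table.add_vlan(20, tagged={"bridge1", "ether1"})
    table.add_vlan(99, tagged={"bridge1"}, untagged={"ether1", "ether2"})
    return table


def tagged_mgmt_frame_on_access_port(frame_types, ingress_filtering):
    """A frame tagged with the management VLAN (99) arriving on Guest access port ether3."""
    t = all_in_one(ether3_frame_types=frame_types, ether3_filtering=ingress_filtering)
    return t.ingress("ether3", 99)


if __name__ == "__main__":
    t = all_in_one()
    print(t.ingress("ether3"), t.egress(10))
    for ft, filt in ((ADMIT_UNTAGGED, True), (ADMIT_ALL, True), (ADMIT_ALL, False)):
        print(ft, filt, "->", tagged_mgmt_frame_on_access_port(ft, filt))
    print(all_in_one(ether3_pvid=20).lint())  # ether3 moved to IoT, static untagged entry left behind
```

The third scenario in the loop is the one that answers the question: with admit-all and ingress-filtering=yes the tagged frame is still dropped because ether3 is not a member of VLAN 99, but with ingress-filtering=no (the RouterOS 6.x default) it is accepted into the management VLAN, so frame-types is worth setting as an independent second check.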
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=10]
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=20]
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=30]
/interface/bridge/vlan
:put [find vlan-ids=10]
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=10
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=20
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
###############################################################################
# Topic: Using RouterOS to VLAN your network
# Example: Switch with a separate router (RoaS)
# Web: https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS: 6.43.12
# Date: Mar 28, 2019
# Notes: Start with a reset (/system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=flash/router.rsc)
# Thanks: mkx, sindy
###############################################################################
:delay 30s
#######################################
# Housekeeping
#######################################
# name the device being configured
/system identity set name="MainRouterSwitch"
/system clock set time-zone-name=Asia/Jerusalem
#######################################
# VLAN Overview
#######################################
# 60 = GUEST (GREEN)
# 70 = RED
# 80 = BLUE
# 99 = BASE (MGMT) VLAN
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# WIFI Setup
#
#######################################
# BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless set [ find default-name=wlan1 ] ssid=Home frequency=auto mode=ap-bridge disabled=no distance=indoors band=2ghz-b/g/n channel-width=20/40mhz-XX wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] ssid=Home frequency=auto mode=ap-bridge disabled=no distance=indoors band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX wireless-protocol=802.11
# GUEST SSID
/interface wireless security-profiles add name=HomeGuest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless add name=wlan3 ssid=HomeGuest master-interface=wlan1 security-profile=HomeGuest disabled=no
/interface wireless add name=wlan4 ssid=HomeGuest master-interface=wlan2 security-profile=HomeGuest disabled=no
# RED SSID
/interface wireless security-profiles add name=HomeUntrusted authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless add name=wlan5 ssid=HomeUntrusted master-interface=wlan1 security-profile=HomeUntrusted disabled=no
/interface wireless add name=wlan6 ssid=HomeUntrusted master-interface=wlan2 security-profile=HomeUntrusted disabled=no
# BLUE SSID
/interface wireless security-profiles add name=HomeSafe authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless add name=wlan7 ssid=HomeSafe hide-ssid=yes master-interface=wlan1 security-profile=HomeSafe disabled=no
/interface wireless add name=wlan8 ssid=HomeSafe hide-ssid=yes master-interface=wlan2 security-profile=HomeSafe disabled=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
/interface bridge port
# BASE VLAN
add bridge=BR1 interface=wlan1 pvid=99
add bridge=BR1 interface=wlan2 pvid=99
# GUEST
add bridge=BR1 interface=wlan3 pvid=60
add bridge=BR1 interface=wlan4 pvid=60
# RED
add bridge=BR1 interface=wlan5 pvid=70
add bridge=BR1 interface=wlan6 pvid=70
# BLUE
add bridge=BR1 interface=wlan7 pvid=80
add bridge=BR1 interface=wlan8 pvid=80
# egress behavior, handled automatically
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
# egress behavior
/interface bridge vlan
# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=60
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=70
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=80
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN
# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="1.1.1.1,1.0.0.1"
# PPPoE used instead of the config below
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=... use-peer-dns=no user=...
# WAN facing port with IP Address provided by ISP
# /ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
# router's gateway provided by ISP
# /ip route add distance=1 gateway=b.b.b.b
#######################################
# IP Services
#######################################
# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=60
/ip address add interface=GUEST_VLAN address=10.0.60.1/24
/ip pool add name=GUEST_POOL ranges=10.0.60.2-10.0.60.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.0.60.0/24 dns-server=192.168.0.1 gateway=10.0.60.1
# RED VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=70
/ip address add interface=RED_VLAN address=10.0.70.1/24
/ip pool add name=RED_POOL ranges=10.0.70.2-10.0.70.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.0.70.0/24 dns-server=192.168.0.1 gateway=10.0.70.1
# BLUE VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=80
/ip address add interface=BLUE_VLAN address=10.0.80.1/24
/ip pool add name=BLUE_POOL ranges=10.0.80.2-10.0.80.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.80.0/24 dns-server=192.168.0.1 gateway=10.0.80.1
/ip dhcp-server lease add address=10.0.80.2 mac-address=... server=BLUE_DHCP
# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=RED
/interface list add name=BLUE
/interface list add name=BASE
/interface list member
# WAN/internet (was ether1, but ISP uses pppoe)
add interface=pppoe-out1 list=WAN
# Access internet, RED from each other
add interface=BASE_VLAN list=RED
add interface=GUEST_VLAN list=RED
add interface=RED_VLAN list=RED
# BLUE is REDd and has no internet access
add interface=BLUE_VLAN list=BLUE
# Base can access everything
add interface=BASE_VLAN list=BASE
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to access router services like DNS, Winbox.
add chain=input action=accept in-interface-list=RED comment="Allow VLAN"
# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"
# Allow server to access router services like DNS, Winbox.
add chain=input action=accept src-address=10.0.80.2 src-mac-address=... comment="Allow Server"
# Allow router services for BLUE
add chain=input action=accept in-interface-list=BLUE comment="Allow VLAN"
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow RED VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=RED out-interface-list=WAN comment="VLAN Internet Access only"
# Allow BASE VLAN to access everything
add chain=forward action=accept connection-state=new in-interface=BASE_VLAN comment="BASE VLAN all access"
# Allow server to access the Internet only, NOT other VLANs
add chain=forward action=accept connection-state=new src-address=10.0.80.2 src-mac-address=... out-interface-list=WAN comment="Allow Server"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
#######################################
# VLAN Security
#######################################
# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
###############################################################################
# Topic: Using RouterOS to VLAN your network
# Example: Switch with a separate router (RoaS)
# Web: https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS: 6.43.13
# Date: April 15, 2021
# Notes: Start with a reset (/system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=flash/switch.rsc)
# Thanks: mkx, sindy
###############################################################################
:delay 30s
#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="CameraSwitch"
/system clock set time-zone-name=Asia/Jerusalem
#######################################
# VLAN Overview
#######################################
# 80 = BLUE
# 99 = BASE (MGMT) VLAN
# Other VLANS, not used here, may be defined elsewhere
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
/interface bridge port
# BLUE VLAN
add bridge=BR1 interface=ether2 pvid=80
add bridge=BR1 interface=ether3 pvid=80
add bridge=BR1 interface=ether4 pvid=80
add bridge=BR1 interface=ether5 pvid=80
add bridge=BR1 interface=ether6 pvid=80
add bridge=BR1 interface=ether7 pvid=80
add bridge=BR1 interface=ether8 pvid=80
# egress behavior, handled automatically
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1
add bridge=BR1 interface=sfp9
add bridge=BR1 interface=sfp10
add bridge=BR1 interface=sfp11
add bridge=BR1 interface=sfp12
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1,sfp9,sfp10,sfp11,sfp12 [find vlan-ids=80]
add bridge=BR1 tagged=BR1,ether1,sfp9,sfp10,sfp11,sfp12 vlan-ids=99
#######################################
# IP Addressing & Routing
#######################################
# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN
# The Router's IP this switch will use
/ip route add distance=1 gateway=192.168.0.1
#######################################
# IP Services
#######################################
# We have a router that will handle this. Nothing to set here.
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]
# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp11]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp12]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
Good question, I was told more than once, but one easily forgets things when older.
Hi @pcunite! Thanks for this comprehensive guide. Really helped me a lot in order to understand VLANs and also to correctly configure my MT.
I have a question regarding VLAN security: There is also an ingress filtering/frame-type setting on the bridge itself, however it seems you did not configure this but only for the individual bridge ports. In my understanding the VLAN interface 99 for the router is bound to the bridge port (can you confirm?). If that is the case don't we also need to set ingress filtering/admit frame-types for the bridge, which seems to act as a trunk port (since we had to add the bridge as tagged member for VLAN99 for the router)?
PS: I really wish Mikrotik wouldn't have chosen the name bridge for the switch-like grouping of ports AND for the Layer 3 (CPU-Port) capabilities. It is very confusing. A different name in order to make things more clear would solve so many comprehension issues, especially for beginners.
Thank you all for your responses.
@iegg, please have a look at this post and tell me whether it helps remove some of that confusion.
I really wish Mikrotik wouldn't have chosen the name bridge for the switch-like grouping of ports AND for the Layer 3 (CPU-Port) capabilities. It is very confusing.
Hello!
So do you mean wired or actually weird
Thank you, no I actually mean weird (using "because" noun phrasing) because I find it confusing to have bridge access set this way at this point in the syntax. The stated reasons explain why, but I feel that port vs bridge (the bridge is a virtual switch or container for your ports) should be separate concepts. When setting up individual ports, why have this ungainly bridge thingy thrown in? Nevertheless, without understanding this, unexpected behavior is the result. So, we have to document it.
...
I think my config file comments should probably be rewritten to be more clear:
Because weird, we "also" add the Bridge itself as a tagged member! This is required to control which packets get access to the Bridge itself.
vlan-filtering=yes
I'd like to also ask this question. I have an RB5009 running ROSv7 and have seen in comments that maybe having the bridge set in RSTP or MSTP is better? I am a beginner, could someone please explain how this affects things in layman terms, and if in my hardware situation that might be the case to run it in RSTP or MSTP? Please let me know which is best. Happy to provide more info if required.
VLAN beginner here - why do you disable RSTP on BR1 in the ROAS example?
A couple of things to consider here. How many switches do you have in your topology, how many VLANs? Do you employ a topology that could possibly form a loop?
I'd like to also ask this question. I have an RB5009 running ROSv7 and have seen in comments that maybe having the bridge set in RSTP or MSTP is better?
In general, I recommend MSTP when a loop prevention protocol is needed because it is the most interoperable and scales much larger than RSTP.
I'd like to also ask this question. I have an RB5009 running ROSv7 and have seen in comments that maybe having the bridge set in RSTP or MSTP is better? I am a beginner, could someone please explain how this affects things in layman terms, and if in my hardware situation that might be the case to run it in RSTP or MSTP? Please let me know which is best. Happy to provide more info if required.
VLAN beginner here - why do you disable RSTP on BR1 in the ROAS example?
Thanks!
MSTP is a highly complex protocol with a lot of traps if you do not fully understand it. I'd say, avoid it if you can! RSTP is good and fast w/o the complexity of MSTP.
Not an engineer or IT trained but I like rules of thumb and I thought it was ---> use RSTP for MT devices, & use MSTP when using mixed devices???
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Blue VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
# Green VLAN
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=wlan2 pvid=20
# BASE_VLAN
add bridge=BR1 interface=wlan3 pvid=99
# egress behavior, handled automatically
# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
#######################################
#
# -- L3 Inter-VLAN switching ---
#
########################################
# L3 switching so Bridge must be a tagged member of any switched (routed) VLANs
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
# ingress behavior
/interface bridge port add bridge=BR1 interface=ether4 pvid=20
/interface bridge vlan set bridge=BR1 tagged=BR1 [find vlan-ids=20]
/export compact
/export verbose file config.txt
Question 2: Does this command actually do anything, and how can I tell? For simplicity, I am initially testing adding a single Access Port to the Bridge ("Green on ether4"), and then looking at what changed after each step (via /export). When I enter the following commands on the CLI, I am able to see the Bridge Port that was added. But I don't see anything related to the Bridge VLAN, even when looking at the output of /export verbose.
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=20] # <<< does not seem to do anything
add bridge=BR1 tagged=BR1 vlan-ids=20 # <<< this works!
So now I am also confused about the difference between these two options. Also, why do some examples only use "set bridge"
The answer is in the picture in post #2 above.
For router config in this context, all ports are considered trunk ports.
It is not meant to have a PC plugged in directly.
##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
An unfortunate limitation of RoS is that when the system receives a VLAN created by an add statement (I wish add would perform a set automatically) you must use a set later, and worse need to find it.
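The set-versus-add confusion in Question 2 comes down to one rule: `set` only changes an entry that already exists, and when `[find vlan-ids=20]` returns nothing, `set` has nothing to act on and fails silently. The script below is an added example, not code from the guide; it uses the names from the question (BR1, ether4, VLAN 20) and makes both steps idempotent, then prints the bridge's own view of membership, which also shows the point made later in the thread that a pvid port appears as a dynamic untagged member without an `untagged=` entry.

```routeros
# Added example: idempotent access port + bridge VLAN entry (names assumed).
:local br "BR1"
:local vid 20

# 1. The access port. pvid alone makes ether4 a dynamic untagged member of
#    VLAN 20 once vlan-filtering is on; no 'untagged=' entry is required.
:if ([:len [/interface bridge port find interface=ether4]] = 0) do={
    /interface bridge port add bridge=$br interface=ether4 pvid=$vid
} else={
    /interface bridge port set [/interface bridge port find interface=ether4] bridge=$br pvid=$vid
}

# 2. The bridge VLAN entry. 'add' when absent, 'set' when present. Note that
#    'set tagged=' replaces the whole tagged list, so list every member that
#    must stay tagged (trunk ports included) when you use it on a real entry.
:local entry [/interface bridge vlan find bridge=$br vlan-ids=$vid]
:if ([:len $entry] = 0) do={
    /interface bridge vlan add bridge=$br tagged=$br vlan-ids=$vid
} else={
    /interface bridge vlan set $entry tagged=$br
}

# 3. Check what the bridge actually uses: the CURRENT-TAGGED and
#    CURRENT-UNTAGGED columns include dynamic members derived from pvid,
#    which is why ether4 shows up here without ever being named in step 2.
/interface bridge vlan print where bridge=$br vlan-ids=$vid
```

Run it twice: the second run takes the `set` branches and leaves the configuration unchanged, which is the behaviour the bare `set ... [find vlan-ids=20]` line in the question could not provide on a fresh device.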
Am I right to think that this will not work with a CSS3xx switch running SwOS? Would I need a separate LAN interface for each VLAN trunk to the switch?
More practical reasons: one config mistake, and your layer 2 Winbox options to access the router become harder. And I'm for simplicity; fewer config changes from defaults is better: there shouldn't be untagged packets if you follow @pcunite, & if there were, you'd want to troubleshoot why.
Your theories only hurt us practical guys LOL
As @anav said, please open a new topic. And read @anav's New User Posting For Assistance for good guidelines about "Creating The Perfect Post To Get Assistance!"
The RB4011 is successfully running 3 VLANs, getting the proper IP address and network. The HAP AC connects with 1 VLAN (the base). When I try to connect to one of the other WAPs on the other VLANs it does not get an IP address from the router. Using Winbox I can ping the different VLAN addresses on the RB4011 from the HAP AC.
What else can I do to find out why I am not getting an IP address?
One question: is there any change in behavior when using these configs on RouterOS 7.x?
While "ingress-filtering=yes" may be the default in some v7 releases, one never knows when defaults change, & =yes is required to create an access port. That is why it is still good to be explicit about showing it in the examples. There is no harm in setting a default value to the same thing via config file.
This option has been changed to 'on' by default since RouterOS 7.x
One thing I did not know and it's not clearly written in this thread: if you set a pvid in /interface bridge port, you do not need to set the same port to untagged in /interface bridge vlan. It will show up automatically as a current untagged VLAN member.
In your examples, you have a static IP assigned to the switch, but in your router config, you have a base_vlan DHCP server. But nowhere can I see where the network knows that the link between port 5 on the router and port 8 on the switch should assign that link to the base VLAN (in your case, 99). Is it as simple as setting up a DHCP client on the VLAN interface on the switch and it'll pick an address up from the base_vlan DHCP server?
/ip firewall filter add action=accept chain=input protocol=icmp
@pcunite, any reason you don't include allowing ICMP in firewall filter used in the examples? Without it, it breaks PMTUD for flows with a <1500 MTU
@anav, if your cause célèbre is Cloudflare... mine is preventing folks breaking PMTUD by blocking ping.
AMMMO its a vlan setup...........if you need fw advice ;-P , then go here --> viewtopic.php?t=180838
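The guide's own input chain accepts everything from the VLAN interface lists and comments that it "SHOULD" be made more granular, and the exchange above adds that ICMP must not be dropped if path MTU discovery is to work. The block below is an added example, not the guide's configuration, of what a tighter input chain for the router example looks like. It assumes the interface lists the router example defines (WAN, RED, BLUE, BASE), that the router is also the DNS cache and DHCP server for those VLANs, and the standard service ports (DNS 53, DHCP 67, Winbox 8291).

```routeros
# Added example: granular INPUT chain for the RoaS router (lists assumed to
# exist as in the guide's router example). First match wins, so order matters.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="Allow Estab & Related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"

# ICMP carries fragmentation-needed messages for PMTUD and plain reachability.
# Dropping it silently breaks flows whose path MTU is below 1500.
add chain=input action=accept protocol=icmp comment="Allow ICMP (PMTUD, ping)"

# Non-management VLANs may use the router only as DHCP and DNS server.
# DHCP is easy to forget: without this rule clients on these VLANs get no lease.
add chain=input action=accept in-interface-list=RED protocol=udp dst-port=67 comment="RED: DHCP"
add chain=input action=accept in-interface-list=RED protocol=udp dst-port=53 comment="RED: DNS"
add chain=input action=accept in-interface-list=RED protocol=tcp dst-port=53 comment="RED: DNS"
add chain=input action=accept in-interface-list=BLUE protocol=udp dst-port=67 comment="BLUE: DHCP"
add chain=input action=accept in-interface-list=BLUE protocol=udp dst-port=53 comment="BLUE: DNS"
add chain=input action=accept in-interface-list=BLUE protocol=tcp dst-port=53 comment="BLUE: DNS"

# Only the management VLAN reaches Winbox and the rest of the router.
add chain=input action=accept in-interface-list=BASE protocol=tcp dst-port=8291 comment="BASE: Winbox"
add chain=input action=accept in-interface-list=BASE comment="BASE: full access"

# Everything else, WAN included, is dropped.
add chain=input action=drop comment="Drop"
```

The explicit Winbox rule for BASE is redundant next to the "full access" rule that follows it; it is there so that the full-access rule can later be removed and BASE left with only the services it needs, without losing management access in the process.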
# 2023-10-17 13:05:18 by RouterOS 7.11.2
# software id = ############
#
# model = RB951Ui-2HnD
# serial number = ###############
#######################################################
# wireless is unimportant now
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
#######################################################
/interface bridge
add name=BR1 protocol-mode=none
/interface bridge port
add bridge=BR1 interface=ether2 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/ip dhcp-client
add interface=ether1
/ip address
add address=192.168.16.1/24 disabled=yes interface=BR1 network=192.168.16.0
add address=192.168.17.1/24 interface=BASE_VLAN network=192.168.17.0
/ip pool
add name=pool_BR1 ranges=192.168.16.2-192.168.16.254
add name=pool_BASE_VLAN ranges=192.168.17.2-192.168.17.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dhcp-server
add add-arp=yes address-pool=pool_BR1 disabled=yes interface=BR1 name=dhcp_BR1
add add-arp=yes address-pool=pool_BASE_VLAN interface=BASE_VLAN name=dhcp_BASE_VLAN
/ip dhcp-server network
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
add address=192.168.17.0/24 dns-server=192.168.17.1 gateway=192.168.17.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=#########
/system note
set show-at-login=no
I have decided this paragraph is TOO WEAK!!
Native, Base, & MGMT (management) VLAN
Fix this section as you will, but for example: you confuse native and Base from the get-go. The native VLAN on any equipment I've worked on is VLAN 1, so keep it that way.
I was specifically asking about VLANs not under CAPsMAN - there's a CAPsMAN example here: https://help.mikrotik.com/docs/display/ ... ionexample:
The article is meant for VLANs primarily and is not intended for VLANs under CAPsMAN.
Planned move to apartment.
Is this a planned exciting move, or a not so glad eviction notice?
You can email the PDF to your Kindle:
this is really great. can anyone convert it to an .epub format so I can take it all in slowly on my kindle?
Fair enough. Those are critical steps.
Better to put it in the main text and explain why OFF for start and ON at the end!!
Sounds like you have discovered the infinite loop
Adding:
if such a user has Safe Mode active and then the bridge burps kicking each connection out ... he's back at where he started.
Or Winbox with MAC.
Equally safe.
I stand corrected. Just tested it again on mAP. Effectively kicked out the moment I flipped the VLAN switch.
Is not. When doing VLANs and bridge (and ethernet switch chip on devices where this still exists), one messes with ethernet config. And MAC Winbox relies on a working ethernet setup (it does bypass L3 f*kups though). Been there, done that, learned a lesson.
Yes, very dangerous command.
Effectively kicked out the moment I flipped the VLAN switch.
Fingerprints, expulsion, LOL. Oh you mean not at school but when they go home!!
Another thing in my ROS devices which are fairly hard locked (students on holiday press reset and do power off/on sequences as they learned this somewhere as universal problem solving) is using a mode and reset button sequence to activate some script that will open the door for management access (including removing Protected Router Boot Mode)