 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Fri Oct 22, 2021 5:00 pm

Hello together,

I am currently trying to replace a Fritzbox with a RB4011iGS+RM. I have managed the first hurdles so far (update, PPPoE client, etc.). Unfortunately, I've been stuck with the configuration of the VLANs for a while now. The goal should be to provide two networks:

1. network: internal 192.168.1.1/24
2. network: guests 192.168.2.1/24, VLAN 200

The assignment of the networks should be done for ethernet at the router/switch and for Wlan via different SSIDs. The access points are already configured so that SSID1=network 1, SSID2=network 2 is assigned. Attached is the current configuration of the router and a graphic for a better idea.

The questions that arise are: How do I set up the router accordingly? VLAN trunk with different VLANs or only one VLAN for the guest network? How do I flexibly assign the ethernet ports on the router (internal/guest)?

Another challenge for me is the integration of the VoIp phone (AVM FritzFon). Agreed: I will not miss the rest from the mother-in-law ;). The idea is to use a Fritzbox only as a DECT<->Ethernet "converter". Whereby this is actually too wasteful for me energetically. Unfortunately I have no other idea. In addition, I do not know how I would have to configure the router. According to the provider, VoIP should be done via VLAN 20, but how do I set this up?

Last points would be that the router receives only one IPv4 address from the provider. Do you have a tip for me?

Thank you and best regards

Stefan
network.png
b2_sensitive.rsc
Last edited by lenox89 on Wed Oct 27, 2021 12:43 pm, edited 5 times in total.
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Fri Oct 22, 2021 10:32 pm

To move forward I have now tried to configure the VLANs as far as possible. I think it has not become so totally wrong. Unfortunately, I now can no longer access the router via the internal LAN (ether2) using winbox. Using ports 4-8 (without VLAN) the access still works.

I would be very happy if someone could take a look at the configuration. I have updated the export and concretized the graphic.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Fri Oct 22, 2021 10:51 pm

Good evening,

This is your mistake:
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=100
add bridge=bridge tagged=ether3 vlan-ids=200

This should help:
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4 untagged=ether2 vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4 untagged=ether3 vlan-ids=200
Last edited by ConnyMercier on Fri Oct 22, 2021 11:37 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan Configuration - Knots in head

Fri Oct 22, 2021 11:35 pm

This is the bible on vlans,......
viewtopic.php?t=143620

You have fundamental errors in the config............
Ip addresses is a good place to start.....

another good info link
viewtopic.php?t=173692
 
runningsystemchanger
just joined
Posts: 7
Joined: Thu Oct 14, 2021 8:40 pm

Re: Vlan Configuration - Knots in head

Sat Oct 23, 2021 10:39 am

> Another challenge for me is the integration of the VoIp phone (AVM FritzFon). Agreed: I will not miss the rest from the mother-in-law ;). The idea is to use a Fritzbox only as a DECT<->Ethernet "converter". Whereby this is actually too wasteful for me energetically. Unfortunately I have no other idea.
Have a look at Gigaset GO Box 100 for a more minimalistic solution, both in terms of hardware and software. It's available for under 14€. There are also several other products around, search for voip dect base station.
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 12:10 am

First of all, thank you very much for your great support. I have now studied the linked posts and several tutorials (pascom brothers on youtube). The Vlan basics are so far clear, but I still fail to understand the implementation in RouterOS. I still don't get IP addresses from the DHCP servers if a PC is connected to ether2_internal or ether3_guests. I have not connected the switch and AP yet, as both are currently in use. Is the problem possibly with the configuration of the bridge? I have attached the current configuration here. It would be great if someone could help me on the hint, the WAF (woman acceptance factor) is unfortunately getting orange ;). Thanks also for the suggestion about VOIP DECT station.
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
    PPPoE_Out use-peer-dns=yes user=myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
    3d name=dhcp_intern relay=192.168.1.1
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=\
    3d name=dhcp_guests relay=192.168.2.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether2_intern \
    vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether3_guests \
    vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=vlan100_intern network=\
    192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=lisa.lan
add address=192.168.2.1 name=lisa.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.2.0/24
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=lisa
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
b4_sensitive.rsc
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 12:21 am

Good evening,

Your DHCP-Servers are not configured properly.
Deactivate the DHCP-Relay "Feature" and everything will work again!

/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=3d name=dhcp_intern relay=192.168.1.1
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=3d name=dhcp_guests relay=192.168.2.1
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 1:14 am

Good evening to you too!

Thank you very much for the advice. I have now set the address of the relay to 0.0.0.0 (switched off, according to the doc). Unfortunately, Winbox says that the DHCP server configuration is invalid, I do not know why. Previously the configuration was once valid.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 1:16 am

Press the "Up-Arrow" to deactivate
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 11:56 am

Thanks, I also tried this, also invalid configuration according to Winbox. Also adding the DHCP server again and setting it up manually (without DHCP Setup Wizard) gives the same result.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 2:04 pm

I imported your Config in my Router (RB4011iGS+RM with ROS 6.49 (Stable))
Found a small abnormality in your Export unrelated to the problem.

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add list=WAN

Nevertheless,
I am able to remove the DHCP-Relay without any problems
And when I connect to the Switch I get an IP-Address from the DHCP-Server on the Router.


I don't understand why it isn't working on your side !
Maybe another Forum-Member can help
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 10:17 pm

Wow, that's super kind of you to make the effort. Thank you very much for that!

I just put in the above configuration again, like so:
/system reset-configuration no-defaults=yes
<Setting Admin PW>
/import b4.rsc 

Infos:
RouterOS 6.49 (stable)
software id = MVBS-WA5G
model = RB4011iGS+
Unfortunately, I am still not getting an IP address on the client (laptop without VLAN configuration). The DHCP server is still shown as invalid. Changing all parameters of the DHCP server even the address pools does not change this. Very interesting behavior.
dhcp_server.png
dhcp_server_details.png
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 10:22 pm

Do you see something in the LOG ?
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 10:57 pm

Nope, but I found the reason: There was no IP-address set (IP->Addresses). Now the configuration of the DHCP-server is valid. You did not have this problem?

Unfortunately, I still do not get an IP address, so I started wireshark. There is probably a DHCP server active, but the address assignment fails (NAK). I still need to understand why. If you are interested: https://apackets.com/api/v1/pcaps/publi ... hcp.pcapng.
wireshark.png
https://apackets.com/pcaps?pcap=d1ddf08 ... ew=devices
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Sun Oct 24, 2021 11:45 pm

For some reason the DHCP-client of my laptop (ubuntu) was requesting an IP-address from the previous configuration (192.168.88.1) after the finished DHCP negotiation. I solved this by renewing the client's DHCP IP address with the command "sudo dhclient". Now I get correct IP-addresses in both LANs (intern/guest) and I am able to ping the router only in the intern LAN.

So next steps will be to configure the switch and the access points. If the VLANs are working, this should actually be done quickly. Regardless, I owe you a beer or two ;).
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Mon Oct 25, 2021 12:07 am

Finally!!!

I was going crazy.... trying to understand why it wasn't working :lol:

If you are ever in the Bundesland of Mercedes, Porsche and Kärcher
I'll gladly accept the offer!
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Mon Oct 25, 2021 6:40 pm

Today I wanted to prepare the configuration so far that the router can be connected to the Internet. Here I have oriented myself to the following article (most suggestions I have taken over, but not all).
https://help.mikrotik.com/docs/display/ ... figuration

The internet connection from the router works, I can ping with name resolution from the router. Unfortunately, I cannot ping the router itself from either ether1_internal or ether2_guests. The IP configuration and route on the client is set correctly. In the connections tab of the firewall the connection is also shown, yet I get at the client: ping: sendmsg: Network is unreachable.

I'm unfortunately more so based in the Cologne area, there you can score with beer unfortunately comparatively less. But I can certainly think of something, but come over with a postal address.
ping_ether2_intern_router.png
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
    PPPoE_Out use-peer-dns=yes user=nc-myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern name=\
    dhcp_intern
add address-pool=dhcp_guests disabled=no interface=vlan200_guests name=\
    dhcp_guests
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether2_intern \
    vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether3_guests \
    vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/ip address
add address=192.168.1.1 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1 interface=vlan200_guests network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=lan gateway=\
    192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=guests gateway=\
    192.168.2.1 ntp-server=192.168.2.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1_WAN \
    protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1_WAN
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Mon Oct 25, 2021 7:47 pm

DNS is missing,
/ip dns
set allow-remote-requests=yes
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan Configuration - Knots in head

Mon Oct 25, 2021 9:48 pm

Also suggest that you adjust setup so. I cannot remember the reason offhand though, sigh getting old.
/interface list member
add comment=defconf interface=bridge list=LAN (optional in this case - only necessary when bridge is also handling dhcp etc......I think?)
add interface=vlan100_intern list=LAN
add interface=vlan200_guests list=LAN

add comment=defconf interface=ether1_WAN list=WAN
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Tue Oct 26, 2021 1:00 pm

Thanks for the tips, I have adopted the configuration accordingly. Unfortunately, I still cannot reach the router via IP address (e.g. via Winbox IP / ICMP ping). WinBox MAC on the other hand works. In the firewall of the router the connection is still shown. I suspect a problem with the vlan configuration or the firewall, but have not been able to find it yet. Attached is the current configuration and also the terminal output from the client on ether2_internal. Any ideas?
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
    PPPoE_Out use-peer-dns=yes user=nc-myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
    3d name=dhcp_intern
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=\
    3d name=dhcp_guests
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether2_intern \
    vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP untagged=ether3_guests \
    vlan-ids=200
/interface list member
add comment=defconf interface=ether1_WAN list=WAN
add interface=vlan100_intern list=LAN
add interface=vlan200_guests list=LAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1 interface=vlan200_guests network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=lan gateway=\
    192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=guests gateway=\
    192.168.2.1 ntp-server=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1_WAN \
    protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1_WAN
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
client:~$ ifconfig enp0s31f6
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.148  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::cc8b:d84b:12e8:fe0f  prefixlen 64  scopeid 0x20<link>
        ether e8:6a:64:e7:ad:77  txqueuelen 1000  (Ethernet)
        RX packets 288070  bytes 279155714 (279.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 227385  bytes 19457310 (19.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xec200000-ec220000  


client:~$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    20100  0        0 enp0s31f6
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s31f6
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s31f6


client:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) Bytes Daten.
^Z
[3]+  Angehalten              ping 192.168.1.1

 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan Configuration - Knots in head

Tue Oct 26, 2021 4:27 pm

(1) Add this.....
/interface list member
add comment=defconf interface=ether1_WAN list=WAN
add interface=PPPoE_Out list=WAN
add interface=vlan100_intern list=LAN
add interface=vlan200_guests list=LAN
add interface=bridge list=LAN

(2) Change this from
add action=accept chain=input comment="allow ICMP" in-interface=ether1_WAN \
protocol=icmp
TO
add action=accept chain=input comment="allow ICMP" protocol=icmp


If for some strange reason you want to block LAN to Router Ping, no reason to really it would be
add action=accept chain=input comment="allow ICMP" protocol=icmp in-interface-list=WAN

(3) Modify this to look like
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(4) Modify this to look like
add action=drop chain=forward comment=\
"drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

(5) Set this to none. MAC in the clear is not really going to be used and is not secure.
/tool mac-server
set allowed-interface-list=none

(6) Not an error but something I would change is your drop all rule, why are you not dropping all Traffic including LAN to router, and not just WAN to router.
There is no need for LAN users to have full access to the router.
It should be drop all period.
But to do this USE CAUTION. You must make an allow rule for admin access FIRST!! otherwise you will lock yourself out of the router.
You must also allow DNS traffic for udp/tcp for LAN users, in-interface-list=LAN.

(7) Suggestion: To provide you with access to the router via ether10 in case the bridge ever burps on you. Just plug in a laptop, give your laptop an IP of 192.168.45.3 or .5 etc......... and you will be able to access the router for configuration from winbox on the laptop. After setting it up be sure to test it.

a. Change name of ether10 TO ether10-emerg
b. Remove ether10 from the bridge
c. give ether10-emerg an IP address, lets say 192.168.45.2
d. add ether10-emerg to the LAN Interface as a member
e. add ether10-emerg to an allow to router list (if changing input chain rules to only the admin with full access)

(8) What is interesting and not related to issues is that you have NTP servers identified on your DHCP Network settings.
I do not believe they are necessary or accurate.
If you have the NTP package on the router, then under System/ NTP Client you add the servers your router will use for source (as a client).
Under NTP Server all you need to do is select the check boxes of "ENABLED" and "MANYCAST"

Then in firewall rules you have to ensure that LAN users have access to the NTP Server that the router is running, which should look like this.........if you have changed from default and have a drop all else rule as the last rule in the input chain:
add action=accept chain=input comment="Allow NTP service" connection-state=new dst-port=123 in-interface-list=LAN \
protocol=udp
src-address-list=NTPserver

The source address list I use to narrow down access and identify only those devices that require NTP (AP or switch or Server etc........)

That's it, there is no requirement to add NTP servers to DHCP networks from my experience.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Vlan Configuration - Knots in head

Wed Oct 27, 2021 2:04 am

@anav, I am sorry I didn't see your post before posting my answer!
I imported the Config on my RB4001 and saw the /32 addresses.
After that PING will work!

Good morning,

You still have a small Error in your "/IP Address" configuration.

This is the proper way to allocate your IP-Addresses:
/ip address
add address=192.168.1.1/24 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
After making the changes, PING will Work !
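As an added example (not code from this thread or from MikroTik), here is a small Python lint that reads the text of a RouterOS export and flags the four mistakes corrected above and in ConnyMercier's earlier replies: a bridge port listed as tagged for its own pvid instead of untagged, a VLAN interface on the bridge without the bridge as a tagged member, a DHCP server with relay= set, and an /ip address without a prefix length (stored as /32). The sample exports inside it are constructed to mirror the posted configs; they are not the attached files.

```python
"""Lint a RouterOS '/export' for the bridge-VLAN and IP mistakes seen in this thread.
Hypothetical checker, not a MikroTik tool; single VLAN IDs only (no 'vlan-ids=100-110'
ranges), which is all this thread uses."""
import re
from typing import Dict, List, Set

Rows = List[Dict[str, str]]


def parse_export(text: str) -> Dict[str, Rows]:
    """Group each 'add'/'set' line under its '/section' header as a key=value dict."""
    joined = re.sub(r"\\\n\s*", "", text)  # undo RouterOS backslash line wrapping
    sections: Dict[str, Rows] = {}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:  # values are bare tokens or double-quoted strings
            sections[current].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections


def _members(rows: Rows, field: str) -> Dict[str, Set[str]]:
    """Map vlan-id -> ports listed under `field` ('tagged' or 'untagged')."""
    out: Dict[str, Set[str]] = {}
    for row in rows:
        ports = {p for p in row.get(field, "").split(",") if p}
        for vid in row.get("vlan-ids", "").split(","):
            out.setdefault(vid, set()).update(ports)
    return out


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the export passed."""
    cfg = parse_export(text)
    findings: List[str] = []
    # 1. No prefix length -> stored as /32 -> no connected route into the LAN subnet.
    for e in cfg.get("/ip address", []):
        addr = e.get("address", "")
        if "/" not in addr:
            findings.append(f"/ip address {addr} on {e.get('interface')} has no prefix length (stored as /32)")
    # 2. relay= makes the server answer only requests forwarded by that relay; a directly
    #    attached VLAN needs it unset (or 0.0.0.0).
    for e in cfg.get("/ip dhcp-server", []):
        relay = e.get("relay")
        if relay and relay != "0.0.0.0":
            findings.append(f"dhcp-server {e.get('name')} has relay={relay} set")
    rows = cfg.get("/interface bridge vlan", [])
    tagged, untagged = _members(rows, "tagged"), _members(rows, "untagged")
    # 3. An access port (pvid=X) must be an untagged member of X, not a tagged one;
    #    with vlan-filtering=yes an untagged laptop behind a tagged-only port is cut off.
    for p in cfg.get("/interface bridge port", []):
        port, pvid = p.get("interface"), p.get("pvid")
        if not pvid:
            continue
        if port in tagged.get(pvid, set()):
            findings.append(f"{port} has pvid={pvid} but is listed as tagged for VLAN {pvid}")
        elif port not in untagged.get(pvid, set()):
            findings.append(f"{port} has pvid={pvid} but no untagged entry for VLAN {pvid}")
    # 4. A routed VLAN interface on the bridge needs the bridge (CPU port) as a tagged
    #    member, or the router's own address in that VLAN cannot be reached.
    for v in cfg.get("/interface vlan", []):
        vid = v.get("vlan-id")
        if v.get("interface") == "bridge" and "bridge" not in tagged.get(vid, set()):
            findings.append(f"{v.get('name')} (VLAN {vid}) is on the bridge, but the bridge is not tagged for it")
    return findings


# Constructed sample modelled on the broken export in this thread (not the poster's
# file): tagged= where untagged= belongs, a DHCP relay, and a /32 address.
BROKEN_EXPORT = r"""
/interface vlan
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
    3d name=dhcp_intern relay=192.168.1.1
/interface bridge port
add bridge=bridge interface=ether2_intern pvid=100
add bridge=bridge interface=ether3_guests pvid=200
add bridge=bridge interface=ether4_AP
/interface bridge vlan
add bridge=bridge tagged=ether2_intern vlan-ids=100
add bridge=bridge tagged=bridge,ether4_AP untagged=ether3_guests vlan-ids=200
/ip address
add address=192.168.1.1 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
"""

# The same network after the corrections given in the thread.
FIXED_EXPORT = BROKEN_EXPORT.replace(" relay=192.168.1.1", "").replace(
    "address=192.168.1.1 interface", "address=192.168.1.1/24 interface").replace(
    "tagged=ether2_intern vlan-ids=100", "tagged=bridge,ether4_AP untagged=ether2_intern vlan-ids=100")

if __name__ == "__main__":
    for finding in lint(BROKEN_EXPORT):
        print("BROKEN:", finding)
    print("FIXED:", lint(FIXED_EXPORT) or "no findings")
```

Run it against the output of `/export` on the router (saved to a file) to get the same four classes of finding for a real config; everything else in the export is parsed but ignored.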
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan Configuration - Knots in head

Wed Oct 27, 2021 3:45 am

Good pickup I glossed over that part of the config.
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: Vlan Configuration - Knots in head

Wed Oct 27, 2021 10:32 am

Good morning everyone.

@Anav:
1,2,3,4,5: I have adopted these changes in full. Thank you very much!

6: It's currently not implemented, as the deployment is in the home. I hope for less effort with the administration of the firewall. I would probably do this differently in the company. I think this is acceptable?

7: Implemented and tested. Thanks for sharing this idea!

8: Oh, I didn't know that. Yes exactly, I just want to "provide" a trustful NTP time to the clients. Now it should be implemented, testing is pending.

@ConnyMercier
I found the error with the /24 on the IP address yesterday as well, was going to post this and then saw Anav's long post :). Sorry, I thought I would include this just now, but it dragged on a bit. Now everything should be fixed and ping is also working fine.

Outstanding are now two more points:
1) Integration of a Voip Dect station. To do this, I added ether5 to the provider's VOIP vlan. The provider specifies DHCP, so I guess I still have to set up a DHCP client on the Fritzbox. How does it look here actually with the firewall? We added the PPPoE to the WAN list, but the PPPoE client works in vlan 10 and voip is done over vlan 20. Does the firewall interfere at this point? Here is the mentioned location:
/interface list member
add comment=defconf interface=PPPoE_Out list=WAN

2) Currently I do not receive an IPv6 WAN address. In the future I would like to be reachable from outside via VPN. But I think this is beyond the scope of this post and is a separate topic.

The current state of the configuration is attached again. I have also adapted the overview image in the first post.
/interface bridge
add admin-mac=2C:C8:1B:B1:3A:82 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_intern
set [ find default-name=ether3 ] name=ether3_guests
set [ find default-name=ether4 ] name=ether4_AP
set [ find default-name=ether5 ] name=ether5_VOIP
set [ find default-name=ether10 ] name=ether10_emerg
/interface vlan
add interface=ether1_WAN name=vlan10_netcologne_data vlan-id=10
add interface=ether1_WAN name=vlan20_netcologne_voip vlan-id=20
add interface=bridge name=vlan100_intern vlan-id=100
add interface=bridge name=vlan200_guests vlan-id=200
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10_netcologne_data name=\
    PPPoE_Out use-peer-dns=yes user=nc-myusername@autoprov.netcologne.de
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_intern ranges=192.168.1.100-192.168.1.200
add name=dhcp_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_intern disabled=no interface=vlan100_intern lease-time=\
    3d name=dhcp_intern
add address-pool=dhcp_guests disabled=no interface=vlan200_guests lease-time=\
    3d name=dhcp_guests
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_intern pvid=100
add bridge=bridge comment=defconf interface=ether3_guests pvid=200
add bridge=bridge comment=defconf interface=ether4_AP
add bridge=bridge comment=defconf interface=ether5_VOIP pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4_AP vlan-ids=200
/interface list member
add comment=defconf interface=PPPoE_Out list=WAN
add interface=vlan100_intern list=LAN
add interface=vlan200_guests list=LAN
add interface=bridge list=LAN
add interface=ether10_emerg list=LAN
/ip address
add address=192.168.1.1/24 interface=vlan100_intern network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200_guests network=192.168.2.0
add address=192.168.10.1/24 interface=ether10_emerg network=192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=home.lan gateway=\
    192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=home.guests gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=lisa.home.lan
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=drop chain=input comment="block everything else" \
    in-interface-list=WAN
add action=drop chain=input comment="drop guests to intern" dst-address=\
    192.168.1.0/24 src-address=192.168.2.0/24
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop guests to intern" dst-address=\
    192.168.1.0/24 src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

b9_no_sensitive.rsc
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Wed Oct 27, 2021 1:49 pm

The VOIP connection and vlan provided by the ISP has nothing to do with the WAN/internet connection, at least I don't think so, they are on diff lans..........

All you should need to do is carry vlan20 on eth5 and the DECT will reach out and request dhcp to the ISP voip server .....

I would try first

a. removing ether5 from the bridge
b. add interface=ether5 name=vlan20_netcologne_voip vlan-id=20

and see what happens! Is this enough, what is missing?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Vlan Configuration - Knots in head

Wed Oct 27, 2021 1:51 pm

8: Oh, I didn't know that. Yes exactly, I just want to "provide" a trustful NTP time to the clients. Now it should be implemented, testing is pending.
This is true, but my perspective is not unsuspecting innocent family members, it's foreign actors that gain access to home computers due to mistakes by family members etc.....
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Thu Oct 28, 2021 11:39 am

Thanks for the suggestions. I have adopted them so far. I am looking forward to seeing if this will work. I still need to figure out how to configure the VOIP/DECT station (the old Fritzbox for now) so that it gets an IP address from the ISP for VOIP, and so that I still have parallel access to the web interface for administrative purposes.

I decided last evening to put the setup consisting of router, switch, access points and clients into operation. The whole action took about two hours, as I locked myself out of the switch in the meantime. Also the manual adding of the DNS A-entries took some time. Anyway, everything is working now. At maximum throughput to the ISP (250/50 Mbit/s) the CPU usage goes up to about 3% with FastTrack enabled. So it will be time for some IPSec soon ;). Attached is a photo of the cable pile (I'll tidy it up shortly).

I would like to take this opportunity to thank you once again for your support. Really great here! If necessary, I can contribute something in the area of hardware. I myself come from R&D in high-frequency technology and work with antennas there. Anyway, this thread now provides a typical example topology incl. a working configuration which may help other beginners.

hardware.jpg
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Thu Oct 28, 2021 12:12 pm

It's quite a nice Home-Network Setup!

Am I correct?
MikroTik for routing & switching
Unifi for WLAN
RaspberryPi as Unifi Cloud Key

If I am correct, it's another wake-up call for MikroTik to make better Wi-Fi APs =)


Possible solution for your Fritz.Box:
You could have another VLAN in your network and connect it to the LAN of the Fritz.Box.
This time, instead of a DHCP server on the VLAN, you use the DHCP client on the RB4011.

After that you can access the Fritz.Box from any computer via the web browser (http://192.168.178.1)**

Example DHCP client configuration:
/ip dhcp-client
add add-default-route=no disabled=no interface=bridge_vlan123 use-peer-dns=no use-peer-ntp=no
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Thu Oct 28, 2021 3:36 pm

Yes, you are right ;).

The Raspberry PI 4 is booting from a small SSD. It contains the "hass.io" distribution with homeassistant. There are different addons running like the ubiquiti controller for the wifi APs, Zigbee Home Automation and zigbee2mqtt for my 802.15.4 zigbee network and so on. I am satisfied with it. The project is active and well maintained. The maintenance is very comfortable due to the integrated possibility of snapshops. Below are a few links. If you have any questions, please feel free to contact me ;).

https://www.argon40.com/argon-one-m-2-c ... -pi-4.html
https://www.home-assistant.io/getting-started
https://community.home-assistant.io/t/h ... ller/56297
https://www.home-assistant.io/integrations/zha/

Your suggestion with the DHCP client on the router is interesting. But the IP address range would then be that of the ISP VOIP DHCP server and not that of the Fritzbox? Alternatively, I can try to connect the FritzBox with another LAN port running a DHCP client into the internal network (VLAN 100 - untagged). Maybe it also makes sense to go to the suggested VOIP DECT station from Gigaset.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Fri Oct 29, 2021 12:17 am

If your old router is still working, why buy a new VOIP-DECT and throw the Fritz.Box away =)
Having said that,
after my Fritz.Box died, I switched to the free version of 3CX and installed it on a RaspberryPi4.
A VOIP DECT station from Gigaset is great if you don't need a classic phone system.


Fritz.Box Setup:
I think you will need to connect the Fritz.Box with 2 cables.
Connection 1: Mikrotik <-> Ether1 on Fritz.Box for the VOIP
Connection 2: Mikrotik <-> Ether2 on Fritz.Box for the Access

You will need to configure the Fritz.Box to use Ether1 as WAN instead of VDSL.
LAN will then be restricted to ether 2, 3 and 4.

Like @anav suggested,
simply bridge the WAN "VLAN20" with "Connection 1: Mikrotik <-> Ether1 on Fritz.Box for the VOIP".
If you want you can use VLAN or, like @anav posted, without.
The Fritz.Box will do the rest! (Firewall, DHCP-Client, VOIP, etc..)

Connection 2: Mikrotik <-> Ether2 on Fritz.Box for the Access
Set a new VLAN on your MikroTik and this time, instead of a DHCP server on the VLAN,
use the DHCP client on the RB4011.
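The "Connection 2" access VLAN as a RouterOS script, added here as an example (it is not ConnyMercier's, AVM's or the thread's own config) and built on the bridge layout already posted above; it assumes ether6 for the Fritz.Box LAN 2 cable, VLAN id 123 and the Fritz.Box factory LAN 192.168.178.0/24, and adds the NAT and guest-drop rules a practitioner would want on top.

```routeros
# Added example, not the original poster's export. Assumed: Fritz.Box LAN 2 is
# cabled to ether6, VLAN id 123 is free, Fritz.Box keeps DHCP on 192.168.178.0/24.

# 1. L3 interface for the new VLAN on the bridge (same pattern as vlan100/vlan200)
/interface vlan
add interface=bridge name=vlan123_fritz vlan-id=123

# 2. ether6 becomes an access port for VLAN 123; the bridge itself is tagged so
#    the vlan123_fritz interface actually receives the traffic
/interface bridge port
set [ find interface=ether6 ] pvid=123
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether6 vlan-ids=123

# 3. RouterOS is the DHCP *client* here, the Fritz.Box stays the server.
#    add-default-route=no / use-peer-dns=no / use-peer-ntp=no stop the Fritz.Box
#    from taking over the router's default route, DNS or time source.
/ip dhcp-client
add interface=vlan123_fritz add-default-route=no use-peer-dns=no \
    use-peer-ntp=no disabled=no

# 4. Treat the VLAN as LAN so neighbor discovery and mac-winbox lists apply
/interface list member
add interface=vlan123_fritz list=LAN

# 5. The Fritz.Box's own default route points at the ISP VoIP gateway on its
#    LAN 1, so replies to 192.168.1.x would never come back. Masquerading towards
#    the Fritz.Box makes it only ever talk to the router's 192.168.178.x address.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan123_fritz \
    comment="reach Fritz.Box web UI from intern"

# 6. Guests get no path to the Fritz.Box admin UI. connection-state=new keeps
#    the rule effective even though it is appended after the fasttrack rule.
/ip firewall filter
add action=drop chain=forward src-address=192.168.2.0/24 \
    out-interface=vlan123_fritz connection-state=new \
    comment="drop guests to Fritz.Box"

# Check: the client should show a bound 192.168.178.x lease on vlan123_fritz
/ip dhcp-client print detail where interface=vlan123_fritz
/ip address print where interface=vlan123_fritz
```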
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Fri Oct 29, 2021 11:58 am

In the old setup, the Fritzbox was in PPPoE client + SIP profile mode (AVM designation: VDSL with external modem on LAN 1). At LAN2-4 the clients. In this mode, the PPPoE client would be active on LAN 1, which is no longer desired in the new setup.

Alternatively, it can be configured: Internet via LAN 1, connection type IP client (DHCP client). I think in this mode no separate DHCP client is active for SIP anymore, which is desired. Here I must probably evaluate the configuration options of the Fritzbox further.

I like the approach with the Gigaset VOIP-DECT station a bit more, because it is a little slimmer. However, the problem with the configuration in parallel operation also exists here. I find it somewhat unsatisfying to have to rely on the DHCP server of the ISP VOIP to get administrative access to the VOIP station.

I have already extended the VLAN according to your suggestions. Thank you both a lot for this!

Alternatively, I'm also eyeing the idea of replacing the DECT phone with a WLAN phone. WLAN coverage is available throughout the house, unlike DECT coverage. Unfortunately, the market for this is very limited (e.g. PHILIPS VP5500). I wonder why this is so.

PS: 3CX looks interesting, but I have to finish the site first (at least currently the phone does not work) :)
 
lenox89
newbie
Topic Author
Posts: 27
Joined: Tue Jul 27, 2021 10:07 am

Re: RB4011iGS Beginner Configuration incl. VLAN (intern/guests/VoIP)

Sat Nov 20, 2021 10:23 pm

Hello together,

a bit late, but I would like to give some feedback regarding the VoIP connection.

Unfortunately, connecting the Fritzbox with DHCP client in VLAN20 did not work right away. The phone connection did not work (I did not investigate the issue further). However, simply connecting the Fritzbox to the internal LAN worked. The Fritzbox did not have an ISP configured in this configuration (setting: Internet via existing router). In this configuration, calling and being called works without problems. The Fritzbox probably keeps a connection to the SIP server of the provider open. The advantage is that I can still access the web interface of the Fritzbox.

RouterOS - Firewall - Connections
Flags:               seen reply, assured, confirmed, fasttrack, srcnat
Src. Address:        192.168.1.134:5060
Dst. Address:        172.17.66.118:5060
Reply Src. Address:  172.17.66.118:5060
Reply Dst. Address:  89.0.41.149:5060
Protocol:            17 (udp)
