ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Understanding VLANs Better

Sat May 14, 2022 2:34 am

Greetings, I'm a recent lurker around here who has done his share of reading, but I think I need help to stop hitting my head against the wall. I'm looking forward to learning, since I lack a lot of networking basics.

So, as I've seen on this forum, I will try to explain my use case and what I've done, and will post part of my config afterwards. My hardware is the MikroTik cAP ac (RBcAPGi-5acD2nD).
  • My use case is that I got this AP so I could have better wifi, and I wanted to set up 2 wireless VLANs since I wanted to install some IoT.
  • Currently I have a pfSense router that has been serving me well. I've set up some VLANs to a Proxmox server I have and had almost no issues, so I set up some new VLANs with their corresponding DHCP services.
  • I've been basing myself on this post and the following examples: 1 2. I think I'm on the right track: pass said VLANs to the AP on a trunk port, then split them.

Then, as far as I know, I have 3 ports in use and a bridge:
  • eth1, poe in
  • wlan1, currently 2Ghz
  • wlan2, currently 5Ghz
  • bridge, which would have all the previous ports inside

The IPs and tags configured on pfSense go like this:
  • 192.168.50.0, tag 5, meant for wlan2, 5Ghz wifi
  • 192.168.60.0, tag 6, meant for wlan1, 2.4Ghz wifi
  • 192.168.70.0, tag 7, meant for eth1, management?

Now comes the part where I kind of lose myself. As far as I've understood, I would need to set up eth1 as a trunk port, since it comes via wire from the pfSense, and then both wlan* should be access ports, since the devices don't have to know they're in a VLAN.

My issue comes in various forms. One of them is that I managed to get wifi working properly, but when I did some packet capture not everything was being tagged.
Then there is the obvious issue of Winbox not being able to connect when I activate vlan-filtering=yes on the bridge as the last step before testing, but I guess that would come from the MK firewall side, since I'm wiping it 100% to avoid unknown issues.
DNS servers are set up as the 192.168.xx.1 of each VLAN in the IP -> DNS menu.

Here's the export, "ElBridge" is how I named the bridge to always be aware what I'm changing.
/interface vlan
add interface=ElBridge name=LaVlan5 vlan-id=5
add interface=ElBridge name=LaVlan6 vlan-id=6
add interface=ElBridge name=LaVlan7 vlan-id=7

/interface list
add name=LAN

#(Below, I've tried assigning pvids and without assigning them, so I pasted the last try, with the assignment)
#(I've also tried to play around with only-tagged and untagged-and-priority but so far no luck)
/interface bridge port
add bridge=ElBridge interface=ether2
add bridge=ElBridge interface=wlan1 pvid=6
add bridge=ElBridge interface=wlan2 pvid=5
add bridge=ElBridge interface=ether1 pvid=7

/interface bridge vlan
add bridge=ElBridge tagged=wlan2,ElBridge,ether1 vlan-ids=5
add bridge=ElBridge tagged=wlan1,ElBridge,ether1 vlan-ids=6
add bridge=ElBridge tagged=ElBridge,ether1 vlan-ids=7

#(This was an attempt to get Winbox access, based on other posts from this forum)
/interface list member 
add interface=ElBridge list=LAN
add interface=ether1 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=LaVlan7 list=LAN

#(Again, the last line was another attempt to get Winbox access)
/ip address
add address=192.168.50.2/24 interface=LaVlan5 network=192.168.50.0
add address=192.168.60.2/24 interface=LaVlan6 network=192.168.60.0
add address=192.168.70.2/24 interface=LaVlan7 network=192.168.70.0
add address=192.168.70.3/24 interface=ElBridge network=192.168.70.0

/ip dns
set allow-remote-requests=yes servers=192.168.50.1,192.168.60.1,192.168.70.1 verify-doh-cert=yes
Everything else is almost default, or they're settings I believe would only clutter the code. I can paste it in full with hide-sensitive if needed, though.

Anyway, this got long for my first post lol. I'm more focused on understanding it properly than on making it work by sheer copy-pasting. I would love to grasp the inner workings, so I'm ready to go back and forth as many times as I need to fully understand it.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Understanding VLANs Better

Sat May 14, 2022 4:08 pm

Check out the example I have here; it's from my cAP ac and is exactly what you are doing:
viewtopic.php?t=182276 (scroll down to EXAMPLE (ANY RoS) DEVICE SETUP)

As you can see, you don't need much in the config.
- create bridge
- create management vlan (the others are not required, but can be identified solely for you to know what's on the device)
- create /interface bridge ports
- create /interface bridge vlans
etc.....
 
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Mon May 16, 2022 9:03 am

Didn't answer because I thought I could take a look and a try sooner but seems like I won't be able to, so I will in the near future.

Meanwhile, as far as I've understood, it seems I don't have to assign any kind of IP to my VLANs unless I want to access them, like I would do with a management VLAN? Feels like I was overdoing it and making it wrong in the process.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Understanding VLANs Better

Mon May 16, 2022 2:51 pm

Correct. In this mode, the cAP ac is basically just moving vlans around like a switch, and thus they don't have to be created/identified, as they will just be moved according to the /interface bridge port and /interface bridge vlan settings. I still like to identify them just to have them documented for reference purposes.....
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Mon May 16, 2022 3:05 pm

For my understanding: "somewhere" IP settings/services need to be provided on some router, right ?
Otherwise there is no need to have those VLANs ?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Understanding VLANs Better

Mon May 16, 2022 3:49 pm

Not sure what you are getting at, holvoetn, but yes, the vlans are identified somewhere (main router) for sure.
On the cAP ac acting as it should be used (a wifi/switch, without the abomination of capsman ;-PP), there is no need to create vlans to attach to the bridge, except for
the 'BASE' or management vlan, which the cAP ac will get its IP address from (set statically, for example).

The sheer beauty about RoS is that you can go as minimally as possible OR add full blown firewall rules etc......... Depends upon the requirements etc..
 
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Fri May 27, 2022 8:14 am

Hey there folks, sorry for the late reply, work always gets in the middle of everything.

So, after trying a lot of stuff, I decided to try to learn this in another way, even if I don't like it like this, because I don't like just copy-pasting (hence the title of my topic).

First I followed anav's advice and checked his posts, and decided to tweak pcunitep's AP conf to my needs.
It worked first try, but it leaves me uneasy because I don't understand the whole process (besides reading the configuration, of course).

So, first of all, my actual configuration:
# may/27/2022 06:32:59 by RouterOS 6.49.6
# software id = 2E9P-E4AA
#
# model = RBcAPGi-5acD2nD
/interface bridge
add name=ElBridge protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik2 wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik5 wireless-protocol=\
    802.11 wps-mode=disabled
/interface vlan
add interface=ElBridge name=LaVlan7 vlan-id=7
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=ElBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=6
add bridge=ElBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=5
add bridge=ElBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=ElBridge tagged=ElBridge,ether1 vlan-ids=7
add bridge=ElBridge tagged=ether1 vlan-ids=5
add bridge=ElBridge tagged=ether1 vlan-ids=6
/interface list member
add interface=LaVlan7 list=MGMT
/interface wireless access-list
add mac-address=7C:2A:DB:06:0A:A2
/ip address
add address=192.168.70.3/24 interface=LaVlan7 network=192.168.70.0
/ip dns
set allow-remote-requests=yes servers=192.168.70.1 verify-doh-cert=yes
/ip hotspot service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=192.168.70.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=8192 strong-crypto=yes
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes primary-ntp=216.40.34.37 secondary-ntp=216.40.34.37
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Just in case I put something I shouldn't.

Now, allow me to ask, and correct me all you can if necessary please:
  • If I go to /interface bridge host I see a lot of interfaces with VIDs they should not have. Is this intended? Are these the same as the PVIDs I've put in my conf?
  • As far as I understood, I thought I want tagged traffic from router to ap, and untagged from ap to devices but as far as I'm seeing on wireshark, I'm seeing mixed tagged traffic, but as wireshark shows me a lot of [RST] connections, I don't really know what to think. How could I filter this better to know if everything is working as it should?
  • Redacted this because I realize this was a configuration thing, sorry.
  • What would be the best security practices router-side for this setup? I'm not asking for pfSense settings, just in case; I just would like to know what rules I should have on it to guarantee safety and isolation between VLANs.
Finally, sorry this post got so long and cluttered, I've tried to add all the info I could think to help ask better questions. Thank you guys for your time.
Last edited by ChicoDeGoma on Fri May 27, 2022 8:33 am, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 8:25 am

Re: tagged / untagged

Tagged = trunk ports
Untagged = access ports.
Access ports can be ether from AP to router, but can also be the separate wifi ports ( hence the ether port will become tagged).
If you check /interface bridge vlan and make all columns visible, you will probably see that the separate wlan ports are currently untagged, automatically.

I'm also experimenting a lot lately using vlans (finished my setup recently), and that's how I understood it.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 8:42 am

Re: /interface bridge host
Check with MAC address or interface column to determine which host it is. That might explain where it comes from.

E.g. in my case I see a lot of occurrences of the bridge MAC address using all possible IDs. Which is logical.
Same for trunk port, all possible ids in line with my config.
On the access ports I only see one vid.
 
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Fri May 27, 2022 8:43 am

Okay, so, taking into consideration the use case I have:
I want to use both bands of the cAP ac:
The 5Ghz band will be used by my phone and tablet.
The 2Ghz band will be used by IoT appliances.
For said bands and use case, I wanted to set up separate and isolated VLANs so they won't talk to each other, possibly denying internet access to the 2Ghz one from the router.
So, how would I need the access ports? Because in my mind I only want them to have internet and zero management or configuration options, and as secure as possible (I have a MAC access list and a long password, but I know those are basics).
--------------------------------------------------------------------------------
Had to edit because I didn't see the previous post while typing my last one
--------------------------------------------------------------------------------
Check with MAC address or interface column to determine which host it is. That might explain where it comes from.
E.g. in my case I see a lot of occurrences of the bridge MAC address using all possible IDs. Which is logical.
Same for trunk port, all possible ids in line with my config.
On the access ports I only see one vid.
So, in my case I also see the Wireless MACs with VID 5 and 6 both, which would be the opposite of what I want, wouldn't it?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 8:47 am

You got them ok.

Your wlan1 (2Ghz) is on vlan6.
Wlan2 (5GHz) is on vlan5.

Just need to add firewall rules on the router (conceptual)
1- allow access to router for IP services (DNS, DHCP,...)
2- allow internet for all (VLAN to WAN)
3- drop all else for VLAN5 and 6 so they only get IP services and WAN, nothing else.

I have more or less the same setup using Hex as router with trunk to hAP AC3 as AP (and TP Link Deco P7 on Hex untagged ether port using same vlan as regular wifi channels on hAP).
3 wifi channels: 1 with 2.4Ghz and 1 with 5GHz for regular access, 1 with 2.4Ghz slave channel for IOT which can ONLY access internet and nothing else.
Firewall rules are set on router, not on AP.
Last edited by holvoetn on Fri May 27, 2022 9:01 am, edited 2 times in total.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 8:57 am

--------------------------------------------------------------------------------
Had to edit because I didn't see the previous post while typing my last one
--------------------------------------------------------------------------------
Check with MAC address or interface column to determine which host it is. That might explain where it comes from.
E.g. in my case I see a lot of occurrences of the bridge MAC address using all possible IDs. Which is logical.
Same for trunk port, all possible ids in line with my config.
On the access ports I only see one vid.
So, in my case I also see the Wireless MACs with VID 5 and 6 both, which would be the opposite of what I want, wouldn't it?
Ah, you got your router in pfsense, I was referring to my Hex router.
On your MT-AP bridge it's normal you see them all (I think since I see the same here on my hAP AC3 bridge).
 
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Fri May 27, 2022 9:32 am

So, I've checked some things, starting from above:
If you check /interface bridge vlan and make all columns visible, you will probably see that the separate wlan ports are currently untagged, automatically.
That's not what it shows from my side:
/interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE        VLAN-IDS  CURRENT-TAGGED        CURRENT-UNTAGGED       
 0   ElBridge      7         ElBridge             
                             ether1               
 1   ElBridge      5         ether1               
 2   ElBridge      6         ether1               
 3 D ElBridge      1                               ElBridge
  
Export shows me this:
/interface bridge vlan
add bridge=ElBridge tagged=ElBridge,ether1 vlan-ids=7
add bridge=ElBridge tagged=ether1 vlan-ids=5
add bridge=ElBridge tagged=ether1 vlan-ids=6


Now, for:
On the access ports I only see one vid.
Although, typing the post I see you added:
On your MT-AP bridge it's normal you see them all
Just to help the cause, I've taken and edited the output from /interface bridge host because of the MACs.
/interface bridge host> print
#       MAC-ADDRESS     VID     ON-INTERFACE    BRIDGE          AGE
0 DL    ether1                  ether1          ElBridge        
1 DL    2GhzMac                 ElBridge        ElBridge                        
2 DL    5GhzMac                 wlan2           ElBridge                
3 DL    2GhzMac         1       ElBridge        ElBridge                
4 D     PfsenseNIC      5       ether1          ElBridge        6s      
5 D     Phone           5       wlan2           ElBridge        6s      
6 DL    ether1          5       ether1          ElBridge        
7 DL    5GhzMac         5       wlan2           ElBridge        
8 DL    ether1          6       ether1          ElBridge        
9 D     PfsenseNIC      7       ether1          ElBridge        3s      
10 DL   ether1          7       ether1          ElBridge        
11 DL   2GhzMac         7       ElBridge        ElBridge                
What I don't really understand is why the 2Ghz MAC has VID 1 and 7. I can guess 1 is the default VID, which I never changed (something I wanted to ask further down the line), but 7 is the management VLAN; it shouldn't be exposed on the wlan ports, right? Although it says it's on the bridge, it still sounds weird to me.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 9:50 am

Just need to add firewall rules on the router (conceptual)
1- allow access to router for IP services (DNS, DHCP,...)
2- allow internet for all (VLAN to WAN)
3- drop all else for VLAN5 and 6 so they only get IP services and WAN, nothing else.
To clarify (not sure how it goes in pfSense but this is how it should be on a Tik)
1 = input
2,3 = forward
 
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Fri May 27, 2022 11:56 am

I know this is more of a pfSense topic, but just to get the thread going, what I'm gonna do on the router is block all private addresses, then allow my own router's DNS, and with that it should block any attempt at communicating among other LANs or VLANs.
------------------------------------------------------------------------------------------
On the current topic, though, I feel like I should change the default PVID for the bridge, but I don't really know how I should do it (I don't mean command line or GUI).
I have no default VLAN or VLAN tag 1 on my router, but it still makes me kinda uneasy.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 12:17 pm

To stop default vlan1, use filtering on /interface bridge
/interface bridge set ElBridge frame-types=admit-only-vlan-tagged
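To show what the export from May 27 and this frame-types fix actually decide for each frame, here is a small Python model (added illustration, not code from the thread or from MikroTik). It follows the documented RouterOS bridge VLAN behaviour: frame-types admission, PVID assignment for untagged frames, ingress-filtering against the bridge VLAN table, and tagged/untagged egress; the class and function names (Port, Bridge, forward, chico_bridge) are mine, and it assumes no MAC learning, so a frame is flooded to every member port of its VLAN.

```python
from dataclasses import dataclass, field

# The three frame-types values that appear in the export above
ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:
    name: str
    pvid: int = 1                    # RouterOS default
    frame_types: str = ADMIT_ALL     # RouterOS default
    ingress_filtering: bool = False  # RouterOS 6 default; the export sets yes explicitly


@dataclass
class Bridge:
    """Simplified RouterOS bridge with vlan-filtering=yes. The bridge interface (CPU
    port) is a port named after the bridge, as listed in /interface bridge vlan.
    Assumption: no MAC learning, a frame is flooded to every member port of its VLAN."""
    name: str
    ports: dict = field(default_factory=dict)
    tagged: dict = field(default_factory=dict)  # vid -> set of tagged member ports

    def __post_init__(self):
        self.ports[self.name] = Port(self.name)  # the CPU port

    def untagged_members(self, vid):
        # A port is a dynamic untagged member of its PVID VLAN, unless it refuses
        # untagged frames altogether (which is why vlan 1 above lists only ElBridge).
        return {p.name for p in self.ports.values()
                if p.pvid == vid and p.frame_types != ADMIT_TAGGED}

    def members(self, vid):
        return self.tagged.get(vid, set()) | self.untagged_members(vid)

    def forward(self, in_port, vid=None):
        """vid=None is an untagged (or VID 0, priority-tagged) frame.
        Returns (verdict, {egress port: 'tagged' | 'untagged'})."""
        port = self.ports[in_port]
        if vid is None and port.frame_types == ADMIT_TAGGED:
            return f"dropped: untagged frame on {in_port} ({ADMIT_TAGGED})", {}
        if vid is not None and port.frame_types == ADMIT_UNTAGGED:
            return f"dropped: tagged frame on {in_port} ({ADMIT_UNTAGGED})", {}
        eff_vid = port.pvid if vid is None else vid  # untagged frames get the PVID
        if port.ingress_filtering and in_port not in self.members(eff_vid):
            return f"dropped: {in_port} is not a member of vlan {eff_vid}", {}
        egress = {p: "untagged" if p in self.untagged_members(eff_vid) else "tagged"
                  for p in self.members(eff_vid) - {in_port}}
        return f"forwarded in vlan {eff_vid}", egress


def chico_bridge(bridge_frame_types=ADMIT_ALL):
    """The cAP ac bridge from the May 27 export. bridge_frame_types models holvoetn's
    later '/interface bridge set ElBridge frame-types=admit-only-vlan-tagged'."""
    br = Bridge("ElBridge")
    br.ports["ElBridge"].frame_types = bridge_frame_types
    for p in (Port("wlan1", pvid=6, frame_types=ADMIT_UNTAGGED, ingress_filtering=True),
              Port("wlan2", pvid=5, frame_types=ADMIT_UNTAGGED, ingress_filtering=True),
              Port("ether1", frame_types=ADMIT_TAGGED, ingress_filtering=True)):
        br.ports[p.name] = p
    br.tagged = {7: {"ElBridge", "ether1"}, 5: {"ether1"}, 6: {"ether1"}}
    return br
```

Calling chico_bridge().forward("wlan1") shows an untagged IoT frame leaving ether1 tagged 6, forward("wlan1", 7) shows a client-supplied VLAN 7 tag being refused at the wlan port, and chico_bridge(ADMIT_TAGGED).members(1) is empty, which is what the frame-types change above achieves for the default vlan 1.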
 
User avatar
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Fri May 27, 2022 2:15 pm

Seems like your advice worked like a charm, zero issues at the moment.

At router level, I only allow DNS, then I block all RFC 1918 and allow all out, it is working perfectly too.
Weirdly I didn't have to alter my DHCP reserves or allow them, even being in the 192.168.x.x range.

What test or pcap does anyone recommend to verify that this is not misconfigured?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Understanding VLANs Better

Fri May 27, 2022 2:27 pm

Glad you got it sorted out.

What I did (and I did it quite recently):
connect a device to each of the configured Wifi VLANs, check the obtained IP address is correct.
Check if what you are supposed to reach, can be reached (E.g. I have allowed access to a printer and my iperf3 server in VLAN2 from all VLANs, nothing else in VLAN2, no NAS, no VM Farm, nada).
Check if internet access works.
See as well what you are not supposed to reach, fails.
Repeat for every VLAN.

I also did a port scan from every VLAN network to the rest of the network (on Android I used Network Scanner, on PC Advanced IP Scanner or Port Scanner).
E.g. from my IOT network: everything should fail. No access possible whatsoever. Only internet.
 
ChicoDeGoma
just joined
Topic Author
Posts: 8
Joined: Sat May 14, 2022 1:00 am

Re: Understanding VLANs Better

Fri May 27, 2022 3:30 pm

So far so good, that first paragraph is what I did before reconfiguring all my firewall.
I'm supposed to reach SMB from my phone, and internet, played with the rules that allowed me not to and configured them to block anything else.

I actually redid all my firewall with, what I think they are, way better rules, only time will tell.
For Vlan2 (IoT) I just copied the Vlan1 rules (except the SMB one) and disabled the one that allows reaching the internet.

I will be trying to get tasmota starting this week, so I get some athom plugs going into Vlan2.
