ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Need help setting up VLANs

Sun May 29, 2022 6:30 pm

Hi!

I'm trying to set up a couple of VLANs on my new hEX RB750Gr3. I'm a complete amateur, but am trying to learn. I've not included any config in this post as I'm not sure what to include or how, but if you let me know what you need and how to get it I will.

I'm trying to set up two VLANs:
VLAN 77 - 192.168.77.0 - main network - ports 2,3,4 - main home network connected to an AP and pi-hole
VLAN 66 - 192.168.66.0 - spynet - port 5 - IoT network, connected to a switch and dedicated AP, isolated from main but using the pi-hole as DNS.

Firewall is the default setup by the wizard, no isolation setup yet.

I've used various guides and mostly figured out the vlan setup (I think), but something is messed up and I can't find out what. Both networks are supposed to be identically set up (except the subnets and related stuff), but are not behaving as they should.

Spynet has internet access but not router access, which is fine, but the main network has no internet. I've used ports 3 and 4 for testing the main network, with port 3 set to PVID 1 and port 4 set to PVID 77. If I connect to port 3 I have winbox access, if I connect to port 4 I do not, and neither of them has internet access. Port 5 is set up with PVID 66 and the corresponding subnet but is otherwise identical to port 4.

Any ideas as to why I have internet on one VLAN but not the other?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Need help setting up VLANs

Mon May 30, 2022 1:18 am

Read the article on VLANS first by pcunite at PARA C. - viewtopic.php?t=182373
Read the section on firewall rules - para B
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Need help setting up VLANs

Mon May 30, 2022 6:30 am

Any ideas as to why I have internet on one VLAN but not the other?
Adding to the suggestions already made by anav, most likely because you did not allow input from that VLAN to your router for IP services in your firewall rules and/or forward chain WAN access for that VLAN.
But to be sure, we will need to have a look at your config unless you're able to figure it out on your own with the pointers given by anav.

I recently VLANified my complete home network using Hex as core (and 2 times AC3 as AP).
It can be a daunting process at first but once you learn how to solve each of the road blocks you encounter (and you will hit some, trust me), it is pretty rewarding once you see everything flowing as intended.
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help setting up VLANs

Mon May 30, 2022 8:38 am

I'm trying to setup two VLANs:
VLAN 77 - 192.168.77.0 - main network- ports 2,3,4 - main home network connected to an AP and pi-hole
VLAN 66 - 192.168.66.0 - spynet - port 5 - IOT network, connected to a switch and dedicated AP, isolated from main but using the pi-hole as DNS.
There is nothing wrong with using vlans, as they will give you much more flexibility in changing what each port is used for in the future, but your specific requirements don't need them, assuming each AP you have is dedicated to a specific SSID and subnet.

Where vlans are needed is when you want to have more than one subnet, but each subnet having more than one port. E.g. if you had the following situation:
VLAN 77 192.168.77.0/24 ports 2,3
VLAN 66 192.168.66.0/24 ports 4,5

Or when you have a single port that is a member of two vlans, for example "smart" APs that are vlan-aware and can have multiple SSIDs, each connected to a different vlan.

For example:
VLAN 77 192.168.77.0/24 port 2 (untagged PC), port 3 untagged pihole, port 4,5 (AP main SSID tagged or untagged depending on AP and setup)
VLAN 66 192.168.66.0/24 port 4,5 (tagged spynet SSID)

Given the specs you posted, you could have 2,3,4 connected to bridge with ip address (of bridge) 192.168.77.x/24, and remove 5 from bridge as a dedicated port with address 192.168.66.x/24.

Post your config. See this.
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 10:28 am

Thanks! I know I don't really need vlans for this, and I have a working config without them, but the principles of vlans seem a little easier to understand and they allow more options if I want to change something later. I plan to get into some smart home stuff in the near future, so I'm trying to set it up for whatever that may need.

I'll look into the firewall stuff some more. The guide posted by anav is mostly what I have been using, but I'm not understanding the firewall system well enough to get it working yet. Are you missing a link to a firewall guide? That guide seems to assume a certain knowledge of firewalls, and just following the steps has not gotten me anywhere yet. I've tried many times, but either get nothing or screw it up and have to reset... If someone can post the exact rule(s) I need (and where to put them in the default firewall) to get winbox access from vlan 77 that would be really helpful!

Here is the config, it's probably a bit messy so please let me know of any errors.
/interface bridge
add admin-mac=DC:2C:6E:B2:08:A9 auto-mac=no comment=defconf name=bridge
add name="bridge 1" protocol-mode=none vlan-filtering=yes
/interface vlan
add interface="bridge 1" name="main vlan" vlan-id=77
add interface="bridge 1" name="spynet vlan" vlan-id=66
add interface=ether1 name="vlan altibox" vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN list" include=all name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=bridge name=defconf
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment=Main name="main pool" ranges=192.168.77.20-192.168.77.254
add comment=Spynet name="spynet pool" ranges=192.168.66.20-192.168.66.254
/ip dhcp-server
add address-pool="main pool" disabled=no interface="main vlan" name=\
    "main dhcp"
add address-pool="spynet pool" disabled=no interface="spynet vlan" name=\
    "spynet dhcp"
/interface bridge port
add bridge="bridge 1" comment=defconf interface=ether2 pvid=77
add bridge="bridge 1" comment=defconf interface=ether3
add bridge="bridge 1" comment=defconf interface=ether4 pvid=77
add bridge="bridge 1" comment=defconf interface=ether5 pvid=66
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" vlan-ids=77
/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=VLAN
add comment="spynet vlan" interface="spynet vlan" list=VLAN
/ip address
add address=192.168.77.1/24 comment=defconf disabled=yes interface=ether2 \
    network=192.168.77.0
add address=192.168.77.1/24 comment=Main interface="main vlan" network=\
    192.168.77.0
add address=192.168.66.1/24 comment=Spynet interface="spynet vlan" network=\
    192.168.66.0
/ip dhcp-client
add comment=defconf disabled=no interface="vlan altibox" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.77.2 client-id=1:c0:6:c3:e0:2b:b1 mac-address=\
    C0:06:C3:E0:2B:B1 server=defconf
add address=192.168.77.11 mac-address=E4:5F:01:92:78:0A server=defconf
add address=192.168.77.9 mac-address=A0:E4:CB:24:60:19 server=defconf
/ip dhcp-server network
add address=192.168.66.0/24 comment="spynet dhcp" dns-server=192.168.77.11 \
    gateway=192.168.66.1 netmask=24
add address=192.168.77.0/24 comment="main dhcp" dns-server=192.168.77.11 \
    gateway=192.168.77.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.77.11
/ip dns static
add address=192.168.77.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow main wlan" in-interface=\
    "main vlan"
add action=accept chain=forward comment="VLAN internet access only" \
    connection-state=new disabled=yes in-interface-list=VLAN \
    out-interface-list=WAN
add action=accept chain=forward comment="Allow spynet to pi-hole" \
    connection-state=new disabled=yes dst-address=192.168.77.11 dst-port=53 \
    in-interface="spynet vlan" protocol=tcp
add action=accept chain=forward comment="Allow spynet to pi-hole" \
    connection-state=new disabled=yes dst-address=192.168.77.11 dst-port=53 \
    in-interface="spynet vlan" protocol=udp
add action=accept chain=forward comment="accept main to spynet" \
    connection-state=established,new connection-type="" disabled=yes \
    in-interface="main vlan" out-interface="spynet vlan"
add action=accept chain=forward comment="Allow spynet internet" \
    connection-state=established,new disabled=yes in-interface="spynet vlan" \
    out-interface-list=WAN
add action=drop chain=forward comment="drop spynet to main" disabled=yes \
    in-interface="spynet vlan" out-interface="main vlan"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface="vlan altibox"
/system clock
set time-zone-name=Europe/Oslo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The disabled firewall rules are some of my experiments, but have not worked or are unnecessary to get the basics working (I think).

(disregard the vlan 102 stuff, that is to get the internet from the trunk from my isp and is working fine)
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help setting up VLANs

Mon May 30, 2022 11:39 am

Thanks! I know i don't really need vlans for this, and i have a working config without them, but the principals of vlans seem a little easier to understand and they allow more options if i want to change something later. I plan to get in to some smart home stuff in the near future, so I'm trying to set it up for whatever that may need.
I think you are the first person I ever remember saying that vlans were easier to understand. But that's not a bad thing.

Do look at the MikroTik documentation referenced in paragraph C of the link posted by anav. That is the best reference documentation that currently exists as far as I know.

Disclaimer: I am a novice with ROS. I have never used v6 (other than to upgrade to 7.2) and my only MikroTik ROS experience is with a hEX S in a LAB situation with some Ubiquiti ER-X and various dumb (Trendnet, TP-Link, even a bottom of the barrel Tenda) and vlan-aware switches (MikroTik CSS106-5G-1S, NetGear 908E, TP-Link TL-SG108E) and my primary playing was with vlans.

Here are the things I noticed in your config:

ether3 is using vlan 1 by default (since you did not specify the pvid)
/interface bridge port
add bridge="bridge 1" comment=defconf interface=ether2 pvid=77
add bridge="bridge 1" comment=defconf interface=ether3
add bridge="bridge 1" comment=defconf interface=ether4 pvid=77
add bridge="bridge 1" comment=defconf interface=ether5 pvid=66

Your /interface bridge vlan section doesn't have any ports included.
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" vlan-ids=77

Assuming your original specification where ports 2,3,4 were for vlan 77 (and I assumed as access ports), and port 5 was an access port for vlan 66, I would have expected this:

/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" untagged=ether5 vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" untagged=ether2,ether3,ether4 vlan-ids=77

Although if the pvid is specified on the /interface bridge port, I think it implicitly adds the untagged membership for the vlan on those ports. You can see if you use /export verbose. I prefer to be explicit in the config, as it makes it plain when reading the config. After you get things working, you may also want to consider adding frame-types to the /interface bridge port section if these are really access ports, e.g.

/interface bridge port add bridge="bridge 1" comment=defconf interface=ether5 frame-types=admit-only-untagged-and-priority-tagged pvid=66

When I was playing, I used the default firewall and just associated my new vlans with the LAN list. I suggest you do the same; at least until you get things working. Note the following in the firewall filter:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

That's dropping traffic that reaches that part of the chain that is from any interface that isn't associated with LAN

So I would get rid of the bold line
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN list" include=all name=VLAN

And change
/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=VLAN
add comment="spynet vlan" interface="spynet vlan" list=VLAN

to

/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=LAN
add comment="spynet vlan" interface="spynet vlan" list=LAN
Last edited by Buckeye on Mon May 30, 2022 11:56 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up VLANs

Mon May 30, 2022 11:49 am

Although if the pvid is specified on the /interface bridge port, I think it implicitly added the untagged for the vlan on those ports. You can see if you use /export verbose.

export verbose doesn't show any implicit configuration and adding a port as untagged due to the pvid setting is implicit configuration. You can see such ports if you run the print command, which actually shows running state (and the reason for that state, either explicit configuration or implicit or dynamic, is not clearly shown in some cases).

The problem with the OP's config is that ether3 doesn't have pvid set (so it's not implicitly set as access port for any VLAN), neither is it set as tagged member of any VLANs. Which makes it an implicit access port of VLAN=1 (that's the default setting) and ether3 could communicate with the "bridge 1" interface as it doesn't have PVID set either.
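
The point mkx makes (and Buckeye's "implicit untagged" question just above) can be checked with a small model. The following is an added example, not code from the thread or from MikroTik: it encodes the OP's two `/interface bridge port` and `/interface bridge vlan` snippets as data and traces where an untagged frame entering each port ends up. The modelling assumptions are stated in the docstring; port and VLAN names come from the OP's export.

```python
"""Added example, not from the thread: a small model of RouterOS bridge VLAN
filtering, used to trace where an untagged frame entering each port of the
OP's "bridge 1" ends up. Modelling assumptions: a bridge port with no pvid
behaves as pvid=1; a port with pvid=X is an implicit untagged member of
VLAN X; the bridge interface itself is a port (the CPU side) whose pvid is
also 1 unless set; a tagged frame leaving towards the bridge interface is
handed to the matching /interface vlan."""

BRIDGE = "bridge 1"
VLAN_INTERFACES = {77: "main vlan", 66: "spynet vlan"}   # from /interface vlan in the export

# Transcribed from the OP's first export: port -> pvid, vlan-id -> (tagged, untagged)
OP_FIRST = {
    "ports": {"ether2": 77, "ether3": None, "ether4": 77, "ether5": 66, BRIDGE: None},
    "vlans": {66: ((BRIDGE,), ()), 77: ((BRIDGE,), ())},
}
# The same after Buckeye's suggestion (explicit untagged members); ether3 still has no pvid
OP_SECOND = {
    "ports": {"ether2": 77, "ether3": None, "ether4": 77, "ether5": 66, BRIDGE: None},
    "vlans": {66: ((BRIDGE,), ("ether5",)),
              77: ((BRIDGE,), ("ether2", "ether3", "ether4"))},
}


def members(cfg, vid):
    """Tagged and untagged member sets of VLAN vid: explicit table entries plus
    the implicit untagged membership every port gets for its own pvid."""
    tagged, untagged = cfg["vlans"].get(vid, ((), ()))
    tagged, untagged = set(tagged), set(untagged)
    for port, pvid in cfg["ports"].items():
        if (pvid or 1) == vid:
            untagged.add(port)
    return tagged, untagged


def deliver(cfg, ingress, tag=None):
    """Egress map {port: vlan tag or None (untagged)} for one frame entering
    `ingress`. tag=None means the frame arrived untagged, so the ingress
    port's pvid decides which VLAN it belongs to."""
    vid = (cfg["ports"][ingress] or 1) if tag is None else tag
    tagged, untagged = members(cfg, vid)
    if ingress not in tagged | untagged:
        return {}                       # ingress filtering: not a member of that VLAN
    out = {p: vid for p in tagged if p != ingress}
    out.update({p: None for p in untagged if p != ingress})
    return out


def router_interface(cfg, ingress):
    """Name of the RouterOS interface that sees an untagged frame from `ingress`,
    or None if the frame never reaches the CPU side of the bridge."""
    egress = deliver(cfg, ingress)
    if BRIDGE not in egress:
        return None
    tag = egress[BRIDGE]
    return BRIDGE if tag is None else VLAN_INTERFACES.get(tag)


if __name__ == "__main__":
    for label, cfg in (("first export", OP_FIRST), ("with explicit untagged", OP_SECOND)):
        print(f"== {label}")
        for port in ("ether2", "ether3", "ether4", "ether5"):
            print(f"{port}: egress={deliver(cfg, port)} -> seen by {router_interface(cfg, port)!r}")
```

Running it shows why port 3 behaved differently from port 4: an untagged frame from ether3 is classified as VLAN 1 and reaches the "bridge 1" interface untagged (which is in the LAN list, so MAC-winbox works), while a frame from ether4 reaches the CPU tagged 77 and is seen by "main vlan". Adding ether3 as an explicit untagged member of VLAN 77 changes only what egresses to ether3; without a pvid its ingress traffic is still VLAN 1.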
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Need help setting up VLANs

Mon May 30, 2022 12:10 pm

I also seem to be missing DHCP server settings for each of the VLANs.
Only default is present on bridge.
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 12:18 pm


I think you are the first person I ever remember saying that vlans were easier to understand. But that's not a bad thing.
Easier to understand how they are defined and supposed to work, not easy at all to set up. Bridges and port isolation and stuff just feels less concrete and defined, but are easier to make work for sure.

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

That's dropping traffic that reaches that part of the chain that is from any interface that isn't associated with LAN

So I would get rid of the bold line
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN list" include=all name=VLAN

And change
/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=VLAN
add comment="spynet vlan" interface="spynet vlan" list=VLAN

to

/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=LAN
add comment="spynet vlan" interface="spynet vlan" list=LAN


Thanks, this solved the internet connectivity issue on VLAN 77. I also added the untagged ports as you suggested, seems like a good idea.

Port 3 is left at PVID=1 for testing so I can access winbox while experimenting. If set to 77 I get locked out of winbox and have to do a factory reset and reupload a backup every time I change something that does not work...
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up VLANs

Mon May 30, 2022 12:23 pm

port 3 is left at PVID=1 for testing so i can access winbox while experimenting. If set to 77 i get locked out of winbox and have to do a factory reset and reupload a backup every time i change something that does not work...

Good thinking.

However when you get forward, MAC connectivity is configured under /tools mac-server and by default MAC connections are allowed through interfaces members of LAN interface list.

Another advice: use safe mode ... can't find proper manual for it, so here's forum link. Essentially, when safe mode is enabled and management connection drops, router rolls back any changes made since enabling safe mode. There are two gotchas: undo buffer has its limits and you have to disable safe mode after you're happy with changes and before disconnecting on purpose. Even log-out is considered broken management connection when in safe mode.
Last edited by mkx on Mon May 30, 2022 12:27 pm, edited 1 time in total.
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 12:25 pm

I also seem to be missing DHCP server settings for each of the VLANs.
Only default is present on bridge.
bridge is the default one that is not used, I have just not removed it yet. bridge 1 is the one in use, and both dhcp servers are present and working as far as I can tell.
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Need help setting up VLANs

Mon May 30, 2022 12:56 pm

I also seem to be missing DHCP server settings for each of the VLANs.
Only default is present on bridge.
bridge is the default one that is not used, I have just not removed it yet. bridge 1 is the one in use, and both dhcp servers are present and working as far as I can tell.
Meaning your DHCP servers are defined on another device? Ok then.
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 1:58 pm

Meaning your DHCP servers are defined on another device ? Ok then.
No, they are on the mikrotik and I thought they were set up correctly. I can't really see anything wrong with them, so I might be missing something?
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up VLANs

Mon May 30, 2022 2:37 pm

Meaning your DHCP servers are defined on another device? Ok then.
No, they are on the mikrotik and I thought they were set up correctly. I can't really see anything wrong with them, so I might be missing something?

You only have a single configuration line (that I found quickly) relevant to running a DHCP server:
/ip dhcp-server
add interface=bridge name=defconf

Keep in mind that DHCP server is configured to run off an untagged interface (and bridge is both "switch like" entity and interface which allows ROS interact with traffic over bridge), it doesn't mean that DHCP will automagically hook to every possible traffic path crossing bridge (the switch like entity).

The rest is DHCP server related configuration and seems fine. But without a line configuring DHCP server to run on every relevant interface (e.g. "main vlan" or "spynet vlan") DHCP server will not be answering requests on those interfaces.
Last edited by mkx on Mon May 30, 2022 2:39 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Need help setting up VLANs

Mon May 30, 2022 2:38 pm

Post your latest config please, and I will have a look.............
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 3:21 pm

Here is the latest config:
/interface bridge
add admin-mac=DC:2C:6E:B2:08:A9 auto-mac=no comment=defconf name=bridge
add name="bridge 1" protocol-mode=none vlan-filtering=yes
/interface vlan
add interface="bridge 1" name="main vlan" vlan-id=77
add interface="bridge 1" name="spynet vlan" vlan-id=66
add interface=ether1 name="vlan altibox" vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=bridge name=defconf
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment=Main name="main pool" ranges=192.168.77.20-192.168.77.254
add comment=Spynet name="spynet pool" ranges=192.168.66.20-192.168.66.254
/ip dhcp-server
add address-pool="main pool" disabled=no interface="main vlan" name=\
    "main dhcp"
add address-pool="spynet pool" disabled=no interface="spynet vlan" name=\
    "spynet dhcp"
/interface bridge port
add bridge="bridge 1" comment=defconf interface=ether2 pvid=77
add bridge="bridge 1" comment=defconf interface=ether3
add bridge="bridge 1" comment=defconf interface=ether4 pvid=77
add bridge="bridge 1" comment=defconf interface=ether5 pvid=66
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge="bridge 1" tagged="bridge 1" untagged=ether5 vlan-ids=66
add bridge="bridge 1" tagged="bridge 1" untagged=ether2,ether3,ether4 \
    vlan-ids=77
/interface list member
add comment=defconf interface="bridge 1" list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="main vlan" interface="main vlan" list=LAN
add comment="spynet vlan" interface="spynet vlan" list=LAN
/ip address
add address=192.168.77.1/24 comment=defconf disabled=yes interface=ether2 \
    network=192.168.77.0
add address=192.168.77.1/24 comment=Main interface="main vlan" network=\
    192.168.77.0
add address=192.168.66.1/24 comment=Spynet interface="spynet vlan" network=\
    192.168.66.0
/ip dhcp-client
add comment=defconf disabled=no interface="vlan altibox" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.77.3 client-id=1:c0:6:c3:e0:2b:b1 mac-address=\
    C0:06:C3:E0:2B:B1 server="main dhcp"
add address=192.168.77.11 mac-address=E4:5F:01:92:78:0A server="main dhcp"
add address=192.168.77.9 mac-address=A0:E4:CB:24:60:19 server="main dhcp"
/ip dhcp-server network
add address=192.168.66.0/24 comment="spynet dhcp" dns-server=192.168.77.11 \
    gateway=192.168.66.1 netmask=24
add address=192.168.77.0/24 comment="main dhcp" dns-server=192.168.77.11 \
    gateway=192.168.77.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.77.11
/ip dns static
add address=192.168.77.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow main wlan" in-interface=\
    "main vlan"
add action=accept chain=forward comment="VLAN internet access only" \
    connection-state=new disabled=yes in-interface-list=*2000012 \
    out-interface-list=WAN
add action=accept chain=forward comment="Allow spynet to pi-hole" \
    connection-state=new disabled=yes dst-address=192.168.77.11 dst-port=53 \
    in-interface="spynet vlan" protocol=tcp
add action=accept chain=forward comment="Allow spynet to pi-hole" \
    connection-state=new disabled=yes dst-address=192.168.77.11 dst-port=53 \
    in-interface="spynet vlan" protocol=udp
add action=accept chain=forward comment="accept main to spynet" \
    connection-state=established,new connection-type="" disabled=yes \
    in-interface="main vlan" out-interface="spynet vlan"
add action=accept chain=forward comment="Allow spynet internet" \
    connection-state=established,new disabled=yes in-interface="spynet vlan" \
    out-interface-list=WAN
add action=drop chain=forward comment="drop spynet to  main" disabled=yes \
    in-interface="spynet vlan" out-interface="main vlan"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface="vlan altibox"
/system clock
set time-zone-name=Europe/Oslo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
In the winbox gui I have three dhcp servers: defconf (disabled), main dhcp and spynet dhcp, the last two running off their respective vlan interfaces. I'll see if I can post a screenshot if needed.
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Need help setting up VLANs

Mon May 30, 2022 3:31 pm

Can you press f5 in winbox on the screen with dhcp ?

They are not in your export so I doubt they are running.
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 3:53 pm

Can you press f5 in winbox on the screen with dhcp ?

They are not in your export so I doubt they are running.
How can I tell if they are running? They are there and F5 changes nothing, but I might be missing a status indicator or something?

I got the firewall rule to allow winbox access sort of working, I now have winbox access from both vlans... Any hints on the right rules to isolate spynet from everything except the pi-hole and internet?
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Need help setting up VLANs

Mon May 30, 2022 4:11 pm

Terminal
IP
DHCP-server
print

Should show you the running servers.


I got the firewall rule to allow winbox access sort of working, i now have winbox access from both vlans... Any hints on the right rules to isolate spynet from everything except the pi-hole and internet?
Conceptually:
- allow input access to router from spynet
- drop all input from spynet
- allow forward access to pi-hole from spynet
- allow forward access to WAN
- drop all forward from spynet
 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 4:22 pm

Flags: D - dynamic, X - disabled, I - invalid 
 #    NAME      INTERFACE     RELAY           ADDRESS-POOL     LEASE-TIME ADD-ARP
 0  X defconf   *6                            *1               10m       
 1    main dhcp main vlan                     main pool        10m       
 2    spynet... spynet vlan                   spynet pool      10m       

 
ThorAlex
just joined
Topic Author
Posts: 9
Joined: Sun May 22, 2022 9:25 pm

Re: Need help setting up VLANs

Mon May 30, 2022 6:44 pm

I'm getting closer...
I started setting up the firewall. As far as I can tell I have spynet isolated from the main network, but it still has access to winbox and stuff, so I need to fix that... But how is it working? The rule to allow access should only be for main vlan?

This is my current firewall:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow main vlan full access" \
    in-interface="main vlan"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow spynet to pihole" \
    connection-state=new dst-address=192.168.77.11 dst-port=53 in-interface=\
    "spynet vlan" protocol=tcp
add action=accept chain=forward comment="allow spynet to pihole" \
    connection-state=new dst-address=192.168.77.11 dst-port=53 in-interface=\
    "spynet vlan" protocol=udp
add action=accept chain=forward comment="Allow main to spynet" in-interface=\
    "main vlan" out-interface="spynet vlan"
add action=drop chain=forward comment="Deny spynet to main" in-interface=\
    "spynet vlan" out-interface="main vlan"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface="vlan altibox"
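
The "how is it working?" question, and holvoetn's conceptual rule list earlier in the thread, can both be answered by walking packets through the posted filter in the order RouterOS evaluates it. The block below is an added example, not code from the thread or from MikroTik: it parses the OP's current `/ip firewall filter` export (transcribed one rule per line), evaluates sample packets against it, and then appends a hypothetical hardening written from holvoetn's list. The interface lists come from the OP's `/interface list member` export; the `LISTS_FIXED` variant, which adds the ISP VLAN "vlan altibox" to WAN, is an assumption of this example, as is the "no IPsec traffic" simplification.

```python
"""Added example, not from the thread: parse the '/ip firewall filter' export
posted above and walk packets through it the way RouterOS evaluates a chain
(rules in order, first terminating match wins, and a chain that reaches its
end without a match accepts). Modelling assumptions: no IPsec traffic, so the
two ipsec-policy rules never match; fasttrack-connection is non-terminating;
interface lists are taken from the /interface list member export."""
import re

# The OP's current filter rules, transcribed one rule per line from the export above
OP_RULES = """
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow main vlan full access" in-interface="main vlan"
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow spynet to pihole" connection-state=new dst-address=192.168.77.11 dst-port=53 in-interface="spynet vlan" protocol=tcp
add action=accept chain=forward comment="allow spynet to pihole" connection-state=new dst-address=192.168.77.11 dst-port=53 in-interface="spynet vlan" protocol=udp
add action=accept chain=forward comment="Allow main to spynet" in-interface="main vlan" out-interface="spynet vlan"
add action=drop chain=forward comment="Deny spynet to main" in-interface="spynet vlan" out-interface="main vlan"
"""

# Hypothetical hardening written from holvoetn's conceptual list (not from the thread).
# It is appended after the OP's rules, so the defconf established/related accepts and
# the existing pi-hole DNS accepts still run first.
HARDENED = """
add action=accept chain=input comment="spynet: DHCP to router" dst-port=67 in-interface="spynet vlan" protocol=udp
add action=drop chain=input comment="spynet: drop everything else to router" in-interface="spynet vlan"
add action=accept chain=forward comment="spynet: internet" connection-state=new in-interface="spynet vlan" out-interface-list=WAN
add action=drop chain=forward comment="spynet: drop everything else" in-interface="spynet vlan"
"""

LISTS_AS_POSTED = {"LAN": {"bridge 1", "main vlan", "spynet vlan"}, "WAN": {"ether1"}}
# Assumption: the uplink is the ISP VLAN (masquerade uses out-interface="vlan altibox"), so it belongs in WAN
LISTS_FIXED = {"LAN": LISTS_AS_POSTED["LAN"], "WAN": {"ether1", "vlan altibox"}}

TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts; joins RouterOS's
    backslash line continuations so a raw /export paste also parses."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [{k: v.strip('"') for k, v in TOKEN.findall(line.strip()[4:])}
            for line in joined.splitlines() if line.strip().startswith("add ")]


def matches(rule, pkt, lists):
    """True if every matcher present on the rule matches the packet."""
    def iface(key, actual):
        return key not in rule or rule[key] == actual

    def ilist(key, actual):
        if key not in rule:
            return True
        want = rule[key]
        member = actual in lists.get(want.lstrip("!"), set())
        return member != want.startswith("!")          # '!LIST' negates the match

    return all([
        iface("in-interface", pkt.get("in")),
        iface("out-interface", pkt.get("out")),
        ilist("in-interface-list", pkt.get("in")),
        ilist("out-interface-list", pkt.get("out")),
        "protocol" not in rule or rule["protocol"] == pkt.get("proto"),
        "dst-address" not in rule or rule["dst-address"] == pkt.get("dst"),
        "dst-port" not in rule or rule["dst-port"] == str(pkt.get("dport")),
        "connection-state" not in rule or pkt["state"] in rule["connection-state"].split(","),
        "ipsec-policy" not in rule,                     # assumption: no IPsec traffic modelled
        rule.get("connection-nat-state") != "!dstnat" or pkt.get("nat") != "dstnat",
    ])


def verdict(rules, pkt, lists):
    """(action, comment) of the first terminating match, else RouterOS's default accept."""
    for rule in rules:
        if rule["chain"] != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        if not matches(rule, pkt, lists):
            continue
        if rule["action"] == "fasttrack-connection":
            continue                                    # marks the connection; packet continues
        return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (default policy)"


def pkt(chain, in_if, out_if=None, proto="tcp", dst="0.0.0.0", dport=0, state="new"):
    """Constructed sample packet; 'out' is None for the input chain."""
    return {"chain": chain, "in": in_if, "out": out_if, "proto": proto,
            "dst": dst, "dport": dport, "state": state}


if __name__ == "__main__":
    op, both = parse_rules(OP_RULES), parse_rules(OP_RULES) + parse_rules(HARDENED)
    winbox = pkt("input", "spynet vlan", dst="192.168.66.1", dport=8291)
    print("spynet -> winbox, as posted:", verdict(op, winbox, LISTS_AS_POSTED))
    print("spynet -> winbox, hardened: ", verdict(both, winbox, LISTS_AS_POSTED))
    www = pkt("forward", "spynet vlan", "vlan altibox", dst="1.1.1.1", dport=443)
    print("spynet -> internet, WAN list as posted:", verdict(both, www, LISTS_AS_POSTED))
    print("spynet -> internet, WAN list fixed:    ", verdict(both, www, LISTS_FIXED))
```

Two things the walk-through makes visible. First, the input chain as posted ends with a drop for `in-interface-list=!LAN`; "spynet vlan" is now in LAN, so a new winbox connection from spynet matches nothing and is accepted by the default policy, which is exactly what the OP observed. An explicit drop for the VLAN (after whatever it is allowed to reach) closes that. Second, list matchers only see interfaces that are actually in the list: in the posted config WAN contains only ether1 while the internet rides on "vlan altibox", so `out-interface-list=WAN` would not match spynet's outbound traffic and `in-interface-list=WAN` does not match inbound traffic on the uplink either; adding "vlan altibox" to the WAN list (the `LISTS_FIXED` assumption here) makes both rules behave as intended.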
