DISCLAIMER - You have to manually add every VLAN to every CAP where you want the CAP to have access to that particular VLAN. This becomes a serious issue when you have lots of VLANs or CAPs; a script to maintain this is recommended in that case!
If you understand VLANs and want to skip to the good part, jump to the next post that deals with RADIUS and CAPsMAN.
Purpose
There is not a lot of clear information about how to accomplish this. There are bits and pieces on different sites, but it seems as if a lot of things are being assumed, and that makes things very complicated to figure out. I figured that it is easier to understand things when people who are just figuring them out are trying to explain them. Usually newbies don't think you are an idiot if you don't know something basic. Also, there are a couple of good tutorials in this forum (VLANs and WireGuard) and they are the most useful thing on the forum. I want to do the same for those trying to get RADIUS authentication on their wifi routers!
Disclaimer
* This is working on ROS7. DO NOT TRY ON ROS6
* I will not explain how to install the package for your ROS7 User Manager installation since there are plenty of easy examples of how to accomplish that.
* This is coming from someone who does this as a hobby. I am a manager at an institution that has NOTHING to do with computers. Needless to say, I am a novice but not an idiot. So take this tutorial with a grain of salt.
* I wrote this for myself and used Markdown. This forum doesn't have a way to display tables nicely.
* For the sake of this experiment, I will show most of the configuration. This should help you set up your own VLANs if you want; but it is not a tutorial on VLANs. I found it surprising that there are a couple of good tutorials on VLANs here. Check them out.
* I don't have spell check on this program. English is not my first language either. If you notice something, let me know and I will correct it.
* I WILL NOT TALK ABOUT FIREWALLS OR NAT HERE, NOR WILL I BE TALKING EXTENSIVELY ABOUT CAPsMAN. THAT MAY BE A PLACE WHERE YOUR CONFIGURATION BREAKS, BUT I AM NOT THE ONE TO TALK ABOUT THAT!
A problem many beginners have is that they learn by trial and error. Someone told me "Newbies learn by messing things up." If you are stuck somewhere, it may be better to start from the beginning and follow some simple examples. Once you have something working, then try something else.
Initial BRIDGE and VLAN SET-UP
IF YOU UNDERSTAND THIS SECTION, JUMP TO THE RADIUS SECTION, but you may need this as a reference for what I do later on. It takes 2 min to read and may be helpful!
VLAN Descriptions
| VLAN NAME | VLAN ID | SUMMARY | VLAN DESCRIPTION |
| --------- | ------- | ---------- | ------------------------------------------------------------ |
| VLAN100 | 100 | WORK | This VLAN will be used for work. The NAS will be included here since we use SMB to connect to some of the folders inside the NAS.|
| VLAN300 | 300 | GUESTS | Guest VLAN. It isolates people from our work and security VLANs|
BRIDGE and VLANS
The first thing you need to set up is the bridge. This is where you will put all the VLANs. Notice that VLAN filtering is still off (vlan-filtering=no): you set everything up first and turn filtering on at the very end, so you don't lock yourself out of the router halfway through.
Code:
/interface bridge
add add-dhcp-option82=yes comment="VLAN bridge" dhcp-snooping=yes frame-types=admit-only-vlan-tagged igmp-snooping=yes name=br-VLANs protocol-mode=none vlan-filtering=no
/interface vlan
add comment=Work interface=br-VLANs name=VLAN100 vlan-id=100
add comment=Guests interface=br-VLANs name=VLAN300 vlan-id=300
DHCP
First we add an IP address to each VLAN interface. Since this router provides DHCP and routing for these VLANs, it needs an address on every VLAN interface. Later on, in the bridge VLAN table, you also need to make sure that br-VLANs itself is tagged on every VLAN this router routes or serves DHCP for; otherwise the VLAN interface on the router never sees the traffic.
| VLAN NAME | VLAN ID | SUMMARY | IP Range |
| --------- | ------- | ---------- | ----------------------------- |
| VLAN100 | 100 | WORK | 192.168.100.100-192.168.100.200 |
| VLAN300 | 300 | GUESTS | 192.168.30.100-192.168.30.200 |
Code:
/ip address
add address=192.168.100.1/24 interface=VLAN100 network=192.168.100.0
add address=192.168.30.1/24 interface=VLAN300 network=192.168.30.0
/ip pool
add name=WorkPool ranges=192.168.100.100-192.168.100.200
add name=GuestsPool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=WorkPool disabled=no interface=VLAN100 lease-time=3h name=dhcpWork add-arp=yes
add address-pool=GuestsPool disabled=no interface=VLAN300 lease-time=2h name=dhcpGuests add-arp=yes
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
The real VLAN configuration takes place below.
Trunks and others
This is where things can get complicated. Not because it is hard, but because you need to cross-reference things. It helps to keep a few tables in mind as we move forward.
As you can see below, the ports have to be added to the VLAN bridge. If the port is a trunk there is no need to specify the pvid. If the port is a single untagged (access) port or a hybrid port, you need to specify the pvid, i.e. the VLAN that untagged frames entering that port are assigned to. Look at the reference tables if you get confused.
Ports by Interface
| Interface | Interface SUMMARY | Interface VLAN(S) |
| ---------- | ------------------------------ | ---------------------------------- |
| sfp+1 | => Main switch trunk | 100, 300 |
| sfp+2 | => Secondary switch trunk | 100, 300 |
| sfp+3 | => Sample computer | 100 |
| sfp+4 | => Sample computer | 300 |
| sfp+5 | => Front Office's fiber trunk | 100, 300 |
| ether1 | <= Wan | |
Sometimes it is easier to organize things by VLAN. An untagged (access) port carries a single VLAN: frames arrive and leave without an 802.1Q tag, and the bridge assigns them to the port's pvid. Ports that carry several VLANs, with each frame marked by its VLAN tag, are called tagged ports or trunks.
| VLAN Name | VLAN SUMMARY | Untagged Interfaces | Tagged Interfaces |
| --------- | ------------- | ------------------- | --------------------------------- |
| VLAN100 | WORK | sfp+3 | sfp+1, sfp+2, sfp+5 |
| VLAN300 | GUESTS | sfp+4 | sfp+1, sfp+2, sfp+5 |
Ingress Behavior
Ingress is what happens when frames enter the bridge through a port: untagged frames are assigned to the port's pvid, tagged frames keep their VLAN ID.
To make everything easy we start with the untagged ports, ordered by VLAN number. I used to add these by interface number, but I now find it easier to do it by VLAN id.
Untagged ports
Code:
# Access Ports
/interface bridge port
# VLAN100 - Work
add bridge=br-VLANs interface=sfp+3 pvid=100
# VLAN300 - Guest
add bridge=br-VLANs interface=sfp+4 pvid=300
Trunk Ports - Tagged
These are the tagged ports, i.e. the trunks. They also have to be added to the bridge, but there is no need to set a pvid: the default is 1, and since these ports will later be restricted to VLAN-tagged frames only, the pvid is never used.
Code:
add bridge=br-VLANs interface=sfp+1
add bridge=br-VLANs interface=sfp+2
add bridge=br-VLANs interface=sfp+5
The next thing we need to update is the actual VLAN table. Here we declare which ports carry which VLANs and how. Usually the tagged entries are the trunk ports, and the untagged ones are the ports where we connect devices or computers that are not VLAN capable.
** NOTE: We used to add the untagged interfaces here too, but it is NOT NECESSARY since recent RouterOS versions create a dynamic untagged entry automatically from each port's pvid. The only ports we add by hand are the trunk (tagged) ports, plus the bridge itself (br-VLANs) so that the router's own VLAN interfaces can reach each VLAN.**
Egress Behavior - Trunk ports
Code:
/interface bridge vlan
add bridge=br-VLANs comment="Work VLAN" tagged=br-VLANs,sfp+1,sfp+2,sfp+5 vlan-ids=100
add bridge=br-VLANs comment="Guest VLAN" tagged=br-VLANs,sfp+1,sfp+2,sfp+5 vlan-ids=300
As mentioned above, once the VLAN setup is finished, we enable bridge VLAN filtering. This is what actually makes the VLAN table and ingress filtering take effect. igmp-snooping, which controls multicast streams and prevents multicast flooding (available in RouterOS since version 6.41), was already enabled when the bridge was created. Notice below that, to add some security, we also set the frame-types option on every port.
VLAN Security
We make sure that every access port admits only untagged and priority-tagged frames (so a client cannot inject tagged frames to hop into another VLAN), and that every trunk port admits only VLAN-tagged frames. ingress-filtering=yes additionally drops frames tagged with a VLAN the port is not a member of in the bridge VLAN table; RouterOS 7 enables it by default, but setting it explicitly on the trunk ports as well does no harm. We are just updating the existing port entries, so this is an easy way to finish.
Code:
/interface bridge port
# Untagged Ports
set [find interface=sfp+3] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=sfp+4] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Tagged Ports
set [find interface=sfp+1] frame-types=admit-only-vlan-tagged
set [find interface=sfp+2] frame-types=admit-only-vlan-tagged
set [find interface=sfp+5] frame-types=admit-only-vlan-tagged
# FINISH VLAN CONFIG
/interface/bridge
set [find name=br-VLANs] vlan-filtering=yes
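As an added example (not part of the original post), here is a small RouterOS 7 audit script that checks the two things this configuration depends on: that br-VLANs is tagged in the bridge VLAN entry of every VLAN the router routes or serves DHCP for (the point made in the DHCP section), and that every port has been hardened as in the VLAN Security section (frame-types set, a non-default pvid on access ports, ingress filtering on trunks, and vlan-filtering switched on). The bridge name br-VLANs and the one-vlan-id-per-entry layout are assumptions taken from the configuration above; the script prints one WARN line per problem and changes nothing.

```routeros
# Added audit script, not part of the original post. It assumes the bridge is
# called br-VLANs and that each bridge VLAN entry carries a single vlan-id, as in
# the configuration above. Paste the whole block into a RouterOS 7 terminal.
{
:local br "br-VLANs"
:local problems 0

# Check 1: every /interface vlan on the bridge must have br-VLANs tagged in its
# bridge VLAN entry, or the router cannot route or serve DHCP for that VLAN.
:foreach v in=[/interface vlan find interface=$br] do={
    :local vid [/interface vlan get $v vlan-id]
    :local vname [/interface vlan get $v name]
    :local ok false
    :foreach e in=[/interface bridge vlan find bridge=$br] do={
        # vlan-ids is compared as a string; entries with ranges or lists
        # (e.g. 100,300) would need splitting first.
        :local ids [:tostr [/interface bridge vlan get $e vlan-ids]]
        :local tagged [:tostr [/interface bridge vlan get $e tagged]]
        :if (($ids = [:tostr $vid]) && ([:typeof [:find $tagged $br]] != "nil")) do={
            :set ok true
        }
    }
    :if (!$ok) do={
        :put ("WARN: " . $vname . " (vlan-id " . [:tostr $vid] . ") has no bridge VLAN entry with " . $br . " tagged")
        :set problems ($problems + 1)
    }
}

# Check 2: port hardening. Access ports must not sit on the default pvid 1,
# trunk ports must filter ingress, and no port may admit both frame kinds.
:foreach p in=[/interface bridge port find bridge=$br] do={
    :local ifname [/interface bridge port get $p interface]
    :local ft [/interface bridge port get $p frame-types]
    :local pvid [/interface bridge port get $p pvid]
    :local ingress [/interface bridge port get $p ingress-filtering]
    :if ($ft = "admit-all") do={
        :put ("WARN: " . $ifname . " admits tagged and untagged frames (frame-types=admit-all)")
        :set problems ($problems + 1)
    }
    :if (($ft = "admit-only-untagged-and-priority-tagged") && ($pvid = 1)) do={
        :put ("WARN: access port " . $ifname . " still uses pvid 1")
        :set problems ($problems + 1)
    }
    :if (($ft = "admit-only-vlan-tagged") && (!$ingress)) do={
        :put ("WARN: trunk port " . $ifname . " has ingress-filtering=no")
        :set problems ($problems + 1)
    }
}

# Check 3: none of the above takes effect until vlan-filtering is on.
:if (![/interface bridge get [find name=$br] vlan-filtering]) do={
    :put ("WARN: vlan-filtering is off on " . $br)
    :set problems ($problems + 1)
}

:put ("audit finished, " . [:tostr $problems] . " problem(s) found")
}
```

Run it after the last `set ... vlan-filtering=yes` above; on the configuration in this post it should report 0 problems, and it is a quick thing to re-run after adding a VLAN (and the matching CAP entries mentioned in the disclaimer) to confirm nothing was forgotten.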