plexorange
just joined
Topic Author
Posts: 4
Joined: Mon Jul 04, 2022 10:34 am

Issues with VLAN setup

Mon Jul 04, 2022 10:49 am

This should be a straight-out-of-the-examples setup, but I can't get it to work and I'm completely stumped at this point.
Using a RB3011 routerboard.
I'm setting up a "router on a stick" type setup.

I started from a default setup, removed some of the ports from the default bridge and created a new bridge called "bridge1".
I tried to keep the existing settings as much as possible, for reference and so I don't have to deal with accidentally taking out my connection.
I'm new to RouterOS and tried reading through the wiki. This setup feels copied off an example, but it doesn't seem to work.

Issue: I can't get DHCP to work on bridge1, and using a static IP doesn't seem to work either. I'm not using the switch chip; this is deliberate.
Any idea what I'm missing?

# jan/02/1970 05:34:10 by RouterOS 7.2.3
# software id = E78J-UB21
#
# model = RB3011UiAS
# serial number = xxxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:C1:6A:A1 auto-mac=no comment=defconf name=bridge
add name=bridge1 pvid=6 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=VLAN6 vlan-id=6
add interface=bridge1 name=VLAN11 vlan-id=11
add interface=bridge1 name=VLAN21 vlan-id=21
add interface=bridge1 name=VLAN31 vlan-id=31
add interface=bridge1 name=VLAN41 vlan-id=41
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=DHCP_POOL21 ranges=192.168.21.16-192.168.21.254
add name=DHCP_POOL11 ranges=192.168.11.16-192.168.11.254
add name=DHCP_POOL6 ranges=192.168.6.16-192.168.6.254
add name=DHCP_POOL31 ranges=192.168.31.16-192.168.31.254
add name=DHCP_POOL41 ranges=192.168.41.16-192.168.41.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=DHCP_POOL6 interface=VLAN6 name=DHCP6
add address-pool=DHCP_POOL41 interface=VLAN41 name=DHCP41
add address-pool=DHCP_POOL21 interface=VLAN21 name=DHCP21
add address-pool=DHCP_POOL31 interface=VLAN31 name=DHCP31
add address-pool=DHCP_POOL11 interface=VLAN11 name=DHCP11
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=6
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=41
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether3 vlan-ids=6
add bridge=bridge1 tagged=ether2 untagged=ether4 vlan-ids=11
add bridge=bridge1 tagged=ether2 untagged=ether5 vlan-ids=41
add bridge=bridge1 tagged=ether2 vlan-ids=31
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.6.1/24 interface=VLAN6 network=192.168.6.0
add address=192.168.11.1/24 interface=VLAN11 network=192.168.11.0
add address=192.168.21.1/24 interface=VLAN21 network=192.168.21.0
add address=192.168.31.1/24 interface=VLAN31 network=192.168.31.0
add address=192.168.41.1/24 interface=VLAN41 network=192.168.41.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.21.0/24 dns-server=192.168.21.1 gateway=192.168.21.1
add address=192.168.31.0/24 dns-server=192.168.31.1 gateway=192.168.31.1
add address=192.168.41.0/24 dns-server=192.168.41.1 gateway=192.168.41.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.6.1 name=router.lan2
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Test rule, allow access from bridge1" in-interface=bridge1 src-address=0.0.0.0
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Issues with VLAN setup

Mon Jul 04, 2022 4:21 pm

If you want to use a VLAN interface for VLAN X, you need VLAN X listed as tagged on the parent bridge in "/interface bridge vlan". You do have that for VLAN 6, which is exactly the one where you don't need it, but not for the others where you do.

As for VLAN 6, the slightly confusing thing is that the bridge itself can be an access port (an untagged member of a VLAN). That's what its pvid=6 does. So you can either use that and, in "/interface bridge vlan", list bridge1 as untagged for VLAN 6, or you can keep the default pvid=1 for bridge1 and use the same config for VLAN 6 as for the other VLANs.
 
plexorange
just joined
Topic Author
Posts: 4
Joined: Mon Jul 04, 2022 10:34 am

Re: Issues with VLAN setup

Mon Jul 04, 2022 7:04 pm

Thanks for the response.

I reassigned bridge1 as untagged for VLAN6, but I'm really struggling to understand the first part of your response.

The configuration for VLAN 6 doesn't seem any different from the other ones:
the VLANs are tagged on the parent bridge in "/interface bridge vlan".

This is from the original config:
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether3 vlan-ids=6
add bridge=bridge1 tagged=ether2 untagged=ether4 vlan-ids=11
add bridge=bridge1 tagged=ether2 untagged=ether5 vlan-ids=41
add bridge=bridge1 tagged=ether2 vlan-ids=31
Or do you mean something like this? (This seems crazy... but then again I'm literally going crazy at this point.)
/interface vlan
add interface=bridge1 name=VLAN6 vlan-id=6
add interface=bridge1 name=VLAN11 vlan-id=11
add interface=bridge1 name=VLAN21 vlan-id=21
add interface=bridge1 name=VLAN31 vlan-id=31
add interface=bridge1 name=VLAN41 vlan-id=41

/interface bridge port
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge1 interface=ether2 pvid=6
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=6
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=41
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=VLAN6 pvid=6
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=VLAN11 pvid=11
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=VLAN31 pvid=31
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=VLAN41 pvid=41
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=VLAN21 pvid=21

/interface bridge vlan
add bridge=bridge1 tagged=ether2,VLAN6 untagged=ether3,bridge1 vlan-ids=6
add bridge=bridge1 tagged=ether2,VLAN11 untagged=ether4 vlan-ids=11
add bridge=bridge1 tagged=ether2,VLAN41 untagged=ether5 vlan-ids=41
add bridge=bridge1 tagged=ether2,VLAN31 vlan-ids=31
add bridge=bridge tagged=VLAN21,ether2 vlan-ids=21
What's the point of this? https://help.mikrotik.com/docs/display/ ... einterface
This claims that setting up a DHCP server on a VLAN interface assigned to a bridge should work.
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with VLAN setup  [SOLVED]

Mon Jul 04, 2022 8:34 pm

Well, you have two choices.
There is no need for two bridges, nor for having a LAN subnet without a VLAN.
In other words, the way I would approach this is to make the .88 LAN simply another vlan88, then have one bridge and distribute the VLANs accordingly as
access, trunk or (not normally used) hybrid ports.

However, let's go with the mess you have of two bridges: one simply to distribute the LAN and one for the other VLANs.

(1) DO NOT ASSIGN PVIDs to bridge definitions unless you are an advanced user and know what you are doing, rather than copying someone else's config. So the first step is:
add name=bridge1 vlan-filtering=no ( change vlan-filtering to yes as the last step ). As Sob noted, leave the PVID at the default of 1, and don't mess with it!!

(2) Looking at the bridge port settings, I see ethernet interfaces ether6 through sfp1 all being served the basic .88 LAN.
I see ether2-5 being served by the VLAN-centric bridge, with ether2 being a trunk port and ether3, 4 and 5 being access ports.

(3) Looking at the bridge VLANs: you are just missing adding the bridge itself to the tagged entries.
/interface bridge vlan
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether3 vlan-ids=6
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether4 vlan-ids=11
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether5 vlan-ids=41
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=31

(4) Your interface list members seem incomplete, and one entry is bogus (a LAN2 member with no interface):
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN2


Suggested instead:
add interface=bridge list=LAN
add interface=vlan11 list=LAN2
add interface=vlan21 list=LAN2
add interface=vlan31 list=LAN2
add interface=vlan41 list=LAN2

(Or if you meant it the other way around regarding which is LAN and which is LAN2? Who knows what you were thinking.)
(Personally, they should all be on the same LAN list, and if you need a separate list specifically for the VLANs then it would look like so:)
add interface=bridge list=LAN
add interface=vlan11 list=LAN
add interface=vlan21 list=LAN
add interface=vlan31 list=LAN
add interface=vlan41 list=LAN
add interface=vlan11 list=LAN2
add interface=vlan21 list=LAN2
add interface=vlan31 list=LAN2
add interface=vlan41 list=LAN2

NOTE: After reviewing your rules I don't see any purpose in having a second list (LAN2) yet, but maybe in the future? In any case, they should all at least be identified to the LAN list.

(5) See the changes below to make your firewall rules better. Get rid of silly test rules. If you are not using CAPsMAN, get rid of that rule as well.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment= in-interface-list=LAN *****
add action=drop chain=input comment="drop all else"

***** In reality only the admin needs FULL access to the router, and users typically only need DNS services, so I prefer the following three rules instead of the starred one:
add action=accept chain=input in-interface-list=LAN src-address=IPof_Admin_PC (or src-address-list=authorized, where "authorized" is a firewall address list of IPs for the admin desktop, admin laptop, admin iPad, admin smartphone etc.)
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp

FORWARD CHAIN
The last rule can be done better; I prefer the following three clearer, more secure and forward-looking rules:

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state= dstnat
add action=drop chain=forward comment="drop all else"

(6) See the change below: the MAC server is not encrypted/protected, so its allowed interface list should be set to none.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
plexorange
just joined
Topic Author
Posts: 4
Joined: Mon Jul 04, 2022 10:34 am

Re: Issues with VLAN setup

Tue Jul 05, 2022 2:35 am

Thanks for posting that config and for the info about the MAC server.

For some reason I was thinking there could only be one bridge1 entry in /interface bridge vlan, and that the other VLANs could communicate with it because they had ether2 tagged and ether2 has access to bridge1.

DHCP is working. I added bridge1 as tagged to each entry in /interface bridge vlan. I'll take another look at the PVID/default VLAN ID for the bridge.

The settings related to the .88 LAN and the bridge were just a stub/temporary setting. Anything related to the bridge/.88 LAN is getting thrown out. Currently the unit isn't protecting anything and is still behind a router.
