 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Separated VLANs

Sat Jul 30, 2022 5:44 pm

Hi,
I would like to create two separate VLANs to separate the traffic on two subnets.

Currently ether1 is the WAN port and ether2-ether5 and wlan1-wlan2 are in the same LAN subnet.
I would like to create one LAN subnet with ether2-ether4 and wlan1-wlan2 and one second subnet with ether5.
The IP address of the first subnet (192.168.1.0/24) does not change and the new LAN subnet gets a new IP address and range (10.10.1.1/24). There must be a DHCP server on the second subnet.

It is important that the two subnets do not see each other and that there is no traffic between them.
Would VLAN be the solution? How should the current configuration be transformed?

Could someone help me?

Thank you for your help
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Separated VLANs

Sat Jul 30, 2022 6:23 pm

Have a very good look at this great topic:
viewtopic.php?t=143620

And...yes, VLAN Is a very decent way.
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Sat Jul 30, 2022 7:32 pm

Dear erlinden,

thank you for your advice, I read it.
My problem is that the working configuration should be modified and I am looking for help with this. I hope someone will be able to tell me what needs to be changed step by step.
If you could help me with this, I would be very happy.

Thanks for your help
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Separated VLANs

Sat Jul 30, 2022 10:16 pm

Make a bridge LAN1 of the ether2-ether4 interfaces and assign/move the current IP, DHCP server etc. to it.
Make a second bridge LAN2, assign the remaining interfaces to it, create a new DHCP server, assign an IP etc.
To block traffic between LAN1 and LAN2 you just need to create drop rules in the forward chain like this:
/ip firewall filter
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.10.0/24
or you may use the "in" and "out" interfaces in the configuration for this.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Separated VLANs

Sun Jul 31, 2022 4:04 am

It is important that the two subnets do not see each other and that there is no traffic between them.
Would VLAN be the solution?
You do need two subnets, each on different logical interfaces (each on a separate broadcast domain). But you also need firewall rules to block traffic between the two subnets to prevent traffic from being routed.

So VLAN would be one solution. And it is the most general solution, but vlans are another layer of abstraction, and with that comes more complexity.

As stated, you could just remove the ether5 Ethernet port from the bridge and assign it its own IP address in another subnet. That may be easier for a novice to understand and would be identical in behavior for most things (for example if you had a single non-VLAN-aware device connected to ether5, whether that was a single host or a dumb Ethernet switch with many hosts attached).

The advantage of using VLANs is the extra layer of abstraction, as it removes the routed interface from a specific hardware port. Instead, you associate the physical ports with the VLAN(s) you want that physical port to be able to pass traffic for. This becomes important if you want to connect a VLAN-aware device that needs access to multiple VLANs, for example a wifi access point with multiple SSIDs, or a connection to another VLAN-aware switch on the other end of a long single trunk cable. Another reason would be if you wanted two ports in each VLAN, instead of 1 and 3.
My problem is that the working configuration should be modified and I am looking for help with this. I hope someone will be able to tell me what needs to be changed step by step.
If you could help me with this, I would be very happy.
Spoon feeding is not generally the level of help you will get on a forum. You are expected to put some effort in yourself.

As far as I know, the link already provided is the closest thing to a "recipe book" for common use cases. You will have to read it and try to understand it, and after you have read it and gotten stuck, then come back with the specific questions that you need help with.

And when asking questions, we expect you to provide us with actionable information. You didn't even specify what type of router you have, or what version of firmware you are using, or if there is other equipment involved (like downstream switches or access points), and what your requirements are. A sanitized configuration export is the absolute minimum needed (leave the model type and RouterOS version, but remove the serial number; I also like to remove the software ID, which I think is unique to the router's license):

# jul/30/2022 20:55:59 by RouterOS 7.4 <- leave this, it is important because it shows version and timestamp (in case you post your config multiple times, this can be used to find the correct one),
# software id = **remove** (I am not sure this needs removed, but I do)
#
# model = RB760iGS <- leave this, as it shows us what hardware you are using.
# serial number = **remove** (this is used if you save your config in the cloud)

See Getting Answers and How to Report Bugs Effectively
@anav's NEW USER POSTING FOR ASSISTANCE
Last edited by Buckeye on Thu Aug 04, 2022 9:47 pm, edited 2 times in total.
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Sun Jul 31, 2022 4:18 pm

Thank you very much for the helpful answers and help.

My problem is that I have to make changes on a working device and I don't want to make a mistake because then we can't work. I have to be careful. That's why I'm asking for help...

@BartoszP Thanks for your suggestion, it helps a lot.
@Buckeye Thank you for the detailed information and sorry that I did not write more precise details the first time. I thought that the helpful forum members would ask for the information they considered necessary.
It's really no problem to remove the ether5 from the bridge and set it up.
The problem is putting ether2, ether3 and ether4 in a separate VLAN because of the existing configuration, since it has to be set in many places and if I screw it up, nothing works. I want to avoid that.

The type of router is a hAP ac2, which I work with. What I have done so far:
To be safe, I made a backup of the config.
This morning I borrowed the same router from a friend for testing.
I updated this test router to the latest firmware because mine was already updated.
I uploaded the configuration of my own router to the test router.
I removed ether5 from the bridge, it got a new IP address from another IP address range and I also created a DHCP server for this range.

The next step will be to configure VLANs and firewall rules.

What do you recommend that I pay attention to so that there are no problems?

Thank you for your help.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Wed Aug 03, 2022 3:27 am

 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Thu Aug 04, 2022 8:41 pm

Unfortunately, I was unsuccessful. After creating the VLANs, DHCP did not work and I could not connect to the router using Winbox or ssh.

I used this forum comment created by @pcunite:
viewtopic.php?t=143620&sid=95e9dd579219 ... 7f3ef7e810
I used the Router-Switch-AP (all in one) RouterSwitchAP.rsc file.

Since I was not successful, I decided to upload the RouterSwitchAP.rsc file created by @pcunite to the hap ac2 test router and test it.
Unfortunately, the situation has not changed: there is no DHCP and neither a Winbox nor an ssh connection to the router is possible.

Therefore, I performed the setting without applying the last line (/interface bridge set BR1 vlan-filtering=yes) and apparently everything is correct in the config according to the contents of the rsc file.
Of course, I set false data for the WAN port and also set DHCP for BASE_VLAN. DHCP still doesn't work on the individual VLANs and if I set vlan-filtering=yes to bridge, I can't connect to the router.

I have attached the test config that I modified.

Thanks for your help.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Thu Aug 04, 2022 9:10 pm

Please provide the normal config file, not whatever you have provided. /export
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Thu Aug 04, 2022 10:00 pm

Excuse me @anav, and thank you for your help. I hope this is the format you meant.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Fri Aug 05, 2022 12:37 am

(1) The IP address for your WAN is incorrect.
from:
add address=192.168.100.0/24 interface=ether1 network=192.168.100.0
TO:
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0

(2) This makes no sense, can you figure out why :-)
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN


Answer: The second one is redundant, as it is covered by the first rule. What it should indicate to you is the question: why did I give everyone on VLAN access to the router?

TO:
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN dst-port=53 protocol=udp

add action=drop chain=input

If there are many on the base vlan consider adding src-address-list to the rule with dst-port=winboxport protocol=tcp with only the admin device IPs on the address list.

(3) Since your WAN IP seems to be static (fixed), the better form for the source NAT rule is
from
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN

TO:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.100.1

(4) Missing firewall rules FIXED:
/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN  dst-port=53  protocol=tcp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN  dst-port=53  protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.100.1
(5) The Mac server alone is not a secure access method and should be set to none.
/tool mac-server
set allowed-interface-list=NONE
Last edited by anav on Fri Aug 05, 2022 1:24 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Fri Aug 05, 2022 12:42 am

Finally a personal beef is leaving out /interface bridge vlans

I use it as a crosscheck with the /interface bridge ports to ensure intentions are correctly applied.
Often it's easy to spot errors in intentions when both can be matched up!!
Makes it easier to read overall.

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4,wlan3 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=wlan4 vlan-ids=99
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Fri Aug 05, 2022 1:12 am

@anav Thank you very much for your comments and suggestions. I will try how it works because I want to understand it on a working configuration. After that, I can modify the live router with vlans...

The WAN port setting is fixed because I connected it behind my own router... In the end, it will be pppoe.

Do the following lines appear twice in the firewall rules?

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

I noticed that not everything from @pcunite's RouterSwitchAP.rsc file was loaded during the import. I have now compared the import and export and see this. The following seem to have been omitted during the import, at least I can't find them in the export:

# ingress behavior
/interface bridge port

# Blue VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10

# Green VLAN
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=wlan2 pvid=20

# BASE_VLAN
add bridge=BR1 interface=wlan3 pvid=99

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]

This really is so; what could be the reason for this?

Thanks and Regards
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Fri Aug 05, 2022 1:18 am

No idea, I don't implement his config verbatim, I do it in winbox
working my way through the config.

What I get from pcunite is: one bridge, create vlans with the bridge as interface,
provide subnet setup for each vlan,
assign /interface bridge ports and bridge vlans,
set up firewall rules,
set up routing,
activate vlan filtering.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Separated VLANs

Fri Aug 05, 2022 1:26 am

I noticed that not everything from @pcunite's RouterSwitchAP.rsc file was loaded during the import ... what could be the reason for this?
Did you follow the instructions at the top (from the RouterSwitchAP_mod.rsc file you loaded)?

# Notes: Start with a reset (/system reset-configuration)
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Fri Aug 05, 2022 11:31 am

@Buckeye Yes, of course.

@anav
Do the following lines appear twice in the firewall rules?

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

Thank you for your help.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Fri Aug 05, 2022 1:23 pm

Hi Steve, my bad, copy and paste error, they do not; the second set is supposed to be the forward chain (one should keep chains together so it makes sense and is easy to read). Fixed above.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Separated VLANs

Fri Aug 05, 2022 2:53 pm

I noticed that not everything from @pcunite's RouterSwitchAP.rsc file was loaded during the import. ... This is really so, what could be the reason for this?
Then perhaps try this method, Cloning MikroTik Routers, Quick and Easy by Steve Discher, referenced in this thread: importing and exporting config files. But do read post #20 by @Sob.
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: Separated VLANs

Fri Aug 05, 2022 3:47 pm

Hmm. First, sorry for my noobness, but I think I will share my noob experience..

I usually use the PCUnite template too and have sometimes found errors when exporting it to a new router (like when I set up my hAP-AC3 and RB4011iGS+5HacQ2HnD-IN before), even though I followed all the procedure there, like starting with a reset (/system reset-configuration).

What I do is follow the template and change all the properties like addresses etc. according to my network needs. Then I paste it through the winbox terminal one by one...

PLUS, for this section:
# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
I found I must fill in the information there just as the real network needs it, so it becomes like @anav's comment before:
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4,wlan3 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=wlan4 vlan-ids=99
CMIIW. Sorry for my noobness.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separated VLANs

Fri Aug 05, 2022 6:42 pm

Concur, his article can be confusing in that regard.
Does this make sense to you......
My advice is not to config/copy PCUnite's formats, it's stilted and confusing. Instead, simply using winbox, work through the Configuration Steps logically.

FIRST though, take one etherport and configure it so that it is accessible off the bridge to avoid getting locked out!!. SEE PARA A. above!!!
Add Bridge (or modify default Bridge as required)
Add VLANS with the parent interface being the Bridge
Create Subnet Structure for each VLAN (and likely modify the default subnet to be one of the VLANs)
Construct /interface bridge ports ( etherports and WLANs as applicable )
Construct /interface bridge vlans ( tagged and untagged **** Should match up with /interface bridge ports as a cross-check )
Make Changes to LAN Interface List ( remove bridge and add all vlans typically)
Add Management/Base Interface List & applicable members (Base Vlan and off bridge etherport for example)
Adjust Firewall Rules as necessary (Base List to Input, LAN List to input for DNS only, etc..)
Go to CLI and run export and see if any errors crop up.
Turn on bridge vlan filtering.
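As an added example (not code from this thread, from pcunite's file or from MikroTik), a small Python checker that does the cross-check anav describes mechanically: it parses the /interface bridge port and /interface bridge vlan sections of an /export (including the backslash-wrapped lines an export produces) and reports every port whose pvid is not mirrored in the static bridge vlan table, every untagged member whose pvid disagrees or which is not a bridge port at all, and every vlan in which the bridge itself is not a tagged member. The bridge name BR1 is taken from the thread; the embedded sample export is constructed from the port rows and vlan rows quoted above, which do not agree with each other.

```python
import shlex

# Constructed sample, not a real export: port rows as quoted from pcunite's file in the thread,
# vlan rows as posted by anav, so the two tables deliberately disagree.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=wlan2 pvid=20
add bridge=BR1 comment="management only" interface=wlan3 \\
    pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4,wlan3 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=wlan4 vlan-ids=99
"""

def _logical_lines(text):
    """Yield export commands with continuation lines (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = line[:-1] + " " if line.endswith("\\") else ""
        if not buf:
            yield line

def parse_export(text):
    """Return (ports, vlans): interface -> pvid, and vlan-id -> {'untagged': set, 'tagged': set}."""
    ports, vlans, section = {}, {}, None
    csv = lambda v: {x for x in v.split(",") if x}
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header such as /interface bridge port
            section = line
            continue
        tokens = shlex.split(line)          # copes with quoted values like comment="..."
        if tokens[0] != "add":              # both tables export as 'add' rows
            continue
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if section == "/interface bridge port" and "interface" in kv:
            ports[kv["interface"]] = int(kv.get("pvid", 1))    # export omits the default pvid 1
        elif section == "/interface bridge vlan" and "vlan-ids" in kv:
            for part in kv["vlan-ids"].split(","):             # accepts both 10,20 and 10-20
                lo, _, hi = part.partition("-")
                for vid in range(int(lo), int(hi or lo) + 1):
                    vlans[vid] = {k: csv(kv.get(k, "")) for k in ("untagged", "tagged")}
    return ports, vlans

def cross_check(ports, vlans, bridge="BR1"):
    """Return mismatch descriptions; an empty list means the two tables agree."""
    problems = []
    for iface, pvid in sorted(ports.items()):
        entry = vlans.get(pvid)
        if entry is None:
            problems.append(f"{iface}: pvid {pvid} has no static bridge vlan row")
        elif iface not in entry["untagged"]:
            problems.append(f"{iface}: pvid {pvid} but not an untagged member of vlan {pvid}")
    for vid, entry in sorted(vlans.items()):
        for iface in sorted(entry["untagged"]):
            if iface not in ports:
                problems.append(f"vlan {vid}: untagged member {iface} is not a bridge port")
            elif ports[iface] != vid:
                problems.append(f"vlan {vid}: {iface} is untagged here but its pvid is {ports[iface]}")
        if bridge not in entry["tagged"]:   # the router can route a vlan only if the bridge is tagged in it
            problems.append(f"vlan {vid}: {bridge} is not a tagged member, so it cannot be routed")
    return problems
```

Run `cross_check(*parse_export(text))` on the text of your own /export before turning on vlan-filtering; on the constructed sample it reports wlan2 and wlan3 missing from their vlans, wlan3 sitting in vlan 20 with pvid 99, and wlan4 not being a bridge port at all.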
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Fri Aug 05, 2022 9:25 pm

I am happy to report that I managed to get the router working with VLANs. It works and I get a DHCP IP address on all ports.

@Buckeye
Thank you for your advice and link they were useful.

@rumahnetmks
You weren't noobness... :) What you wrote was helpful.

@anav
Thank you for your help and advice. It was very useful and helped a lot.

The next step will be to investigate and understand the operation more precisely. After that, the configuration of the currently working router must be modified in a test environment, and if this is also successful, it can go live.

Thank you all for your help so far. I'll report back as soon as I get around to continuing.

Thanks and Regards
 
barkingdoggy
just joined
Posts: 18
Joined: Mon Jul 04, 2022 7:48 pm

Re: Separated VLANs

Mon Aug 08, 2022 4:30 pm

Please post the /export config you got to work. What insights can you share? Thanks.
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Sun Aug 21, 2022 8:36 pm

Hi,
First of all, thank you all for your help so far.

After I managed to make the VLAN configuration work with your help, I tried to change the configuration of my own router to work with VLANs. Basically, the problems were solved and the router works with VLANs. I have only one problem that I haven't been able to solve for days and I would probably need a fresh set of eyes to solve it.

I should connect to the router via VPN from a laptop or mobile phone. I set up a L2TP/IPSec VPN for this purpose in the same way as the previous configuration with which it worked before. Now it doesn't work with VLAN config. I'm confused and can't see what I'm doing wrong anymore...

Could someone help me?

I am attaching the router config...

Thank you for your help.
Last edited by steve800 on Mon Aug 22, 2022 11:06 pm, edited 1 time in total.
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Sun Aug 21, 2022 8:48 pm

Sorry, I forgot to describe the problem.

The laptop or mobile phone can connect to the router with L2TP/IPSec VPN, it receives an IP address from the BLUE_POOL, but it cannot connect and ping the devices in the BLUE network.

What could be the problem?

Thank you for your help.
 
steve800
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Dec 30, 2019 10:36 pm

Re: Separated VLANs

Mon Aug 22, 2022 5:02 pm

I changed the ARP value from enabled to proxy-arp under Interfaces, Interface BLUE_VLAN. Now the L2TP/IPSec connection works fine.
