broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

My VLAN final setup

Tue Nov 08, 2022 6:12 pm

Hi,
I came up with my VLAN final setup eventually.
Here is the diagram. Everything is set up on a VM workstation virtual environment:

[Image: network diagram]

The router setup:
# oct/22/2022 13:30:41 by RouterOS 7.5
# software id = 
#
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=TRUNK
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Blue_VLAN vlan-id=30
add interface=BR1 name=Green_VLAN vlan-id=10
add interface=BR1 name=Red_VLAN vlan-id=20
/disk
set sata1 disabled=no
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=Green_POOL ranges=10.0.10.2-10.0.10.254
add name=Red_POOL ranges=10.0.20.2-10.0.20.254
add name=Blue_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=Green_POOL interface=Green_VLAN name=Green_DHCP
add address-pool=Red_POOL interface=Red_VLAN name=Red_DHCP
add address-pool=Blue_POOL interface=Blue_VLAN name=Blue_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=30
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 untagged=ether4 vlan-ids=99
add bridge=BR1 tagged=BR1,ether1 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether1 vlan-ids=20
/interface list member
add interface=ether5 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=Blue_VLAN list=VLAN
add interface=Green_VLAN list=VLAN
add interface=Red_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=10.0.10.1/24 interface=Green_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=Red_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=Blue_VLAN network=10.0.30.0
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
/ip dhcp-client
add interface=ether5 use-peer-dns=no
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.99.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.99.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.99.1 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input in-interface-list=WAN src-address=192.168.3.100
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="Allow DNS services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow DNS services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow Green_VLAN" in-interface=\
    Green_VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface-list=\
    VLAN
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
    drop_in
add action=drop chain=forward comment=Drop log=yes log-prefix=drop_forw
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
set enabled=yes

The switch/AP setup:
# oct/25/2022 16:21:13 by RouterOS 7.5
# software id = 
#
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=TRUNK
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/disk
set sata1 disabled=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=20
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=ether1,BR1 vlan-ids=99
/ip address
add address=192.168.99.2/24 interface=BASE_VLAN network=192.168.99.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
/ip route
add distance=1 gateway=192.168.99.1
/system identity
set name=switch-AP
/tool romon
set enabled=yes

I enabled access from the WAN port just for my physical PC in order to connect via Winbox to the virtual Mk router.
I then created a virtual Windows PC in VMworkstation to check every port in the switch/AP, in which I installed Winbox too, so that the access via WAN wouldn't be necessary anymore.
As far as I've understood everything works properly. However, any suggestions would be very welcome.
Thanks
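
As an added example (not part of the original post and not MikroTik tooling), a small Python check that cross-references each bridge port's pvid and frame-types with the `/interface bridge vlan` table of the switch/AP export above. The helper names `parse` and `audit` are hypothetical, and the check assumes `vlan-ids` holds single IDs or comma lists.

```python
import re
# Bridge sections copied from the switch/AP export in the post above.
EXPORT = r"""/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=20
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=ether1,BR1 vlan-ids=99"""

def parse(export):
    """Map each '/section' header to the key=value dicts of its 'add' lines."""
    sections, rows = {}, None
    for line in re.sub(r"\\\n\s*", "", export).splitlines():  # join '\' continuations
        if line.startswith("/"):
            rows = sections.setdefault(line.strip(), [])
        elif line.startswith("add ") and rows is not None:
            rows.append(dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv))
    return sections

def audit(export):
    """Cross-check per-port pvid/frame-types against the bridge VLAN table."""
    cfg, table = parse(export), {}
    for row in cfg.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):  # assumes IDs or comma lists, no ranges
            entry = table.setdefault(int(vid), {"tagged": set(), "untagged": set()})
            for kind in entry:
                entry[kind].update(filter(None, row.get(kind, "").split(",")))
    findings = []
    for port in cfg.get("/interface bridge port", []):
        name, pvid = port["interface"], int(port.get("pvid", 1))
        ftype = port.get("frame-types", "admit-all")
        gaps = sorted(v for v, e in table.items() if name not in e["tagged"])
        if ftype == "admit-only-vlan-tagged" and gaps:  # trunk missing a VLAN
            findings.append(f"{name}: trunk not tagged in VLAN(s) {gaps}")
        for vid, e in sorted(table.items()):
            if name in e["untagged"] and vid != pvid:  # ingress and egress VLAN differ
                findings.append(f"{name}: untagged in VLAN {vid} but pvid={pvid}")
            if name in e["tagged"] and ftype.startswith("admit-only-untagged"):
                findings.append(f"{name}: tagged in VLAN {vid} but admits only untagged")
    return findings
```

Run against the posted switch/AP sections, `audit(EXPORT)` returns an empty list; a finding appears only when a port's pvid and its VLAN-table membership disagree or the trunk is missing from a VLAN.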
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: My VLAN final setup

Wed Nov 09, 2022 5:09 am

Your diagram "image" is not viewable.

It would be better to use the "Attachments" feature, upload then "insert inline".
 
JoshDi
newbie
Posts: 37
Joined: Fri May 21, 2021 4:49 pm

Re: My VLAN final setup

Wed Nov 09, 2022 5:38 am

I can see his network diagram inline...
 
broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: My VLAN final setup

Wed Nov 09, 2022 11:54 am

> Your diagram "image" is not viewable.
>
> It would be better to use the "Attachments" feature, upload then "insert inline".

I don't know. I can't see it regularly in all browsers on my pc
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: My VLAN final setup

Wed Nov 09, 2022 12:22 pm

Do not use 3rd party image hosting for monetizing or not, use "attachments" tab on post edit and add image here.

It is perfectly useless to bother forum users with other sites, when already on this forum you can put images and files of any kind.
 
broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: My VLAN final setup

Wed Nov 09, 2022 12:27 pm

> Do not use 3rd party image hosting for monetizing or not, use "attachments" tab on post edit and add image here.
>
> It is perfectly useless to bother forum users with other sites, when already on this forum you can put images and files of any kind.

Monetizing? Really?
Anyway, I had problems with uploading images here so I turned to this kind of service, which I use regularly on other forums too.
I'll give the attachments method another try. It actually bothers me using these services because it takes more time, but I can't do without many times.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My VLAN final setup

Wed Nov 09, 2022 1:13 pm

I don't use bridges where, on the bridge itself, vlan filtering is set to only allow vlan tags, so not qualified to comment on config.
 
broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: My VLAN final setup

Wed Nov 09, 2022 1:27 pm

> I don't use bridges where, on the bridge itself, vlan filtering is set to only allow vlan tags, so not qualified to comment on config.

You don't use this setting?
add frame-types=admit-only-vlan-tagged name=BR1 protocol-mode=none \
    vlan-filtering=yes
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My VLAN final setup

Wed Nov 09, 2022 4:20 pm

NOPE. The only changes I make to default are
a. possibly change bridge name
b. set vlan filtering=yes after the config is mostly done.

I use interface bridge ports to set ingress filtering and frame types for vlans, depending if port/wlan is Trunk, Access, or Hybrid.
 
broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: My VLAN final setup

Wed Nov 09, 2022 7:53 pm

> NOPE. The only changes I make to default are
> a. possibly change bridge name
> b. set vlan filtering=yes after the config is mostly done.
>
> I use interface bridge ports to set ingress filtering and frame types for vlans, depending if port/wlan is Trunk, Access, or Hybrid.

Yes, I think that you told me that once already.
To be honest, even though I managed to set VLANs up and make them work eventually, it doesn't mean that I've understood everything about it. That "Bridge-tagged" stuff is still rather unclear to me (and yes I already read the article linked in the main topics about VLANs, more than one time actually).
I'm going to set Zerotier or just Wireguard on my virtual environment, if possible, and make them work with VLANs and see what happens and which problems I'll probably run across, just for learning purposes.
But before that, I need to know if I got everything right so far.
Thanks
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: My VLAN final setup

Fri Nov 11, 2022 9:43 pm

> I don't know. I can't see it regularly in all browsers on my pc

I can see it now, and the link looks similar to the way it was when I first looked. All I saw was a small "icon" and it had something like "image" on it. When I tried pasting the link into the browser, I got a message about logging in. That's when I left my post.

Sometimes the images in pcunite's Using RouterOS to VLAN your network do the same thing. I am not sure what has changed.

Oddly if you use the MikroTik local attachment method to post images, you can't see them unless you are logged into the forum.

So each way has advantages and disadvantages.
