 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

VLAN configuration check for RB4011

Mon Jan 16, 2023 6:00 pm

Hello everyone,
I've spent several weeks already trying to wrap my head around this, as I'm not exactly a network expert. I do understand how VLANs work, but I am really unsure if I got this right.

What I want is essentially to have all VLANs, including the default one, served through the SFP-SFPPlus1 uplink, as WiFi is only provided via an external access point. Between the RB4011 and the access point there's a switch involved, since we don't have an optical link on the access point. We have Internet coming in on Ether1 (DHCP), and Ether2 is serving the default VLAN (both on the default bridge). Ether3 to Ether10 all serve one VLAN (VLAN 60); all other VLANs are served by the switch and the access point via SFP-SFPPlus1.

According to the access point vendor (Aruba), I should have a hybrid trunk setup, as they don't seem to like a tagged-only trunk. So I guess from the RB to the intermediate switch I should go with a hybrid port too, instead of tagging everything, and then on the switch-to-AP connection go with a hybrid port as well.

Picture of Network Layout: [image]

I'm using the default configuration on the RB4011 with RouterOS v7.6, so I would add this to the router:

/interface bridge
add name=bridge-vlan20 comment="VLAN20 bridge"
add name=bridge-vlan30 comment="VLAN30 bridge"
add name=bridge-vlan40 comment="VLAN40 bridge"
add name=bridge-vlan50 comment="VLAN50 bridge"
add name=bridge-vlan60 comment="VLAN60 bridge"
add name=bridge-vlan120 comment="VLAN120 bridge"
/interface vlan
add name=20 vlan-id=20 interface=bridge-vlan20 comment="VLAN20"
add name=30 vlan-id=30 interface=bridge-vlan30 comment="VLAN30"
add name=40 vlan-id=40 interface=bridge-vlan40 comment="VLAN40"
add name=50 vlan-id=50 interface=bridge-vlan50 comment="VLAN50"
add name=60 vlan-id=60 interface=bridge-vlan60 comment="VLAN60"
add name=120 vlan-id=120 interface=bridge-vlan120 comment="VLAN120"
/interface bridge port
add bridge=bridge-vlan60 interface=ether3 pvid=60
add bridge=bridge-vlan60 interface=ether4 pvid=60
add bridge=bridge-vlan60 interface=ether5 pvid=60
add bridge=bridge-vlan60 interface=ether6 pvid=60
add bridge=bridge-vlan60 interface=ether7 pvid=60
add bridge=bridge-vlan60 interface=ether8 pvid=60
add bridge=bridge-vlan60 interface=ether9 pvid=60
add bridge=bridge-vlan60 interface=ether10 pvid=60
/interface bridge vlan
add bridge=bridge-vlan20 tagged=sfp-sfpplus1 vlan-ids=20 comment="VLAN20 Bridge VLAN"
add bridge=bridge-vlan30 tagged=sfp-sfpplus1 vlan-ids=30 comment="VLAN30 Bridge VLAN"
add bridge=bridge-vlan40 tagged=sfp-sfpplus1 vlan-ids=40 comment="VLAN40 Bridge VLAN"
add bridge=bridge-vlan50 tagged=sfp-sfpplus1 vlan-ids=50 comment="VLAN50 Bridge VLAN"
add bridge=bridge-vlan60 tagged=sfp-sfpplus1 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=60 comment="VLAN60 Bridge VLAN"
add bridge=bridge-vlan120 tagged=sfp-sfpplus1 vlan-ids=120 comment="VLAN120 Bridge VLAN"
/ip address
add address=192.168.20.1/24 comment="VLAN20 Gateway & Network" interface=bridge-vlan20 network=192.168.20.0
add address=192.168.30.1/24 comment="VLAN30 Gateway & Network" interface=bridge-vlan30 network=192.168.30.0
add address=192.168.40.1/24 comment="VLAN40 Gateway & Network" interface=bridge-vlan40 network=192.168.40.0
add address=192.168.50.1/24 comment="VLAN50 Gateway & Network" interface=bridge-vlan50 network=192.168.50.0
add address=192.168.60.1/24 comment="VLAN60 Gateway & Network" interface=bridge-vlan60 network=192.168.60.0
add address=192.168.120.1/24 comment="VLAN120 Gateway & Network" interface=bridge-vlan120 network=192.168.120.0
/ip pool
add name=dhcp-pool-20FLAlexa ranges=192.168.20.2-192.168.20.250 comment="VLAN20 IP Pool"
add name=dhcp-pool-30Arlo ranges=192.168.30.2-192.168.30.250 comment="VLAN30 IP Pool"
add name=dhcp-pool-40Hue ranges=192.168.40.2-192.168.40.250 comment="VLAN40 IP Pool"
add name=dhcp-pool-50IoTRest ranges=192.168.50.2-192.168.50.250 comment="VLAN50 IP Pool"
add name=dhcp-pool-60FLSehr ranges=192.168.60.2-192.168.60.250 comment="VLAN60 IP Pool"
add name=dhcp-pool-120guest ranges=192.168.120.2-192.168.120.250 comment="VLAN120 IP Pool"
/ip dhcp-server
add address-pool=dhcp-pool-20FLAlexa disabled=no interface=bridge-vlan20 lease-time=15m name=dhcp-vlan20 comment="VLAN20 DHCP Server"
add address-pool=dhcp-pool-30Arlo disabled=no interface=bridge-vlan30 lease-time=15m name=dhcp-vlan30 comment="VLAN30 DHCP Server"
add address-pool=dhcp-pool-40Hue disabled=no interface=bridge-vlan40 lease-time=15m name=dhcp-vlan40 comment="VLAN40 DHCP Server"
add address-pool=dhcp-pool-50IoTRest disabled=no interface=bridge-vlan50 lease-time=15m name=dhcp-vlan50 comment="VLAN50 DHCP Server"
add address-pool=dhcp-pool-60FLSehr disabled=no interface=bridge-vlan60 lease-time=15m name=dhcp-vlan60 comment="VLAN60 DHCP Server"
add address-pool=dhcp-pool-120guest disabled=no interface=bridge-vlan120 lease-time=15m name=dhcp-vlan120 comment="VLAN120 DHCP Server"
/ip dhcp-server network
add address=192.168.20.0/24 comment="VLAN20 DHCP-Server Network" gateway=192.168.20.1 dns-server=1.1.1.1,1.0.0.1
add address=192.168.30.0/24 comment="VLAN30 DHCP-Server Network" gateway=192.168.30.1 dns-server=1.1.1.1,1.0.0.1
add address=192.168.40.0/24 comment="VLAN40 DHCP-Server Network" gateway=192.168.40.1 dns-server=1.1.1.1,1.0.0.1
add address=192.168.50.0/24 comment="VLAN50 DHCP-Server Network" gateway=192.168.50.1 dns-server=1.1.1.1,1.0.0.1
add address=192.168.60.0/24 comment="VLAN60 DHCP-Server Network" gateway=192.168.60.1 dns-server=1.1.1.1,1.0.0.1
add address=192.168.120.0/24 comment="VLAN120 DHCP-Server Network" gateway=192.168.120.1 dns-server=1.1.1.1,1.0.0.1

What I want to achieve is that all VLANs have Internet access, and I want to have access to all VLANs from the default / mgmt VLAN; however, the firewall part seems less complicated for me to set up via Winbox than setting up these VLANs, either via Winbox or script.
The idea basically is that VLANs 20 - 60 are different types of IoT devices which might or might not need to see each other; however, the base / mgmt VLAN should be able to access them all.

So, will this work or am I missing something? Unfortunately I can't test this right away as this is located externally without any remote access available to me.

I might be completely wrong on this one, since there are so many HowTo's around and essentially each seems different: one says everything on one bridge, the next says one bridge per VLAN...

Thanks in advance!
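As an added example (not part of the post above and not MikroTik code), here is a Python cross-reference checker for a pasted RouterOS script of the kind shown above. It walks the lines in the order RouterOS would execute them and reports names that are used before anything creates them (a bridge, a VLAN interface, a DHCP pool, an interface list), keys that are misspelled in the sections where that makes RouterOS reject the whole line, and VLAN interfaces whose bridge is not itself a tagged member of the matching bridge VLAN entry. The built-in port names, the accepted-key lists and the sample script are constructed assumptions for this example; the accepted-key lists are partial, not the full RouterOS key set, and the sample deliberately carries the kinds of slips a hand-typed script picks up.

```python
"""Cross-reference checker for a pasted RouterOS script (added example)."""
import shlex

# Ports assumed present before the script runs: ten ethernet ports and one
# SFP+ cage, as on an RB4011 (assumption for this example).
BUILTIN_INTERFACES = {f"ether{i}" for i in range(1, 11)} | {"sfp-sfpplus1"}

# (section, key) pairs that create a name of the given kind.
DEFINES = {("/interface bridge", "name"): "interface", ("/interface vlan", "name"): "interface",
           ("/ip pool", "name"): "pool", ("/interface list", "name"): "list"}
# (section, key) pairs that refer to names of the given kind (comma-separated allowed).
REFERENCES = {("/interface vlan", "interface"): "interface",
              ("/interface bridge port", "bridge"): "interface",
              ("/interface bridge port", "interface"): "interface",
              ("/interface bridge vlan", "bridge"): "interface",
              ("/interface bridge vlan", "tagged"): "interface",
              ("/interface bridge vlan", "untagged"): "interface",
              ("/ip address", "interface"): "interface",
              ("/ip dhcp-server", "interface"): "interface",
              ("/ip dhcp-server", "address-pool"): "pool",
              ("/interface list member", "interface"): "interface",
              ("/interface list member", "list"): "list"}
# Keys accepted in two sections where a typo makes RouterOS reject the whole line.
# Partial lists: an assumption of this example, not the complete RouterOS key set.
KNOWN_KEYS = {"/ip dhcp-server": {"address-pool", "interface", "name", "disabled", "lease-time", "comment"},
              "/interface bridge port": {"bridge", "interface", "pvid", "comment", "frame-types", "ingress-filtering"}}

def parse_script(text):
    """Yield (section, line_no, {key: value}) for every 'add' line, in script order."""
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # e.g. "/interface bridge port" selects a section
            section = line
            continue
        words = shlex.split(line)           # shlex keeps comment="two words" together
        if section and words and words[0] == "add":
            yield section, line_no, dict(w.split("=", 1) for w in words[1:] if "=" in w)

def check_script(text):
    """Return the problems found, as strings ordered by line number."""
    defined = {"interface": set(BUILTIN_INTERFACES), "pool": set(), "list": set()}
    bridges, vlan_ifaces, bridge_vlans, problems = set(), [], set(), []
    for section, line_no, kv in parse_script(text):
        # Check references before recording definitions: one line may do both.
        for key, value in kv.items():
            if section in KNOWN_KEYS and key not in KNOWN_KEYS[section]:
                problems.append((line_no, f"unknown key '{key}' in {section}"))
            kind = REFERENCES.get((section, key))
            for name in (value.split(",") if kind else ()):
                if name not in defined[kind]:
                    problems.append((line_no, f"{section} {key}={name} refers to an undefined {kind}"))
        for key, value in kv.items():
            kind = DEFINES.get((section, key))
            if kind:
                defined[kind].add(value)
        if section == "/interface bridge" and "name" in kv:
            bridges.add(kv["name"])
        if section == "/interface vlan" and "vlan-id" in kv:
            vlan_ifaces.append((line_no, kv.get("interface"), kv["vlan-id"]))
        # Remember bridge VLAN entries that carry the bridge itself as a tagged member;
        # on a filtering bridge only those let a VLAN interface on the bridge pass traffic.
        # (vlan-ids ranges such as 20-30 are not expanded here.)
        if section == "/interface bridge vlan" and kv.get("bridge") in kv.get("tagged", "").split(","):
            for vid in kv.get("vlan-ids", "").split(","):
                bridge_vlans.add((kv["bridge"], vid))
    for line_no, bridge, vid in vlan_ifaces:
        if bridge in bridges and (bridge, vid) not in bridge_vlans:
            problems.append((line_no, f"VLAN interface for vlan-id {vid} needs {bridge} tagged "
                                      f"in a /interface bridge vlan entry for {vid}"))
    return [f"line {n}: {msg}" for n, msg in sorted(problems)]

# Constructed sample carrying the slips a hand-typed script tends to pick up.
SAMPLE_SCRIPT = """\
/interface bridge
add name=BR1 vlan-filtering=no
/interface vlan
add interface=BR1 name=Alexa_VLAN vlan-id=20
add interface=BR1 name=Guest_VLAN vlan-id=120
# management VLAN interface commented out, but still referenced further down
#add interface=BR1 name=BASE_VLAN vlan-id=88
/interface bridge port
add bridge=BR1 interface=ether3 pvid=60
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20
add bridge=bridge-vlan90 tagged=sfp-sfpplus1 vlan-ids=120
/ip pool
add name=Alexa_POOL ranges=192.168.20.2-192.168.20.250
/ip dhcp-server
add address-pool=dhcp-pool-20 disable=no interface=Alexa_VLAN name=Alexa_DHCP
/interface list
add name=BASE
/interface list member
add interface=BASE_VLAN list=BASE
"""

if __name__ == "__main__":
    for problem in check_script(SAMPLE_SCRIPT):
        print(problem)
```

Running it on a script before pasting it on site costs seconds; an empty result means every name resolves in the order the lines will execute, which is a far cheaper way to find a stray bridge name or pool name than losing the management connection to a half-applied script.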
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 1:51 am

Or maybe this would be more like it, as it's a single-bridge approach?
#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="router"


#######################################
# VLAN Overview
#######################################

# 20 = Alexa
# 30 = Arlo
# 40 = Hue
# 50 = IoT
# 60 = TV
# 120 = Guest
# 88 = BASE (MGMT)


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# BASE VLAN
# add bridge=BR1 interface=ether2 pvid=88
add bridge=BR1 interface=ether2

# TV VLAN

add bridge=BR1 interface=ether3 pvid=60
add bridge=BR1 interface=ether4 pvid=60
add bridge=BR1 interface=ether5 pvid=60
add bridge=BR1 interface=ether6 pvid=60
add bridge=BR1 interface=ether7 pvid=60
add bridge=BR1 interface=ether8 pvid=60
add bridge=BR1 interface=ether9 pvid=60
add bridge=BR1 interface=ether10 pvid=60

# egress behavior, handled automatically

#######################################
#
# -- Hybrid Ports --
#
#######################################
# ingress behavior
/interface bridge port

# add bridge=BR1 interface=sfp-sfpplus1 pvid=88
add bridge=BR1 interface=sfp-sfpplus1

# egress behavior
/interface bridge vlan

# Tagged VLANs on the hybrid uplink. Each entry is created with "add" (there is
# no earlier entry for a "set ... [find vlan-ids=N]" to modify). BR1 itself is
# tagged too, so the VLAN interfaces created below can carry IP services; the
# untagged PVID 1 on the port stays the BASE VLAN, which is what makes it hybrid.

# Alexa egress on the uplink
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20

# Arlo egress on the uplink
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=30

# Hue egress on the uplink
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=40

# IoT egress on the uplink
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=50

# TV egress on the uplink
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=60

# Guest egress on the uplink
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=120

#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
#/interface vlan add interface=BR1 name=BASE_VLAN
#/ip address add address=192.168.88.1/24 interface=BASE_VLAN

#######################################
# IP Services
#######################################

# Alexa VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=Alexa_VLAN vlan-id=20
/ip address add interface=Alexa_VLAN address=192.168.20.1/24
/ip pool add name=Alexa_POOL ranges=192.168.20.2-192.168.20.250
/ip dhcp-server add address-pool=Alexa_POOL interface=Alexa_VLAN name=Alexa_DHCP disabled=no
/ip dhcp-server network add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.20.1

# Arlo VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=Arlo_VLAN vlan-id=30
/ip address add interface=Arlo_VLAN address=192.168.30.1/24
/ip pool add name=Arlo_POOL ranges=192.168.30.2-192.168.30.250
/ip dhcp-server add address-pool=Arlo_POOL interface=Arlo_VLAN name=Arlo_DHCP disabled=no
/ip dhcp-server network add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1

# Hue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=Hue_VLAN vlan-id=40
/ip address add interface=Hue_VLAN address=192.168.40.1/24
/ip pool add name=Hue_POOL ranges=192.168.40.2-192.168.40.250
/ip dhcp-server add address-pool=Hue_POOL interface=Hue_VLAN name=Hue_DHCP disabled=no
/ip dhcp-server network add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1

# IoT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=IoT_VLAN vlan-id=50
/ip address add interface=IoT_VLAN address=192.168.50.1/24
/ip pool add name=IoT_POOL ranges=192.168.50.2-192.168.50.250
/ip dhcp-server add address-pool=IoT_POOL interface=IoT_VLAN name=IoT_DHCP disabled=no
/ip dhcp-server network add address=192.168.50.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.50.1

# TV VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=TV_VLAN vlan-id=60
/ip address add interface=TV_VLAN address=192.168.60.1/24
/ip pool add name=TV_POOL ranges=192.168.60.2-192.168.60.250
/ip dhcp-server add address-pool=TV_POOL interface=TV_VLAN name=TV_DHCP disabled=no
/ip dhcp-server network add address=192.168.60.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.60.1

# Guest VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=Guest_VLAN vlan-id=120
/ip address add interface=Guest_VLAN address=192.168.120.1/24
/ip pool add name=Guest_POOL ranges=192.168.120.2-192.168.120.250
/ip dhcp-server add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP disabled=no
/ip dhcp-server network add address=192.168.120.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.120.1

#######################################
# Firewalling & NAT
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=Alexa_VLAN list=VLAN
add interface=Arlo_VLAN list=VLAN
add interface=Hue_VLAN list=VLAN
add interface=IoT_VLAN list=VLAN
add interface=TV_VLAN list=VLAN
# Guest_VLAN must be in the VLAN list too, or the "VLAN Internet Access only" rule never matches it
add interface=Guest_VLAN list=VLAN
add interface=BASE_VLAN list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN
##################

add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################

add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

# Allow BASE_VLAN to access all VLANS

add chain=forward action=accept connection-state=new in-interface-list=BASE out-interface-list=VLAN

# Allow Alexa to access Arlo

add chain=forward action=accept connection-state=new in-interface=Alexa_VLAN out-interface=Arlo_VLAN

add chain=forward action=drop comment="Drop"

##################
# NAT
##################

/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################
# VLAN Security
#######################################

# Access Ports: Only allow untagged ingress packets
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether10]

# Hybrid: Allow ingress packets with or without tags (ingress-filtering ensures only the tags we specified)
set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=sfp-sfpplus1]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
# /interface list add name=BASE
# /interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
This is a copy from viewtopic.php?t=143620, with the exception that my hybrid port is on the router, as I'm not sure if tagging PVID=1 would work down the chain on the Aruba AP. The Lancom switch in between would have 2 hybrid ports, too: SFP+ to the RB4011 and RJ45 to the Aruba AP; all other ports on the Lancom are access ports.

Another question relates to the firewall section, "Allow Alexa to access Arlo": is that the correct approach, or would it make sense to add Alexa_VLAN and Arlo_VLAN to another list, like

/interface list add name=Alexa
/interface list add name=Arlo

/interface list member
add interface=Alexa_VLAN list=Alexa
add interface=Arlo_VLAN list=Arlo


To me this feels wrong, as both are members of the VLAN list already?
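On the interface-list question, an added example (not code from the thread or from MikroTik): a small first-match simulation of the forward chain in the single-bridge script above, using RouterOS's rule semantics (rules are tried in order, the first match decides, and a connection matching no rule in the chain is accepted). The interface lists, the rule set and the test flows are constructed for this example; the one-member Alexa and Arlo lists are the hypothetical variant the question asks about, and Guest_VLAN is left out of the VLAN list on purpose to show what a missing list member does to a "lists only" rule.

```python
"""First-match simulation of a RouterOS-style forward chain (added example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                                # "accept" or "drop"
    comment: str = ""
    conn_state: Optional[frozenset] = None     # None = any connection state
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None

@dataclass
class Flow:
    state: str          # "new", "established" or "related"
    in_iface: str
    out_iface: str

def rule_matches(rule, flow, lists):
    """Every matcher set on the rule must hold; unset matchers match anything."""
    return (
        (rule.conn_state is None or flow.state in rule.conn_state)
        and (rule.in_iface is None or flow.in_iface == rule.in_iface)
        and (rule.out_iface is None or flow.out_iface == rule.out_iface)
        and (rule.in_list is None or flow.in_iface in lists.get(rule.in_list, ()))
        and (rule.out_list is None or flow.out_iface in lists.get(rule.out_list, ()))
    )

def evaluate(chain, flow, lists):
    """Return (action, comment) of the first matching rule; a chain in which
    nothing matches accepts, which is the RouterOS default for a filter chain."""
    for rule in chain:
        if rule_matches(rule, flow, lists):
            return rule.action, rule.comment
    return "accept", "no rule matched (chain default)"

# Constructed interface lists modelled on the single-bridge script.
# Guest_VLAN is deliberately missing from VLAN to show the effect.
LISTS = {
    "WAN": {"ether1"},
    "VLAN": {"Alexa_VLAN", "Arlo_VLAN", "Hue_VLAN", "IoT_VLAN", "TV_VLAN"},
    "BASE": {"BASE_VLAN"},
    "Alexa": {"Alexa_VLAN"},   # hypothetical one-member lists from the question
    "Arlo": {"Arlo_VLAN"},
}
ESTABLISHED = frozenset({"established", "related"})
NEW = frozenset({"new"})

FORWARD_AS_POSTED = [
    Rule("accept", "Allow Estab & Related", conn_state=ESTABLISHED),
    Rule("accept", "VLAN Internet Access only", conn_state=NEW, in_list="VLAN", out_list="WAN"),
    Rule("accept", "BASE to all VLANs", conn_state=NEW, in_list="BASE", out_list="VLAN"),
    Rule("accept", "Alexa to Arlo", conn_state=NEW, in_iface="Alexa_VLAN", out_iface="Arlo_VLAN"),
    Rule("drop", "Drop"),
]
# Same chain with the Alexa->Arlo rule written against the one-member lists.
FORWARD_WITH_LISTS = FORWARD_AS_POSTED[:3] + [
    Rule("accept", "Alexa to Arlo (lists)", conn_state=NEW, in_list="Alexa", out_list="Arlo"),
    FORWARD_AS_POSTED[4],
]

SAMPLE_FLOWS = [
    Flow("new", "Alexa_VLAN", "ether1"),             # IoT VLAN to the Internet
    Flow("new", "Alexa_VLAN", "Arlo_VLAN"),          # the one allowed VLAN pair
    Flow("new", "Arlo_VLAN", "Alexa_VLAN"),          # reverse direction, new connection
    Flow("established", "Arlo_VLAN", "Alexa_VLAN"),  # reply traffic of the allowed pair
    Flow("new", "BASE_VLAN", "Hue_VLAN"),            # management into an IoT VLAN
    Flow("new", "Hue_VLAN", "BASE_VLAN"),            # IoT VLAN into management
    Flow("new", "Guest_VLAN", "ether1"),             # not in list VLAN: no Internet
]

def decide_all(chain, flows=SAMPLE_FLOWS, lists=LISTS):
    """Return the decision ("accept"/"drop") for each flow, in order."""
    return [evaluate(chain, flow, lists)[0] for flow in flows]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, why = evaluate(FORWARD_AS_POSTED, flow, LISTS)
        print(f"{flow.state:11} {flow.in_iface:>10} -> {flow.out_iface:<10} {action:6} ({why})")
```

Both chains give identical decisions for every flow, so the extra one-member lists buy nothing today; a list only pays off once more than one interface should share the same rule. The Guest_VLAN flow shows the flip side: an interface that is missing from a list silently falls through to the final drop, so every new VLAN interface has to be added to the list its rules depend on.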
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 2:42 am

If the only purpose of the LanCom switch is as a media converter from optical to electrical to drive the WiFi, why are you not simply using an electrical interface in SFP-1? Or is there more being used in the LanCom switch? I was largely going by your drawing...

And I don't do bridges in RouterOS, so can't help you with that part.
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 3:15 am

There's more being used on the LanCom switch: it provides PoE to the AP and other devices and has several Hue bridges and an Arlo base connected to it. I can't recall having anything else wired to the LanCom switch, but PoE with a 2.5G link to the AP definitely is the most outstanding feature in use :wink: It used to be 2 APs with PoE, but one is dead currently; we're still discussing if we actually need a replacement or not.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 4:09 am

No, if the LanCom switch, as a managed switch, can accept all tagged VLANs coming in from the RB4011, both should be considered trunk ports. The port on the switch going to the Aruba would be a hybrid port.
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 11:02 am

So I would do something like this on the RB4011

# ingress behavior
/interface bridge port

# Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=sfp-sfpplus1

# egress behavior
/interface bridge vlan

# Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=120
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=1

is this the right approach?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 2:27 pm

/interface bridge port
add bridge=BR1 interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20,30,40,50,60,120


Which VLAN is your management VLAN?
This presupposes your RB4011 has no other ethernet ports on the bridge using any of those VLANs.
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 2:36 pm

Management VLAN is 1; VLAN 60 is on ether3 - ether10, and all other VLANs just go to the trunk. Ether2 is on the management VLAN too.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 2:43 pm

Very annoying for so little context to be provided.
Using VLAN 1 for the management VLAN is a bad idea IMHO.

viewtopic.php?p=908118

What subnet is VLAN 1?
What else is it used for on the RB4011?
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 2:58 pm

Subnet for VLAN 1 is 192.168.88.0/24. What it does is provide IPs and access to switch and AP management, as well as the main user connecting to this VLAN via WiFi.

As you can see further above, I have two completely different approaches to how I would configure this, because the available info / tutorials / HowTo's are so inconsistent for RouterOS (maybe due to different SW versions?) that the last thing I want is, if anything breaks, to be stuck locked out of the AP, having to explain why it's broken (again) while trying to figure out how to reset everything and start from scratch. This RB4011 has been a pita for the last few months already; I haven't met any other vendor that makes it so hard to get some simple VLANs up and running.

If I had been aware of how much of a pita this would be, I would've paid 10x the price for some other gear just to be done in minutes or hours, not months.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 3:10 pm

Or you could have come here and solved it in days. ;-P
Provide the full config
/export file=anynameyouwish ( minus router serial # and any public WANIP information )
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 3:20 pm

I can't; I'm not at the site and have no remote access. It's really a default config with disabled WiFi that's currently running (and WiFi will stay disabled; I've had enough trouble with cAPs, 5 in a bin replaced by one AP that doesn't randomly lose signal strength or completely lose WiFi at will). That's why I am posting what I would add to it once I am on site again, instead of a full export, which is really, in my view, as basic as it gets.

Don't get me wrong, the RB4011 on Ethernet at least runs like forever, which is exactly what I'm looking for, but that WiFi and those cAPs we initially used are, let's say in friendly words, not my type of thing.

Picture-perfect WiFi is the #1 priority; we did start with a full RB4011 / cAP setup to stay with one vendor, but we've moved on to something more ... professional when it comes to reliability. Everyone has their own experiences, but I won't ever let MikroTik gear handle WiFi for me.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 7:53 pm

Hi there, yes the RB4011 is solid and shouldn't need replacing.
The cAPACs: too bad you didn't ask me first; I would have told you you'd be better off with the TP-Link EAP245, which I first started using to replace them, and then the 660HD.
But according to gotsprings, who is the resident expert at real-world useful WiFi products (dealt with them all), Cambium (such as the Cambium XV2-2) is where you should put your $$.

Right now I have just gotten a hAP ax3 and will see how it compares...
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Tue Jan 17, 2023 9:51 pm

We replaced the cAPACs with Aruba AP-515s; they're really reliable (unless dead, lol), and up to 6 or 8 of them don't need a controller or any separate config to work together. I actually thought when we installed the second one (which is now dead) I'd have to do something to make them act together.
Took me 2 minutes staring at the dashboard until I realized that it's showing 2 APs already.
You can't imagine how much we didn't mind spending $$$ on the Arubas instead of cAPACs + RB4011 + trying to get all of it running with CAPsMAN and having to reset the RB4011 once we removed the cAPACs again...
I mean the cAPAC which was bothering us the most was wall mounted and only had to get through one simple wooden door + 5 m further; we're not talking a 10+ m WiFi run or anything. Once you open that door from the inside you're looking straight at the AP, so beamforming-wise it should've been picture perfect for the cAPAC too, but nope... clients drop whether it's a cellphone or just a WiFi-enabled climate control unit (which hardly has any WiFi traffic unless you open the app and look at it there).

So back to my issue with not willingly giving up PVID=1 for the mgmt LAN: I don't trust any configuration change on the RB4011, in the sense that I might have to hard reset the Aruba because the config of the RB4011 is screwed. I've spent so much time with Winbox and the CLI on the RB4011 in the past months, even had this device with me for a while and could verify VLAN60 is working untagged on Ether3 - Ether10; I couldn't check the SFP part of the config as we didn't have an SFP module for the switch ready, configured Ether2 instead and everything died again, so it's reset to the default configuration currently but with WiFi disabled, no remote access, and it can take me days or weeks to get back on site.
To me it's a rather simple setup really wrt the RB4011: Ether3 - Ether10 serve untagged VLAN60, ether1 gets the Internet connection in, and SFP-SFPPlus1 should uplink VLAN20,30,40,50,60,120 to the switch (fine, I'm willing to set PVID=99 with 192.168.88.0/24 as the mgmt VLAN too at some point - but I need to be able to trust what I'm putting into the CLI from a "makes sense" point of view first). Ether2 should be on the mgmt VLAN just in case I need wired access to the RB4011 on site.

All I can do right now is try to prepare CLI input so hopefully it'll just go through once on site; then I can change the RB4011 <-> switch link to tagged, add another device on the switch with one of the other VLANs untagged, and if it connects to the internet and is accessible from the RB4011 side, only then am I willing to change the mgmt VLAN on the Aruba, as a reset means taking it off the wall (which isn't that bad), connecting it to the switch directly to reset it and then fiddling it back into its mounting place (this part is the ugly one).

If some firewall rules don't work I can argue for setting up remote access, as long as mgmt WiFi works as intended; before that it would be a bad idea to ask for that, as we have countless hours of on- and off-site troubles with the RB4011 behind us, and bringing in the potential for disaster without being able to get my head chopped off directly is something I shouldn't ask for at this point. :lol:
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Fri Feb 03, 2023 7:24 am

This is what's currently up and running. It seems to work as far as internet access on all wired ethernet ports goes, whether it's on the RB4011 or the switch.
# feb/03/2023 06:15:30 by RouterOS 7.7
# software id =
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 vlan-filtering=yes
add admin-mac=74:4D:28:4B:24:62 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-frequency=auto ssid=MikroTik-4B246C \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-B39B25 wireless-protocol=802.11
/interface vlan
add interface=BR1 name=Arlo_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=188
add interface=BR1 name=FLAlexa_VLAN vlan-id=20
add interface=BR1 name=FLSehr_VLAN vlan-id=60
add interface=BR1 name=Gscht_VLAN vlan-id=120
add interface=BR1 name=Hue_VLAN vlan-id=40
add interface=BR1 name=IoTRest_VLAN vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=FLAlexa_POOL ranges=192.168.20.2-192.168.20.250
add name=Arlo_POOL ranges=192.168.30.2-192.168.30.250
add name=Hue_POOL ranges=192.168.40.2-192.168.40.250
add name=IoTRest_POOL ranges=192.168.50.2-192.168.50.250
add name=FLSehr_POOL ranges=192.168.60.2-192.168.60.250
add name=Gscht_POOL ranges=192.168.120.2-192.168.120.250
add name=BASE_POOL ranges=192.168.188.2-192.168.188.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=FLAlexa_POOL interface=FLAlexa_VLAN name=FLAlexa_DHCP
add address-pool=Arlo_POOL interface=Arlo_VLAN name=Arlo_DHCP
add address-pool=Hue_POOL interface=Hue_VLAN name=Hue_DHCP
add address-pool=IoTRest_POOL interface=IoTRest_VLAN name=IoTRest_DHCP
add address-pool=FLSehr_POOL interface=FLSehr_VLAN name=FLSehr_DHCP
add address-pool=Gscht_POOL interface=Gscht_VLAN name=Gscht_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=188
add bridge=BR1 comment=defconf interface=sfp-sfpplus1 pvid=188
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=60
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 tagged=BR1,sfp-sfpplus1 untagged=ether5 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=120
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=188
/interface list member
add comment=defconf interface=bridge list=BASE
add comment=defconf interface=ether1 list=WAN
add interface=FLAlexa_VLAN list=VLAN
add interface=Arlo_VLAN list=VLAN
add interface=Hue_VLAN list=VLAN
add interface=IoTRest_VLAN list=VLAN
add interface=FLSehr_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 interface=FLAlexa_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=Arlo_VLAN network=192.168.30.0
add address=192.168.40.1/24 interface=Hue_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=IoTRest_VLAN network=192.168.50.0
add address=192.168.60.1/24 interface=FLSehr_VLAN network=192.168.60.0
add address=192.168.120.1/24 interface=Gscht_VLAN network=192.168.120.0
add address=192.168.188.1/24 interface=BASE_VLAN network=192.168.188.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.120.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.120.1
add address=192.168.188.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=input in-interface=bridge
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-state=new in-interface-list=BASE \
    out-interface-list=VLAN
add action=accept chain=forward connection-state=new in-interface=\
    FLAlexa_VLAN out-interface=Arlo_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=bridge out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip firewall service-port
set rtsp disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=FLANr00ter
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

It works as far as the base VLAN (188) is concerned on the AP, too, but it doesn't get IPs on the other WLAN SSIDs on the Aruba AP.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration check for RB4011

Fri Feb 03, 2023 1:24 pm

You have a confused config.
Get rid of the bridge doing DHCP.
Then you should note: what the heck, I already have a base VLAN, why do I have the bridge as part of a BASE interface list?

Not sure what function the bridge subnet serves, but you would be far better off assigning it vlan5, for example, and then you would be working with all VLANs.
Then it gets real clear and real easy.

From rereading this thread, you don't have any hybrid ports required coming out of the RB4011, just a bunch of access ports to dumb devices and a couple of trunk ports to smart devices, switches etc.

Therefore, if 188 is truly your BASE VLAN, then all smart devices including the Arubas will get their IP address from this LAN and set statically.
The only requirement for a hybrid port is from switch to Aruba, where the base VLAN is untagged and the other VLANs for WLANs are tagged (going into the Aruba).

Also remove ingress filtering from the bridge and put it on the /interface bridge port settings.
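An added consistency check along the lines of anav's points, not code from the thread: it parses a RouterOS export (SAMPLE is a constructed, cut-down export modelled on the ones posted above, not the poster's real config) and flags an access-port pvid with no /interface vlan, a VLAN interface whose id does not have the bridge itself as a tagged member in /interface bridge vlan, and a port-less default bridge still referenced by a DHCP server. It assumes comma-separated vlan-ids as in the posted exports, not ranges.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's export; not the poster's real config.
SAMPLE = r"""
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 vlan-filtering=yes
add comment=defconf name=bridge
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=188
add interface=BR1 name=Sehr_VLAN vlan-id=60
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=30
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=188
add bridge=BR1 tagged=sfp-sfpplus1 vlan-ids=60
/ip address
add address=192.168.188.1/24 interface=BASE_VLAN network=192.168.188.0
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
"""
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_export(text):
    """Group a RouterOS export into {section: [entry dict, ...]}."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]              # continued line: keep accumulating
        else:
            joined.append(buf + line)
            buf = ""
    sections, section = defaultdict(list), None
    for line in joined:
        if line.startswith("/"):
            section = line
        elif line.split(" ", 1)[0] in ("add", "set"):
            sections[section].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def audit(text):
    """Return findings where bridge (L2) membership and L3 VLAN config disagree."""
    s = parse_export(text)
    out, l3 = [], {e["name"]: int(e["vlan-id"]) for e in s["/interface vlan"]}
    # VLAN ids on which the bridge itself is a tagged member (comma lists only)
    cpu_tagged = set()
    for e in s["/interface bridge vlan"]:
        if e["bridge"] in e.get("tagged", "").split(","):
            cpu_tagged.update(int(v) for v in e["vlan-ids"].split(","))
    # 1. access-port pvid without an L3 VLAN interface: nothing to route or serve DHCP on
    for p in s["/interface bridge port"]:
        vid = int(p.get("pvid", 1))
        if vid != 1 and vid not in l3.values():
            out.append(f"{p['interface']}: pvid {vid} has no /interface vlan")
    # 2. L3 VLAN whose id lacks the bridge as tagged member: the router CPU never sees it
    for name, vid in l3.items():
        if vid not in cpu_tagged:
            out.append(f"{name}: vlan {vid} not tagged on the bridge in /interface bridge vlan")
    # 3. a bridge with no member ports still used by an address, DHCP server or rule
    used = {p["bridge"] for p in s["/interface bridge port"]}
    empty = {b["name"] for b in s["/interface bridge"] if b["name"] not in used}
    for sec in ("/ip address", "/ip dhcp-server", "/ip firewall filter"):
        for e in s[sec]:
            ref = e.get("interface") or e.get("in-interface")
            if ref in empty:
                out.append(f"{sec}: references bridge '{ref}' which has no ports")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a real `/export` file by passing the file contents to `audit()`; each finding names the section or port to look at.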
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: VLAN configuration check for RB4011

Sat May 06, 2023 1:37 pm

My config just represents how far all kinds of HowTos have gotten me: confused.
Which, as previously said, I mostly blame on there being no info on which ROS version and HW said HowTos were referring to ;-)

Anyway, I have been trying to pick up on your advice as much as I could before everything broke to hell again. First of all, I know my FW rules are the #1 mess out there, but I'm trying to figure out most rules ahead of removing that one rule that currently allows through most of the traffic. I promise I'll work on it, but first things first, here's the current config:
# mar/30/2023 17:40:12 by RouterOS 7.8
# software id = PNTF-DUHH
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 vlan-filtering=yes
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-frequency=auto ssid=MikroTik-4B246C \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-B39B25 wireless-protocol=802.11
/interface vlan
add interface=BR1 name=Arlo_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=188
add interface=BR1 name=Alexa_VLAN vlan-id=20
add interface=BR1 name=Sehr_VLAN vlan-id=60
add interface=BR1 name=Gscht_VLAN vlan-id=120
add interface=BR1 name=Hue_VLAN vlan-id=40
add interface=BR1 name=IoTRest_VLAN vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Alexa_POOL ranges=192.168.20.2-192.168.20.250
add name=Arlo_POOL ranges=192.168.30.2-192.168.30.250
add name=Hue_POOL ranges=192.168.40.2-192.168.40.250
add name=IoTRest_POOL ranges=192.168.50.2-192.168.50.250
add name=Sehr_POOL ranges=192.168.60.2-192.168.60.250
add name=Gscht_POOL ranges=192.168.120.2-192.168.120.250
add name=BASE_POOL ranges=192.168.188.2-192.168.188.250
/ip dhcp-server
add add-arp=yes address-pool=Alexa_POOL interface=Alexa_VLAN name=\
    Alexa_DHCP
add add-arp=yes address-pool=Arlo_POOL interface=Arlo_VLAN name=Arlo_DHCP
add add-arp=yes address-pool=Hue_POOL interface=Hue_VLAN name=Hue_DHCP
add add-arp=yes address-pool=IoTRest_POOL interface=IoTRest_VLAN name=\
    IoTRest_DHCP
add add-arp=yes address-pool=Sehr_POOL interface=Sehr_VLAN name=\
    Sehr_DHCP
add add-arp=yes address-pool=Gscht_POOL interface=Gscht_VLAN name=Gscht_DHCP
add add-arp=yes address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=188
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=60
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 \
    pvid=188
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=120
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=188
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=Alexa_VLAN list=VLAN
add interface=Arlo_VLAN list=VLAN
add interface=Hue_VLAN list=VLAN
add interface=IoTRest_VLAN list=VLAN
add interface=Sehr_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.20.1/24 interface=Alexa_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=Arlo_VLAN network=192.168.30.0
add address=192.168.40.1/24 interface=Hue_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=IoTRest_VLAN network=192.168.50.0
add address=192.168.60.1/24 interface=Sehr_VLAN network=192.168.60.0
add address=192.168.120.1/24 interface=Gscht_VLAN network=192.168.120.0
add address=192.168.188.1/24 interface=BASE_VLAN network=192.168.188.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.60.1
add address=192.168.120.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.120.1
add address=192.168.188.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=input in-interface=bridge
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-state=new in-interface-list=BASE \
    out-interface-list=VLAN
add action=accept chain=forward connection-state=new in-interface=\
    Alexa_VLAN out-interface=Arlo_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=Alexa_VLAN out-interface=\
    Hue_VLAN
add action=accept chain=forward in-interface=IoTRest_VLAN out-interface=\
    Hue_VLAN
add action=accept chain=forward in-interface=IoTRest_VLAN out-interface=\
    Sehr_VLAN
add action=accept chain=forward in-interface=Hue_VLAN out-interface=BASE_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=Hue_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    Sehr_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    IoTRest_VLAN
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip firewall service-port
set rtsp disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=r00ter
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
On the LanCom switch, port 9 is the SFP+ port which is the connection to the RB4011 via the sfp-sfpplus1 interface. It's set up as a trunk port (C-Port), egress is set to tag all traffic, and the base PVID is set to 188.
Ports 6-8 are configured as hybrid ports (S-Custom Port, where S-Custom is set to 8100) and are set to untag the base PVID, which is set to VLAN 188. Here 2x Aruba AP515 and an AP505 are connected, which serve Wifi.
Ingress filtering is added on ports 6-8, and it's added on port 9 too by the trunk choice in the port type selection on the LanCom switch.

What I don't get is a DHCP offer on either the switch or the access points. I don't get any DHCP offer on anything that's connected via sfp-sfpplus1 except for the switch management interface. I do have VLAN accessibility on the switch, as I can configure any access port / VLAN, and if using proper manual IP settings I can at least access local resources, but the gateway IP of the RB4011 seems unreachable most of the time regardless of which VLAN I place my client in.

I have tried a full config reset on the switch and left out any configuration afterwards aside from getting a management interface running on VLAN 188 and the above-mentioned port configuration for the uplink between switch and RB4011 and the link between switch and access points, but the problem didn't change at all: no DHCP lease offer, and destination unreachable / packet loss to the gateway when trying to ping it while on a manual IP config. I did add my switch as DHCP relay and pointed it to 192.168.188.1, and I do see in the statistics that traffic in that regard does seem to happen without loss, so I don't see how the switch would be blocking DHCP offers being sent via sfp-sfpplus1, and it has been working before, so the only place I can imagine my screw-up is the RB4011 config.

I blame my RB4011 for this, but I can't see how this happened exactly, so any pointers in my config to potentially get rid of this asap would be awesome.

I do have a big stack of open issues to chew through for the foreseeable future too, but currently we have no working Wifi at all, which is most concerning, and any help is appreciated.

I could imagine some issues being related to me trying to get IGMP / DHCP snooping and relay to work across the switch and RB4011, but I've reset the switch config completely and removed most of it from the RB4011 config too, in order to try to rule that out as the reason for my troubles with DHCP offers and the unreachable gateway if an offer actually was received.
