Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Set up AP with VLAN's on an RB2011

Post Reply
 
JamesDunn
newbie
Topic Author
Posts: 28
Joined: Mon Apr 25, 2016 7:22 pm

Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 5:15 pm

Hi,

I'm trying to set up VLAN's on an RB2011 connected to a Zyxel NWA1123ACv3. So far I've got the VLAN's set up on the ether5 interface and a DHCP server configured for each of them.
However none of the AP's SSID's can pass internet. I also cannot ping the VLAN's gateway from the client device connected to the AP. IP addresses are being assigned though.

Here's my config:
Code: Select all
# apr/05/2023 15:02:28 by RouterOS 7.8
# software id = T6ZD-3KQV
#
# model = RB2011UiAS
# serial number = 69BB0503E956
/interface bridge
add admin-mac=E4:8D:8C:7C:87:10 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether5 name=VLAN-PRIVATE vlan-id=20
add interface=ether5 name=VLAN-PUBLIC vlan-id=10
add interface=ether5 name=VLAN-STREAMS vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool2 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool3 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=VLAN-PUBLIC lease-time=2h name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN-PRIVATE lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN-STREAMS lease-time=8h name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=ether5 vlan-ids=10
add bridge=bridge tagged=ether5 vlan-ids=20
add bridge=bridge tagged=ether5 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN-PUBLIC list=LAN
add interface=VLAN-PRIVATE list=LAN
add interface=VLAN-STREAMS list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.10.1 interface=VLAN-PUBLIC network=10.0.10.0
add address=10.0.20.1 interface=VLAN-PRIVATE network=10.0.20.0
add address=10.0.30.1 interface=VLAN-STREAMS network=10.0.30.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=8.8.8.8 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=8.8.8.8 gateway=10.0.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=1044
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 5:19 pm

(1) DANGER = your firewall rules are very insecure.

You are permitting direct internet access to your winbox and ssh ports.......
Change to
add action=accept chain=input comment="allow Winbox" dst-port=8291 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp in-interface-list=LAN

OR even easier JUST DELETE BOTH RULES!

Since, later on in the input chain you block all not coming from LAN, so all your LAN traffic to the router will work!

(2) Why is ether5 part of the bridge ??

(3) Since the vlans have no difference in their setup you can combine into one rule.
/interface bridge vlan
add bridge=bridge tagged=ether5 vlan-ids=10,20,30

(4) The problem with your forward chain is that you introduced different subnets which I am assuming you want separation between but you kept the default rules which allow all traffic basically at L3 within the LAN
The typical move is to replace this rule with three rules.......
From:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
TO:
add chain=forward action=accept comment="internet" in-interface-list=LAN out-interface-list=WAN { allow lan to WAN traffic }
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat { allow port forwarding if required otherwise disable or remove }
add chain=forward action=drop comment="drop all else" { drop all other lan to lan, lan to wan and wan to lan traffic = good security }

Note: If you want to allow any other traffic ensure you put it BEFORE the drop rule!

(5) Since mac-server, by itself, is not a secure method to access router....
From
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
TO:
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
JamesDunn
newbie
Topic Author
Posts: 28
Joined: Mon Apr 25, 2016 7:22 pm

Re: Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 6:57 pm

Thanks for the feedback! I'm made those changes in the firewall as suggested, but I'm still not getting internet access via the AP / VLAN's. The ether3 port works though.

Also:
(1) This router is not in production whilst I am working on it. I am using the WAN interface for administration so that I don't lock myself out when I make changes to ether3. I will definitely secure this before deployment

(2) Not sure! I've removed it.

(3) Nice, thanks. That's cleaner

(4) I've remvoed the "defconf: drop all from WAN not DSTNATed" and added those 3 lines instead, but I still can't ping the VLAN gateway or the internet

(5) Similarly to point 1, I will make sure I tighten up this security after I get things working. Thanks for the heads up


What else could be the problem with internet access via the VLANs?
Top
 
JamesDunn
newbie
Topic Author
Posts: 28
Joined: Mon Apr 25, 2016 7:22 pm

Re: Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 7:06 pm

I tried adding the LAN to my bridge, which got internet access via the AP's SSID's, but this is circumventing the VLANs and gives me an address in the 192.168.88.0 range.
So could it be still be a firewall issue?
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 8:19 pm

No it means the Access points are either not capable of reading vlan tags or was not setup yet.

Typically one has to change the managment vlan to the trusted or managmgent vlan used in the network.

For example if you have three vlans, home, guest, iot, the home vlan is the trusted one.
The AP should get an IP address from this subnet.

YOu may need to change the managment vlan setting in the zyxel to vlan home for example.
(native vlans stays at 1).
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 8:40 pm

Assuming a stand alone setup.
What is the difference between your bridge Subnet and your private subnet??

My recommendation is that you remove the lan subnet altogether and just use the private subnet for everything but the guest/public and streams.
If indeed private is just you the admin and the LAN .88 is the rest off the household thats a different matter.

I just see the point of separate bridge subnet, once I go vlans ALL subnets are vlans and much easier to deal with, config and firewall rule.

++++++++++++++++++++++++++++++++++++++++++++++++

Once you decide on plan and network structure its simply a matter of setting up the zyxel appropriately....
Top
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Set up AP with VLAN's on an RB2011

Wed Apr 05, 2023 9:16 pm

As ether5 is a member of a bridge the VLAN setup is incorrect. If the VLANs are only going to be accessed via ether5 then remove the bridge port. However, if the VLANs are also going to be accessed via other interfaces the setup needs correcting:
/interface vlan
add interface=ether5bridge name=VLAN-PRIVATE vlan-id=20
add interface=ether5bridge name=VLAN-PUBLIC vlan-id=10
add interface=ether5bridge name=VLAN-STREAMS vlan-id=30
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 vlan-ids=30
Top
 
JamesDunn
newbie
Topic Author
Posts: 28
Joined: Mon Apr 25, 2016 7:22 pm

Re: Set up AP with VLAN's on an RB2011

Thu Apr 06, 2023 1:54 am

Thanks for the advice. I've removed the 192.168.88.0/24 subnet which was just left over from the default config and I've created a separate MGMT VLAN.
I've also created VLAN bridges so that I could assign ether3 to the MGMT VLAN. However ether3 now has the same problem that it can't access the internet. It could access it before using the 192.168.88 subnet, but for some reason the VLAN's won't connect. I can't ping the MGMT gateway from my laptop via ether3, but I can access the Zyxel AP at 10.0.40.2 from the laptop. The Zyxel AP has been configured to use management VLAN 40. All the AP's seem to work and I get an IP from the right subnet when connecting to the relevant SSID, there's just no internet access!
Code: Select all
# apr/05/2023 23:43:08 by RouterOS 7.8
# software id = T6ZD-3KQV
#
# model = RB2011UiAS
# serial number = 69BB0503E956
/interface bridge
add name=BR-VLAN-MGMT
add name=BR-VLAN-PRIVATE
add name=BR-VLAN-PUBLIC
add name=BR-VLAN-STREAMS
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether5 name=VLAN-MGMT vlan-id=40
add interface=ether5 name=VLAN-PRIVATE vlan-id=20
add interface=ether5 name=VLAN-PUBLIC vlan-id=10
add interface=ether5 name=VLAN-STREAMS vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool2 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool3 ranges=10.0.30.2-10.0.30.254
add name=dhcp_pool4 ranges=10.0.40.3-10.0.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=BR-VLAN-PUBLIC lease-time=2h name=dhcp1
add address-pool=dhcp_pool2 interface=BR-VLAN-PRIVATE lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=BR-VLAN-STREAMS lease-time=8h name=dhcp3
add address-pool=dhcp_pool4 interface=BR-VLAN-MGMT lease-time=1d name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=BR-VLAN-MGMT interface=ether3
add bridge=BR-VLAN-PUBLIC interface=VLAN-PUBLIC
add bridge=BR-VLAN-PRIVATE interface=VLAN-PRIVATE
add bridge=BR-VLAN-STREAMS interface=VLAN-STREAMS
add bridge=BR-VLAN-MGMT interface=VLAN-MGMT
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VLAN-PUBLIC list=LAN
add interface=VLAN-PRIVATE list=LAN
add interface=VLAN-STREAMS list=LAN
add interface=VLAN-MGMT list=LAN
/ip address
add address=10.0.10.1 interface=BR-VLAN-PUBLIC network=10.0.10.0
add address=10.0.20.1 interface=BR-VLAN-PRIVATE network=10.0.20.0
add address=10.0.30.1 interface=BR-VLAN-STREAMS network=10.0.30.0
add address=10.0.40.1 interface=BR-VLAN-MGMT network=10.0.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=8.8.8.8 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=8.8.8.8 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=8.8.8.8 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" dst-port=1822 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=1822
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Set up AP with VLAN's on an RB2011

Thu Apr 06, 2023 2:58 am

Multiple bridges are a bad idea, see https://help.mikrotik.com/docs/display/ ... figuration as to why, and viewtopic.php?t=143620 for a primer on VLANs on a Mikrotik
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Set up AP with VLAN's on an RB2011

Thu Apr 06, 2023 4:21 pm

Of course it doesnt work!
ONe Bridge, all vlans, and you WRONGLY configured
/interface bridge ports
/interface bridge vlans ( totally missing )

ex. vlans are not bridge ports normally................
and never activated vlan filtering on the bridge itself.

+++++++++++++++++++++++++++++++
BASE ON ETHER5 being the port carrying the vLANS, 2 and 3 will be untagged on the private vlan, ether4 will be the management vlan.....
Code: Select all
# apr/05/2023 23:43:08 by RouterOS 7.8
# software id = T6ZD-3KQV
#
# model = RB2011UiAS
# serial number = { removed for security }
/interface bridge
add name=BR  vlan-filtering=yes  { set when all other bridge and vlan settings are in place }
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BR name=VLAN-MGMT vlan-id=40
add interface=BR name=VLAN-PRIVATE vlan-id=20
add interface=BR name=VLAN-PUBLIC vlan-id=10
add interface=BR name=VLAN-STREAMS vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool2 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool3 ranges=10.0.30.2-10.0.30.254
add name=dhcp_pool4 ranges=10.0.40.3-10.0.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN-PUBLIC lease-time=2h name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN-PRIVATE lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN-STREAMS lease-time=8h name=dhcp3
add address-pool=dhcp_pool4 interface=VLAN-MGMT lease-time=1d name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=BR ingress filtering=yes  frame-types=admit-priority-and-untagged interface=ether2 pvid=20
add bridge=BR ingress filtering=yes  frame-types=admit-priority-and-untagged interface=ether3 pvid=20
add bridge=BR ingress filtering=yes  frame-types=admit-priority-and-untagged interface=ether4 pvid=40
add bridge=BR ingress filtering=yes  frame-types=admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlans
add bridge=BR  tagged=BR,ether5  untagged=ether2,ether3   vlan-ids=20
add bridge=BR  tagged=BR,ether5  untagged=ether4   vlan-ids=40
add bridge=BR  tagged=BR,ether5  vlan-ids=10,30
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VLAN-PUBLIC list=LAN
add interface=VLAN-PRIVATE list=LAN
add interface=VLAN-STREAMS list=LAN
add interface=VLAN-MGMT list=LAN
add interface=VLAN-MGMT list=MGMT
/ip address
add address=10.0.10.1 interface=VLAN-PUBLIC network=10.0.10.0
add address=10.0.20.1 interface=VLAN-PRIVATE network=10.0.20.0
add address=10.0.30.1 interface=VLAN-STREAMS network=10.0.30.0
add address=10.0.40.1 interface=VLAN-MGMT network=10.0.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=8.8.8.8 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=8.8.8.8 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=8.8.8.8 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" dst-port=1822 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=1822
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Top
 
JamesDunn
newbie
Topic Author
Posts: 28
Joined: Mon Apr 25, 2016 7:22 pm

Re: Set up AP with VLAN's on an RB2011

Wed Apr 12, 2023 3:21 pm

Of course it doesnt work!
ONe Bridge, all vlans, and you WRONGLY configured
/interface bridge ports
/interface bridge vlans ( totally missing )

Thanks for your help so far, I've having another crack at this today. I've reset the RB2011 to blank / no configuration and I've copied the code you posted over, with some minor alterations to the VLAN id's / names.

DHCP is now working for all SSID's from the AP via the trunk on ether2. However there is no internet connection on any of them. I can ping 8.8.8.8 from the RB2011 terminal though.
The access MGMT port is working with DHCP on ether10, but again there's no internet connection and I can't ping 8.8.8.8.

So I assume it is some sort of routing problem or firewall issue on the RB2011?
Code: Select all
# apr/12/2023 13:18:01 by RouterOS 7.8
# software id = T6ZD-3KQV
#
# model = RB2011UiAS
# serial number = **************
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge name=BOOTH_VLAN vlan-id=20
add interface=bridge name=MGMT_VLAN vlan-id=10
add interface=bridge name=PUBLIC_VLAN vlan-id=40
add interface=bridge name=STAFF_VLAN vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_MGMT ranges=10.0.10.10-10.0.10.254
add name=dhcp_pool_BOOTH ranges=10.0.20.10-10.0.20.254
add name=dhcp_pool_STAFF ranges=10.0.30.10-10.0.30.254
add name=dhcp_pool_PUBLIC ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=dhcp_pool_MGMT interface=MGMT_VLAN lease-time=1d name=dhcp_MGMT
add address-pool=dhcp_pool_BOOTH interface=BOOTH_VLAN lease-time=8h name=dhcp_BOOTH
add address-pool=dhcp_pool_STAFF interface=STAFF_VLAN lease-time=1d name=dhcp_STAFF
add address-pool=dhcp_pool_PUBLIC interface=PUBLIC_VLAN lease-time=2h name=dhcp_PUBLIC
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether10 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,30,40
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=PUBLIC_VLAN list=LAN
add interface=STAFF_VLAN list=LAN
add interface=BOOTH_VLAN list=LAN
add interface=MGMT_VLAN list=LAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=10.0.10.1 interface=MGMT_VLAN network=10.0.10.0
add address=10.0.20.1 interface=BOOTH_VLAN network=10.0.20.0
add address=10.0.30.1 interface=STAFF_VLAN network=10.0.30.0
add address=10.0.40.1 interface=PUBLIC_VLAN network=10.0.40.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=8.8.8.8 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=8.8.8.8 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=8.8.8.8 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
Top
 
JamesDunn
newbie
Topic Author
Posts: 28
Joined: Mon Apr 25, 2016 7:22 pm

Re: Set up AP with VLAN's on an RB2011

Wed Apr 12, 2023 3:34 pm

Aha, I managed to find the solution viewtopic.php?t=177892#p874953 !

I needed to specifically set the CIDR on the VLAN addresses otherwise it defaults to /32
Top
Post Reply

Who is online

Users browsing this forum: Thechriss and 70 guests
  4. RouterOS
  5. Beginner Basics