I am new to the MikroTik world and to networking in general, and I want to create some VLANs alongside a trunk port and an access port.
We will only touch the main MikroTik (hEX S) and not the switch or other devices.
The result I want to achieve is to create four VLANs in my MikroTik router and trunk all of them to one port so my Unifi switch can use them.
I also want an access port for only one of the VLANs to be able to access that network directly from the router.
My setup is as follows:
Bridges
1. bridge_main: A bridge with minimal configuration
- It has no VLANs
- It has a DHCP server attached
- The addresses are 10.0.0.1/23
- It is assigned to the ether5 port (to connect to the MikroTik without caring for the rest of the setup, like a fail-safe).
2. bridge_shared
- All VLANs are assigned to it
- VLAN Filtering is enabled
- It is assigned to ether2 as a trunk port and, for testing each VLAN, to ether4 as an access port for (in this case) vlan10_iot
VLANs
1. vlan10_iot
- ID is 10
- It has a DHCP server attached
- The addresses are 10.0.10.1/24
- It is attached to bridge_shared
3. vlan30_home: With similar configuration as above
4. vlan40_guest: With similar configuration as above
The address of the router is 10.0.0.1 (which falls inside the bridge_main dhcp server range).
This was the abstract part, the actual configuration is:
/interface bridge # Create the bridges
add admin-mac=08:55:31:DA:F6:E0 auto-mac=no name=bridge_main
add name=bridge_shared vlan-filtering=yes
/interface vlan # Create the VLANs and assign them to bridge_shared
add interface=bridge_shared name=vlan10_iot vlan-id=10
add interface=bridge_shared name=vlan20_security vlan-id=20
add interface=bridge_shared name=vlan30_home vlan-id=30
add interface=bridge_shared name=vlan40_guest vlan-id=40
/interface list # Not sure where these two are used, they come with the default config
add name=WAN
add name=LAN
/ip pool # The ip pools for main bridge and VLANs
add name=pool_main ranges=10.0.0.2-10.0.0.254 # Range is cut short on purpose here; I want DHCP to only assign in this range, all of 10.0.1.2 - 10.0.1.254 will be static
add name=pool_vlan10 ranges=10.0.10.2-10.0.10.254
add name=pool_vlan20 ranges=10.0.20.2-10.0.20.254
add name=pool_vlan30 ranges=10.0.30.2-10.0.30.254
add name=pool_vlan40 ranges=10.0.40.2-10.0.40.254
/ip dhcp-server # The DHCP servers, they are assigned to bridge_main and to each VLAN
add address-pool=pool_main disabled=no interface=bridge_main name=dhcp_main
add address-pool=pool_vlan10 disabled=no interface=vlan10_iot name=dhcp_vlan10
add address-pool=pool_vlan20 disabled=no interface=vlan20_security name=dhcp_vlan20
add address-pool=pool_vlan30 disabled=no interface=vlan30_home name=dhcp_vlan30
add address-pool=pool_vlan40 disabled=no interface=vlan40_guest name=dhcp_vlan40
/interface bridge port # Assigned bridges to ports
add bridge=bridge_shared interface=ether2 # The trunk port
add bridge=bridge_shared interface=ether4 # An access port used for testing each VLAN on its own.
add bridge=bridge_main interface=ether5
/interface bridge vlan # Tag VLANs to the bridge_shared and ether2 (the trunk port) and untag only one to the ether4
add bridge=bridge_shared tagged=bridge_shared,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=20
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=30
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=40
/interface list member # Again, not sure what this does, it comes with the default config
add interface=bridge_main list=LAN
add interface=ether1 list=WAN
/ip address # The ip addresses assigned to each VLAN and bridge_main
add address=10.0.0.1/23 interface=bridge_main network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10_iot network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20_security network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30_home network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40_guest network=10.0.40.0
/ip dhcp-server lease # Some static leases for the devices I want to assign only in vlan10_iot (they are not currently assigned there)
add address=10.0.0.2 comment="Switch - Unifi Flex Mini" mac-address=F4:92:BF:A3:BB:F2 server=dhcp_main # A unifi switch
add address=10.0.0.3 client-id=ff:1:1e:53:e4:0:1:0:1:28:80:89:f9:e4:5f:1:1e:53:e4 comment="Raspberry Pi 4 Model B" mac-address=E4:5F:01:1E:53:E4 server=dhcp_main # A raspberry pi (runs docker servers)
add address=10.0.0.4 client-id=1:60:22:32:f0:97:89 comment=U6-Pro mac-address=60:22:32:F0:97:89 server=dhcp_main # A unifi access point
/ip dhcp-server network # The networks for each DHCP server
add address=10.0.0.0/23 gateway=10.0.0.1 netmask=23
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=1.1.1.1,1.0.0.1
/ip dns # Some DNS records
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/******/Mikrotik verify-doh-cert=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
The problem I have is that the trunk/access ports do not work. When I connect a device to the access port it will not be assigned an IP address and does not have access to the internet.
I searched a lot on this forum and other sites but the problem remains. I even tried to follow some YouTube videos.
Some of the requirements I have and would like to keep (if possible and they are not the source of the problem) are:
1. The DHCP for each VLAN is assigned to the VLAN. What I mean is that I don't want to assign the dhcp and vlan to a new bridge only for this vlan.
2. All VLANs are assigned to only one bridge which is then assigned to different trunk/access ports.
3. Keep the bridge_main as a separate bridge used for accessing the router (ether5)
4. Keep it simple, so if I want to change or assign more trunk/access ports to the router it will be easy to do (like only assigning the bridge and adding one more tag).
5. Keep the naming conventions: for a bridge the name will start with "bridge_", for a vlan it will start with "vlanXX_", a dhcp will start with "dhcp_" etc.
I am familiar with the terminology, so no need to explain that part (except if I did something stupid above). If possible I want very verbose responses that explain what I have to do, because I am new to this area.
Thank you everyone.
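The post above hinges on whether the bridge VLAN table, the bridge ports and the VLAN interfaces agree with each other. The following script is an added example (it is not part of the post and not MikroTik code): it parses the `/interface bridge`, `/interface vlan`, `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS export and reports the mismatches that most often leave an access port without an address. It relies on one RouterOS behaviour I am stating as a fact: untagged frames entering a bridge port are placed in the VLAN given by that port's `pvid`, which defaults to 1 when not set. The `SAMPLE_EXPORT` is a constructed excerpt that mirrors the bridge_shared part of the configuration above; `FIXED_EXPORT` is the same excerpt with a `pvid` on the access port, so the two show the weak and the corrected setting side by side.

```python
"""Consistency checker for a RouterOS bridge VLAN table (added example).

Checks performed:
  * a bridge that has VLAN table entries must have vlan-filtering=yes,
    otherwise the table is not enforced;
  * every port named as tagged/untagged in a VLAN entry must be a port of
    that bridge;
  * an untagged (access) port must have a bridge-port pvid equal to the
    VLAN it is untagged in (RouterOS default pvid is 1);
  * a VLAN interface on a bridge must have its vlan-id in the bridge's VLAN
    table with the bridge itself listed as tagged, or the router's own
    address on that VLAN interface is unreachable.
"""
from collections import defaultdict
import shlex

# Constructed sample mirroring the bridge_shared part of the post above.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge_shared vlan-filtering=yes
/interface vlan
add interface=bridge_shared name=vlan10_iot vlan-id=10
add interface=bridge_shared name=vlan20_security vlan-id=20
/interface bridge port
add bridge=bridge_shared interface=ether2
add bridge=bridge_shared interface=ether4
/interface bridge vlan
add bridge=bridge_shared tagged=bridge_shared,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=20
"""

# Same sample with the access port given the pvid of the VLAN it carries.
FIXED_EXPORT = SAMPLE_EXPORT.replace("interface=ether4", "interface=ether4 pvid=10")


def expand_ids(spec):
    """'10,20-22' -> [10, 20, 21, 22] (RouterOS vlan-ids syntax)."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for the 'add' lines."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '#' comments
        if not line:
            continue
        if line.startswith("/"):
            current = line
            continue
        words = shlex.split(line)
        if current is None or words[0] != "add":
            continue  # 'set' lines are not needed for these checks
        entry = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        sections[current].append(entry)
    return sections


def check_bridge_vlans(text):
    """Return a list of findings (strings); an empty list means consistent."""
    cfg = parse_export(text)
    findings = []
    filtering = {b["name"]: b.get("vlan-filtering", "no") for b in cfg["/interface bridge"]}
    pvid = {(p["bridge"], p["interface"]): int(p.get("pvid", "1"))
            for p in cfg["/interface bridge port"]}
    carried = defaultdict(set)          # bridge -> VLAN IDs in its table
    tagged = defaultdict(set)           # (bridge, vid) -> tagged members
    checked_bridges = set()
    for v in cfg["/interface bridge vlan"]:
        bridge = v["bridge"]
        if bridge not in checked_bridges and filtering.get(bridge) != "yes":
            findings.append(f"{bridge} has VLAN table entries but vlan-filtering is not yes")
        checked_bridges.add(bridge)
        for vid in expand_ids(v["vlan-ids"]):
            carried[bridge].add(vid)
            for port in filter(None, v.get("tagged", "").split(",")):
                tagged[(bridge, vid)].add(port)
                if port != bridge and (bridge, port) not in pvid:
                    findings.append(f"{port} is tagged in VLAN {vid} but is not a port of {bridge}")
            for port in filter(None, v.get("untagged", "").split(",")):
                if (bridge, port) not in pvid:
                    findings.append(f"{port} is untagged in VLAN {vid} but is not a port of {bridge}")
                elif pvid[(bridge, port)] != vid:
                    findings.append(
                        f"{port} is untagged in VLAN {vid} but its pvid is {pvid[(bridge, port)]}: "
                        f"untagged frames arriving on it are placed in VLAN {pvid[(bridge, port)]}")
    for vi in cfg["/interface vlan"]:
        parent, vid = vi["interface"], int(vi["vlan-id"])
        if parent not in carried:
            continue  # parent is not a VLAN-filtering bridge (e.g. a plain ethernet port)
        if vid not in carried[parent]:
            findings.append(f"{vi['name']} uses VLAN {vid} but {parent} does not carry it")
        elif parent not in tagged[(parent, vid)]:
            findings.append(f"{parent} must be tagged in VLAN {vid} for {vi['name']} to work")
    return findings


if __name__ == "__main__":
    for label, export in (("as posted", SAMPLE_EXPORT), ("with pvid", FIXED_EXPORT)):
        print(f"== {label} ==")
        for f in check_bridge_vlans(export) or ["no findings"]:
            print(" -", f)
```

Run against an actual `/export` the same parser applies unchanged; the checks are deliberately limited to relationships visible in those four sections, so a clean result means the VLAN table is self-consistent, not that DHCP or firewall rules are correct.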