Lose access to router when configuring vLAN's

sooperdoopa · Thu Nov 23, 2023 10:26 am

I'm having a lot of issues creating vLAN's. I've followed several tutorials and on all occasions, I have lost access to the router interface, sometimes by doing some fairly simple tasks like adding an address list. Wonder if someone could take a look over my config and let me know if there are any glaring issues...

/interface bridge
add admin-mac=4C:5E:0C:1E:44:2D auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan10 max-mtu=1500 \
    name=pppoe-out1 use-peer-dns=yes user=user@blank
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add name=DHCP-Juniors
/ip pool
add name=dhcp ranges=10.10.10.100-10.10.10.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan10 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.10.10.1/24 comment=defconf interface=bridge network=10.10.10.0
/ip arp
add address=10.10.10.40 interface=bridge mac-address=58:50:ED:1B:F7:1E
add address=10.10.10.41 interface=bridge mac-address=00:12:31:62:96:54
add address=10.10.10.30 comment="Downstairs AP" interface=bridge mac-address=\
    80:2A:A8:43:A8:C6
add address=10.10.10.31 comment="Garage AP" interface=bridge mac-address=\
    80:2A:A8:86:29:4C
add address=10.10.10.10 comment=QNAP interface=bridge mac-address=\
    00:08:9B:EE:69:AA
add address=10.10.10.50 comment="Smartplug - Garage" interface=bridge \
    mac-address=10:52:1C:FB:AC:E9
add address=10.10.10.51 interface=bridge mac-address=10:52:1C:FB:DF:43
add address=10.10.10.52 interface=bridge mac-address=10:52:1C:FB:1E:CB
add address=10.10.10.53 interface=bridge mac-address=F4:CF:A2:29:CC:E1
add address=10.10.10.42 interface=bridge mac-address=00:12:31:67:A6:0A
add address=10.10.10.43 interface=bridge mac-address=F0:00:00:98:B0:D2
add address=10.10.10.32 comment="Upstairs AP" interface=bridge mac-address=\
    24:5A:4C:11:89:3C
/ip dhcp-client
add disabled=no interface=vlan10
/ip dhcp-server lease
add address=10.10.10.51 mac-address=10:52:1C:FB:DF:43 server=defconf
add address=10.10.10.50 mac-address=10:52:1C:FB:AC:E9 server=defconf
add address=10.10.10.59 mac-address=54:60:09:DA:E2:D8 server=defconf
add address=10.10.10.53 mac-address=F4:CF:A2:29:CC:E1 server=defconf
add address=10.10.10.52 mac-address=10:52:1C:FB:1E:CB server=defconf
add address=10.10.10.54 comment="Temp Sensor 1" mac-address=10:D5:61:D5:AC:A1 \
    server=defconf
add address=10.10.10.56 mac-address=84:CC:A8:8A:02:83 server=defconf
add address=10.10.10.101 client-id=1:f2:7:f7:1b:6a:9a mac-address=\
    F2:07:F7:1B:6A:9A server=defconf
add address=10.10.10.20 client-id=1:0:15:5d:a:6e:3 comment=\
    "Home Assistant (DR)" mac-address=00:15:5D:0A:6E:03 server=defconf
add address=10.10.10.57 comment="Garage Door Opener" mac-address=\
    3C:61:05:89:4A:92 server=defconf
add address=10.10.10.100 client-id=1:ce:e6:62:e3:1:9a mac-address=\
    CE:E6:62:E3:01:9A server=defconf
add address=10.10.10.55 mac-address=EC:0B:AE:98:CC:C1 server=defconf
add address=10.10.10.60 client-id=1:78:c4:e:b2:9c:2e mac-address=\
    78:C4:0E:B2:9C:2E server=defconf
add address=10.10.10.44 client-id=1:0:ec:6b:c9:7b:8e comment="Cam - Front" \
    mac-address=00:EC:6B:C9:7B:8E server=defconf
add address=10.10.10.62 mac-address=60:8A:10:7B:15:E5 server=defconf
add address=10.10.10.63 mac-address=98:CD:AC:1E:7D:F7 server=defconf
add address=10.10.10.90 client-id=1:de:95:81:dc:ae:7d comment=\
    "Galaxy-Tab-A8 - Benji" mac-address=DE:95:81:DC:AE:7D server=defconf
add address=10.10.10.91 client-id=1:5e:90:26:be:9d:fe comment=\
    "Galaxy-Tab-A8 - Leo" mac-address=5E:90:26:BE:9D:FE server=defconf
add address=10.10.10.92 client-id=1:50:1a:c5:4:c2:de mac-address=\
    50:1A:C5:04:C2:DE server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf dns-server=10.10.10.1 gateway=\
    10.10.10.1 netmask=24
add address=192.168.1.0/24 dns-server=10.10.10.1 gateway=192.168.1.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.10.1 name=router
add address=10.10.10.10 comment=QNAP
add address=10.10.10.43 name=cam-garage
add address=10.10.10.42 name=cam-driveway
add address=10.10.10.40 name=cam-entrance
add address=10.10.10.41 name=cam-laundry
add address=10.10.10.10 name=plex.direct
add address=10.10.10.10 comment=QNAP
add address=10.10.10.12 comment=Unifi name=unifi
add address=10.10.10.20 disabled=yes
/ip firewall address-list
add address=10.10.10.40-10.10.10.49 comment="Cameras - no internet" list=\
    Cameras
add address=10.10.10.50-10.10.10.69 comment="Smarts - no internet" list=\
    Smarts
add address=10.10.10.70-10.10.10.79 comment="Smarts - Other (internet)" list=\
    "Smarts - other"
add address=10.10.10.92 comment="Surface Pro 2" list=No-Internet
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Cameras - no internet" out-interface=\
    pppoe-out1 src-address-list=Cameras
add action=drop chain=forward comment="Surface pro 2" disabled=yes \
    out-interface=pppoe-out1 src-address-list=No-Internet
add action=drop chain=forward comment="Smarts - no internet" disabled=yes \
    out-interface=pppoe-out1 src-address-list=Smarts
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 src-address=10.10.10.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set time-interval=hour
/system clock
set time-zone-name=Pacific/Auckland
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

templlama · Thu Nov 23, 2023 2:36 pm

The only vlan I see is the one for the pppoe connection?

I do agree that using vlans and bridge vlan filtering can be a challenging ordeal.
What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge.
Give it an IP address and basically done. Then do all your configuring attached to this port and it should be far smoother sailing.
For an explanation ---> viewtopic.php?t=181718

mkx · Thu Nov 23, 2023 3:55 pm

What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge.

And absolutely add it to LAN interface list in case one needs winbox MAC connectivity - default config limits this kind of connectivity to LAN interface list.
If done this properly, one doesn't even need to set IP address on ether5, winbox is your friend.

sooperdoopa · Wed Nov 29, 2023 10:43 am

What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge.
And absolutely add it to LAN interface list in case one needs winbox MAC connectivity - default config limits this kind of connectivity to LAN interface list.
If done this properly, one doesn't even need to set IP address on ether5, winbox is your friend.

Very useful info! Thanks very much. I managed to configure it through Winbox without losing access to the router (avoiding wrath from my family when the internet was unavailable!)

anav · Wed Nov 29, 2023 2:36 pm

viewtopic.php?t=181718

Lose access to router when configuring vLAN's

Lose access to router when configuring vLAN's

Re: Lose access to router when configuring vLAN's

Re: Lose access to router when configuring vLAN's

Re: Lose access to router when configuring vLAN's

Re: Lose access to router when configuring vLAN's

Who is online