I've got VLAN10 (192.168.10.0/24) on eth2 and eth3, and VLAN20 (192.168.20.0/24) on eth4 and eth5.
How can I "connect" these two VLANS with the WAN port eth1 that has the IP 192.168.1.20 (in my test setup)?

Your request is ambiguous - do you mean that you want to put both vlan10 and vlan20 as tagged vlans on the wan interface, or that you want to allow Internet access for devices that are connected to vlans 10 and 20? I'm going to assume the latter, and say that all you really need to do is make sure the router knows that the default GW lies across the WAN network, and that the router should do MASQUERADE srcnat on all traffic that is going out-interface=wan...

So in simple terms, this means to make sure there's a rule in the firewall > nat menu, srcnat chain, with action=masquerade, and the only criteria is out-interface=ether1-gateway (or whatever the name of your WAN interface might be)

Yes, sorry, I did mean for the two VLAN's to gain access to the internet.
Adding the masquerade rule indeed did do the job, so THANK YOU for your help!

A follow up question to extend my (little) understanding about VLANs:

I did setup the the VLAN according to the instructions in the Vlans on Mikrotik environment chapter. However, that example does use one interface port as a trunk port for both VLANs, which AFAIK is only required if I want to connect to another switch/router that handles the same VLANs.
What if I only have ONE router, and assign its ports to (lets say) 2 different VLANs - making sure that the machines (attached to these VLAN ports) inside their respective VLAN can't interact with each other. So all of them are "access ports". How would I set that up with RouterOS?

...is what puzzles me. I need to add the VLAN to a physical port, which means that port is then a "tagged VLAN port" (which is required for trunking). How can I setup the VLAN without that step (or an alternative step)?

In your configuration, simply use the IP firewall filter rules (in the forward chain) to block vlan10 <--> vlan20 access.

e.g.: I think you've got a slight misconception about what a VLAN is vs. routing / firewalling.
All of your requested functionality has to do with layer 3 (IP addressing / routing), but you're asking the questions relative to VLANs. Yes, VLANs can come into play here, but they don't do exactly what I think you think they do. Put simply, all a VLAN does is break a switch into several logical switches so that ports in vlanX cannot communicate with ports in vlanY.
Suppose you went to the store and bought two 5-port dumb switches. You could put a sticker on each one (vlanX and vlanY) and as long as you don't plug them into each other, then this is the same exact thing as having a 10-port switch with ports 1-5 being set to vlan X, and ports 6-10 being set to vlan Y.

Okay - back to the two dumb switches example. Any devices plugged into switch X may communicate with each other, share files, printer services, play games, whatever. You don't even have to use IP protocol - you could use whatever protocol(s) you want - the switch doesn't care - it just looks at MAC addresses and nothing else. But the switch is an island. If you plugged more switches into it, then you'd have more devices that could talk to each other by MAC address, but it would just be a "bigger island." If you plug a router into the switch, though, then the router becomes a gateway to other networks. The router participates in IP protocol, and so anything on the switch that knows how to "speak IP" can use the router as a gateway to talk to IP addresses which are not in the local network. This includes the IP addresses of hosts plugged into switch Y. So suppose the router is plugged into both switch X and switch Y, then as long as hosts in X and hosts in Y know to use the router as the gateway, they can now communicate.

Configuring VLAN on the switch ports in the Mikrotik is basically grouping the ports into logical switches, the same way as if it were two physically separate switches. When you allow vlans 10 and 20 to reach the cpu interface, then that's how you're "connecting" the router to the switch (instead of plugging a physical cable into a physical switch). In the "router" part of the configuration, the Mikrotik requires that you put the vlan sub-interfaces onto whatever switch master port you've configured. So even though you may have ether2-master set up to have vlan interfaces on it, the Switch menu overrides this behavior at the switch layer, so the physical port ether2 can be isolated into whatever VLAN you like. The trunk interface from the switch's perspective is the CPU port of the switch. The Router refers to this link as "ether2" because that's the "master" port of the switch.

So once you've done this, realize that any communication between vlans must go through the router as a router, and not directly between switch ports via some set of rules.

I know this has been long, but sometimes it helps to have a solid understanding of "what's going on under the hood."

I highly appreciate that you take the extra effort to explain what is going on under the hood! It's really helpful, and I guess I did understand what you said for the most part.

But I am not quite there yet... This is clear: it means any traffic coming from a "vlan10" port, not heading for the gateway-port, is rejected.

Ok nice. But as you said, my understanding of VLAN and routing is not clear yet - couldn't I do the same thing, and replace "vlan10" with (say) "ether3"? Ok, the consequence would be that ether3 could only communicate with ether1, and NOT with ether4, which might be designated as part of vlan10. So the VLAN is just a group of ports - which is exactly what you said.

And I get that. But does that mean that VLAN's dont inherently make sure that traffic within a VLAN stays VLAN-exclusive? I thought that was one of the major reasons and goals of VLAN's to make sure their traffic stays private?

I know you gave your firewall rule as an answer to my question, "how do I set up VLAN access ports ONLY - without a trunk port". So I guess under an "ordinary" VLAN setup, the firewall rule would not be necessary. It's just another means how to achieve my goal.

My goal being: I have one router with many ports on them, and some of them I want to group to a VLAN, while giving them access to the internet (and of course making sure that VLAN traffic stays private within their respective VLAN)

The part that confuses me is: why do I need to use a "trunk port"? It's usually only required to connect several routers/switches, that are supposed to handle the same VLANs.

This is a trunk port (in my understanding), and it seems to be the only way to "create" a "vlan" ("vlan-10" to be precise) - it needs to be assigned to a physical port (ether1).

To setup the "access ports" of the VLAN, a bridge needs to be created, which connects the desired interface ports with the VLAN: After that step, ether3 is a "vlan access port" (which is untagged)

Even your firewall rule refers to "vlan-10". How can I setup "vlan-10" without setting it up as a trunk port? I guess this is my main question at the moment. If I know how to do that, I guess my understanding of what VLAN is and does, will grow.

Code: Select all

/ip firewall filter
add chain=forward in-interface=vlan10 out-interface=!ether1-gateway action=reject

This is clear: it means any traffic coming from a "vlan10" port, not heading for the gateway-port, is rejected.

Ok nice. But as you said, my understanding of VLAN and routing is not clear yet - couldn't I do the same thing, and replace "vlan10" with (say) "ether3"? Ok, the consequence would be that ether3 could only communicate with ether1, and NOT with ether4, which might be designated as part of vlan10. So the VLAN is just a group of ports - which is exactly what you said.

No, you would replace vlan10 with the name of the bridge interface that is bridging the individual ports together into a vlan... Remember that IP firewall only refers to IP interfaces. When you make a bridge, it's the bridge interface itself that is the Mikrotik's "connection" into the VLAN you created. So that's why you put IP services on the bridge interface itself (such as DHCP server) and firewall rules. If you make a firewall rule that matches in-interface=ether3, then the rule won't ever match any packets because the IP layer of the router receives these packets via the bridge interface. (if you enable use-ip-firewall=yes on the bridge, then the bridge will check the firewall rules while forwarding ethernet frames across the bridge as well, but this is a 'special' case, and has performance penalties, etc)

And I get that. But does that mean that VLAN's dont inherently make sure that traffic within a VLAN stays VLAN-exclusive? I thought that was one of the major reasons and goals of VLAN's to make sure their traffic stays private?

It is a goal, and it does what it says it does - it isolates hosts in vlan10 from hosts in vlan20 . . . at layer 2 (ethernet layer). This means that broadcasts from hosts in vlan10 will not reach hosts in vlan20 (e.g. no DHCP requests, no ARP requests, no auto-discovery protocols like UPnP, etc).

However, since the Mikrotik is also a ROUTER, then if hosts in vlan10 send IP packets whose destination are in vlan20, then the router functionality will quite happily forward the IP packets between the two vlans. That's the very reason that they invented routers - to connect networks together. (hence the name "internet" - inter-network protocol.) It's this forwarding behavior that is being limited by the firewall rule. And since the router is connected to vlan10 via the bridge10 interface, then the firewall rule must refer to the bridge interface.

Now, if you're using the on-board hardware-based switch to do the VLAN separation, then the "ether1-master" interface is the router's logical connection into the HW switch. Therefore, you are indeed trunking between the router and the switch. Thus, you must put vlan interfaces on "ether1-master" in order to send traffic into the switch with the correct vlan tag on them. Note that the HW switch can then strip the vlan tags and send a particular vlan's traffic to the real ether1 interface and prevent the other vlans from existing on ether1. It's a tad confusing, but it makes sense once you look at the block diagram for your router.

I know you gave your firewall rule as an answer to my question, "how do I set up VLAN access ports ONLY - without a trunk port". So I guess under an "ordinary" VLAN setup, the firewall rule would not be necessary. It's just another means how to achieve my goal.

My goal being: I have one router with many ports on them, and some of them I want to group to a VLAN, while giving them access to the internet (and of course making sure that VLAN traffic stays private within their respective VLAN)

The part that confuses me is: why do I need to use a "trunk port"? It's usually only required to connect several routers/switches, that are supposed to handle the same VLANs.

I mentioned the trunk port because I was assuming that you were using the HW switch. If you're just creating some bridges and connecting ports A, B, C to bridge1 and D, E, F to bridge2, then it's a touch misleading to use the term 'vlan' to refer to this, because the bridges aren't really doing any kind of vlan tagging. Each vlan is a virtual switch, and all connected ports may communicate with each other. It's not incorrect to use the term vlan, but it's misleading because you can make lots of bridges and never use a single vlan identifier anywhere.


TL;DR version:
Make bridge10 and bridge20
Put IP addresses on bridge10 and bridge20, dhcp service, etc.
Connect the desired physical ethernet interfaces to the desired bridges
Limit IP forwarding between the bridges using firewall rules.

I want to thank you for sharing your time and insight, and helping me make things understand better! I know I still have a LOT left to learn about these matters though...

So in my "special case" I don't really need the VLAN functionality, but I just go with grouping a bunch of physical interfaces by creating a (ordinary) bridge, assign a subnet to it (including DHCP), and make sure its traffic stays private by setting up the aforementioned firewall rules. Thanks a lot again!

Correct.

That's how it's done.

Furthermore:
If one of the LAN segments is expected to do a lot of internal traffic (storage server?) then you could use HW switching for that LAN and bridging for the other. HW switching can go wire speed and place no burden on the CPU. The only difference in this is that you will remove some Ethernet interfaces from the bridge, and set their master port to be an interface that is still connected to the bridge. If all ports are on the same HW switch and you don't want to include WiFi on this LAN, then you can just use the master interface itself and not need a bridge - meaning for example, ether2-master gets the IP, DHCP server, and firewall settings (instead of a bridge interface). The other interface group can still be a bridge.

Got it, thank you very much!

Now, using this firewall rule to keep its traffic separate from others, is clear. However, what do I do if I had 2 WAN gateway interfaces (one backup/fallback in case the first fails), and I wanted the "private lan" to be able to use both? What firewall rule would I use then (specifically for the parameter "out-interface")?

That way I make sure that traffic from "br-lan10" stays within "lan10" and still has access to any WAN ports there may be.

Thanks again ZeroByte!

No problem. I'm glad to see you're starting to get the hang of it.
Another nice feature that is working in the latest 6.36.RCxx version of ROS is interface groups.
Just like IP address-list functionality, you can define a list of interfaces and make firewall rules match the groups.

So for example, you could make an interface group called WAN and then set your two WAN interfaces as members of that group.
This way, you can make a unified policy for all interfaces in that group.

out-interface-group=WAN action=accept  <---- allows you to simply use one rule to cover everything in the group

Currently, the interface group feature is only available via the command line interface, but it should be finding its way into Winbox / Webfig - probably not long after 6.36 is released.

Just like IP address-list functionality, you can define a list of interfaces and make firewall rules match the groups.

Oh, that is interesting! I might need that in the future

I was very happy to see this feature. One thing about Adtran's operating system (a near-clone of Cisco IOS) that I really like is its zone-based firewall policy structure.
It is very logical to define a security policy for a zone, and then declare that interfaces X, Y, and Z are in this policy zone.
This was always clunky in ROS IP Firewalls and required a custom chain with a jump rule into the chain for each interface with that policy.
Now you can do it with a single rule.