VLANs - different address on different ports

mikrotikshell · Sun Aug 29, 2021 11:48 am

Hello!
I'm new here, so, please, be tender

I have MT hEX router with (almost) default configuration. Want to do such:
1. on every ether ports (2-5) different VLANs (vlan_2 on ether_2 and so on)
2. want to offer on DHCP server different addresses for different ether/VLAN. For example 192.168.2.X on ether2 (vlan_2), For example 192.168.3.X on ether3 (vlan_3)
3. block access to Internet all devices connected to ether3 (vlan_3) - I don't want to my CCTV cameras send anything outside LAN

Thats all

Im stuck, so It will be really helpful to do such configuration..

mikrotik_vlan.png

Thanks in advance!

Sun Aug 29, 2021 4:20 pm

viewtopic.php?f=2&t=175475
viewtopic.php?f=23&t=143620

anav · Sun Aug 29, 2021 4:26 pm

THe problem is you are stating requirements based on configuration which is the wrong approach complicates matters and confuses you.
Ports have nothing to do with DHCP, unless you are attaching a subnet directly to a port.
IF using just vlans, then ports are transparent.

Read the article, and if you want help state a clear set of requirements based on what you want users/devices to be able to do or not od, WITHOUT any mention of config.
DOesnt matter if its 5,10,20 lines long, the clearer the requirement the better an optimized solution can be had.

viewtopic.php?f=23&t=143620

mikrotikshell · Sun Aug 29, 2021 5:32 pm

Thank you for quick support!

I've read "Using RouterOS to VLAN your network" but something goes wrong and lost my MT access, so must reset it. Now works fine, beginner problems

My idea is such:

MT_LAN.jpg

MT is connected to server which offer 192.168.0.50 via DHCP. I'd like to attach different LAN segment to MT.
- port eth2 for one PC, I'd like to offer this client IP from subnet 192.168.20.XX via DHCP from MT
- port eth3 will be attached to unmanaged switch, where IP Cams are connected. I'd like offer them IPs from subnet 192.168.30.XX via DHCP from MT
- port eth4 for one NAS, I'd like to offer this client IP from subnet 192.168.40.XX via DHCP from MT
- port eth5 will be attached to unmanaged switch, where will PC clients will be connected (192.168.50.10..100 via DHCP from MT), WiFi clients (192.168.50.101..200) and IoT/sensors (192.168.50.201..250)

PCs will be NATed

My idea is to use VLANS for separate subnets on MT and DHCP for subnets addressing. Does it can be done better/faster/less complicated?

Next. I'm planning to prepare different policies to each subnets/ranges (for example block internet access for IP cams, allow only PC clients access to NAS, block IoT clients access to IP Cams and so on).

mkx · Sun Aug 29, 2021 8:04 pm

If you'll have exactly as per your diagram, i.e. one LAN per port, each port different LAN, then you don't need VLANs at all. Simply remove all ports from bridge (then remove bridge), set appropriate IP address to each physical port and you're done. Add DHCP servers to interfaces you need (or configure DHCP relay if you want to have one central DHCP server not on router itself). The rest (firewall etc.) is usually not bound to interfaces but rather IP subnets. Ditto for routing.

k6ccc · Sun Aug 29, 2021 8:28 pm

@mikrotikshell What you are doing with your hEX is almost exactly what I am doing with mine except that I do have one port that is a VLAN trunk for a few additional LANs. The router is exclusively functioning as a router and all the switch functions are being handled in separate switches. Therefore there is no bridge set up in the router. My firewall requirements are a bit different than yours, but the basic functionality is similar. Each LAN or VLAN has a separate DHCP server and IP pool.

BTW (and I'm surprised that anav has not already requested this), if you are going to show us all or a part of your configuration, you are far batter off instead of posting screen captures, export the router configuration and post the resulting file. To do that (and I'm assuming you are using WebFig or Winbox), open a terminal window, type /export hide-sensitive file=any-filename-you-wish Then open the files section and download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

mikrotikshell · Sun Aug 29, 2021 8:56 pm

If you'll have exactly as per your diagram, i.e. one LAN per port, each port different LAN, then you don't need VLANs at all. Simply remove all ports from bridge (then remove bridge), set appropriate IP address to each physical port and you're done. Add DHCP servers to interfaces you need (or configure DHCP relay if you want to have one central DHCP server not on router itself). The rest (firewall etc.) is usually not bound to interfaces but rather IP subnets. Ditto for routing.

Thanks for response.
Just for educational purpose: is this available without removing bridge and using VLANs? For example, when I'll want to different VLANS on single ethernet port?

mkx · Sun Aug 29, 2021 10:00 pm

You sure can keep bridge and use VLANs for port separation. If you haven't already, have a look at this tutorial. What is special in your case is that only single physical port will be untagged member of corresponding VLAN while bridge interface will be tagged member of all VLANs.

mikrotikshell · Sun Aug 29, 2021 10:39 pm

You sure can keep bridge and use VLANs for port separation. If you haven't already, have a look at this tutorial. What is special in your case is that only single physical port will be untagged member of corresponding VLAN while bridge interface will be tagged member of all VLANs.

Thank you very much. I've try to do such - think there is only bridge interface tagged member od VLANs (dont't know how to do that...)

/interface bridge
add admin-mac=XXXXXX auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface vlan
add interface=ether2 name=vlan-ether2-PC vlan-id=20
add interface=ether3 name=vlan-ether3-CAMS vlan-id=30
add interface=ether4 name=vlan-ether4-NAS vlan-id=40
add interface=ether5 name=vlan-ether5-LAN vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool4 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan-ether2-PC name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan-ether3-CAMS name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=vlan-ether4-NAS name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=vlan-ether5-LAN name=dhcp4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 interface=bridge network=192.168.20.0
add address=192.168.30.1/24 interface=vlan-ether3-CAMS network=192.168.30.0
add address=192.168.40.1/24 interface=vlan-ether4-NAS network=192.168.40.0
add address=192.168.50.1/24 interface=vlan-ether5-LAN network=192.168.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

mkx · Sun Aug 29, 2021 11:26 pm

The config you posted has nothing to do with bridge vlan-filtering which is nicely explained by tutorial I mentioned in my previous post.

mikrotikshell · Mon Aug 30, 2021 12:16 am

The config you posted has nothing to do with bridge vlan-filtering which is nicely explained by tutorial I mentioned in my previous post.

Trying to understand bridges and VLANs... Is this have more sense?

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

/interface bridge port
add bridge=BR1 interface=ether2 pvid=20
add bridge=BR1 interface=ether3 pvid=30
add bridge=BR1 interface=ether4 pvid=40
add bridge=BR1 interface=ether5 pvid=50

/interface bridge port
add bridge=BR1 interface=ether1

/interface bridge vlan
set bridge=BR1 tagged=ether1 [find vlan-ids=20]
set bridge=BR1 tagged=ether1 [find vlan-ids=30]
set bridge=BR1 tagged=ether1 [find vlan-ids=40]
set bridge=BR1 tagged=ether1 [find vlan-ids=50]
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN
/ip route add distance=1 gateway=192.168.0.1

/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]

/interface bridge set BR1 vlan-filtering=yes

anav · Mon Aug 30, 2021 1:33 am

Again, if the diagram is your stated method of showing us your requirments why are you farting around with vlans?
MKX said quite clearly you dont need any. Suggesting you setup your router without vlans according to the diagram you want.
When you have that done post your FULL config, not just what you think you need to show!! (not the sensitive stuff).

THEN and only then should you contemplate the addition of additional requirements or functionality.
One step at a time, walk before you run, keep it simple.

Adding vlans will be dirt simple after the fact but your stuck halfway in between spinning in circles.

mkx · Mon Aug 30, 2021 9:07 am

The config you posted has nothing to do with bridge vlan-filtering which is nicely explained by tutorial I mentioned in my previous post.
Trying to understand bridges and VLANs... Is this have more sense?

You're almost there.
Just make sure that other end-point of ether1 link is using tagged VLANs, configuration for ether1 port should match configuration of the other end.

Since device will be doing routing between different IP subnets (in your original config device has IP addresses in all VLANs), you'll have to add bridge interface as tagged member of all needed VLANs, so all VLANs should have /interface bridge vlan configuration command similar to the one configuring VLAN 99. Then you'll need appropriate /interface vlan interfaces for the rest of VLANs (in same manner as you have BASE_VLAN).

mikrotikshell · Mon Aug 30, 2021 10:32 am

Again, if the diagram is your stated method of showing us your requirments why are you farting around with vlans?

Maybe it is stupid, but there is two reasons:
1. Most important - I'd like to know how VLANs works. I've build few small networks/servers, but I never had the need VLANs. Now I have MT and building network from scratch and have ability to understand how it works.
2. Want to prepare my networks for future changes. Of course I can build one LAN on one physical port, but maybe there will be need to build two LANs on single port. Then will be easier to add new VLAN than rearranged whole configuration.

So, yes, I know that isn't as simple as it could be (yep, KISS), but educational purpose is important for me.

Hope there isn't nothing wrong with my path of thought

anav · Mon Aug 30, 2021 2:06 pm

None at all, but in terms of learning,
a. its really cool to see that you setup your network without vlans and without the use of bridge.
b. then add a bridge and a few vlans ( a mix of both worlds).
c. and then screw subnets and ports join the borg and ONLY do vlans.

In this way you still learn about vlans but get a wider appreciation of the routers wide scope of possibilities.
In any case if you want to change the requirements , then post a different diagram (or modify the one you have) of what you would like to achieve (make it accurate or config to the diagram)

mikrotikshell · Mon Aug 30, 2021 9:43 pm

None at all, but in terms of learning,
a. its really cool to see that you setup your network without vlans and without the use of bridge.

OK

First step: no VLANs, no bridge.
My setup without VLANS looks now:

# aug/30/2021 20:37:55 by RouterOS 6.48.4
# software id = ICTI-3408
#
# model = RB750Gr3
# serial number = XXXXXXXXXXXX
/interface list
add comment=defconf name=WAN
add name=LAN-ether2
add name=LAN-ether3
add name=LAN-ether4
add name=LAN-ether5
add comment=defconf include=LAN-ether2,LAN-ether3,LAN-ether4,LAN-ether5 name=\
    LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_ether2_192.168.20.0 ranges=192.168.20.20-192.168.20.200
add name=dhcp_ether3_192.168.30.0 ranges=192.168.30.10-192.168.30.200
add name=dhcp_ether4_192.168.40.0 ranges=192.168.40.10-192.168.40.200
add name=dhcp_ether5_192.168.50.0 ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=dhcp_ether2_192.168.20.0 disabled=no interface=ether2 name=\
    DHCP-ether2
add address-pool=dhcp_ether3_192.168.30.0 disabled=no interface=ether3 name=\
    DHCP-ether3
add address-pool=dhcp_ether4_192.168.40.0 disabled=no interface=ether4 name=\
    DHCP-ether4
add address-pool=dhcp_ether5_192.168.50.0 disabled=no interface=ether5 name=\
    DHCP-ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN-ether2
add interface=ether3 list=LAN-ether3
add interface=ether4 list=LAN-ether4
add interface=ether5 list=LAN-ether5
/ip address
add address=192.168.30.1/24 interface=ether3 network=192.168.30.0
add address=192.168.40.1/24 interface=ether4 network=192.168.40.0
add address=192.168.50.1/24 interface=ether5 network=192.168.50.0
add address=192.168.20.1/24 interface=ether2 network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="MY FW STARTS HERE" in-interface-list=\
    LAN-ether2
add action=accept chain=forward in-interface-list=LAN-ether2
add action=accept chain=input in-interface-list=LAN-ether3
add action=accept chain=forward in-interface-list=LAN-ether3
add action=accept chain=input in-interface-list=LAN-ether4
add action=accept chain=forward in-interface-list=LAN-ether4
add action=accept chain=input in-interface-list=LAN-ether5
add action=accept chain=forward in-interface-list=LAN-ether5
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Till now it works fine, different ETH got different IP-ranges, all of them got internet access and access to MT (access limit will do in the future).
Does my configuration is OK?

anav · Tue Aug 31, 2021 1:49 am

Yikes what did you do LOL.......

This is what your interface list should look like
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

This is what your interface list members should look like (just modify the interface name to what you are using.)
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether1 list=WAN

I think whats screwed up is at the start your ETHERNET INTERFACE is not setup.

You should only have four of everything , pools, dhcp servers etc. if you have four subnets??
Understand you are probably keeping the default original while configuring so okay!

Firewall rules are partially okay, where you kept the defaults mostly okay, the rest needs review.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN {note- should be here in the order of rules}

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

Everything below is suspect!!!
and dependent upon requirements.
Suggesting you get rid of them and state the requirements of what your trying to do without talking about the config but simply in terms of users/devices.

(add action=accept chain=input comment="MY FW STARTS HERE" in-interface-list=\
LAN-ether2
add action=accept chain=forward in-interface-list=LAN-ether2
add action=accept chain=input in-interface-list=LAN-ether3
add action=accept chain=forward in-interface-list=LAN-ether3
add action=accept chain=input in-interface-list=LAN-ether4
add action=accept chain=forward in-interface-list=LAN-ether4
add action=accept chain=input in-interface-list=LAN-ether5
add action=accept chain=forward in-interface-list=LAN-ether5

TO CONTROL internet access simply add an Interface list ENTRY
like so.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=internet_access name=With_INT

/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=With_INT
add interface=ether4 list=With_INT
add interface=ether5 list=With_INT

In firewall rules.

Add last rule
add chain=forward action=drop comment=drop all else.
Right before this last rule add
add chain=forward action=accept in-interface-list=With_INT out-interface-list=WAN

Now only lans 2,4,5 will have access to the internet.
As an added bonus all connectivity between the subnets should be blocked as well.
LAN2 should not be able to reach any other LAN for example.
If you wish to ensure routing between them is possible
then you would add BEFORE THE LAST DROP ALL RULE...........(for all of these)

add chain=forward actioni=accept in-interface=ether2 out-interface=ether3 I think you get the idea.

If you only wanted one IP address in LAN2 to access LAN3
add chain=forward action=accept source-address=LAN2 IP address out-interface=ether3

If you wanted a few IP addresses to access LAN 3 then create a firewall address list containing those IPs and call it TOLAN3
add chain=forward action=accept source-address-list=TOLAN3 out-interface=ether3

mikrotikshell · Tue Aug 31, 2021 8:36 pm

Yikes what did you do LOL.......

Great Scott! Yoy're great

Thanks for help!
LAN rules idea is now such:

MT_LAN.jpg

and my configuration is such (is OK now?):

# aug/31/2021 19:32:47 by RouterOS 6.48.4
# software id = ICTI-3408
#
# model = RB750Gr3
# serial number = XXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="NO internet access" name=ALLOW_INTERNET
/ip pool
add name=dhcp_ether2_PC ranges=192.168.20.20-192.168.20.200
add name=dhcp_ether3_CAMS ranges=192.168.30.10-192.168.30.200
add name=dhcp_ether4_NAS ranges=192.168.40.10-192.168.40.200
add name=dhcp_ether5_WiFi ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=dhcp_ether2_PC disabled=no interface=ether2 lease-time=2w \
    name=DHCP-PC
add address-pool=dhcp_ether3_CAMS disabled=no interface=ether3 lease-time=2w \
    name=DHCP-CAMS
add address-pool=dhcp_ether5_WiFi disabled=no interface=ether5 lease-time=2w \
    name=DHCP-WiFi
add address-pool=dhcp_ether4_NAS disabled=no interface=ether4 lease-time=2w\
    name=DHCP-NAS
/system logging action
add disk-file-name=disk1/log name=usb target=disk
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add comment=WAN interface=ether1 list=WAN
add comment="LAN - PC" interface=ether2 list=LAN
add comment="LAN - CAMS" interface=ether3 list=LAN
add comment="LAN - NAS" interface=ether4 list=LAN
add comment="LAN - WiFi" interface=ether5 list=LAN
add interface=ether2 list=ALLOW_INTERNET
add interface=ether5 list=ALLOW_INTERNET
/ip address
add address=192.168.30.1/24 interface=ether3 network=192.168.30.0
add address=192.168.40.1/24 interface=ether4 network=192.168.40.0
add address=192.168.50.1/24 interface=ether5 network=192.168.50.0
add address=192.168.20.1/24 interface=ether2 network=192.168.20.0
add address=192.168.10.1 interface=ether1 network=192.168.10.1
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=1d
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.10.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.10.1 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=NOT_LAN
add action=accept chain=input comment="MY FW: accept INPUT from LAN" \
    in-interface-list=LAN
add action=accept chain=forward comment=\
    "MY FW: accept only ALLOWED FORWARD from LAN" in-interface-list=\
    ALLOW_INTERNET
add action=accept chain=forward comment="MY FW: allow PCs access to all LAN" \
    in-interface=ether2 out-interface-list=LAN
add action=drop chain=forward comment=\
    "MY FW: drop IoT clients INTERNET access" src-address=\
    192.168.50.201-192.168.50.250
add action=accept chain=forward comment=\
    "MY FW: allow WiFis access to all LAN" in-interface=ether5 \
    out-interface-list=LAN
add action=accept chain=forward comment="MY FW: allow NAS access to CAMs" \
    in-interface=ether4 out-interface=ether3
add action=drop chain=forward comment="MY FW: drop ALL else" log=yes \
    log-prefix=DROP_ELSE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.50.50 name=xxxxxx profile=default-encryption \
    remote-address=192.168.50.100 service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system logging
set 0 action=usb
set 1 action=usb
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · Tue Aug 31, 2021 9:10 pm

LUV the diagram!!!
Just looking at it quickly ascertained you need another port or a managed switch!.

You cannot separate users on the subnet attached to ether5. They are all on the same LAN.
You should separate users and IOT devices into two different ports and subnets!!
It is also not clear if the pc clients are separate from the wifi clients in terms of security dont think so but do you have a guest wifi separate from home wifi?

You also have to spend money as you now have run out of ports and need a managed switch.
This also means you will need at least two vlans.

You crack me up, with this interface name, are you coming or going....................

add comment="NO internet access" name=ALLOW_INTERNET

Firewall rules are overly complex but not point in addressing till we get an overall design that will work

mikrotikshell · Tue Aug 31, 2021 9:25 pm

Just looking at it quickly ascertained you need another port or a managed switch!.

You cannot separate users on the subnet attached to ether5. They are all on the same LAN.
You should separate users and IOT devices into two different ports and subnets!!

"add comment="NO internet access" name=ALLOW_INTERNET" - forgot to change comment

Yes, I know, WiFi, PC and IoT users are connected to unmanaged switch and have access to each others on 192.168.50.XX subnet. I have not managed switch and another port.
Does separation of IoT and (WiFi + PC) can be done using VLANs?

anav · Tue Aug 31, 2021 9:27 pm

Yes, that is the beauty of vlans.
They are required when you need to send more than one subnet through a port.
In your case if you had had a 10 port router (aka a larger switch capability), then we could do it all through separate ports and subnets without vlans\
in this case IOT, PC USERS, WIFI USERS and GUEST WIFI USERS we all be on different subnets and different ports.

However you can see things get a bit whacky so the use of vlans helps us manage multiple subnets over a limited number of ports.
In fact on my main router I have about 20 vlans going through one port to a main managed switch.

mkx · Tue Aug 31, 2021 10:33 pm

In fact on my main router I have about 20 vlans going through one port to a main managed switch.

You do realize you don't need separate VLANs for each bit of connected device's MAC address, right?

anav · Tue Aug 31, 2021 10:44 pm

In fact on my main router I have about 20 vlans going through one port to a main managed switch.
You do realize you don't need separate VLANs for each bit of connected device's MAC address, right?

Nope, not aware of other methods to accomplish same that are more optimal...

mikrotikshell · Wed Sep 01, 2021 2:14 pm

Yes, that is the beauty of vlans.
They are required when you need to send more than one subnet through a port.

I'd like to love VLANs

Changed my configuration a little bit.
To unmanaged switch I can connect a kind of "device", which have ability to define their VLAN. I can conect WiFi router with VLAN ability.
My idea is such: offer for "Device" subnet range and LAN only access, offer for WiFi clients subnet range and Internet access only.

Of course, it is possible using DHCP+FW only, but... is this possible to use it with VLANs? Kind of "one DHCP subnet range for RED (VLAN=10), different subnet range for (GREEN) VLAN=20"?

LAN-VLAN.jpg

anav · Wed Sep 01, 2021 2:31 pm

Which wifi router? Model Number?

A wifi router can be turned into an AP switch but most consumer models then lose their ability for routing and vlans.
If that is the case then you would have to use your wifi device as a router and then the question becomes, is the consumer device able to accept vlans coming in on the WAN side or is it just designed for vlans on the LAN side of the house...........

So make and model number will let me do some research on that end.
In the meantime there are 5 port switches that can handle vlans for less then $25 US.

mikrotikshell · Wed Sep 01, 2021 2:41 pm

Which wifi router? Model Number?

A wifi router can be turned into an AP switch but most consumer models then lose their ability for routing and vlans.
If that is the case then you would have to use your wifi device as a router and then the question becomes, is the consumer device able to accept vlans coming in on the WAN side or is it just designed for vlans on the LAN side of the house...........

So make and model number will let me do some research on that end.
In the meantime there are 5 port switches that can handle vlans for less then $25 US.

My router is Huawei AX3, and VLAN option looks like:

Huawei-Wi-Fi-AX3-Router-baglanti-ayarlari[1].jpg

After enabling "VLAN" feature it ask for VLAN number.

"Device" is additional NAS server DS213 with LAN option:

nas2.jpg

Yes, I know that managed switches are cheap enough, but I have non-VLANed only and I'm wonder if it will be usable

without any additional costs.

anav · Wed Sep 01, 2021 2:54 pm

This beautiful white monster LOL.
https://consumer.huawei.com/en/routers/ax3-quad-core/ ??

mikrotikshell · Wed Sep 01, 2021 3:01 pm

This beautiful white monster LOL.
https://consumer.huawei.com/en/routers/ax3-quad-core/ ??

Almost, dual core. Bought for WiFi6 + gigabit + looks nice. I hate black spider-like routers with 176494 antennas

anav · Wed Sep 01, 2021 5:34 pm

Too bad, I cannot find a full user manual for this router? Only useless quick start guide. Did you get a manual on a CD for example??

mikrotikshell · Wed Sep 01, 2021 6:18 pm

Too bad, I cannot find a full user manual for this router? Only useless quick start guide. Did you get a manual on a CD for example??

I think there is no detailed manual, only Quick start with "hey, guy, just plug in and play". Only one thing about VLAN is "If you need to configure VLAN on your network, contact your broadband carrier to confirm the VLAN parameters, and enable the VLAN switch on the screen". With options: "VLAN ID" and "802.1p".

anav · Wed Sep 01, 2021 7:20 pm

I think you will be chasing your tail trying to get that to work then...
Much easier to get a cheap managed small switch.

Something like this.......
https://www.amazon.de/s?k=managed+switc ... _sb_noss_2

mikrotikshell · Wed Sep 01, 2021 10:32 pm

I think you will be chasing your tail trying to get that to work then...

Yep, I've messing a little bit

Maybe other way: now I have ether5(DHCP server)<->(DHCP clinet)router working.

Router has VLAN ability. Is there a way to build such configuration:
ether5(DHCP server, VLAN)<->(DHCP clinet, VLAN) router
or
ether5-bridge(DHCP server, VLAN)<->(DHCP clinet, VLAN) router
or sth like that, with VLAN option enabled in router?

anav · Wed Sep 01, 2021 10:38 pm

I am not certain and the question is worded in such a way not to be clear, or its clear as mud!!

In any case there can only be one DHCP service for a VLAN.
So if its on the MT router, then one cannot have DHCP service on the H Router for that particular vlan.
If its on the H router then one cannot have DHCP service on the MT Router for that particular vlan

Therefore if you have DHCP server on the MT router one can pass that vlan to the H router and the H router just needs to know that:
a the vlan exists so you identify it on the H router, give it a name and the same vlan ID number.
b. ensure the H router knows its coming over the WAN port (no idea how to do this on the H router).

IF the DHCP service for a vlan is coming from the H router then the MT router needs to
a. have that vlan identified, its vlan id an any name you give it,(and on the bridge etc)
b. know that the vlan is coming on the port from the H router as per interface bridge vlan settings.

mikrotikshell · Wed Sep 01, 2021 11:25 pm

I am not certain and the question is worded in such a way not to be clear, or its clear as mud!!

Now it looks fine (sorru for using images...):

1.JPG

2.JPG

I'd like to define VLAN on Huawei, but then Huawei don't ger IP adress from MT DHCP

3.JPG

4.JPG

Try configure VLAN on MT that way:

5.JPG

6.JPG

anav · Wed Sep 01, 2021 11:47 pm

Please do not use VLAN1 for a name its SUPER CONFUSING. USE VLAN4WIFI or VLAN4MEDIA or something descriptive.

anav · Wed Sep 01, 2021 11:48 pm

Is this identifying vlan100 on ether5 that the wifi router is providing DHCP service for??
If so why are you setting dhcp server for it etc.......... it should be done on the H router??

mikrotikshell · Thu Sep 02, 2021 12:17 am

Is this identifying vlan100 on ether5 that the wifi router is providing DHCP service for??
If so why are you setting dhcp server for it etc.......... it should be done on the H router??

Not really. I'd like to do such easy VLAN configuration:

vlan100.jpg

Now I want create VLAN100 network (RED) for my Huawei device. Just for knowledge

But in the furure I'm thinking about putting another router/NAS/device and configure VLAN200 (GREEN) - still on the dame device (ether5)

anav · Thu Sep 02, 2021 12:26 am

Get rid of the unmanaged switch and replace it with a managed switch and all is possible, also suggest that you get APs that are designed to read vlan tags and not spend money on wifi routers.
EAP 245 by TPLINK comes to mind.

mikrotikshell · Thu Sep 02, 2021 12:39 am

Get rid of the unmanaged switch and replace it with a managed switch and all is possible, also suggest that you get APs that are designed to read vlan tags and not spend money on wifi routers.
EAP 245 by TPLINK comes to mind.

OK, I think I will work with LANS with managed switches

Thank you @anav, @mkx and @BartoszP for help and sharing your knowledge!

anav · Thu Sep 02, 2021 1:27 am

Another option is to get an MT router with more ports and use the hex as a managed switch ........
However that is far more expensive than just getting a basic managed 5 port switch.

mikrotikshell · Thu Sep 02, 2021 9:15 am

Another option is to get an MT router with more ports and use the hex as a managed switch ........
However that is far more expensive than just getting a basic managed 5 port switch.

Yes, I've just been wonder, if my hardcore-configuration is possible using my devices only. Additional MT or managed switch is nice option, bu I have no space in my 6U rack case

mkx · Thu Sep 02, 2021 12:13 pm

In principle it is possible to pass VLAN tagged frames through unmanaged switch (shown by the right part of your scheme that @anav likes so much) with a few gotchas:

switch has to support "baby jumbo" frames.
Traditional standard payload size of ethernet frames was 1500 bytes, hence usual setting in IP stack is MTU=1500. With VLANs there's additional IEEE 802.1Q header which adds 4 bytes to ethernet payload size (n.b. IP stack still uses MTU=1500). Really old switches could not accommodate for the extra 4 bytes and would drop 802.1Q frames. Newer unmanaged switches can do it, some even note max L2 MTU in their specs.
there won't be any VLAN-related security when it comes to unmanaged switch
Properly configured managed switch will take care that frames, tagged with certain VLAN ID, won't get transmitted through ports that are not members of that VLAN. Unamanged switch, however, will only care about receiver's MAC address. In case switch did not learn mapping between dst MAC and switch port, or dst MAC is broadcast MAC address, then unmanged switch will transmit those frames through all ports.
Similarly unmanaged switch will happily accept frames regardless VLAN ID and is thus possible for malicious machine to join any VLAN. Properly configured managed switch will have filtering and such thing can not happen.
for sure there are other gotchas but I just can't remember any more right now

mikrotikshell · Thu Sep 02, 2021 12:53 pm

In case switch did not learn mapping between dst MAC and switch port, or dst MAC is broadcast MAC address, then unmanged switch will transmit those frames through all ports.

Dooh! That's too bad, in this case it's totally bad idea to put VLANs via unmanaged switch. Seems to increase whole LAN data transmission because of VLANs only... Will stay with my subnets and firewall for traffic control

anav · Thu Sep 02, 2021 2:54 pm

Yes, you only should consider one subnet going to an unmanaged device, it can be a subnet assigned to the port, it could also be a vlan on a bridge that is untagged on that port (untagged meaning the router untags the frames when sent back down the port to the device and that the frames coming from the device onto the port which dont have tags, are then tagged for further transmission to wherever they need to travel.