Beginner VLAN setup question(s)

GrasDK · Fri Apr 07, 2023 4:34 pm

Hello

Moving from a single LAN setup into the Mikrotik (and Ubiquiti Unifi) world, I haven't quite figured out how to correctly setup VLANs. I hope someone here can help.
I have attached a diagram, trying to show the imagined setup:

Network-Target.png

My immediate questions are:
On the RB5009
- ether3-7 (green) are access ports. They should all be VLAN 3. What would be the correct / recommended RouterOS 7.8 way to do this? (considering next questions)
- ether1 (white) and SFP+ should carry both VLAN 1, 3 and 250 and allow downstream devices to handle these, what would be correct for this? (I believe they are trunk ports?)
- ether2 (purple) is my PC to be used for management of the whole LAN, anything to take into account here?
Notes:
- I'm aware that VLAN 1 can be a bad practice. I would use it for management to avoid trouble with the unifi controller. I'm willing to change it, if it's recommended, but right now I'm struggling with just "enforcing" VLAN 3 on all "green ports"
- I'm able to carry VLAN 250 to the Unifi APs and "advertise" them on a separate IoT/Guest SSID. When I check "VLAN filtering" on the bridge containing (in WinBox) all ports except ether 8, which is the WAN, it seems that the unifi APs are not able to deliver an IP on VLAN 250 (maybe it's due to another misconfiguration.

I appreciate any help, including links to previous posts. I'm probably asking the same question as many others, but I haven't found the answer or I found it and didn't understand it

There is how my current setup looks (I think):

Network-Current.png

And here is my configuration with secrets removed. There is a bit of trash lying around as well, including an extra dhcp and a disabled VLAN. I also have a lot of static DHCP-leases, which I removed to make a better overview. One important static lease is my pi-hole being at 192.168.2.100. Others include my NAS and some family PCs.

# apr/07/2023 13:17:54 by RouterOS 7.8
# software id = XXXX
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=48:A9:8A:34:6F:80 auto-mac=no name=WAN_bridge
add admin-mac=48:A9:8A:34:6F:81 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether8 ] comment=ISP
/interface vlan
add interface=bridge name=GuestIoT vlan-id=250
add interface=bridge name=Home vlan-id=3
add disabled=yes interface=bridge name=MgmtMaybe vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool250 ranges=192.168.250.2-192.168.250.254
add name=dhcp_pool3 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge name=dhcp2b
add address-pool=dhcp_pool250 interface=GuestIoT name=dhcp250
add address-pool=dhcp_pool3 interface=Home name=dhcp3
add address-pool=dhcp_pool2 disabled=yes interface=MgmtMaybe name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment="defconf was ether8" interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=WAN_bridge interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="defconf was ether1 now it's the WAN bridge (containing ether8 and\
    \_using a fake mac address)" interface=WAN_bridge list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.250.1/24 interface=GuestIoT network=192.168.250.0
add address=192.168.3.1/24 interface=Home network=192.168.3.0
add address=192.168.2.1/24 disabled=yes interface=MgmtMaybe network=\
    192.168.2.0
/ip dhcp-client
add comment="defconf was ether1 - now WAN_bridge with fake MAC-address equal t\
    o ether1's MAC address, to fool ISP into giving me an IP address" \
    interface=WAN_bridge
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.100,192.168.2.1 gateway=\
    192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=192.168.2.100,192.168.2.1 gateway=\
    192.168.3.1
add address=192.168.250.0/24 dns-server=8.8.8.8,194.239.134.83 gateway=\
    192.168.250.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.40 to-ports=5001
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name="MikroTik RB5009"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

More notes:

I'm not remotely close to setting up firewalls yet, but I added my thoughts on firewalls to the first diagram as well.
The WAN interface (ether 8 ) is "replaced" by a VLAN. That way I could fake the mac-address towards the ISP fiber modem. Otherwise it wouldn't give me an IP address (probably mac-locked). It works fine.

Thanks in advance

Fri Apr 07, 2023 4:57 pm

viewtopic.php?t=143620

BTW ... why people tend to complicate their LAN so much?

anav · Fri Apr 07, 2023 5:10 pm

First I would not use vlan-id=1 its a default vlan that is behind the scenes and should be left alone.

Second, the management vlan is for the devices management so all smart devices should be on this subnet. Also to state the management vlan should not have access to all other vlans.

You are confusing purposes. One is to ensure all smart devices are on an isolated vlan for management purposes.
The access to all vlans is required for the admin only

The admin has several options, have a small managed switch at ones desk so one can plug in to the managment network or the trusted working network for work.
If one doesnt have the option to play musical ports, simply give the admin access to all vlans DONE.
Typically this is firewall list covering all admin devices (laptop, desktop, iphone-ipad, etc.) and any remote wireguard vpn access as well.

On your input chain looks like
add chain=input action=accept in-interface-list=MGMT src-address-list=Authorized

Where MGMT interface list comprised of Trusted work vlan, VPN remote interface admin uses, and management vlan
ip neighbours discovery interface-list=MGMT
ip tools mac-server winmac-server interface-list=MGMT

One bridge, the rest VLANs.
Depending upon how you setup your unifi controller, it could by a hybrid port from 5009 or a trunk port.

Personally I would put your PC, the NAS and the PIHOLE on a separate trusted vlan, with the management vlan just for smart device IP assignment and isolation.

One bridge, bridge does just bridging. NO subnets attached to it.

anav · Fri Apr 07, 2023 5:11 pm

Bartoz, how have you survived so long if you think thats complicated. I see beautiful simplicity and clarity.
@OP Read the link provided.

/interface bridge ports
Access ports - bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=etherX/wlanY pvid=AA
Trunk ports - bridge=bridge ingress-filtering=yes frame-types=admit-only-tagged-vlans interface=etherX
Hybrid ports - bridge=bridge interface=etherS pvid=BB

/interface bridge vlans ( line on a per vlan basis )
add bridge=bridge tagged=bridge,trunkport(s) untagged=access ports/hybrid port vlan-ids=X
add bridge=bridge tagged=bridge,trunkport(s) untagged=access ports/hybrid port vlan-ids=Y
etc...........

Amm0 · Fri Apr 07, 2023 5:39 pm

Bartoz, how have you survived so long if you think thats complicated. I see beautiful simplicity and clarity.

Well, until you try to print the beautiful diagram from the guest VLAN. Maybe not a need, but VLAN block multicast/broadcast discovery

One thing to look for designing the VLANs is what needs to be "discoverable" using stuff like mDNS/SSDP/etc*. Maybe the SONOS don't need to be on the same LAN as their app, but that be the one worry I'd have on this point.

(*since there is UBNT stuff, it's may be possible to do any potential mDNS repeating on that side... but RouterOS does not have that feature)

k6ccc · Fri Apr 07, 2023 5:42 pm

I'll leave the config to those that understand bridges in RouterOS, but I gotta say that is one of the most detailed network drawings I have ever seen here. Especially impressive that it was in your first forum post. Good job there...

anav · Fri Apr 07, 2023 6:53 pm

Concur and I am a sucker to answer someone who makes such an initial effort!!!

Concur Ammo, but no L2 discovery stuff was mentioned. So the OP should detail user requirements for traffic, including admin, in full detail without mention of any config.

GrasDK · Fri Apr 07, 2023 9:22 pm

Hi guys

Thanks for the responses, very nice.
@Bartosz: Physical hardware and location makes this the simplest setup for me. If the RB5009 had around 17 ports instead of 9 it would be alone in my wiring closet without the unifi switch and the unmanaged switch. The RB260GSP is in the Home office / play room, where I would sometimes connect an unmanaged switch when the children have a mini LAN party (guest network) or use my work laptop (also guest). Or use my own equipment which is welcome on the Home VLAN. Hence the requirement for both Home and Guest lan on that switch (~same argument for why the Wifi APs have Home and Guest VLANs). I will re-read the page you linked, it's one of the things that I probably didn't understood correctly and completely

@anav: Ok, so I misunderstood the word "management vlan" as it meant "from where you manage everything". I will create a real VLAN for the purple part of the network (Pihole, PC, NAS). I'll dig into the firewall stuff, when I have (wide open) VLANs up and running, but I see your point with a list of Authorized devices. And I'll re-read the link.

@Amm0: Good point. Maybe I didn't think of everything, but the "Home" VLAN was supposed to cover this, by being where most things are, including Sonos and the printer and various chrome casts. The NAS is referenced directly by Sonos, the Home PCs, Android TV's, so as long as the correct ports are accessible from the Home LAN to the NAS, it should be safe (I think). The small "maybe", that I might allow guests to control my Sonos or access some other internal "Home" service, is not insanely important.

@k6ccc, anav: Thanks for the kind words.

I'll get back to you after studying the rsc-files in the link as well, I guess they collectively fit my scenario (router with trunk ports and router with access ports), if I can gather the tecnical understanding and mix and match the elements.

anav · Fri Apr 07, 2023 9:30 pm

Yeah the discovery thing is a pain in the ass.
I wish I knew how to work IGMP ir IGMP proxy ????? between vlans so as to enable discovery........
For the moment put all devices that need to discover in same vlan is the only thing I can think of.

Buckeye · Fri Apr 07, 2023 10:18 pm

This xkcd comic #2044 Sandboxing Cycle, although about sandboxing servers/services, the same problems arise when someone reads/hears that they should segment their network to protect against "untrusted IoT devices". But then they realize that real separation isn't what they wanted. But they normally start at the bottom right.

anav · Fri Apr 07, 2023 10:32 pm

LUV IT!!!
So what are the easy and quick IGMP or IGMP proxy commands, if this is the answer LOL.

Okay so what else?
I know lets add zerotier to connect the vlans on the same router............. out to the cloud and back LOL

GrasDK · Sat Apr 08, 2023 1:26 am

Ok. I feel really stupid here. I think I grasp the concepts fairly OK now. So the new target drawing looks like the first, but it has the admin VLAN as VLAN 2 instead of the basic VLAN 1. It's the same drawing, but I attached it for good measure, and so you can facepalm if it's not what you meant

Network-Targetv2.png

Technically there is something I am missing. Maybe it's just the way I'm trying to do things slowly.

So the network here at home is always busy. So I'm doing a trial and error configuration and trying to "move to a VLAN setup" in small steps, as to not interrupt anyone's online gaming or streaming. When I'm confident that I can get things working, I can call for a 10 minute break and reconfigure everything, but I like to test things in small steps first.

So the situation is:

The current config is just a bridge with a DHCP attached (like an old-school no-VLAN LAN).
I added VLANs 2,3 and 250 to the bridge
Now I want to switch devices one by one to the correct VLAN of my target drawing, starting with the Family PC on ether6

So using Winbox I set PVID to 3 under bridge ports ether6.

PVIDether6.png

- My understanding is that you want to do this for access ports: It will add VLAN 3 to packets comming from that interface (and strip them off when replying on that interface).

However, the PC when renewing IP, keeps getting an IP from the no-VLAN LAN (I setup a dhcp server on the bridge itself).
When I set VLAN filtering on on the Bridge, there is no connection at all (and my wife's streaming on the TV stops).

So
1) What am I missing on ether 6?
I tried configuring the bridge with tagged=ether6 vland-ids=3, no difference
2) Is what I'm doing simply not feasible... maybe I should make one big VLAN first and then go from there, if I want to go with small steps?

A picture of what I'm trying to do:

Network-Currentv2.png

So my problem with the guide here viewtopic.php?t=143620 and the attached examples, is that I'm in a hybrid setup between the two first examples. My RB5009 both needs to have trunk ports and access ports (maybe a hybrid port as well, per suggestions), and I don't know if I misunderstood what the post says, or if the real problem is that I just can't migrate from LAN to VLAN setup port by port, due to the inherent "omnipresence" of VLAN 1 or something...

Thanks again.

Config

# apr/08/2023 00:28:42 by RouterOS 7.8
# software id = XXXXXXXX
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=48:A9:8A:34:6F:80 auto-mac=no comment="defconf was ether1 now it\
    's the WAN bridge (containing ether8 and using a fake mac address)" name=\
    WAN_bridge
add admin-mac=48:A9:8A:34:6F:81 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether8 ] comment="Original mac: 48:A9:8A:34:6F:87"
/interface vlan
add interface=bridge name=GuestIoT vlan-id=250
add interface=bridge name=Home vlan-id=3
add interface=bridge name=HomeAdmin vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool250 ranges=192.168.250.2-192.168.250.254
add name=dhcp_pool3 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge name=dhcp2
add address-pool=dhcp_pool250 interface=GuestIoT name=dhcp250
add address-pool=dhcp_pool3 interface=Home name=dhcp3
add address-pool=dhcp_pool1 interface=HomeAdmin name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=3
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=WAN_bridge interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge disabled=yes tagged=ether6 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="defconf was ether1 now it's the WAN bridge (containing ether8 and\
    \_having a fake MAC address)" interface=WAN_bridge list=WAN
/ip address
add address=192.168.2.1/24 comment="defconf (LAN)" interface=bridge network=\
    192.168.2.0
add address=192.168.250.1/24 interface=GuestIoT network=192.168.250.0
add address=192.168.3.1/24 interface=Home network=192.168.3.0
add address=192.168.1.1/24 interface=HomeAdmin network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=WAN_bridge
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.100,192.168.2.1 gateway=\
    192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=192.168.2.100,192.168.2.1 gateway=\
    192.168.3.1
add address=192.168.250.0/24 dns-server=8.8.8.8,194.239.134.83 gateway=\
    192.168.250.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.40 to-ports=5001
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name="MikroTik RB5009"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Buckeye · Sat Apr 08, 2023 1:50 am

@GrasDK well done on an initial post. I see you have new post since I started this. I will respond to it in another post, but these are some refernces to look at.

Just a comment about your new post: You have 3 switches that you will need to reconfigure, and they all use a different configuration "language". If this is your first time, you are overly optimistic to think that 10 minutes will be enough time. It doesn't help that the RB5009 is your main internet router, and that you can't test things in a lab environment. Working around family members is in many ways harder than in a work environment, where you can often schedule things for off hours.

Having a good plan will minimize the chance of screwing things up. And make backups of everything before you start making changes, and have a good fall back plan.

What were you using as a router before the RB5009? Is it still available? Just in case you need to access the internet if things don't go as planed.

Several questions.

You state you are moving from single lan to multiple lans. Is this your first experience with vlans? If not what type of equipment have you configured vlans on before?

Where is your UniFi controller? Which vlan? Have you asked any questions on the UI forum?

Have you already adopted the UniFi APs into the controller? Are you using the default of untagged "management" access to the UAPs? That can be changed to a tagged vlan, but unless you are a purist that want only tagged vlans on a trunk link, all the equipment you have should allow you to have a "native" vlan that is untagged going to the UAP. MikroTik terminology for a trunk port that has traffic using an untagged vlan is a "Hybrid" port.

Here's another thread worth reading: RouterOS bridge mysteries explained, but it presumes you understand vlans and how to configure an external switch. It is essentially trying to explain how to wrap your head around the MikroTik bridge "combination" device. These are two comments I made about the post that explained some thing I learned when playing with my hEX S post 18 and post 19

And the Mikrotik documentation is worth reading as well. The RB260 configuration is quite different (SwOS) than the RB5009 (ROS) or the UniFi switch. When you get done you will know much more about vlans and configuring them than you did when you started. Here's the ROS help Bridging and Switching and this section Bridge VLAN Table For the RB260 see this SwOS/RB250-RB260-VLAN-Example

k6ccc · Sat Apr 08, 2023 2:11 am

If you need assistance with SwitchOS for the RB260, just ask. I have several of them and all have VLANs in use.

GrasDK · Sat Apr 08, 2023 3:16 am

@Buckeye:
Thank you for the reply.
@k6ccc:
Thanks, I will keep that in mind

@Buckeye
Yeah I agree, and I could reinsert my previous router still: An Asus RT-AX89X, though I have it up for sale. I was annoyed with it being too simple in its features and was recommended (and warned) about Mikrotik

But I'm not afraid of learning new things even if it is a steep learning curve. As you can infer I'm up and running at least as well as I was with the consumer-grade Asus router using a basic LAN.

The Unifi Switch and the two AP's are adopted and the unifi controller is running on a Raspberry PI, which also runs PiHole. I haven't messed around with the RB260. It is just "plain" switching for now.

I did setup the Unifi APs to host a Guest SSID using VLAN 250 using the unifi controller:

Unifi.png

and the RB5009 does the dhcp'ing because the unifi switch (or the APs or both) are VLAN aware:

leases.png

This is my first first-hand meeting with VLANs. I did know about them up front and the basic idea behind them, and got to learn more on these forums. I'm very much into starting small and building and learning from there, but my problem is that I haven't found out how to "start small". Maybe adding a VLAN to a single machine on ether6 isn't the way to go.

My plan was

single out a port on the RB5009, make it an access port for a PC to the Home VLAN",
Then add more ports.
Then make the HomeAdmin VLAN and an access port to use it...
Then expand onto the trunk ports that connect to the other swithces and begin the setup there.I suspect the Unifi will be quite different to setup, but I haven't gotten to that yet and haven't asked anything on the UI forums.

As mentioned in the earlier post, I got stuck at the first step. The PC on ether6 sticks with the old setup when VLAN filtering on the bridge is disabled. When VLAN filtering is enabled, everything on the basic LAN loses internet connection and the PC on ether6 can't negotiate for a new IP.

This kind of problem tickles my "I have a wrong assumption"-sense. There is something basic that I'm missing. Is it that you cannot have a working LAN setup and gradually switch to a VLAN setup in small steps?

Or is it something I read and overlooked about access ports?
- For example (quoting viewtopic.php?t=143620):

Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied. The egress (outgoing) packets (that are replying back to whatever was plugged in) get tags removed.

. The switch.rsc file attached to the follow-up post makes me believe that achieving what is in the quote, in Mikrotik language, is adding pvid to the bridge ports (as I did with my ether6). However the example #1 here: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering indicates that you also need to set "tagged" and "untagged" correctly, and perhaps this is where my problem is.

So what do you think / know? Bad / infeasible approach or just newbie-problems of not being able to map concepts to the proper commands / winbox gui clicks?

anav · Sat Apr 08, 2023 3:37 am

email me tomorrow, check profile, i have a suggestion

Buckeye · Sat Apr 08, 2023 7:40 am

So using Winbox I set PVID to 3 under bridge ports ether6.
- My understanding is that you want to do this for access ports: It will add VLAN 3 to packets coming from that interface (and strip them off when replying on that interface).

That's one way to "imagine it", but what happens inside the switch is probably different in reality, the IEEE 802.1Q spec says nothing about how a switch works internally, it just describes a "bridge" as a black box that must behave in a specific way externally. I like to use the word "classify" instead of "tag", because tags are something that are used on the wire to keep ethernet frames for different vlans distinct from each other. All the switch does internally is to keep vlans separate from each other, you can think of it as 4094 lanes that only allow traffic for a single vlan each. Many implementation also limit the number of vlans that can be used at the same time, for example up to 64 unique vlans chosen from the 4094 possible choices (1-4094), 0 and 4095 are reserved for special uses. The PVID just specifies what vlan untagged packets received on a port will be associated with. Usually the PVID is also a clue to the switch that when it transmits an ethernet frame for that vlan, the frame will be transmitted from the port as a standard untagged ethernet frame.

However, the PC when renewing IP, keeps getting an IP from the no-VLAN LAN (I setup a dhcp server on the bridge itself).
When I set VLAN filtering on on the Bridge, there is no connection at all (and my wife's streaming on the TV stops).

Were you hoping only the ether6 port would be affected?

Turning on vlan-filtering changes the way the bridge/switch works.

Until you enable VLAN filtering, the PVID and other vlan stuff is ignored. It's like a port being connected to a dumb switch. The bridge operates in vlan-transparent mode, it doesn't examine the ethertype field in the ethernet frame (the 2 octet field that follows the src mac address in the ethernet header); it just passes the frames through unchanged, so you can still have tagged packets pass through the bridge to be interpreted by an external vlan aware device like the UAP, or a vlan-aware switch. Internally in the non-vlan-filtering switch all frames are in a single lane (broadcast domain).

When vlan-filtering is enabled, the switch starts to pay attention to the ethertype in addition the mac addresses, and if the ethertype matches 0x8100 (the tag protocol id), then it knows that this is a tagged ethernet frame, and that it will find the vlan id and priority info in the next two octets, and then the original ethertype in the following two octets.

But once vlan-filtering is activated, then only those vlans explicitly allowed will egress through a bridge port.
Was the TV streaming over wireless? If it was using a vlan interface, once you turned on vlan-filtering, any frame with vlans not explicitly allowed will be dropped (filtered out).

BTW, you should be able to set the ethernet address of ether8 without making it a separate bridge. Unless your ISP is providing you with multiple vlans on the Internet side (each with a different service like VoIP, IPTV etc), then I would remove ether 8 from the bridge and just use it as a dedicated ethernet port. See this @normis post about how to achieve this.

Yeah I agree, and I could reinsert my previous router still: An Asus RT-AX89X, though I have it up for sale. I was annoyed with it being too simple in its features and was recommended (and warned) about Mikrotik But I'm not afraid of learning new things even if it is a steep learning curve. As you can infer I'm up and running at least as well as I was with the consumer-grade Asus router using a basic LAN.

Learning new things is good! And having a mix of different devices, each with a different way to configure will lead to a much better understanding, but it will take more effort.

The SwOS is pretty easy to setup, and the examples are pretty clear in the documentation, given you understand the difference between an untagged (implicit) vlan and a tagged (explicit) vlan.

This is my first first-hand meeting with VLANs. I did know about them up front and the basic idea behind them, and got to learn more on these forums. I'm very much into starting small and building and learning from there, but my problem is that I haven't found out how to "start small". Maybe adding a VLAN to a single machine on ether6 isn't the way to go.

My plan was
...
So what do you think / know? Bad / infeasible approach or just newbie-problems of not being able to map concepts to the proper commands / winbox gui clicks?

I think you can get it to work, but you will need to at a minimum, configure the the RB5009 SFP+ port so it will pass the vlans to the switch in the same manner they are currently being sent, the base vlan untagged and the GuestIoT tagged. As long as you have the trunk ports sending the same vlans tagged and untagged, then things should work the same when vlan-filtering is enabled. You may want to remove a port from the switch (perhaps one of the family pc's and then you will have access to the RB5009 and not get locked out. Next setup trunk on eth1 to the RB260 switch.

Also, I think you need to add your vlan interfaces to the LAN list as members.

@anav has helped many people, he will probably have some suggestions about your firewall as well.

Good luck in you learning journey.

Buckeye · Sat Apr 08, 2023 7:50 pm

I went back and made copies of your two configs, and they were different (I removed the section in my previous post saying they looked the same).

Here is a section of the documentation that has an example worth study: VLAN Example - InterVLAN Routing by Bridge

Note that in my opinion, the graphic is a bit confusing as it does not show what bridge1 is connected to when /interface bridge vlan add bridge=bridge1 tagged=bridge1 vlan-ids=200 is specified. This is the connection from the CPU's routing engine through /interface vlan add interface=bridge1 name=VLAN200 vlan-id=200 and the "internal trunk link" of bridge1) to vlan 200 in the switch block (which is a hardware switch ASIC in the RB5009). Here I have added text "CPU routing block".

Bridge for inter-vlan routing.png

To get it to work with your existing switch config, you are going to need to use Hybrid trunk links (if you don't want to change the other switches at stage one). @anav will disagree with me here, and tell you that all trunk links should be pure tagged links, and there are good reasons for having trunk links use only tagged traffic, as it makes vlan mismatches impossible. But since you want to do this in small steps, it can be done with no changes to the existing switches (the UniFi and the RB260) if you use Hybrid links (I have no UniFi switches (or any Ubiquiti switches other than what is in the EdgeRouter X), but I think they do all their management using untagged ethernet, at least by default). So to use hybrid links on SFP+ and ether1 see this section in the documentation. Note however that you will need to include the bridge device as tagged in the /interface bridge vlan section for every vlan (other than the untagged pvid 1 (which is the implicit default pvid when not specified). To see what I mean, compare the /interface bridge vlan sections in VLAN Example - Trunk and Access Ports (where it is configured as a switch with no connection to the CPU's routing engine) and VLAN Example - InterVLAN Routing by Bridge (where it is configured as a router and the trunk link would be going to an external switch, similar to what you are doing, except this example uses a "pure tagged trunk" connection.)

I actually prefer the example configs in the v6 documentation, where they explicitly list the untagged vlan corresponding to the PVID. Although it will be "automatically configured" by ROS, putting it in the config makes your intentions clear and in my opinion makes it easier to understand, because everything is explicit in the configuration, you don't need to reference the /interface bridge port to see what the PVID is. On the other hand, if you change one, then you must change both, so in that way leaving it out makes it "easier" to change in one place. It is a preference thing.

Compare the /interface bridge vlan section of the v6 documentation example VLAN Example #3 (InterVLAN Routing by Bridge) to the v7 documentation example VLAN Example - InterVLAN Routing by Bridge

Buckeye · Sat Apr 08, 2023 8:02 pm

@GrasDK if you haven't ever seen Ed Harmoush's free vlan info, I think it is one of the most clear explanations of vlans. He uses Cisco terminology, so whenever he mentions "the native vlan", that is equivalent to the PVID (port vlan id), or the single vlan that untagged ethernet frames will be classified into when received on that port. This makes it important that if you are using vlan aware devices connected with a hybrid link, that the pvid is the same on both ends of the link, otherwise what one device thinks the vlan used for untagged traffic will be different than the device at the other end of the link. This is described the following, in the "Native VLAN" section.

Virtual Local Area Networks (VLANs)

He also has good videos on youtube on many networking topics including vlans.

Sat Apr 08, 2023 8:44 pm

Bartosz, how have you survived so long if you think thats complicated. I see beautiful simplicity and clarity.....

It's wasn't about complexity of this particular planned network "per se" but more a rethotical question "Do & why I really need so many VLANS at home?"
Kid's LAN, IoT's LAN, Office LAN, game LAN ....

P.S.
You tend to omit "s" in my name ... no problem but in Polish both letters "sz" make sound like "sh" in a "wish" so it makes a difference

anav · Sat Apr 08, 2023 10:40 pm

sz hit

mkx · Sat Apr 08, 2023 10:42 pm

No, it'd be "szit"...

Sat Apr 08, 2023 10:42 pm

happens...

anav · Sat Apr 08, 2023 10:43 pm

No, it'd be "kakec"...

Fixed it for ya!!

Sat Apr 08, 2023 11:52 pm

Polish your Polish.

GrasDK · Sun Apr 09, 2023 2:37 am

@Buckeye: Thanks for the pointers. Was AFK for the whole day. I'll read up on your links, so just checking in to appreciate the responses. When I thought about my "problem" now and then during the day, I guess I came to a conclusion similar to yours, in my own not yet matured way of thinking.

So my switch connecting ports (ether 1 and SFP+) need to be configured as trunk ports (or hybrid ports) and not doing exactly that, is the cause of the TV losing connection, when setting VLAN filtering to "on". (The TV being connected to the unifi switch, which is connected via SFP+ to the mikrotik).
I'll read more. Experiment more. And even if it will take some time - other obligations await, I'll get back to you here with results (or more questions)

Buckeye · Sun Apr 09, 2023 5:27 am

So my switch connecting ports (ether 1 and SFP+) need to be configured as trunk ports (or hybrid ports) and not doing exactly that, is the cause of the TV losing connection, when setting VLAN filtering to "on". (The TV being connected to the unifi switch, which is connected via SFP+ to the mikrotik).

If the streaming was in the "purple" VLAN1 (with an ip address from the bridge itself, in 192.168.2.0/24) then I can't explain why you saw what you did.

I just took my new RB5009 (in a lab environment) with default config other than adding ether1 to the LAN list so I could connect to it from the upstream network in the lab, connected to it with winbox, connected a Raspberry pi to ether5 (which obtained a lease for 192.168.88.254), then from tools on the RB5009 I did a ping to 192.168.88.254. I then switched the bridge into vlan-filtering mode. It missed about 5 pings while the configuration of the switch was changing, but then pings returned.

bridge communication when changing vlan-filtering.png

bridge communication when changing vlan-filtering 2.png

Buckeye · Sun Apr 09, 2023 6:06 am

I have not played with vlans on the RB5009. (in fact I haven't play with it much at all, been busy with other things).

But I just noticed something that is odd in my opinion. The RB5009 has an unusually low default L2MTU of 1514. That's insufficient for holding a 1500 L3 MTU with ethernet header 6+6+2 (14) and vlan tag (4).

See MTU in RouterOS

L2MTU RB5009UG+S+ vs RB760iGS.png

L2MTU and MAX-L2MTU RB5009 vs hEX S.png

rextended · Sun Apr 09, 2023 12:47 pm

@Buckeye
You can increase the value without problems, to match your needs, it's not blocked.
The router cannot always be set up by default on the way we like it, as long as it is modifiable to cover our needs, is not a problem.

Buckeye · Sun Apr 09, 2023 8:34 pm

@Buckeye
You can increase the value without problems, to match your needs, it's not blocked.

I realize it can be changed. I haven't even verified it would cause a problem with vlans, but it seems it would cause problems with 1500 byte L3MTU packets with a vlan header was there.

I just posted another response in the max-MTU Question thread, it doesn't seem to be related to routerboard firmware either. @ammo said his RB5009 is the PoE version and he did a netinstall/reset-configurationl (which I did not), and evidently he has a higher L2MTU (I assume without him manually setting it).

It l2mtu doesn't appear in the defconf script, so it must be "baked in" to the factory default config. This is the defconf script that came with my RB5009

#| Welcome to RouterOS!
#|    1) Set a strong router password in the System > Users menu
#|    2) Upgrade the software in the System > Packages menu
#|    3) Enable firewall on untrusted networks
#| -----------------------------------------------------------------------------
#| RouterMode:
#|  * WAN port is protected by firewall and enabled DHCP client
#|  * Ethernet interfaces (except WAN port/s) are part of LAN bridge
#| LAN Configuration:
#|     IP address 192.168.88.1/24 is set on bridge (LAN port)
#|     DHCP Server: enabled;
#|     DNS: enabled;
#| WAN (gateway) Configuration:
#|     gateway:  ether1 ;
#|     ip4 firewall:  enabled;
#|     ip6 firewall:  enabled;
#|     NAT:   enabled;
#|     DHCP Client: enabled;
#| Login
#|     admin user protected by password

:global defconfMode;
:log info "Starting defconf script";
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
:if ($action = "apply") do={
  # wait for interfaces
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s; :set count ($count +1); 
  };
  :local count 0;
  :while ([/interface wireless print count-only] < 0) do={ 
    :set count ($count +1);
    :if ($count = 40) do={
      :log warning "DefConf: Unable to find wireless interface(s)"; 
      /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
      /quit
    }
    :delay 1s;
  };
 /interface list add name=WAN comment="defconf"
 /interface list add name=LAN comment="defconf"
 /interface bridge
   add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
 :local bMACIsSet 0;
 :foreach k in=[/interface find where !(slave=yes   || name="ether1" || passthrough=yes   || name="ether1" || name~"bridge")] do={
   :local tmpPortName [/interface get $k name];
   :if ($bMACIsSet = 0) do={
     :if ([/interface get $k type] = "ether") do={
       /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
       :set bMACIsSet 1;
     }
   }
     :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
       /interface bridge port
         add bridge=bridge interface=$tmpPortName comment=defconf;
     }
   }
   /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
   /ip dhcp-server
     add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
   /ip dhcp-server network
     add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
 /ip dns {
     set allow-remote-requests=yes
     static add name=router.lan address=192.168.88.1 comment=defconf
 }

   /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
 /interface list member add list=LAN interface=bridge comment="defconf"
 /interface list member add list=WAN interface=ether1 comment="defconf"
 /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
 /ip firewall {
   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
   filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
   filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
   filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
 }
 /ipv6 firewall {
   address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
   address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
   address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
   address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
   address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
   address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
   address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
   address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
   address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
   filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
   filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
   filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
   filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
   filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
   filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
   filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
   filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
   filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
   filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
   filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
   filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
   filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
   filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
 }
   /ip neighbor discovery-settings set discover-interface-list=LAN
   /tool mac-server set allowed-interface-list=LAN
   /tool mac-server mac-winbox set allowed-interface-list=LAN
 :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
   /user set admin password=$defconfPassword
   :delay 0.5
   /user expire-password admin 
 }
}
#-------------------------------------------------------------------------------
# Revert configuration.
# these commands are executed if user requests to remove default configuration
#-------------------------------------------------------------------------------
:if ($action = "revert") do={
/user set admin password=""
 /system routerboard mode-button set enabled=no
 /system routerboard mode-button set on-event=""
 /system script remove [find comment~"defconf"]
 /ip firewall filter remove [find comment~"defconf"]
 /ipv6 firewall filter remove [find comment~"defconf"]
 /ipv6 firewall address-list remove [find comment~"defconf"]
 /ip firewall nat remove [find comment~"defconf"]
 /interface list member remove [find comment~"defconf"]
 /interface detect-internet set detect-interface-list=none
 /interface detect-internet set lan-interface-list=none
 /interface detect-internet set wan-interface-list=none
 /interface detect-internet set internet-interface-list=none
 /interface list remove [find comment~"defconf"]
 /tool mac-server set allowed-interface-list=all
 /tool mac-server mac-winbox set allowed-interface-list=all
 /ip neighbor discovery-settings set discover-interface-list=!dynamic
   :local o [/ip dhcp-server network find comment="defconf"]
   :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
   :local o [/ip dhcp-server find name="defconf" !disabled]
   :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
   /ip pool {
     :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
     :if ([:len $o] != 0) do={ remove $o }
   }
   :local o [/ip dhcp-client find comment="defconf"]
   :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
 /ip dns {
   set allow-remote-requests=no
   :local o [static find comment="defconf"]
   :if ([:len $o] != 0) do={ static remove $o }
 }
 /ip address {
   :local o [find comment="defconf"]
   :if ([:len $o] != 0) do={ remove $o }
 }
 :foreach iface in=[/interface ethernet find] do={
   /interface ethernet set $iface name=[get $iface default-name]
 }
 /interface bridge port remove [find comment="defconf"]
 /interface bridge remove [find comment="defconf"]
 /interface bonding remove [find comment="defconf"]
 /interface wireless cap set enabled=no interfaces="" caps-man-addresses=""
  /caps-man manager set enabled=no
  /caps-man manager interface remove [find comment="defconf"]
  /caps-man manager interface set [ find default=yes ] forbid=no
  /caps-man provisioning remove [find comment="defconf"]
  /caps-man configuration remove [find comment="defconf"]
  /caps-man security remove [find comment="defconf"]
}
:log info Defconf_script_finished;
:set defconfMode;

rextended · Mon Apr 10, 2023 2:32 am

The true "defconf" is 2000+ lines and never set any form of MTU.
The RB5009UG+S+ ( 70x0 ) have the default of 1514 not matter if you reinstall or not.

That value is probably loaded from chip or drivers because I do not find hardcoded on standard settings.

The RB5009 has an unusually low default L2MTU of 1514. That's insufficient for holding a 1500 L3 MTU with ethernet header 6+6+2 (14) and vlan tag (4).

Now I underrstand your worry from what you wroted on previous post...

On the L2 MTU is not included the ethernet header of 14 Bytes, so is possible to use, for eample, also VLAN + MPLS without change L2 MTU...
Another example: use VLAN with internal MTU of 1508, for use a PPoE with L3 MTU of 1500, require only one L2 of 1512.

Buckeye · Mon Apr 10, 2023 3:19 am

@rextended thanks for opening my eyes to what I had looked at before but didn't catch the distinction between l2mtu and full frame mtu (which I was thinking of). So with l2mut 1514, full frame mtu would be 1528, more than enough for vlan and mpls (could even have a stacked vlan). I was missing the 14 bytes not included in the l2mtu.

Amm0 · Mon Apr 10, 2023 6:37 pm

@ammo said his RB5009 is the PoE version and he did a netinstall/reset-configurationl (which I did not), and evidently he has a higher L2MTU (I assume without him manually setting it).

FWIW, opened up a new RB5009 w/PoE, and yeah it was always 1514 L2MTU regardless if I reset. So my bad here. I realize the L2MTU must have been leftover from earlier VXLAN testing (my test config script had a [find] instead of [find interface=] I meant, so fooled me

)... Since this is kinda my "test router", I guess I thought I'd done a reset-configuration recently but guess not.... Still I'd like to say the default L2MTU does seem to vary by device but let's not quote me it

.

nichky · Tue Apr 11, 2023 8:47 am

@anav

First I would not use vlan-id=1 its a default vlan that is behind the scenes and should be left alone.

is that for the security reason?

mkx · Tue Apr 11, 2023 11:00 am

@anav

First I would not use vlan-id=1 its a default vlan that is behind the scenes and should be left alone.
is that for the security reason?

No. The reason is that VID=1 is implicit default all over the place. If one is not careful enough to configure all interfaces (also those which don't come first to one's mind)[*], then there might be some unexpected behaviour. Also other vendors often treat VID=1 in a special way, but the way it's treated is not consistent between vendors, which can be another source of surprises.

If one avoids using VID 1, then it's very likely one avoids surprises.

[*] one example is bridge interface, many users tend to forget (or have misconception) about that personality of bridge. If one doesn't want to have bridge setup as untagged member of VLAN 1, then one has to set bridge interface to frame-types=admit-only-vlan-tagged ... and that's under /interface/bridge, so quite a few users think that this setting is sort of a default setting for all bridge ports ... which is not.

anav · Tue Apr 11, 2023 1:57 pm

My corollary is--> I turn off the gas lawn mower when I want to clean the shute of grass & leaves buildup.
I could probably get away with leaving the motor running and not lose a finger or hand to the moving blade, but why risk it.............
SO FACKING turn the motor off ( that was an Australian accent ). or in RoS terminology, dont mess with vlan-id=1

mkx · Tue Apr 11, 2023 3:46 pm

I turn off the gas lawn mower

OK. But what should we do if one has electric lawn mower? And what if it was a battery lawn mower? Or the robotic/autonomous one?

anav · Tue Apr 11, 2023 4:30 pm

Clearly you dont do yard work LOL

GrasDK · Tue Jun 06, 2023 12:09 am

Hi again everyone

So I just wanted to send an update this way. I got busy with other stuff, but I ended up doing the sort of slow migration from VLAN 1 to real VLANs, but not in the way I thought I would.

So my takeaways from your replies are many. If you feel like it, let me know if they're wrong.

There is more than one way to do things. This makes mikrotik powerful, but also hard on beginners
If you want to get started with VLANs and read the guides and manuals, you might still overlook or misunderstand stuff. These are some basic info that I overlooked and or misunderstood. I checked afterwards: They're all there in the documenation and in some of your replies.
- Interface: Keep everything on one bridge (at least on newer devices). Define the VLANs you want under interfaces and "attach" them to the bridge
- Bridge: The PVID value of each port defines the VLAN ID of the ingress traffic - the (untagged) traffic that comes FROM the device on the other end. For VLAN unaware devices like linux and windows computers with default configuration, this defines the VLAN they're "on".
- Bridge: VLANs: Tagging an access ports with a VLAN unaware device in the other end is not needed and/or may require extra configuration of your device. My own understanding is that this is egress-traffic getting tagged and if you device doesn't understand this, you won't get the desired results. In my particular case, I had raspberri pis working fine with "their" ports tagged, but devices running Windows 10 choked and didn't get properly connected with default network settings.
- On the bridge, enabling "VLAN filtering" is the final bit. Before this is done, none of the VLAN configuration is in effect. Heed the warnings about not locking yourself out of your router
Firewall configuration is going to take at least as much of your time as the VLAN setup.
If you, like me, expose a few services to the internet (occasional family game server), a webserver or other things that require NAT and port forwarding, it is possible to setup a hairpin rule. I find it easier to explain to the family when such a thing is in effect, than explaining "your friends need to connect to your minecraft server with this name/IP, but YOU do it with this other name/IP". I agree that a cleaner setup would be having a proxy and local DNS and leave out the hairpin rule, but maybe you don't have this...

Anyway. This is what I "discovered" over time...

My approach was to leverage the Mikrotik switch and the Ubiquiti switch and have them use the defined VLANs first. They are both much simpler to work with and it didn't take long to reconfigure them.

The Mikrotik switch exposes 2 different VLANs on it's 4 ports (last port is "uplink" to my MT router).
The ubiquity switch and my two access points of the same brand utilized 2 of the 3 LANs, enabling my primary goal: Isolating the IoT Wireless connected products on a internet-access only VLAN and hosting another Wireless network for the "normal" VLAN.

Having the above setup allowed me to begin playing with firewalls, while retaining the rest of the network on VLAN 1, during the experimentation. After this was working as intended, I got to understand the MT router better (see the points at the beginning) and I could move one device at a time to the new VLAN networks.

I'm almost done now. I even got Sonos to work across 2 VLANs (no, not the IoT, but the other two). Still need to work on a DNS backup for my pihole, wireguard and tightening my firewall a bit. Maybe also play with VPN.

I retained VLAN1, directly against several recommendations. It is only used for the router and the "network infrastructure", so the MT router, MT switch, Ubiquiti Switch and Access points all operate on VLAN 1, but no (other) devices are there. I like the mental picture that these devices work on the base LAN supporting the VLANs above. I don't know if it poses a security issue or if it's a matter of taste and "purity".

So this is my report. I'm pretty much at the config I showed after the first rounds in this thread:

I'll be happy to post a config in a not too far future using anav's favorite comment:

/export file=anynameyouwish

(minus router serial number and any public WANIP information, keys etc.)

Until then, thanks for the help and understanding... and yeah, maybe Buckeye's xkcd reference hits home in my case as well. But I learned a lot on the journey. And my vacuum cleaner, smart plugs and washing machine can't connect to my NAS' SMB shares anymore

anav · Tue Jun 06, 2023 5:51 pm

Clearly you have to config properly for PiHole and consider any differences due to using unifi equipment.
Not sure about their switches, hopefully they are not bass-ackwered like their APs.

Unifi APs, typically are default setup to take the admin (trusted) subnet as an untagged vlan, with the data (AP) vlans tagged.
Thus from MT to Unifi AP, one needs to create a hybrid port setup. (No ingress filtering or frame type limitations (with pvid of trusted vlan)).

Also ensure that the controller and APs are in the same vlan for them to communicat ( workarounds if not but a pain ).

# model = RB5009UPr+S+
/interface bridge
add admin-mac=48:A9:8A:34:6F:81 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] name=eth3-OffBridge
/interface vlan
add interface=bridge name=GuestIoT vlan-id=250
add interface=bridge name=Homevlan-id=3
add interface=bridge name=HomeAdmin vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool250 ranges=192.168.250.2-192.168.250.254
add name=dhcp_pool3 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool250 interface=GuestIoT name=dhcp250
add address-pool=dhcp_pool3 interface=Home name=dhcp3
add address-pool=dhcp_pool2 interface=HomeAdmin name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=2
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-taggedinterface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=2
add bridge=bridge tagged=bridge,ether2,sfp-sfpplus1 untagged=ether4,ether5,ether6,ether7  vlan-ids=3
add bridge=bridge tagged=bridge,ether2,sfp-sfpplus1 vlan-ids=250
/interface list member
add comment=defconf interface=HomeAdmin list=LAN
add comment=defconf interface=Home list=LAN
add comment=defconf interface=GuestIoT list=LAN
add interface=eth3-OffBridge list=LAN
add interface=ether8 list=WAN
add interface=HomeAdmin list=MGMT 
add interface=eth3-OffBridge list=MGMT
/ip address
add address=192.168.250.1/24 interface=GuestIoT network=192.168.250.0
add address=192.168.3.1/24 interface=Home network=192.168.3.0
add address=192.168.1.1/24 interface=HomeAdmin network=192.168.1.0
add address=192.168.55.1/24 interface=eth3-OffBridge network=192.168.55.0
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=192.168.2.100,192.168.2.1 gateway=\
    192.168.3.1
add address=192.168.250.0/24 dns-server=8.8.8.8,194.239.134.83 gateway=\
    192.168.250.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
{ input chain }
(default rules)
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
(admin rules)
add action=accept chain=input comment="admin config access" in-interface-list=MGMT
add action=accept chain=input comment="services access" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="services access" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
{ forward chain }
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all vlans"  in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.40 to-ports=5001
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name="MikroTik RB5009"
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

.......
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As for pihole note the changes below. Assuming pihole is at IP address 192.168.1.44 Assuming you didnt want the IOT vlan going out pihole.
............

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.44 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=192.168.1.44 gateway=192.168.3.1
add address=192.168.250.0/24 dns-server=8.8.8.8,194.239.134.83 gateway=192.168.250.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.2

/ip firewall address-list
add ip-address=192.168.1.44 list=Excluded
add ip-address=192.168.250.0/24 list=Excluded
add ip-address=192.168.55.0/24 list=Excluded

/ip firewall rules
{ forward chain }
......
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN dst-address=192.168.1.44
add action=accept chain=forward comment="admin to all vlans" in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=LAN src-adress-list=!excluded dst-port=53 protocol=tcp to-addresss=192.168.1.44
add action=dst-nat chain=dstnat in-interface-list=LAN src-adress-list=!excluded dst-port=53 protocol=udp to-addresss=192.168.1.44
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.2.40 to-ports=5001

+++++++++++++++++++++++++++++++++++++++++++++

Review each line of the configs above and jot down any questions you have.........................

One thing I did was make a port (ether3) just for you to work on a complex setup which involves the bridge from a position NOT ON THE bridge. This will save you countless hours of grief as you will continually lock yourself out otherwise. Just put in any IP address from the 192.168.55.0 subnet on the ipv4 settings on your PC and you will have access to the router at the router. This may leave you one home pC shy but suggesting get a cheap un-managed switch and I am sure you can combine some of those 2-7 home ports at an un-managed switch somewhere along the line.

GrasDK · Sat Jun 10, 2023 2:09 pm

Wow, thanks.

Yes, I can spare a port at the router, to have a physical "management port". I'll look into that. And yes, spot on with the 250 VLAN not needing to bother my PiHole with work.

The unifi controller actually runs on a VLANm while both the unifi switch and the AP is on the untagged LAN. It works fine with 2 firewall rules and the unifi setting "adopt host" set correctly.

I'll review your input in detail this weekend and get back

GrasDK · Sun Jun 11, 2023 10:25 pm

Hi anav, a few clarifications, when you have time and feel like it

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=2
add bridge=bridge tagged=bridge,ether2,sfp-sfpplus1 untagged=ether4,ether5,ether6,ether7  vlan-ids=3
add bridge=bridge tagged=bridge,ether2,sfp-sfpplus1 vlan-ids=250

tagged list should be bridge,ether1,sfp-sfpplus1 in all 3 lines right?
and now the real question: the untagged interfaces show up as dynamically untagged when I view the settings in winbox. Is there a benefit of explicitly listing them as untagged?

Same ballpark, I think: Your config here

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=2
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=3
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-taggedinterface=sfp-sfpplus1

and my config here:

/interface bridge port
add bridge=bridge comment=HomeAdmin interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether4 pvid=3
add bridge=bridge comment=defconf interface=ether5 pvid=3
add bridge=bridge comment=defconf interface=ether6 pvid=3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=3
add bridge=bridge comment=MTswitch interface=ether1
add bridge=bridge comment=unifiswitch" interface=sfp-sfpplus1

ether 2,4,5,6 and 7 have devices at the other end of the wire, so they're access ports. My config doesn't set ingress-filtering and frame-types (so no filtering and allow all). Is the practical difference here, that I could attach a VLAN-aware device to one of these ports in my setup and get access to VLAN 2 from ether 4, for example? While your setup would ignore the VLAN 2 traffic from such a device on ether 4?
ether1 and sfp-sfpplus1 in my setup allows VLAN 1, any other important differences?

Another question unrelated to VLANs: Any reason for chosing subnet 192.168.55.1/24 for the MGMT ehter3 port, instead of 192.168.88.1/24 for example, which seems to default mikrotik. Maybe that is the exact reason? A measure of security by obscurity, like me using 192.168.2.1/24 for VLAN1?

Someone in the comments above mentioned that instead of me adding a bridge for WAN and putting ether8 there, I could just change ether8's mac-adress (because my ISP expects that mac-address). I didn't know how to do that, and I haven't changed it. Is the additional brigde for the WAN a measurable penalty in performance or otherwise? In other words: If should I get rid of my WAN bridge, change ether8's mac adress instead for other reasons that simplicity?

I think I will stop here for now and get back to the firewall rules later.

anav · Mon Jun 12, 2023 2:19 am

(1) Yes, this assumes that all three vlans should pass through this port tagged going to a smart device that can read the tags.

(2) Yes, for me I much prefer for two reasons.
a. as you noted they actually show up as untagged in winbox and in an export config for review.
b. when reviewing config its very easy to match up the /interface bridge ports and /interface bridge vlans to see what the person has done ( good for troubleshooting and to see if the OP understands how to config vlans ).

(3) I much prefer strict adherence to the vlan rules for security purposes and thus yes, I want to ensure only certain frame types are permitted etc....
personal preference.

(4) You could choose any vlan subnet for offbridge, just a rectal pluck. I prefer not to use default anything as a basic habit, from default subnets, to winbox port to wireguard port etc....

(5) I see no reason to use a bridge for WAN in your scenario (and there are performance hits) ................ why would you need to change your mac address, did you do something strange on the bridge ref mac address ???

Amm0 · Mon Jun 12, 2023 6:55 pm

(3) I much prefer strict adherence to the vlan rules for security purposes and thus yes, I want to ensure only certain frame types are permitted etc....
personal preference.

Well... I'd say more than security/preference. The bridge runs RSTP (by default) so you start asking for trouble with hybrid ports. They may be unavoidable for some stuff (e.g. some VoIP phones), but if that the case you'd want to use MSTP as the loop detection. But if things are either trunk or access ports (e.g. never "allow-all"), that avoid a lot of considerations/side-effects/etc.

Also, the reason not to use 192.168.88.0/24 is that it is the default, so if you get a new Mikrotik device and it accidentally get plugged in...it a much easier problem to sort out since you shouldn't be getting a 192.168.88.0 in a normal case. In general, I use the VLAN ID as the subnet in 192.168.<vlan-id>.0/24 for LANs, but this is just preference.

anav · Mon Jun 12, 2023 7:02 pm

On hybrid ports one should not use ingress filtering and frame types should not be specified which defaults to ALL.

Amm0 · Mon Jun 12, 2023 7:11 pm

On hybrid ports one should not use ingress filtering and frame types should not be specified which defaults to ALL.

In looking at the diagram again, the Unifi stuff may "need" a hybrid port (or be helpful... since I think it support a mgmt VLAN) – but that can be created on the Unifi switch. Basically, all the ether1 and SFP+ ports in the diagram should not allow untagged packets (e.g. trunks) IMO. Avoid "frame-type=allow-all" is my advice.

anav · Mon Jun 12, 2023 7:49 pm

Yup, trunk ports and access ports should have ingress filtering enabled and the frame types set accordingly.
Nothing new here, also dont pick your nose in public.
Unfi is a strange beast, at least their APs expect, as the default, the management subnet untagged and the data vlans tagged.
This is probably to support all the folks that just want to plug in one network to their AP, ( management subnet = data subnet = single SSID wlan )

Buckeye · Mon Jun 12, 2023 10:26 pm

Unfi is a strange beast, at least their APs expect, as the default, the management subnet untagged and the data vlans tagged.
This is probably to support all the folks that just want to plug in one network to their AP, ( management subnet = data subnet = single SSID wlan )

In which case there are no tagged vlans. ( in the "simple case" where management subnet = data subnet = single SSID wlan )

My guess is that in most homes, the trusted SSID and the management share a vlan.

GrasDK · Tue Jun 13, 2023 12:21 am

Thanks for your answers. I will play around with your suggestions. I enabled the "admit only untagged and priority tagged" on the access ports. So far so good.

One evening I will see what happens if I convert my hybrid port for the unifi switch into a trunk-port with "enable only VLAN tagged" and with PVID 2, so it will be on my HomeAdmin VLAN, which I think some of you name the MGMT lan. I hope the result will simply be that the unifi switch and APs get some new IPs on the HomeAdmin VLAN and the rest of the operation continues smoothly once I fix my unifi specific firewall rules. - I will keep you posted.

- And thanks for the heads up on loop detection. I was wondering what all the "avoid VLAN 1" was founded in. Even though I don't know the specifics, I can appreciate the fact that RSTP loop detection problems might occur.

Also, good point on NOT using 192.168.88.* . Adding a new MT device and the default-argument are both good reasons why not

Finally about that WAN mac-address. I have to change it, otherwise there is no internet connection.

When I got the RB5009, I had internet when using ether1 (the default on the MT), but after I switched to ether8, I lost connection.
I figured that the problem was the mac-address from earlier experience, and that my ISP allows a certain amount of switching device, before you have to call them again to "reset". Rather than calling them and having human interaction I decided to try and fake the mac-address.
Since I consider it bad practice to have both ether8 and ether1 using the same mac-address, I decided to use the mac-address of my old ASUS router on ether8
I didn't find a way to fix the mac-address directly, but I found out that I could use a bridge for the purpose. And it works. Next step is to use the command in a post above to give ether8 this mac-address and get rid of the WAN bridge

Thanks again for your valuable input.