Help with Basic VLAN
Posted: Tue Jul 31, 2018 6:17 am
by BassTeQ
Hi,
I've recently setup my router using the default settings and latest OS version, things are working well.
I'd now like to add a VLAN into the mix; the purpose of this VLAN is to create a separate network which will be utilised by UniFi Access Points.
Current configuration
Eth1 = WAN
Eth2 = LAN (192.168.100.0/24) This goes into my main Unifi Switch where all devices are connected
Default Bridge
[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 H ;;; defconf
ether2-LAN bridge yes 1 0x80 10 10 none
1 I H ;;; defconf
ether6-master bridge yes 1 0x80 10 10 none
2 I ;;; defconf
sfp1 bridge no 1 0x80 10 10 none
3 I H ether3 bridge yes 1 0x80 10 10 none
4 I H ether4 bridge yes 1 0x80 10 10 none
5 I H ether5 bridge yes 1 0x80 10 10 none
6 I H ether7 bridge yes 1 0x80 10 10 none
7 I H ether8 bridge yes 1 0x80 10 10 none
8 I H ether9 bridge yes 1 0x80 10 10 none
9 I H ether10 bridge yes 1 0x80 10 10 none
I'd like to create a new VLAN, eg VLAN 10 and it have a network address of 10.0.10.0/24. What steps are required to implement this?
Appreciate any assistance.
Thanks
Re: Help with Basic VLAN
Posted: Tue Jul 31, 2018 11:15 am
by usdmatt
- Create a vlan sub-interface on the bridge with your relevant vlan number.
- In "/switch vlan" create a VLAN entry and add ether2 and switch1-cpu. You can also add other ports if they might handle VLAN traffic. If it's something like an RB2011, you may need to add switch2-cpu to the list to use ports 6+.
- Add an ip to the vlan interface and setup a dhcp server on it
Re: Help with Basic VLAN
Posted: Tue Jul 31, 2018 11:16 am
by samsung172
Just add a VLAN to your bridge and add an IP to this new interface. Next you need to tag the VLAN at your UBNT device and use it for your requirements.
Re: Help with Basic VLAN
Posted: Tue Jul 31, 2018 11:49 am
by nichky
Re: Help with Basic VLAN
Posted: Wed Aug 01, 2018 3:57 am
by BassTeQ
Thanks for the tips, will try these suggestions shortly.
Is it best to tag traffic for my current 192.168.100.0 network as well, or leave this untagged as-is?
Re: Help with Basic VLAN
Posted: Wed Aug 01, 2018 1:50 pm
by BassTeQ
I've made the suggested changes, does everything look ok? Any obvious mistakes?
When I try to connect to the UniFi wireless network, which has VLAN 10 set, it fails trying to obtain an IP address.
I think as a starting point I want to first take Unifi and the main switch connected on Eth2 out of the equation. If I can connect a PC to Eth3, and get an IP on the VLAN 10, that would be a good start. Is there anything additional I might need to achieve this?
Unifi Network
Thanks!
Re: Help with Basic VLAN
Posted: Wed Aug 01, 2018 2:28 pm
by skylark
Re: Help with Basic VLAN
Posted: Wed Aug 01, 2018 3:24 pm
by Samot
I'm not sure why the majority of the suggestions are pre-6.41 since that hasn't been the case for almost a year now. You've got most of it right but here is what needs to happen.
1) Do not use the Switch setup. That's wrong, it's done via the Bridge now.
2) Under Bridge go to the VLAN tab, you'll want to add a new VLAN. Add the VLAN ID where it asks and then add the bridge itself and the ether ports (3 in this case) that need to be tagged.
3) Enable VLAN Filtering on the Bridge.
Having the VLAN interface as a port on the bridge, correct.
Having the DHCP/IP Addresses assigned to the VLAN interface, correct.
You just need to set this up on the bridge instead of the switch interface.
Re: Help with Basic VLAN
Posted: Thu Aug 02, 2018 2:28 am
by BassTeQ
> I'm not sure why the majority of the suggestions are pre-6.41 since that hasn't been the case for almost a year now. You've got most of it right but here is what needs to happen.
> 1) Do not use the Switch setup. That's wrong, it's done via the Bridge now.
> 2) Under Bridge go to the VLAN tab, you'll want to add a new VLAN. Add the VLAN ID where it asks and then add the bridge itself and the ether ports (3 in this case) that need to be tagged.
> 3) Enable VLAN Filtering on the Bridge.
Thanks Samot, this is what caused me confusion; lots of the content in forums, YouTube etc. is pre-6.41.
I've done as you suggested: removed the config in the "switch", enabled VLAN Filtering, and added the details in the VLAN tab.
However when I connect a PC into Eth3 I'm getting a 192.168.100.X IP address when it should be 10.0.10.X.
Cheers
Re: Help with Basic VLAN
Posted: Thu Aug 02, 2018 6:11 pm
by CZFan
Vlan10 must be on Bridge
In Bridge-->Ports, change ether3 PVID from 1 to 10
In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
Re: Help with Basic VLAN
Posted: Fri Aug 03, 2018 2:17 am
by BassTeQ
> Vlan10 must be on Bridge
> In Bridge-->Ports, change ether3 PVID from 1 to 10
> In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
Thanks CZFan,
> Vlan10 must be on Bridge
Is this correct?
[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge 10
> In Bridge-->Ports, change ether3 PVID from 1 to 10
Done
[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 H ;;; defconf
ether2-LAN bridge yes 1 0x80 10 10 none
1 I H ;;; defconf
ether6-master bridge yes 1 0x80 10 10 none
2 I ;;; defconf
sfp1 bridge no 1 0x80 10 10 none
3 I H ether3 bridge yes 10 0x80 10 10 none
**--snip--**
> In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
Like this?
Thank you.
Re: Help with Basic VLAN
Posted: Fri Aug 03, 2018 9:54 am
by CZFan
> Vlan10 must be on Bridge
> In Bridge-->Ports, change ether3 PVID from 1 to 10
> In Bridge-->Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
> Thanks CZFan,
> Vlan10 must be on Bridge
> Is this correct?
> [admin@MikroTik] /interface bridge vlan> print
> Flags: X - disabled, D - dynamic
> # BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
> 0 bridge 10
> ...
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
Re: Help with Basic VLAN
Posted: Fri Aug 03, 2018 1:07 pm
by BassTeQ
> /interface vlan
> add interface=bridge1 name=vlan10 vlan-id=10
I already have this setup using a different name, will this be ok?
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan10_Guest 1500 enabled 10 bridge
Re: Help with Basic VLAN
Posted: Fri Aug 03, 2018 4:04 pm
by CZFan
Should be good to go. Then, if you want to prevent the guest VLAN communicating via layer 3 with other devices, use firewall filter rules.
Re: Help with Basic VLAN
Posted: Fri Aug 03, 2018 7:19 pm
by diddie17
> I'm not sure why the majority of the suggestions are pre-6.41 since that hasn't been the case for almost a year now. You've got most of it right but here is what needs to happen.
> 1) Do not use the Switch setup. That's wrong, it's done via the Bridge now.
I'm very happy to be corrected, but for my own education, I hadn't understood it as being as binary as using the switch menu before 6.41 and VLAN filtering after. My understanding was that if there was a VLAN switching requirement, you should still use the switch menu for devices with a switch chip, rather than VLAN filtering on the bridge, in order to maintain HW offload and wirespeed switching (with the exception of the CRS3xx range, which can maintain HW offload using VLAN filtering on the bridge).
If I've understood correctly, the answer given is right for the eth1 and eth2 question being asked by the OP, as there is no switching going on. But wouldn't there be a benefit even after 6.41 to using the switch menu and chip to maintain HW offload if eth3, eth4 etc. were also used with VLANs?
Re: Help with Basic VLAN
Posted: Sat Aug 04, 2018 12:40 am
by CZFan
@diddie17, you are 100% correct: if you want to switch VLANs, i.e. ether3 and ether4 are in the same VLAN, then it is best to use the switch VLAN config, except for CRS3xx devices.
Traffic between VLANs will happen with routing, and this will go via the CPU.
Re: Help with Basic VLAN
Posted: Sat Aug 04, 2018 9:33 am
by BassTeQ
Getting closer: when I connect a PC to Eth3 I now get an IP in the 10.0.10.0 subnet, however it can't access the internet, or ping Google DNS 8.8.8.8.
Am I missing something? I've not put in any firewall rules to block traffic, the same rules remain as before I started trying to add this VLAN.
Traffic on the 192.168.100.0 subnet is fine, and has full connectivity.
Thanks again!
Re: Help with Basic VLAN
Posted: Sat Aug 04, 2018 1:46 pm
by CZFan
provide output of "export hide-sensitive"
Re: Help with Basic VLAN
Posted: Sat Aug 04, 2018 2:14 pm
by BassTeQ
> provide output of "export hide-sensitive"
# aug/04/2018 21:09:53 by RouterOS 6.42.6
# software id = UUZ2-Z8I4
#
# model = RouterBOARD 3011UiAS
# serial number =
/interface bridge
add admin-mac=CC:2D:E0:7B:34:9F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether6 ] name=ether6-master
/interface vlan
add interface=bridge name=vlan10_Guest vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.1-192.168.100.254
add name=Guest ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=LAN
add address-pool=Guest disabled=no interface=vlan10_Guest name=GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
/interface list member
add interface=ether2-LAN list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1-WAN list=WAN
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1-WAN
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.0.1 gateway=10.0.10.1 \
netmask=24
add address=192.168.100.0/24 comment=LAN gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.254 name=router
/ip firewall address-list
add address=my.dynamic.host list=WANIP
/ip firewall filter
add action=log chain=prerouting disabled=yes dst-port=22 log=yes log-prefix=\
step1 protocol=tcp
add action=log chain=forward disabled=yes dst-port=22 log=yes log-prefix=\
step2 protocol=tcp
add action=log chain=postrouting disabled=yes dst-port=22 log=yes log-prefix=\
step3 protocol=tcp
add action=drop chain=input comment="Drop Ping from WAN" in-interface=\
ether1-WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=forward disabled=yes dst-port=8228 in-interface=\
ether1-WAN log=yes log-prefix="accept forward port 22" protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1-WAN log-prefix="drop all from wan - input"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix="drop invalid"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-WAN log-prefix=\
"drop from wan not dstnated"
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN Nat for loopback" \
dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1-WAN
add action=dst-nat chain=dstnat comment="SSH Server" dst-port=9922 \
in-interface=ether1-WAN protocol=tcp to-addresses=192.168.100.150 \
to-ports=22
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/lcd
set backlight-timeout=never default-screen=stat-slideshow
/lcd interface
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6-master disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=ether1-WAN,ether2-LAN
/system clock
set time-zone-name=Australia/Melbourne
/system ntp client
set enabled=yes primary-ntp=150.101.178.147 secondary-ntp=203.7.149.150
/system routerboard settings
set silent-boot=no
/system scheduler
/system script
/tool graphing interface
add interface=ether1-WAN
add interface=ether2-LAN
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Re: Help with Basic VLAN
Posted: Mon Aug 06, 2018 7:41 pm
by CZFan
Below are some corrections of mistakes and suggestions; change these first and come back:
From
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0
To
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
192.168.100.0
add address=10.0.10.1/24 interface=vlan10_Guest network=10.0.10.0
From
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.0.1 gateway=10.0.10.1 \
netmask=24
add address=192.168.100.0/24 comment=LAN gateway=192.168.100.254 netmask=24
To
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.10.1,8.8.8.8 gateway=10.0.10.1 \
netmask=24
add address=192.168.100.0/24 comment=LAN dns-server=192.168.100.254,8.8.8.8 gateway=192.168.100.254 netmask=24
From
/ip dns
set allow-remote-requests=yes
To
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
Re: Help with Basic VLAN
Posted: Wed Aug 08, 2018 4:05 am
by BassTeQ
Thanks very much, I've made your suggested changes (excluding the google dns ones, as I want to use the ISP DNS for default) and I now have connectivity!!!!
What's the best method to now block traffic on the Guest VLAN so it can't see the other network, and vice versa?
I've added these rules and it seems to do the job, just wondering if there's a better approach? If I add more VLANs the amount of rules would quickly increase.
chain=forward action=drop in-interface=vlan10_Guest dst-address=192.168.100.0/24 log=no log-prefix=""
chain=forward action=drop src-address=192.168.100.0/24 out-interface=vlan10_Guest log=no log-prefix=""
Cheers
Re: Help with Basic VLAN
Posted: Wed Aug 08, 2018 6:27 pm
by CZFan
I will use:
chain=forward action=drop src-address=10.0.10.0/24 dst-address=192.168.100.0/24 log=no log-prefix=""
chain=forward action=drop src-address=192.168.100.0/24 dst-address=10.0.10.0/24 log=no log-prefix=""
Re: Help with Basic VLAN
Posted: Thu Aug 09, 2018 4:24 am
by BassTeQ
Any particular reason why you avoid using the "interface" in those rules?
Also I just noticed I'd left VLAN Filtering disabled on the Bridge, however everything seemed to be working ok: I can connect to the UniFi AP Wifi Network which has the VLAN ID set and get an IP in the 10.0.10.0 network. However when I enable VLAN Filtering on the bridge and connect to the Wifi Network, I don't get internet connectivity, any ideas why?
Thanks
Re: Help with Basic VLAN
Posted: Fri Aug 10, 2018 1:26 am
by CZFan
Personally I use interfaces for bridge filters and IP for firewall filters. Another reason would be that you might have multiple interfaces as members of the same VLAN; then it makes more sense to use the subnet of the VLAN. But it is just a personal choice.
Did you tag the VLAN on the UniFi APs? If so, change ether3 from untagged to tagged under bridge VLAN.
Re: Help with Basic VLAN
Posted: Fri Aug 10, 2018 2:09 am
by BassTeQ
> Personally I use interfaces for bridge filters and IP for firewall filters, another reason would be that you might have multiple interfaces as members of same vlan, the it makes more sense to use the subnet of the vlan, but it is just set a personal choice
> Did you tag the vlan on the unify AP's, if so, change ether 3 from untagged to tagged under bridge vlan
Ok fair enough, it makes sense.
Yes, I tagged the VLAN on the APs; these are connected to a UniFi switch, which is connected to Eth2. Eth3 was only used as a test when I was first having an issue getting the VLAN working; nothing is now connected there.
Cheers
Re: Help with Basic VLAN
Posted: Fri Aug 10, 2018 7:23 pm
by CZFan
Add ether2 as tagged under Bridge Vlan for Vlan id 10
Re: Help with Basic VLAN
Posted: Sat Aug 11, 2018 9:58 am
by BassTeQ
> Add ether2 as tagged under Bridge Vlan for Vlan id 10
Done, and enabled VLAN Tagging on the bridge, still no connectivity.
In fact I end up getting a 192.254.51.X IP address if I connect a PC to Ether3 or connect to the Guest Wifi with VLAN ID=10, when I should be seeing a 10.0.10.X address.
Thanks
Re: Help with Basic VLAN
Posted: Sat Aug 11, 2018 4:23 pm
by CZFan
As per my post in this topic, post # 10, the Bridge must also be tagged for VLAN IDs 10, 20, 30, 40; this is to allow access to the CPU for DHCP from these VLANs.
Re: Help with Basic VLAN
Posted: Sun Aug 12, 2018 3:16 am
by BassTeQ
> As per my post in this topic, post # 10, Bridge must also be tagged for Vlan id's 10, 20, 30, 40, this is to allow access to the CPU for DHCP from these Vlans
Is this correct? With this setup like below, and VLAN Filtering enabled I still can't access the internet.
Should the new VLAN 10 be added to the Bridge/Port section, at the moment only the physical ports are listed there Eth2 to Eth10?
I've seen other examples where people had done this, not sure if it was required for my configuration?
Cheers
Re: Help with Basic VLAN [SOLVED]
Posted: Sun Aug 12, 2018 12:45 pm
by CZFan
Look at the differences in the screenshots in your posts # 27 & 29: by adding the bridge as tagged, you have removed ether2, which broke the setup again. Add ether2 back as tagged.
> Should the new VLAN 10 be added to the Bridge/Port section, at the moment only the physical ports are listed there Eth2 to Eth10?
No, you don't need this, I assume some people tried to do some QinQ when they did that
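Pulling the thread's fixes together as an added example (not code from the thread or from MikroTik): a small Python audit that parses a RouterOS export of the kind posted above and flags the mistakes hit along the way: VLAN filtering left off, the bridge (CPU port) or the ether2 uplink missing from the tagged list for VLAN 10, an access port whose PVID has no matching untagged entry, and an address entered without its /24. The embedded export fragment is a constructed cut-down of the one posted, and the `trunks` argument naming the uplink port is an assumption of the example.

```python
import re
import shlex
from ipaddress import ip_interface
# Constructed sample: the VLAN 10 parts of the thread's export, before the fixes.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=vlan10_Guest vlan-id=10
/interface bridge port
add bridge=bridge interface=ether3 pvid=10
/interface bridge vlan
add bridge=bridge untagged=ether3 vlan-ids=10
/ip address
add address=192.168.100.254/24 interface=ether2-LAN network=\\
    192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0
"""

def parse_export(text):
    """Map each /section to its 'add' entries; joins backslash line continuations."""
    cfg, section = {}, None
    for line in (l.strip() for l in re.sub(r"\\\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            cfg.setdefault(section, []).append(dict(
                t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return cfg

def members(entry, key):  # comma-separated field (tagged=, vlan-ids=, ...) as a set
    return set(filter(None, entry.get(key, "").split(",")))

def audit(cfg, trunks=()):
    """Findings for the pitfalls in the thread; trunks = uplinks to APs/switches."""
    out, bvlans = [], cfg.get("/interface bridge vlan", [])
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", [])}
    for name, b in bridges.items():
        if b.get("vlan-filtering") != "yes":
            out.append(f"{name}: vlan-filtering not enabled")
    def rows(bridge, vid):
        return [r for r in bvlans if r["bridge"] == bridge and vid in members(r, "vlan-ids")]
    # The CPU port (the bridge itself) and any uplink to the APs must be tagged for the VLAN.
    for v in cfg.get("/interface vlan", []):
        br, vid = v["interface"], v["vlan-id"]
        if br in bridges:
            tagged = set().union(*(members(r, "tagged") for r in rows(br, vid)))
            out += [f"vlan {vid}: {p} must be tagged in /interface bridge vlan"
                    for p in (br, *trunks) if p not in tagged]
    # An access port with pvid=N must also be an untagged member of VLAN N.
    for p in cfg.get("/interface bridge port", []):
        vid = p.get("pvid", "1")
        if vid != "1" and not any(p["interface"] in members(r, "untagged")
                                  for r in rows(p["bridge"], vid)):
            out.append(f"{p['interface']}: pvid {vid} but not untagged for vlan {vid}")
    # 'address=10.0.10.1' without /24 becomes a /32, so the subnet is not routed.
    for a in cfg.get("/ip address", []):
        if ip_interface(a["address"]).network.prefixlen == 32:
            out.append(f"{a['interface']}: address {a['address']} lacks a prefix length")
    return out
```

Running `audit(parse_export(SAMPLE_EXPORT), trunks=("ether2-LAN",))` lists the four problems the thread fixed one by one; the same call on the corrected export returns an empty list.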
Re: Help with Basic VLAN
Posted: Mon Aug 13, 2018 12:05 pm
by BassTeQ
> look at the differences in the screenshots in your posts # 27 & 29, by adding the bridge as tagged, you have removed ether2 which broke the setup again, add ether2 back as tagged
Thank you very much for your assistance, it's now working as expected!!!!