
VLAN Issues

Posted: Sat Oct 21, 2023 7:17 pm
by loboAT
Hello, I tried to follow some tutorials (viewtopic.php?t=143620#p706997, viewtopic.php?t=182898#) to achieve a rather simple setup which is depicted here.

For some reasons it's not possible to ping the address of the vlan. Is there any advice?
/interface bridge
add admin-mac=48:A9:8A:CF:8B:AA auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=smarthome.local vlan-id=7
add interface=bridge name=stelzer.local vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether3 pvid=2
add bridge=bridge comment=defconf interface=ether4 pvid=7
add bridge=bridge comment=defconf interface=ether5 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=2
add bridge=bridge tagged=bridge vlan-ids=7
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=192.168.2.254/24 interface=stelzer.local network=192.168.2.0
add address=192.168.7.254/24 interface=smarthome.local network=192.168.7.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 protocol=tcp src-port=""
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: VLAN Issues

Posted: Sat Oct 21, 2023 8:43 pm
by nediis
For a start:
/interface bridge
add admin-mac=48:A9:8A:CF:8B:AA auto-mac=no comment=defconf name=bridge vlan-filtering=yes

Re: VLAN Issues

Posted: Sun Oct 22, 2023 12:02 am
by erlinden
I prefer to use VLAN all the way, no hybrid/implicit VLANs. That would mean that you add an additional VLAN.
In your config I missed the DHCP servers for the VLANs, is that on purpose?

Btw, you didn't follow the tutorial completely.

Re: VLAN Issues

Posted: Sun Oct 22, 2023 12:04 pm
by loboAT
Hi, thanks for your help, the activation did the trick. It's true that I didn't follow the whole tutorial because I tried it several times. I also added DHCP now and everything's working.

Re: VLAN Issues

Posted: Sun Oct 22, 2023 12:05 pm
by loboAT
What VLAN would be required in addition?

Re: VLAN Issues

Posted: Sun Oct 22, 2023 1:42 pm
by erlinden
From your configuration I assume you are using 3 networks:
  • "Corporate": 192.168.88.1/24
  • stelzer.local
  • smarthome.local
Corporate (as I call it) will use default vlan id (which is 1). Better, in my opinion, is to give it an explicit vlan id as well.
In line with the examples...

Re: VLAN Issues

Posted: Sun Oct 22, 2023 5:45 pm
by jbl42
Be careful with using .local for your internal domains.
.local is reserved for mDNS/Bonjour (RFC 6762), used by many Apple devices, Google Chromecast, smart home stuff etc., and using it for your internal domain might cause hard-to-track issues.

https://en.wikipedia.org/wiki/.local

If you have an official domain, make the internal network a subdomain, something like "lan.yourdomain.com".
If not, I usually use .lan.

Re: VLAN Issues

Posted: Mon Oct 23, 2023 11:56 pm
by loboAT
Thanks for the hint!

Re: VLAN Issues

Posted: Mon Oct 23, 2023 11:59 pm
by loboAT
I have to reopen again! The "tagged" Ports are not working, only the untagged. Any ideas?

Re: VLAN Issues

Posted: Tue Oct 24, 2023 1:05 am
by nediis
/interface bridge vlan
add bridge=bridge tagged=bridge,etherN,... vlan-ids=2
...

Re: VLAN Issues

Posted: Tue Oct 24, 2023 9:32 am
by loboAT
Thanks, but why is it required to set the VLAN tagged on the bridge AND on etherX?

Re: VLAN Issues

Posted: Tue Oct 24, 2023 11:05 am
by nediis
https://help.mikrotik.com/docs/display/ ... VLAN+Table
simplified ...
tag/untag port - traffic through ports
tag/untag bridge - traffic to the router itself (mgmt,route etc.)

Re: VLAN Issues

Posted: Fri Nov 17, 2023 12:27 am
by jbl42
This is a Mikrotik specialty: The switch/bridge port towards the CPU has the same name as the bridge itself. Adding this port as tagged makes the CPU facing switch port a tagged member of the VLAN. While adding a VLAN interface to the bridge adds a VLAN (virtual interface) on the CPU Ethernet port going towards the switch. So both ends of the CPU<->switch connection send and receive tagged traffic for the respective VLAN.

This is the same for all routers with integrated switch, but the Mikrotik way of configuring it is confusing, at least at the beginning.

Re: VLAN Issues

Posted: Fri Nov 17, 2023 12:46 am
by anav
Let's get real here, you didn't read the first reference at all!!

How else can you explain this...... TWO VLANs and only one pool and one DHCP server, and they are not for either VLAN????
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf


Not only that, but it's for an effing bridge. Nowhere does the OP mix apples and oranges and have both the bridge and VLANs doing DHCP.
Once you add VLANs, make all subnets VLANs; much cleaner, simpler and consistent.

So you probably should have 3 VLANs, 3 pools etc. etc. etc.....
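A small checker for the three mistakes this thread turns up (vlan-filtering left off, the bridge itself not a tagged member in the VLAN table, VLAN interfaces carrying an address but no DHCP server). This is an added example, not code from any poster or from MikroTik; the export excerpt it scans is constructed from the OP's config above, and the parser assumes only the simple `key=value` export format shown there.

```python
import re
# Constructed excerpt of the export posted at the top of this thread (not the full config).
OP_EXPORT = """/interface bridge
add admin-mac=48:A9:8A:CF:8B:AA auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=smarthome.local vlan-id=7
add interface=bridge name=stelzer.local vlan-id=2
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=2
add bridge=bridge tagged=bridge vlan-ids=7
/ip address
add address=192.168.2.254/24 interface=stelzer.local network=192.168.2.0
add address=192.168.7.254/24 interface=smarthome.local network=192.168.7.0
"""

def parse_export(text):
    """Map each /menu path to the parameter dicts of the add/set lines beneath it."""
    menus, menu = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("/"):
            menu = menus.setdefault(line, [])
        else:
            menu.append({k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)})
    return menus

def vlan_ids(spec):
    """Expand a vlan-ids value such as '2,7' or '10-12' into a set of ints."""
    return {i for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for i in range(int(lo), int(hi or lo) + 1)}

def lint(text):
    cfg, findings = parse_export(text), []
    vlan_ifaces = cfg.get("/interface vlan", [])
    # 1. VLAN interfaces on a bridge do nothing until vlan-filtering=yes (nediis' first reply).
    for br in cfg.get("/interface bridge", []):
        if br.get("vlan-filtering") != "yes" and any(v["interface"] == br["name"] for v in vlan_ifaces):
            findings.append(f"bridge {br['name']}: VLAN interfaces exist but vlan-filtering is not yes")
    dhcp_ifaces = {d.get("interface") for d in cfg.get("/ip dhcp-server", [])}
    for v in vlan_ifaces:
        vid, br = int(v["vlan-id"]), v["interface"]
        # 2. The bridge name is also the CPU-facing port; it must be tagged or the router is unreachable on the VLAN.
        if not any(t["bridge"] == br and vid in vlan_ids(t["vlan-ids"]) and br in t.get("tagged", "").split(",")
                   for t in cfg.get("/interface bridge vlan", [])):
            findings.append(f"vlan {vid}: bridge {br} is not a tagged member, so {v['name']} is unreachable")
        # 3. A VLAN with an address but no DHCP server on it (anav's point): clients on it get no lease.
        addressed = any(a.get("interface") == v["name"] and a.get("disabled") != "yes" for a in cfg.get("/ip address", []))
        if addressed and v["name"] not in dhcp_ifaces:
            findings.append(f"{v['name']}: has an IP address but no DHCP server")
    return findings
```

Run `lint()` over a full `/export` to get the same findings; on the OP's excerpt it reports the missing vlan-filtering and the two VLANs without DHCP, and nothing once those are added.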