Inter-Vlan Routing

Posted: Sat Nov 15, 2014 11:02 pm
by mvdv78
Hello everybody,

A good friend of mine advised me to buy devices from Mikrotik because of the good price/quality.
I've bought two devices:
a. RB951G-2HnD
b. CRS109-8G-1S-2HnD-IN

The reseller advised me to buy the RB951G instead of a switch because of the possibility to extend the WiFi network from the CRS109.

I would like to get the following setup:
Segmentation through VLANs, routing between the VLANs (inter-VLAN routing) and firewalling between the VLANs.

I would like to ask you guys if you can help me accomplish this?

Thank you.

Re: Inter-Vlan Routing

Posted: Tue Nov 18, 2014 7:13 am
by 43north
VLANs are pretty easy to set up on Tiks; I researched it through Googling and watching videos in less than a day. There is a lot of info out there. To get you started though: click on the Interface tab -> VLAN and then just create a new one. Then under the IP tab on the left you will have to input the address and create DHCP pools and servers if you want that functionality.

Re: Inter-Vlan Routing

Posted: Fri Nov 21, 2014 1:56 am
by mvdv78
> VLANs are pretty easy to set up on Tiks; I researched it through Googling and watching videos in less than a day. There is a lot of info out there. To get you started though: click on the Interface tab -> VLAN and then just create a new one. Then under the IP tab on the left you will have to input the address and create DHCP pools and servers if you want that functionality.

Thank you for your reply.

That's right, VLANs are pretty easy to set up BUT inter-VLAN routing is something else.

Mikrotik devices:
Router1: CRS109-8G-1S-2HnD-IN
Router2: RB951G-2HnD

In my understanding: VLAN tagging in the switch chip (router2) and routing in RouterOS (router1).
Inter-VLAN trunking, so it's possible for devices connected to router1 in the 192.168.10.0/24 subnet to communicate with devices on router2 in the 192.168.20.0/24 subnet.
When this is accomplished, I would like to add restrictions to the communication between the different VLANs.

Management of the Mikrotik devices must also be in a different VLAN.

I searched on the web and tried different configs, unfortunately without any success.
That's why I would like to ask you guys again if you can help me accomplish this?

Thank you.

Re: Inter-Vlan Routing

Posted: Sat Nov 22, 2014 9:53 am
by 43north
The VLANs should by default route between the different subnets; then you can control isolation through the firewall. I was really struggling with them until I figured out trunking, tagging, and the PVID setting on my SWITCH. Once I grasped that it was easy to set up multiple inter-routing VLANs.

I made a picture guide in Word to help me in the future if I forgot. Shoot me an email mike(at)43index(dot)com and I can forward it to you.

Re: Inter-Vlan Routing

Posted: Tue Dec 02, 2014 6:02 pm
by WzL
OK, sounds like this friend of yours deserves some good slapping for that "Advice" :wink:

So I did some configuration and set up a test lab, and yes, it is true that inter-VLAN routing is on by default. All VLAN clients can connect to each other. Still I'm having trouble blocking specific traffic that is by default routed between different VLANs. Hence, I am planning to implement whitelisting using firewall chains, but I am having trouble understanding how the fw works. Guess I have some reading to do.

Re: Inter-Vlan Routing

Posted: Fri Dec 05, 2014 4:47 pm
by mvdv78
> OK, sounds like this friend of yours deserves some good slapping for that "Advice" :wink:
>
> So I did some configuration and set up a test lab, and yes, it is true that inter-VLAN routing is on by default. All VLAN clients can connect to each other. Still I'm having trouble blocking specific traffic that is by default routed between different VLANs. Hence, I am planning to implement whitelisting using firewall chains, but I am having trouble understanding how the fw works. Guess I have some reading to do.

Thank you for your comment.

So that's strange, because in my test lab inter-VLAN routing is not on by default.
This is my configuration:
Router1:
/interface vlan
add name=VLAN20 vlan-id=20 interface=ether8 disabled=no
add name=VLAN30 vlan-id=30 interface=ether8 disabled=no

Add IP addresses to VLANs:
/ip address
add address=10.10.20.1/24 interface=VLAN20
add address=10.10.30.1/24 interface=VLAN30
Router2:
/interface vlan
add name=VLAN20 vlan-id=20 interface=ether5 disabled=no
add name=VLAN30 vlan-id=30 interface=ether5 disabled=no

Add IP addresses to VLANs:
/ip address
add address=10.10.20.2/24 interface=VLAN20
add address=10.10.30.2/24 interface=VLAN30
--> Now it's possible to ping from router1 to all VLANs on router2, and vice versa.
Router 1 + 2:
/interface bridge
add name=br-vlan20 disabled=no
add name=br-vlan30 disabled=no
Router1:
# bridge each tagged VLAN interface with its untagged access port;
# the port names must match the VLAN interfaces created above (VLAN20/VLAN30)
/interface bridge port
add interface=VLAN20 bridge=br-vlan20 disabled=no
add interface=ether7 bridge=br-vlan20 disabled=no
add interface=VLAN30 bridge=br-vlan30 disabled=no
add interface=ether6 bridge=br-vlan30 disabled=no
Router2:
/interface bridge port
add interface=VLAN20 bridge=br-vlan20 disabled=no
add interface=ether4 bridge=br-vlan20 disabled=no
add interface=VLAN30 bridge=br-vlan30 disabled=no
add interface=ether3 bridge=br-vlan30 disabled=no
# note: once VLAN20/VLAN30 are bridge ports they become slave interfaces and the
# /ip address entries bound to them are marked invalid; the addresses belong on
# br-vlan20/br-vlan30 instead
--> When I connect a device on ether7 (router1) with IP 10.10.20.20, and my laptop on ether4 (router2), they can communicate with each other.
--> But when I connect a device on ether6 (router1) with IP 10.10.30.30 and my laptop is still on ether4 (router2), communication is not working.
Router1:
/ip firewall filter
add chain=forward action=accept src-address=10.10.20.0/24 dst-address=10.10.30.0/24
add chain=forward action=accept src-address=10.10.30.0/24 dst-address=10.10.20.0/24
--> Now it's possible to ping between VLANs, so inter-VLAN routing is working.

But I'm wondering, because when I look at the following guide:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples
Section: InterVLAN Routing
This configuration is much different from my config.
Can somebody explain the difference and whether my configuration is correct :D

What's my goal:
- Management VLAN
- Default VLAN for home network (Wifi / LAN)
- Guest Wifi VLAN
- DMZ

So isolation through VLANs, but inter-VLAN routing between the VLANs, with firewall rules so that only specific traffic from one VLAN to another is accepted.

Any help is very welcome 8)
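The whitelist approach the last posts circle around, as an added example that is not the poster's configuration: one routing device terminates the four VLANs from the goal list, the router itself accepts management only from the management VLAN, only the listed VLAN-to-VLAN flows are forwarded, and traffic toward the WAN is left to the default accept. RouterOS v6 syntax; the VLAN ids, subnets and the trunk port ether8 are assumptions.

```routeros
# Added example, not from the thread: whitelist-style inter-VLAN firewall on the
# routing device ("Router1"), RouterOS v6 syntax. The four VLANs follow the
# poster's goal list; VLAN ids, subnets and the trunk port ether8 are assumptions.
/interface vlan
add name=VLAN10-mgmt  vlan-id=10 interface=ether8
add name=VLAN20-home  vlan-id=20 interface=ether8
add name=VLAN30-guest vlan-id=30 interface=ether8
add name=VLAN40-dmz   vlan-id=40 interface=ether8

/ip address
add address=10.10.10.1/24 interface=VLAN10-mgmt
add address=10.10.20.1/24 interface=VLAN20-home
add address=10.10.30.1/24 interface=VLAN30-guest
add address=10.10.40.1/24 interface=VLAN40-dmz

# Address lists name each subnet once; "lan" is the union used by the catch-all drop.
/ip firewall address-list
add list=mgmt  address=10.10.10.0/24
add list=home  address=10.10.20.0/24
add list=guest address=10.10.30.0/24
add list=dmz   address=10.10.40.0/24
add list=lan   address=10.10.10.0/24
add list=lan   address=10.10.20.0/24
add list=lan   address=10.10.30.0/24
add list=lan   address=10.10.40.0/24

/ip firewall filter
# input chain: traffic aimed at the router itself. Management only from the mgmt VLAN.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=mgmt comment="Winbox/SSH/web only from the management VLAN"
add chain=input action=accept protocol=udp dst-port=67 comment="DHCP discover arrives with src 0.0.0.0, so no list match"
add chain=input action=accept protocol=udp dst-port=53 src-address-list=lan comment="DNS from any VLAN"
add chain=input action=accept protocol=icmp src-address-list=lan
add chain=input action=drop comment="everything else aimed at the router"

# forward chain: inter-VLAN routing is on by default, so accept only the listed
# flows between VLANs and drop every other VLAN-to-VLAN packet. Packets leaving for
# the WAN have a destination outside "lan", miss the catch-all and still pass.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address-list=mgmt dst-address-list=lan comment="mgmt reaches every VLAN"
add chain=forward action=accept src-address-list=home dst-address-list=dmz protocol=tcp dst-port=80,443 comment="home -> DMZ web only"
add chain=forward action=drop src-address-list=lan dst-address-list=lan log=yes log-prefix="vlan-drop" comment="all other inter-VLAN traffic"
```

The logged catch-all shows in /log which inter-VLAN flows still need an explicit accept rule above it; NAT for the WAN and any rules a factory default firewall already installs are left out here.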