 
cor5air
just joined
Topic Author
Posts: 6
Joined: Mon Sep 26, 2022 10:24 pm

VLAN no IP via DHCP

Sat Oct 01, 2022 2:01 pm

Hello,

I am new to RouterOS and am trying to physically separate two networks with VLANs.

The goal is to later provide separate networks for different apartments (guests), which all use the same internet connection. I have decided to work with VLANs to separate the networks cleanly and securely.

Now I have started to set up a simple test scenario to familiarise myself with the topic of VLANs.
I have read various tutorials and watched YouTube videos, but the configuration options seem to be complex.

I am using an RB2011iL-RM.
APs and clients are to be connected directly to this device.
There are no other switches or similar.

I would like to map the following test scenario:

Port 3, 4 --> no VLAN, but a common IP range via DHCP.
Port 5, 6, 7 --> VLAN ID 10 (Private) and a shared IP range via DHCP.
Port 8, 9, 10 --> VLAN ID 45 (Guest) and a shared IP range via DHCP

In my configuration I have set up bridges for ports 3,4 // 5,6,7 and 8,9,10.
In the Interfaces --> VLANs section I have defined VLANs for Private (ID10) and Guest (ID45) and assigned them to the bridge interfaces.

Under IP --> Addresses I have configured the corresponding addresses and assigned them to the VLAN interfaces, or for port 3,4 to the bridge.

DHCP with address ranges is configured and assigned to the VLAN interfaces.
The DHCP for port 3,4 is assigned to the bridge.

Now I get an IP from the DHCP with my Windows client when I connect to port 3 or port 4. Very good!

If I connect my Windows client to one of the ports that are assigned to a VLAN, I do not get an IP address from the DHCP.

This is where I need help. What is wrong with my configuration?

I have read that ports to which clients are to be directly connected must be "untagged".
Then I also created the VLANs in the Bridges --> VLAN area and the corresponding ports as "untagged".

Unfortunately without success. I am grateful for any tips at this point.

Greetings

# sep/30/2022 19:44:36 by RouterOS 7.4.1
# software id = 7V5K-7VZN
#
# model = RB2011iL
/interface bridge
add frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no \
    name=bridge-Guest pvid=45 vlan-filtering=yes
add admin-mac=18:FD:74:19:40:D1 auto-mac=no name=bridge-Other
add frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no \
    name=bridge-Private pvid=10 vlan-filtering=yes
/interface vlan
add interface=bridge-Private name=vlan-10-Private vlan-id=10
add interface=bridge-Guest name=vlan-45-Guest vlan-id=45
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-Pool-Other ranges=192.168.88.50-192.168.88.200
add name=DHCP-Pool-Private ranges=192.168.10.50-192.168.10.200
add name=DHCP-Pool-Guest ranges=192.168.45.50-192.168.45.200
/ip dhcp-server
add address-pool=DHCP-Pool-Other interface=bridge-Other name=DHCP-Other
add address-pool=DHCP-Pool-Private interface=vlan-10-Private name=\
    DHCP-Private
add address-pool=DHCP-Pool-Guest interface=vlan-45-Guest name=DHCP-Guest
/interface bridge port
add bridge=bridge-Other comment=defconf interface=ether4
add bridge=bridge-Other interface=ether3
add bridge=bridge-Private interface=ether5
add bridge=bridge-Private interface=ether6
add bridge=bridge-Private interface=ether7
add bridge=bridge-Guest interface=ether8
add bridge=bridge-Guest interface=ether9
add bridge=bridge-Guest interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN-Privat
/interface bridge vlan
add bridge=bridge-Private untagged=ether5,ether6,ether7 vlan-ids=10
add bridge=bridge-Guest untagged=ether8,ether9,ether10 vlan-ids=45
/ip address
add address=192.168.88.1/24 interface=bridge-Other network=192.168.88.0
add address=192.168.10.1/24 interface=vlan-10-Private network=192.168.10.0
add address=192.168.45.1/24 interface=vlan-45-Guest network=192.168.45.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-none=yes gateway=192.168.10.1
add address=192.168.45.0/24 dns-none=yes gateway=192.168.45.1
add address=192.168.88.0/24 dns-none=yes gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN-Privat
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN-Privat
/tool mac-server
set allowed-interface-list=LAN-Privat
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Privat
 
tdw
Forum Guru
Posts: 1554
Joined: Sat May 05, 2018 11:55 am

Re: VLAN no IP via DHCP

Sat Oct 01, 2022 5:39 pm

The Mikrotik VLAN setup does have a steep learning curve, and it isn't helped by various changes which have been made to RouterOS over the years - historically you had to use a bridge per network/VLAN until VLAN-aware bridges were introduced.

The main issue with your setup is you have configured the bridge-to-CPU interfaces to be untagged by using the bridge pvid= setting, but also attaching VLANs with the same ID to the bridge interfaces.

In most cases the current recommended method is to use a single VLAN-aware bridge, unfortunately there are many blogs and videos on the internet which use the old method, are incomplete, or just wrong. There is an excellent post viewtopic.php?t=143620 and the documentation https://help.mikrotik.com/docs/display/ ... NFiltering as a starting point, plus viewtopic.php?t=173692 explaining the multiple personalities a Mikrotik bridge has.
 
cor5air
just joined
Topic Author
Posts: 6
Joined: Mon Sep 26, 2022 10:24 pm

Re: VLAN no IP via DHCP

Sat Oct 01, 2022 5:54 pm

Hey, thanks a lot for your answer.

Today I looked into the topic a bit more and also noticed that the Mikrotik tutorials all just create a bridge and define the VLANs in it.

I looked at the example "Router-Switch-AP (all in one)" and reduced the complexity to an absolute minimum - in my opinion.

No wireless, no firewall, only 2 ports, 2 VLANs, 2 DHCP servers.

But without success :(

I reset the configuration of my router and created the following settings based on the example - just for testing.


I do not get an IP with my Windows client on ports 6 and 7 via the DHCP...
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

# ingress behavior
/interface bridge port

# Blue VLAN
add bridge=BR1 interface=ether6 pvid=80

# Green VLAN
add bridge=BR1 interface=ether7 pvid=90

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=80]
set bridge=BR1 tagged=BR1 [find vlan-ids=90]


# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=80
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=90
/ip address add interface=GREEN_VLAN address=10.0.20.1/24
/ip pool add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]


# Turn on VLAN mode
/interface bridge set BR1 vlan-filtering=yes
 
cor5air
just joined
Topic Author
Posts: 6
Joined: Mon Sep 26, 2022 10:24 pm

Re: VLAN no IP via DHCP

Sat Oct 01, 2022 5:55 pm

# jan/02/1970 00:06:44 by RouterOS 7.4.1
# software id = 7V5K-7VZN
#
# model = RB2011iL
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BLUE_VLAN vlan-id=80
add interface=BR1 name=GREEN_VLAN vlan-id=90
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=80
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=90
/ip address
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
 
tdw
Forum Guru
Posts: 1554
Joined: Sat May 05, 2018 11:55 am

Re: VLAN no IP via DHCP

Sat Oct 01, 2022 7:31 pm

It looks as though when @pcunite reworked the Router-Switch-AP config some errors crept in as

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=80]
set bridge=BR1 tagged=BR1 [find vlan-ids=90]


only works if the bridge VLANs already exist. If you add the following to your configuration it should fix it:

/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=80
add bridge=BR1 tagged=BR1 vlan-ids=90
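As an added illustration (not code from this thread or from MikroTik), the following Python linter parses a RouterOS export and flags the two mistakes diagnosed above: a VLAN id used as a bridge's own pvid underneath an /interface vlan of the same id (the first config), and an /interface vlan or access-port pvid that has no /interface bridge vlan entry with the bridge itself tagged (the reduced test config, where the tutorial's `set ... [find]` lines matched nothing). Both sample exports are constructed from the configs posted above; the problem strings and section handling are the linter's own.

```python
"""Lint a RouterOS export for the bridge-VLAN mistakes discussed in this thread."""
import shlex

# Constructed sample 1 (pattern of the first config): one bridge per VLAN, the VLAN id
# used as the bridge's own pvid, and an /interface vlan of the same id on top of it.
BRIDGE_PER_VLAN = """\
/interface bridge
add name=bridge-Private pvid=10 vlan-filtering=yes
/interface vlan
add interface=bridge-Private name=vlan-10-Private vlan-id=10
/interface bridge vlan
add bridge=bridge-Private untagged=ether5 vlan-ids=10
"""

# Constructed sample 2 (the reduced single-bridge test): the tutorial's
# `set ... [find vlan-ids=80]` lines matched nothing, so the bridge vlan table is empty.
SINGLE_BRIDGE = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BLUE_VLAN vlan-id=80
add interface=BR1 name=GREEN_VLAN vlan-id=90
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether6 pvid=80
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether7 pvid=90
"""

# The fix proposed in the thread, to be appended to sample 2.
BRIDGE_VLAN_FIX = """\
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=80
add bridge=BR1 tagged=BR1 vlan-ids=90
"""

PVID_ON_BRIDGE = "bridge pvid equals the /interface vlan id, so the CPU port is an untagged member"
BRIDGE_NOT_TAGGED = "no /interface bridge vlan entry lists the bridge itself as tagged"
PVID_NOT_IN_TABLE = "port pvid has no /interface bridge vlan entry"


def parse_export(text):
    """Return {section: [entry, ...]} with one dict of key=value pairs per `add` line."""
    logical, pending = [], ""
    for raw in text.splitlines():
        # a trailing backslash continues the command on the next, indented line
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    sections, section = {}, None
    for line in logical:
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            # comments and `set [ find ... ]` lines are not analysed
            entry = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections.setdefault(section, []).append(entry)
    return sections


def members(entry, key):
    """Split a comma-separated RouterOS list value into a set."""
    return {m for m in entry.get(key, "").split(",") if m}


def check_vlans(sections):
    """Return sorted (bridge, vlan_id, problem) tuples for every vlan-filtering bridge."""
    findings = set()
    bridges = {b.get("name"): b for b in sections.get("/interface bridge", [])
               if b.get("vlan-filtering") == "yes"}
    # bridge vlan table: (bridge, vid) -> interfaces that carry vid tagged
    tagged = {}
    for e in sections.get("/interface bridge vlan", []):
        for vid in members(e, "vlan-ids"):
            tagged.setdefault((e.get("bridge"), vid), set()).update(members(e, "tagged"))
    # an L3 /interface vlan on the bridge only receives frames that reach the
    # CPU port tagged with its id
    for v in sections.get("/interface vlan", []):
        br, vid = v.get("interface"), v.get("vlan-id")
        if br not in bridges:
            continue
        if bridges[br].get("pvid", "1") == vid:
            findings.add((br, vid, PVID_ON_BRIDGE))
        elif br not in tagged.get((br, vid), set()):
            findings.add((br, vid, BRIDGE_NOT_TAGGED))
    # every access-port pvid must exist in the bridge vlan table
    for p in sections.get("/interface bridge port", []):
        br, vid = p.get("bridge"), p.get("pvid")
        if br in bridges and vid and (br, vid) not in tagged:
            findings.add((br, vid, PVID_NOT_IN_TABLE))
    return sorted(findings)


if __name__ == "__main__":
    for text in (BRIDGE_PER_VLAN, SINGLE_BRIDGE, SINGLE_BRIDGE + BRIDGE_VLAN_FIX):
        print(check_vlans(parse_export(text)) or "OK")
```

Running it on a real `/export` shows the same findings for the two broken configs and nothing once the `add bridge=BR1 tagged=BR1 ...` lines are present.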
 
cor5air
just joined
Topic Author
Posts: 6
Joined: Mon Sep 26, 2022 10:24 pm

Re: VLAN no IP via DHCP

Sat Oct 01, 2022 8:25 pm

Hey,
Thanks a lot for your help! It works.
Now I get an IP from DHCP on the VLAN ports - perfect!

I will now continue testing and transfer the configuration to my planned network.

Thank you very much and have a nice Saturday!
 
sid5632
Long time Member
Posts: 516
Joined: Fri Feb 17, 2017 6:05 pm

Re: VLAN no IP via DHCP

Sun Oct 02, 2022 3:19 am

In most cases the current recommended method is to use a single VLAN-aware bridge, unfortunately there are many blogs and videos on the internet which use the old method, are incomplete, or just wrong.
Yes, many are incomplete or just wrong, INCLUDING THIS ONE. Oh the irony.
I would dispute the use of "most cases" too.

Do not use a single VLAN-aware bridge on a 2011. Performance is crap as everything goes through the CPU.

You need to use the switch chip config on this device.
 
tdw
Forum Guru
Posts: 1554
Joined: Sat May 05, 2018 11:55 am

Re: VLAN no IP via DHCP

Sun Oct 02, 2022 1:29 pm

If the majority of the traffic will undergo NAT or routing then the additional CPU load of VLAN-aware bridging is minimal. Using the switch chips only has a benefit for traffic between ports in the same VLAN, e.g. between a PC and NAS, other than on the very recent models which support L3 hardware offloading. A 2011 should be able to route/NAT around 200-250Mbps.

Also Mikrotiks with multiple switch ports have other issues if you wish to have a VLAN spanning the two switch chips https://wiki.mikrotik.com/wiki/Manual:L ... itch_chips
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN no IP via DHCP

Sun Oct 02, 2022 6:11 pm

It looks as though when @pcunite reworked the Router-Switch-AP config some errors crept in as
It is not an error; it just uses syntax that is confusing to the beginner, is all.

The fact of the matter is that, practically speaking, every vlan pvid has to be tagged to at least one interface on a conf and if not, then has to be tagged to the bridge.
viewtopic.php?p=956155#p956155
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN no IP via DHCP

Sun Oct 02, 2022 6:12 pm

For the @OP, if you post your complete config minus serial number and any public WAN IP info, I will have a look.
 
cor5air
just joined
Topic Author
Posts: 6
Joined: Mon Sep 26, 2022 10:24 pm

Re: VLAN no IP via DHCP

Mon Oct 03, 2022 12:05 am

Hey,
thanks for the further input.
I have completed my configuration further.

It is not in production yet; the Mikrotik is currently still behind my FritzBox. I'm still testing.

The performance issue sounds interesting.
Currently I "only" have a 50Mbit connection to which all apartments / residents with a FritzBox guest access are connected.

I hope to have a 500Mbit fibre connection this year. Each apartment will then have its own AccessPoint. In addition, with a limit of 100/20Mbit, so that one resident cannot use the entire bandwidth.
The private VLAN should have full bandwidth available.

No traffic is planned between the individual VLANs. The networks should be cleanly and securely separated from each other.
I only want to be able to access the APs of the guests from the private VLAN for configuration purposes, if necessary.

Here is my current configuration:
# oct/02/2022 22:53:41 by RouterOS 7.4.1
# software id = 7V5K-7VZN
#
# model = RB2011iL
/interface bridge
add admin-mac=18:FD:74:19:40:D1 auto-mac=no comment=defconf name=\
    bridge-Backupzugang
add ingress-filtering=no name=bridge-VLAN vlan-filtering=yes
/interface vlan
add interface=bridge-VLAN name=vlan-10-WG1 vlan-id=10
add interface=bridge-VLAN name=vlan-20-WG2 vlan-id=20
add interface=bridge-VLAN name=vlan-40-WG4a vlan-id=40
add interface=bridge-VLAN name=vlan-45-WG4b vlan-id=45
add interface=bridge-VLAN name=vlan-60-WG6 vlan-id=60
add interface=bridge-VLAN name=vlan-100-Private vlan-id=100
add interface=bridge-VLAN name=vlan-200-Homeatic vlan-id=200
/interface list
add name=WAN
add name=LAN-Privat
add name=LAN-Mieter
add name=LAN-Internetzugang
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-Pool-Backupzugang ranges=192.168.88.50-192.168.88.200
add name=DHCP-Pool-Private ranges=192.168.100.50-192.168.100.200
add name=DHCP-Pool-WG1 ranges=192.168.10.50-192.168.10.200
add name=DHCP-Pool-WG2 ranges=192.168.20.50-192.168.20.200
add name=DHCP-Pool-WG4a ranges=192.168.40.50-192.168.40.200
add name=DHCP-Pool-WG4b ranges=192.168.45.50-192.168.45.200
add name=DHCP-Pool-WG6 ranges=192.168.60.50-192.168.60.200
add name=DHCP-Pool-Homeatic ranges=192.168.200.50-192.168.200.200
/ip dhcp-server
add address-pool=DHCP-Pool-Backupzugang interface=bridge-Backupzugang name=\
    DHCP-Backupzugang
add address-pool=DHCP-Pool-Private interface=vlan-100-Private lease-time=1d \
    name=DHCP-Private
add address-pool=DHCP-Pool-WG1 interface=vlan-10-WG1 name=DHCP-WG1
add address-pool=DHCP-Pool-WG2 interface=vlan-20-WG2 name=DHCP-WG2
add address-pool=DHCP-Pool-WG4a interface=vlan-40-WG4a name=DHCP-WG4a
add address-pool=DHCP-Pool-WG4b interface=vlan-45-WG4b name=DHCP-WG4b
add address-pool=DHCP-Pool-WG6 interface=vlan-60-WG6 name=DHCP-WG6
add address-pool=DHCP-Pool-Homeatic interface=vlan-200-Homeatic name=\
    DHCP-Homeatic
/queue simple
add max-limit=5M/20M name=queue-Limit4b target=vlan-45-WG4b
add max-limit=20M/98M name=queue-Limit4a target=vlan-40-WG4a
add max-limit=20M/98M name=queue-Limit1 target=vlan-10-WG1
add max-limit=20M/98M name=queue-Limit2 target=vlan-20-WG2
add max-limit=20M/98M name=queue-Limit6 target=vlan-60-WG6
/interface bridge port
add bridge=bridge-Backupzugang comment=defconf interface=ether4
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=100
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=20
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=40
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=45
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=60
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=LAN-Privat
/interface bridge vlan
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=10
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=20
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=40
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=45
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=60
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=100
add bridge=bridge-VLAN tagged=bridge-VLAN vlan-ids=200
/interface ethernet switch vlan
add independent-learning=no ports=ether5 switch=switch1 vlan-id=100
/interface list member
add interface=bridge-Backupzugang list=LAN-Privat
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=vlan-100-Private list=LAN-Privat
add interface=vlan-10-WG1 list=LAN-Mieter
add interface=vlan-20-WG2 list=LAN-Mieter
add interface=vlan-40-WG4a list=LAN-Mieter
add interface=vlan-45-WG4b list=LAN-Mieter
add interface=vlan-60-WG6 list=LAN-Mieter
add interface=bridge-Backupzugang list=LAN-Internetzugang
add interface=vlan-10-WG1 list=LAN-Internetzugang
add interface=vlan-20-WG2 list=LAN-Internetzugang
add interface=vlan-40-WG4a list=LAN-Internetzugang
add interface=vlan-45-WG4b list=LAN-Internetzugang
add interface=vlan-60-WG6 list=LAN-Internetzugang
add interface=vlan-100-Private list=LAN-Internetzugang
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-Backupzugang \
    network=192.168.88.0
add address=192.168.100.1/24 interface=vlan-100-Private network=192.168.100.0
add address=192.168.10.1/24 interface=vlan-10-WG1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan-20-WG2 network=192.168.20.0
add address=192.168.40.1/24 interface=vlan-40-WG4a network=192.168.40.0
add address=192.168.45.1/24 interface=vlan-45-WG4b network=192.168.45.0
add address=192.168.60.1/24 interface=vlan-60-WG6 network=192.168.60.0
add address=192.168.200.1/24 interface=vlan-200-Homeatic network=\
    192.168.200.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.45.0/24 dns-server=192.168.45.1 gateway=192.168.45.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 \
    netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.0/24 list=Router_IPs
add address=192.168.20.0/24 list=Router_IPs
add address=192.168.40.0/24 list=Router_IPs
add address=192.168.45.0/24 list=Router_IPs
add address=192.168.60.0/24 list=Router_IPs
add address=192.168.100.0/24 list=Router_IPs
add address=192.168.200.0/24 list=Router_IPs
add address=192.168.88.0/24 list=Router_IPs
add address=192.168.10.0/24 list=GastAP_IPs
add address=192.168.20.0/24 list=GastAP_IPs
add address=192.168.40.0/24 list=GastAP_IPs
add address=192.168.45.0/24 list=GastAP_IPs
add address=192.168.60.0/24 list=GastAP_IPs
/ip firewall filter
add action=drop chain=input comment="WAN -> Router | Ping verbieten" \
    in-interface-list=WAN protocol=icmp
add action=accept chain=input comment=\
    "Allg. | aufgebaute Verbindung erlauben" connection-state=\
    established,related
add action=accept chain=input comment="Allg. | DNS erlauben" \
    dst-address-list=Router_IPs dst-port=53 protocol=udp
add action=accept chain=input comment="Allg. | DNS erlauben" \
    dst-address-list=Router_IPs dst-port=53 protocol=tcp
add action=accept chain=input comment=\
    "LAN-Privat -> Router | Zugriff auf Router erlauben" in-interface-list=\
    LAN-Privat
add action=drop chain=input comment=\
    "Allg. | Verbindung ohne Verbindungsstatus verbieten"
add action=accept chain=forward comment=\
    "Allg. | Aufgebaute Verbindung erlauben"
add action=accept chain=forward comment=\
    "LAN Privat -> LAN-Mieter | Zugriff auf APs erlauben" dst-address-list=\
    GastAP_IPs in-interface-list=LAN-Privat
add action=accept chain=forward comment=\
    "LAN -> WAN | Internetzugang erlauben" in-interface-list=\
    LAN-Internetzugang out-interface-list=WAN
add action=drop chain=forward comment="Allg. | Alles verbieten"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="WAN -> Router | Ping verbieten" \
    in-interface-list=WAN protocol=icmpv6
add action=accept chain=input comment=\
    "Allg. | aufgebaute Verbindung erlauben" connection-state=\
    established,related
add action=accept chain=input comment="WAN -> Router | DHCP f\FCr Router" \
    dst-port=546 in-interface-list=WAN protocol=udp src-port=547
add action=drop chain=input comment="Allg. | ung\FCltige Pakete verwerfen" \
    connection-state=invalid
add action=drop chain=input comment=\
    "WAN -> Router | externen Verbindungsaufbau verwerfen" connection-state=\
    new in-interface-list=WAN
add action=accept chain=forward comment=\
    "Allg. | aufgebaute PING Verbindungen erlauben" protocol=icmpv6
add action=accept chain=forward comment=\
    "Allg. | aufgebaute Verbindung erlauben" connection-state=\
    established,related
add action=accept chain=forward comment="Allg. | Neue Verbindbung erlauben" \
    connection-state=new in-interface-list=LAN-Internetzugang
add action=drop chain=forward comment="Allg. | ung\FCltige Pakete verwerfen" \
    connection-state=invalid
add action=drop chain=forward comment="WAN -> Router | neue Pakete verwerfen" \
    in-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN-Privat
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Privat
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN no IP via DHCP

Mon Oct 03, 2022 3:55 am

(1) Recommend one bridge, thus take your backupzugang access on ether4, OFF any bridge. Remove it, the dhcp server, the IP pool etc.., all not needed.
Simply have the IP address only. Then you can plug in your laptop at any time to access the router using an IPv4 address on the PC network, ethernet card settings.
Just use 192.168.88.x to access the router, I typically use .5.

This will simplify your config as it gets confusing with extra noise and what looks like a second management vlan or bridge, which it is NOT.
One also removes ether4 from the bridge, so that you have off bridge access that will not be affected by the bridge if it stops working!

(2) Your IP neighbour discovery is for all smart devices that you need to configure beyond the router, so any other devices like smart switches or smart APs......
Therefore the rule you have is the right one!! (privat in your case means trusted subnet aka your management vlan)

(3) All the /interface bridge vlan settings are fine, I just prefer to manually insert the untagging so I can confirm with my /interface bridge port settings. incorrect.

(4) What is the purpose of this, its in conflict with your /interface bridge port settings for ether5 ???
Remove it!!!
/interface ethernet switch vlan
add independent-learning=no ports=ether5 switch=switch1 vlan-id=100


(5) Your interface list membership is BLOATED................. Let's cut the fat.
add interface=bridge-Backupzugang list=LAN-Internetzugang NOT REQUIRED.
Instead just put ether4 on the Private LAN as a member.

There is no difference between your two lists now. The groups are identical for lan and internet and therefore we will get rid of the internet one.......
It appears you have vlan200 going on ether3, but its not part of any interface, so we will see how that works out.
Also add the private vlan to LAN-Mieter, so it can be included in like rules (for internet etc.).

(5) It's actually better to allow ICMP, who told you to block it??
From: add action=drop chain=input comment="WAN -> Router | Ping verbieten" \
in-interface-list=WAN protocol=icmp
TO:
add action=accept chain=input comment="allow ping of router" protocol=icmp

(6) The first rule in your forward chain makes no sense. REMOVE IT....... It allows all access from anywhere to anywhere.
add action=accept chain=forward comment=\
"Allg. | Aufgebaute Verbindung erlauben"


(7) Instead put these as your first three rules in the forward chain!
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid


(8) The next two rules concern allowing the private lan access to all vlans except v200, and all vlans access to internet except v200

add action=accept chain=forward comment=\
"LAN Privat -> all guest vlans except 200" dst-address-list=\
GastAP_IPs in-interface-list=LAN-Privat
add action=accept chain=forward comment=\
"LAN -> WAN | all vlans except 200 " in-interface-list=\
LAN-Mieter out-interface-list=WAN


You could use LAN-Mieter for the first one (out interface list), as there is no harm if v100 is on the same list, and that way you could get rid of the firewall address list GastAP_IPs.

(9) Set to NONE, mac by itself is not encrypted at all.
/tool mac-server
set allowed-interface-list=LAN-Privat

A fixed config is provided.....
...
# model = RB2011iL
/interface bridge
add ingress-filtering=no name=bridge-VLAN vlan-filtering=yes
/interface vlan
add interface=bridge-VLAN name=vlan-10-WG1 vlan-id=10
add interface=bridge-VLAN name=vlan-20-WG2 vlan-id=20
add interface=bridge-VLAN name=vlan-40-WG4a vlan-id=40
add interface=bridge-VLAN name=vlan-45-WG4b vlan-id=45
add interface=bridge-VLAN name=vlan-60-WG6 vlan-id=60
add interface=bridge-VLAN name=vlan-100-Private vlan-id=100
add interface=bridge-VLAN name=vlan-200-Homeatic vlan-id=200
/interface list
add name=WAN
add name=LAN-Privat
add name=LAN-Mieter
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-Pool-Private ranges=192.168.100.50-192.168.100.200
add name=DHCP-Pool-WG1 ranges=192.168.10.50-192.168.10.200
add name=DHCP-Pool-WG2 ranges=192.168.20.50-192.168.20.200
add name=DHCP-Pool-WG4a ranges=192.168.40.50-192.168.40.200
add name=DHCP-Pool-WG4b ranges=192.168.45.50-192.168.45.200
add name=DHCP-Pool-WG6 ranges=192.168.60.50-192.168.60.200
add name=DHCP-Pool-Homeatic ranges=192.168.200.50-192.168.200.200
/ip dhcp-server
add address-pool=DHCP-Pool-Private interface=vlan-100-Private lease-time=1d \
    name=DHCP-Private
add address-pool=DHCP-Pool-WG1 interface=vlan-10-WG1 name=DHCP-WG1
add address-pool=DHCP-Pool-WG2 interface=vlan-20-WG2 name=DHCP-WG2
add address-pool=DHCP-Pool-WG4a interface=vlan-40-WG4a name=DHCP-WG4a
add address-pool=DHCP-Pool-WG4b interface=vlan-45-WG4b name=DHCP-WG4b
add address-pool=DHCP-Pool-WG6 interface=vlan-60-WG6 name=DHCP-WG6
add address-pool=DHCP-Pool-Homeatic interface=vlan-200-Homeatic name=\
    DHCP-Homeatic
/queue simple
add max-limit=5M/20M name=queue-Limit4b target=vlan-45-WG4b
add max-limit=20M/98M name=queue-Limit4a target=vlan-40-WG4a
add max-limit=20M/98M name=queue-Limit1 target=vlan-10-WG1
add max-limit=20M/98M name=queue-Limit2 target=vlan-20-WG2
add max-limit=20M/98M name=queue-Limit6 target=vlan-60-WG6
/interface bridge port
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=100
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=20
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=40
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=45
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=60
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=LAN-Privat
/interface bridge vlan
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether5 vlan-ids=100
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether6 vlan-ids=10
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether7 vlan-ids=20
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether8 vlan-ids=40
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether9 vlan-ids=45
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether10 vlan-ids=60
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether3 vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether4 list=LAN-Privat
add interface=vlan-100-Private list=LAN-Privat
add interface=vlan-100-Private list=LAN-Mieter
add interface=vlan-10-WG1 list=LAN-Mieter
add interface=vlan-20-WG2 list=LAN-Mieter
add interface=vlan-40-WG4a list=LAN-Mieter
add interface=vlan-45-WG4b list=LAN-Mieter
add interface=vlan-60-WG6 list=LAN-Mieter
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-Backupzugang \
    network=192.168.88.0
add address=192.168.100.1/24 interface=vlan-100-Private network=192.168.100.0
add address=192.168.10.1/24 interface=vlan-10-WG1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan-20-WG2 network=192.168.20.0
add address=192.168.40.1/24 interface=vlan-40-WG4a network=192.168.40.0
add address=192.168.45.1/24 interface=vlan-45-WG4b network=192.168.45.0
add address=192.168.60.1/24 interface=vlan-60-WG6 network=192.168.60.0
add address=192.168.200.1/24 interface=vlan-200-Homeatic network=\
    192.168.200.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.45.0/24 dns-server=192.168.45.1 gateway=192.168.45.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 \
    netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.0/24 list=Router_IPs
add address=192.168.20.0/24 list=Router_IPs
add address=192.168.40.0/24 list=Router_IPs
add address=192.168.45.0/24 list=Router_IPs
add address=192.168.60.0/24 list=Router_IPs
add address=192.168.100.0/24 list=Router_IPs
add address=192.168.200.0/24 list=Router_IPs
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ping" protocol=icmp
add action=accept chain=input comment="Allg. | DNS erlauben" \
    dst-address-list=Router_IPs dst-port=53 protocol=udp
add action=accept chain=input comment="Allg. | DNS erlauben" \
    dst-address-list=Router_IPs dst-port=53 protocol=tcp
add action=accept chain=input comment=\
    "LAN-Privat -> Router | Zugriff auf Router erlauben" in-interface-list=\
    LAN-Privat
add action=drop chain=input comment=\
    "Allg. | Verbindung ohne Verbindungsstatus verbieten"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "LAN Privat -> all guest vlans except 200" out-interface-list=\
    LAN-Mieter in-interface-list=LAN-Privat
add action=accept chain=forward comment=\
    "LAN -> WAN | all vlans except 200" in-interface-list=\
    LAN-Mieter out-interface-list=WAN
add action=drop chain=forward comment="Allg. | Alles verbieten"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Privat
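The export above shows how easily a VLAN setup fails silently: a list name misspelled in one place, a port pvid with no matching entry under /interface bridge vlan, or a truncated DHCP gateway all import without complaint and then simply hand out no addresses. As an added example (not from the thread or from MikroTik), this Python checker parses an export and flags those three inconsistencies; SAMPLE is a constructed excerpt that reproduces the defects, and the check names are my own.

```python
import ipaddress
import re
import shlex

# Constructed excerpt modelled on the thread's export, keeping three of its defects.
SAMPLE = r"""/interface list
add name=LAN-Mieter
/interface bridge port
add bridge=bridge-VLAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=45
add bridge=bridge-VLAN interface=ether10 pvid=60
/interface bridge vlan
add bridge=bridge-VLAN tagged=bridge-VLAN untagged=ether9 vlan-ids=45
/ip firewall filter
add action=accept chain=forward comment="LAN -> WAN" in-interface-list=LAN-Metier
/ip dhcp-server network
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60."""

def parse_export(text):
    sections, current = {}, None
    # A trailing backslash continues a command on the next line; join those first.
    for line in (l.strip() for l in re.sub(r"\\\n\s*", " ", text).splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
            continue
        tokens = shlex.split(line)  # keeps quoted comment="..." values as one token
        current.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def check_export(text):
    cfg, findings = parse_export(text), []
    lists = {e["name"] for e in cfg.get("/interface list", [])}
    for e in cfg.get("/interface list member", []) + cfg.get("/ip firewall filter", []):
        for k in ("list", "in-interface-list", "out-interface-list"):
            if k in e and e[k] not in lists:  # misspelled list: the rule never matches
                findings.append(f"undefined interface list {e[k]!r}")
    untagged = {(v.get("vlan-ids"), p) for v in cfg.get("/interface bridge vlan", []) for p in v.get("untagged", "").split(",")}
    for e in cfg.get("/interface bridge port", []):
        if "pvid" in e and (e["pvid"], e["interface"]) not in untagged:  # VLAN never forwards
            findings.append(f"{e['interface']} pvid={e['pvid']} has no untagged bridge vlan entry")
    for e in cfg.get("/ip dhcp-server network", []):  # gateway must parse and sit in its network
        try:
            if ipaddress.ip_address(e["gateway"]) not in ipaddress.ip_network(e["address"]):
                findings.append(f"gateway {e['gateway']} outside {e['address']}")
        except (KeyError, ValueError):
            findings.append(f"malformed gateway/address in network {e.get('address')}")
    return findings
```

Run `check_export` over a real `/export` file's contents; an empty list means the three checks passed.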
 
cor5air
just joined
Topic Author
Posts: 6
Joined: Mon Sep 26, 2022 10:24 pm

Re: VLAN no IP via DHCP

Mon Oct 03, 2022 1:18 pm

Hey,
thanks for your input.
Yes indeed, some things can still be simplified.
It's always good to have someone else take a look at the configuration.

I will take a look at your input this evening and implement it.

Since there was already talk of performance problems here, I did some googling last night.
We will get a 500MBit connection in the course of the year. Do I understand correctly that the RB2011 with NAT and firewall will not be able to use this bandwidth? I read something that a maximum of 250 - 300 MBit would be possible?
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN no IP via DHCP

Mon Oct 03, 2022 2:12 pm

Haha, asking me that is a funny question......It depends who you talk to. Recently some folks were espousing its capabilities if not using filters or queues or anything, just fastpath alone. That describes maybe 1% of people, then throw in the fact that you're asking people to throw money at an old 1-core CPU.......makes one scratch their head, probably down to .01%. They clearly have a tenuous grip on reality :-) and they whine a lot.

For your normal and practical concerns, the clear answer is no. A hex would do the job but you are used to many ports on the router.
An RB4011 would be a good starting place but that is getting a bit old and for the same price, the RB5009 is a better product. Depends upon availability more than anything else.
Check in your area with distributors on lead times......
