clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 2:23 pm

Can anybody help me setup my new MikroTik Hex S?

I'm switching router to MikroTik Hex S, coming from a Freshtomato flashed ASUS router. The ASUS wireless router was only being used wired and is mostly a heater for the cabinet it's in. Also, because of added devices in the router cabinet, I wished to switch to a wired router and a separate POE switch, keeping the number of power plugs in check and keeping the cabinet neat and tidy.

Because I managed to have below setup working with the Freshtomato router I thought I'd be "advanced" enough to handle this setup in MikroTik but obviously I was sorely mistaken. The elements in WinBox GUI all look familiar, but it still all feels very foreign and I'm not getting anything working the way I'd like to. Any help very, very much appreciated. Really. Very, Much. Appreciated.

In addition to below pic I'd like to add:
- All LAN devices (irrespective of VLAN) are allowed to see each other and interact. VLAN is solely for the purpose of choosing regular or adblocked wireless experience.
- Note default WAN port ETH1 should be used as LAN port (for purpose of POE), ETH2 can be WAN.
- There needs to be some kind of intercept rule so that VLAN20 uses the PiHole DNS no-matter-what the application on VLAN20 is trying to do (i.e. for apps with hardcoded DNS).
- For the rest just regular Firewall / NAT / UPnP.
- At the moment no desire for traffic shaping, packet inspection, QOS etc.
Screenshot 2022-10-18 130410.jpg
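For the "intercept rule" item above: in RouterOS terms this is a dst-nat redirect of outbound DNS leaving the VLAN20 interface to the Pi-hole, so a hard-coded resolver in an app still ends up at the Pi-hole. The following is an added example and not configuration from this thread; it assumes a VLAN interface named vlan20 with subnet 192.168.20.0/24 already exists on the router and that the Pi-hole sits at 192.168.88.5 on the main LAN (both constructed values).

```routeros
# Added example (not from the thread). Assumptions: vlan20 exists as a VLAN
# interface with 192.168.20.0/24, Pi-hole listens at 192.168.88.5 (constructed).

# 1. Well-behaved clients: hand VLAN20 the Pi-hole as resolver via DHCP.
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.88.5 \
    comment="VLAN20 adblocked: Pi-hole as resolver"

# 2. Everyone else: any DNS query from VLAN20 that is addressed to some other
#    resolver is rewritten to the Pi-hole. Queries already going to the
#    Pi-hole are excluded so they are not NATed a second time.
/ip firewall nat
add chain=dstnat in-interface=vlan20 protocol=udp dst-port=53 \
    dst-address=!192.168.88.5 action=dst-nat to-addresses=192.168.88.5 \
    comment="VLAN20: redirect UDP DNS to Pi-hole"
add chain=dstnat in-interface=vlan20 protocol=tcp dst-port=53 \
    dst-address=!192.168.88.5 action=dst-nat to-addresses=192.168.88.5 \
    comment="VLAN20: redirect TCP DNS to Pi-hole"

# 3. DNS over TLS (tcp/853) cannot be redirected to a plain-DNS Pi-hole, so
#    drop it from VLAN20; clients then fall back to port 53 and get caught
#    by the rules above. The default forward chain only accepts
#    established/related before this point, so a new SYN reaches this rule.
/ip firewall filter
add chain=forward in-interface=vlan20 protocol=tcp dst-port=853 action=drop \
    comment="VLAN20: no DoT bypass of the Pi-hole"

# 4. Verify: a lookup against a foreign resolver should still be answered
#    by the Pi-hole, visible as a dstnat entry in the connection table.
/ip firewall connection print where dst-address~"192.168.88.5:53"
```

The DHCP option covers clients that honour it; the nat rules catch the ones with a hard-coded resolver. Only plain DNS on port 53 can be redirected this way: DNS over HTTPS shares port 443 with ordinary web traffic and is not distinguishable by a port rule. If the Pi-hole were placed in the same subnet as the VLAN20 clients, an additional srcnat masquerade on the redirected packets would be needed so that replies come back through the router instead of going straight to the client.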
 
rextended
Forum Guru
Posts: 9479
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 2:51 pm

VLAN 1?
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 3:22 pm

VLAN 1, as in, the default VLAN? Otherwise I'm not getting your comment...
 
anav
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 3:39 pm

VLAN1 in MT is best left working behind the scenes and not used for data so change vlan1 to vlan11 and we can make progress.

As far as the config goes, lets talk requirements and not presume your solution approach is the right answer, it could be, but best to explore the true requirements first.

It seems so far that you have ONE LAN and are desiring two different WLANs, one for ad-blocked traffic and one for open traffic.

The users decide which WIFI they connect to and thus whether or not they get ad-blocked internet?
Which begs the question, why would some choose one or the other???
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 4:19 pm

Thanks for your reply. Most of the time ad-blocked works well, but sometimes the adblocker "breaks" a site and then it is just convenient to be able to switch the wifi.

The WAP can be configured to have a VLAN per SSID. Can not configure separate DNS in the WAP. So this has to be done at the router, hence the use of VLAN that determines the DNS.

EDIT: this is just a home use situation, and I'm not aspiring to be a pro networker. Hence I'm comfortable with running one switch to another switch, and have only one switch connect to the router. The switches have a lot more total bandwidth than the MikroTik. Also, not sure what good a separate MT VLAN would do me in a home situation?

EDIT 2: I should manage to change the default WAN port with help from this post: viewtopic.php?t=135396
 
anav
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 5:43 pm

Understood, what is the make and model of the APs? I have at times up to 10 vlans at my home.
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 8:53 pm

2 WAP's, Unifi AC Lite, controlled by Unifi controller running on the Raspberry.
 
Buckeye
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 10:01 pm

I assume by "vlan 1" you mean that the trunk port from the router to the PoE switches carries vlan 1 untagged (what cisco would call the native vlan), and vlan 20 is tagged.

Are those PoE switches managed or just vlan-transparent? I ask because there are PoE switches that are not managed. If they are vlan-transparent but not managed, and the access points and the router are the only vlan-aware devices, using a trunk with native vlan will be a requirement.

The MikroTik terminology for a trunk link with an active vlan using untagged frames (an active native vlan) is a "Hybrid" (or a port connecting to a vlan trunk link with an active native untagged vlan is referred to as a "Hybrid Port").

Bookmark @anav's New User Pathway To Config Success thread. It has links to useful info. See section C for info about vlan-filtering bridge.

Note: @anav does not like using vlan 1 for anything. It is possible to use another vlan and still untag it at the port going to the switch, although that is not a requirement (you can use the base interface for access to the "untagged" or native vlan).

What do you plan to use the other ports on the hEX S for?
 
Buckeye
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 10:06 pm

2 WAP's, Unifi AC Lite, controlled by Unifi controller running on the Raspberry.
You can get this to work with your hEX S. At home I am using an ER-X with two UAP-AC-LR and a Raspberry Pi "UniPi" running the UniFi controller. I also have a hEX S in my home lab, and for the application you have, it can do what the ER-X can do, both are based on the same underlying SoC (system on a chip), the MediaTek MT7621A.
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 10:48 pm

I assume by "vlan 1" you mean that the trunk port from the router to the PoE switches carries vlan 1 untagged (what cisco would call the native vlan), and vlan 20 is tagged.

Are those PoE switches managed or just vlan-transparent?

The switches are what Netgear calls "plus", which is "sort of" managed. I can configure VLAN 802.1Q which allows me to tag, untag, exclude VLAN ID's per port.

What do you plan to use the other ports on the hEX S for?
For now, no other use. Just ether1 for POE + LAN and ether2 for WAN. Only use I can think of for the other ports on the Hex S is that I could use ether1 for LAN (ground floor switch) and ether3 for LAN (switch on second floor), but I'm not sure about the switching bandwidth of the HEX S. Might be better to leave the switching to the Netgears.
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 10:58 pm

Are those PoE switches managed or just vlan-transparent? I ask because there are PoE switches that are not managed. If they are vlan-transparent but not managed, and the access points and the router are the only vlan-aware devices, using a trunk with native vlan will be a requirement.
The switches won't be a problem. I have the exact setup in the drawing working, but with a different router flashed with Freshtomato. Reason for getting the hEX S is so I can power over POE, free a power socket that I need for another device that will be introduced in the router cabinet soon. So I don't need to add a power strip in the router cabinet, and keep things tidy. I guess you could say that the reason for switching from Freshtomato router (working setup) to hEX S (anybody's guess if I can get this to work, not without outside help that's for sure) is a combination of boredom, curiosity and a mild case of keeping-things-tidy-OCD.
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Tue Oct 18, 2022 11:55 pm

So, first step: set ether1 to LAN, set ether2 to WAN, with PPPoE configured. Not testing on actual WAN yet, just to check if I can POE on ether1 and still access the device. ISP incoming internet is on VLAN6.

- Did I do OK with what I intended for ether1 (LAN) and ether2 (WAN)?
- is the PPPoE configured correctly?
- are the firewall rules set OK?
# jan/02/1970 02:13:10 by RouterOS 7.6
# software id = 6QLC-S57X
#
# model = RB760iGS
# serial number = H**********
/interface bridge
add admin-mac=18:FD:74:79:02:93 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-WAN
/interface vlan
add interface=ether2-WAN name=vlan6_ISP vlan-id=6
/interface pppoe-client
# the ISP delivers internet on VLAN 6 (see above), so the PPPoE client has to
# run on the vlan6_ISP interface rather than on the untagged ether2-WAN port
add add-default-route=yes disabled=no interface=vlan6_ISP name=pppoe-out1 \
    use-peer-dns=yes user=********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add disabled=yes interface=ether2-WAN
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by clem on Wed Oct 19, 2022 9:48 pm, edited 1 time in total.
 
Buckeye
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Newbie setting up WAN / LAN / VLANs

Wed Oct 19, 2022 12:03 am

Only use I can think of for the other ports on the Hex S is that I could use ether1 for LAN (ground floor switch) and ether3 for LAN (switch on second floor), but I'm not sure about the switching bandwith of the HEX S. Might be better to leave the switching to the Netgears.
I have several Netgear GS908E switches I got at the EOS selloff on Amazon (it's over, it was Jan 2020).

If the first switch is "right next to" the hEX S, and you don't want the remaining extra ports on the hEX S to act as "extensions" to the other switches, you could let everything be done on the Netgear switches.

However, if you are running a recent version of RoS on the hEX S (v7.4 or later has most bridge related enhancements/bug fixes), the switch ASIC in the MediaTek MT7621A SoC the hEX S is based on is now fully supported for vlans. This means that for traffic within the same vlan, where routing is not needed, traffic between hEX S ports in the same vlan will not ever even hit the CPU, and will be processed at wire speed (including untagging/tagging on different ports). But for that to work, you must use a single bridge with the vlans created under it and use vlan-filtering to keep the vlans distinct.

MikroTik, like most vendors, has its own way(s) to configure vlans. On the hEX S, I have used the vlan-filtering bridge and it works and for traffic between ports in the same vlan, the only CPU usage is minimal, and that is primarily related to RSTP and discovery. But my usage is primarily in a lab situation and I am not using any special features like igmp snooping, etc. so I can't talk to that requirement.

One thing to be aware of, if you plan to extend mDNS devices across your vlans, is that MikroTik ROS does not support mDNS reflection/repeater/gateway functionality, and currently has no plans to. mDNS repeater feature So if you need that functionality, you will need to load the vlan package on your Raspberry Pi, and then run something like avahi for the mDNS repeater. mDNS / Bonjour thourgh WLAN and VLAN
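The single vlan-filtering bridge with ether1 as a hybrid port, as described in the post above, put together as an added example (not configuration from the thread or from any participant). Assumptions: the untagged "main" LAN becomes VLAN 11, as anav suggested instead of VLAN 1; the ad-blocked WLAN is VLAN 20; ether1 is the trunk to the Netgear PoE switch carrying VLAN 11 untagged and VLAN 20 tagged; the subnets 192.168.11.0/24 and 192.168.20.0/24 and the Pi-hole address 192.168.11.5 are constructed placeholders.

```routeros
# Added example (not from the thread). Assumptions: VLAN 11 = untagged main
# LAN, VLAN 20 = tagged adblocked WLAN, ether1 = hybrid trunk to the switch,
# subnets and the Pi-hole address are constructed.

# VLAN interfaces sit on the bridge (not on ether1) so that same-VLAN
# traffic between bridge ports is handled by the switch chip, not the CPU.
/interface vlan
add interface=bridge name=vlan11 vlan-id=11 comment="main LAN, untagged on ether1"
add interface=bridge name=vlan20 vlan-id=20 comment="adblocked WLAN, tagged on ether1"

# ether1 as hybrid port: untagged frames are classified into VLAN 11 (pvid),
# frames tagged 20 are admitted as well; anything else is dropped at ingress.
/interface bridge port
set [ find interface=ether1 ] pvid=11 ingress-filtering=yes frame-types=admit-all

# Bridge VLAN table. The bridge itself is a tagged member of both VLANs so
# the router keeps an IP address (and management access) in each.
/interface bridge vlan
add bridge=bridge vlan-ids=11 untagged=ether1 tagged=bridge
add bridge=bridge vlan-ids=20 tagged=ether1,bridge

# Addresses and DHCP per VLAN.
/ip address
add address=192.168.11.1/24 interface=vlan11
add address=192.168.20.1/24 interface=vlan20
/ip pool
add name=pool-vlan11 ranges=192.168.11.10-192.168.11.254
add name=pool-vlan20 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=dhcp-vlan11 interface=vlan11 address-pool=pool-vlan11
add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=192.168.11.1 \
    comment="main LAN: router resolves"
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.11.5 \
    comment="adblocked WLAN: Pi-hole resolves (placeholder address)"

# Both VLAN interfaces join the LAN list, so the existing input rule
# "drop all not coming from LAN" keeps admitting DHCP/DNS/Winbox from them.
/interface list member
add interface=vlan11 list=LAN
add interface=vlan20 list=LAN

# Enable filtering last, only once the VLAN table above is complete:
# turning it on with a port or the bridge missing from the table cuts
# that VLAN off, including your own management session.
/interface bridge
set bridge vlan-filtering=yes

# Check the result: every VLAN should list ether1 and the bridge as expected,
# and the hardware-offload column should show H for ether1.
/interface bridge vlan print
/interface bridge port print
```

The export posted earlier still has the default 192.168.88.1 address and DHCP server on the bridge interface itself; once vlan11 carries the LAN those should be moved to vlan11 or removed, otherwise the router answers DHCP on the bridge for frames that now belong to VLAN 11. Make the change over a MAC-Winbox or serial session rather than over the IP you are about to renumber.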
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Wed Oct 19, 2022 9:47 pm

Thanks for the reply! No idea what mDNS is for, cross that bridge when I get there.

About the config in my last post, can you confirm
- Did I do OK with what I intended for ether1 (LAN) and ether2 (WAN)?
- is the PPPoE configured correctly?
- are the firewall rules set OK? (like, default, on the correct interface)

Thanks for any feedback, anybody!

If this is OK I'll continue with VLANs (unless anybody has better ideas), setting up some port forwarding and Upnp.
 
Buckeye
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Newbie setting up WAN / LAN / VLANs

Wed Oct 19, 2022 10:28 pm

No idea what mDNS is for, cross that bridge when I get there.
I am not sure if you meant that as a pun or not. The point is mDNS will cross a bridge, but not a router.
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Wed Oct 19, 2022 11:55 pm

I'm not half as smart as you thought I was in that moment.

What do you think of the config, can I continue to next steps?
 
Buckeye
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Newbie setting up WAN / LAN / VLANs

Thu Oct 20, 2022 5:22 am

Because I am only using my hEX S in a lab environment behind a firewall on my ER-X, and I understand EdgeOS/vyatta firewall much better than ROS, I don't feel qualified to analyze your firewall. It appears to be close to the "default config". I also have never used pppoe on either ROS or EdgeOS/vyatta, so can't provide too much info there either.

What I would do if I were you would be to configure a windows PC with the "public" firewall (where it is less trusting than the "private" template), make sure you have created a new admin user with a strong password on the hEX S, then log in with the new user and at least disable the "stock" admin username.

Then with only the single windows PC connected to the hEX S LAN (ether1), connect the WAN to ether2 and then verify that you can access web sites from the PC. Because pppoe consumes part of the standard 1500 byte MTU, the pppoe interface will have an MTU of 1492, and that may cause issues with some sites, if you don't use mss clamping. I am not sure if that is done by default or not on the ROS, but I don't see anything in your config with either "mtu" or "mss".

But I would try to get your internet connection working with a single PC before trying to tackle the rest.

@anav has a good thread with helpful links about initial configuration New User Pathway To Config Success and he can perhaps scan your config and make suggestions.
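The two preparations suggested above, a replacement admin account before the WAN goes live and MSS clamping for the 1492-byte PPPoE MTU, written out as an added example (not configuration from the thread or from any participant). It assumes the PPPoE interface is named pppoe-out1 as in the export and that the LAN is still 192.168.88.0/24; the account name and password are placeholders to replace.

```routeros
# Added example (not from the thread). Assumptions: PPPoE interface is
# pppoe-out1, LAN is 192.168.88.0/24, account name/password are placeholders.

# 1. Create a new full-rights user, log in as that user, and only then
#    disable the stock "admin" account so a failed login attempt on the
#    well-known name cannot succeed.
/user
add name=clem-admin group=full password="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE" \
    comment="primary admin; stock admin disabled afterwards"
# run this from a session logged in as clem-admin:
disable admin

# 2. Management services: only from the LAN, cleartext ones switched off.
#    The default input filter already drops non-LAN traffic; this is the
#    second layer in case that rule is ever edited.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# 3. MSS clamping. PPPoE leaves a 1492-byte MTU, so the TCP MSS advertised
#    in SYNs crossing the link is reduced to what fits; otherwise remote
#    hosts may send 1500-byte segments that stall on sites blocking ICMP
#    fragmentation-needed. Only SYNs are matched, and a SYN is a "new"
#    connection, so the fasttrack rule (established,related) does not
#    bypass this rule.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="clamp outbound TCP MSS to PPPoE PMTU"
add chain=forward protocol=tcp tcp-flags=syn in-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="clamp inbound TCP MSS to PPPoE PMTU"

# 4. Check: the interface MTU should read 1492 and the two mangle rules
#    should show packet counters climbing once browsing starts.
/interface pppoe-client monitor pppoe-out1 once
/ip firewall mangle print stats
```

RouterOS can also do this clamping automatically through the PPP profile option change-tcp-mss; the pppoe-client in the export uses the "default" profile, so check its value with /ppp profile print before adding the manual rules, and keep one mechanism only. The explicit mangle rules are the visible form of the same operation and are the ones to look for when a site loads partially but others work.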
 
clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

Re: Newbie setting up WAN / LAN / VLANs

Thu Oct 20, 2022 1:55 pm

Understand your suggestion about connecting a single PC, however other people in the household also like their internet. And with my limited knowledge, I wouldn't know if things are setup correctly even with internet working.

The link you mentioned earlier, I didn't miss it! Thx for that.

Mss clamping. OK.... :shock: :shock: The plot thickens. Starting to consider if I should look for other options for a decent wired-only router :D
