broderick
Member Candidate
Topic Author
Posts: 262
Joined: Mon Nov 30, 2020 7:44 pm

Sanity check for my VLAN setup and more

Sat Apr 27, 2024 3:36 pm

Hi,
I reset my hAP ac2 and started to set it up from scratch, implementing my LAN with the VLAN feature. Before I go ahead and set up other fancy stuff on it, like load balancing and PBR, I'd like you to take a look at my setup and tell me if you see anything wrong with it, or if it can be improved. Thanks

Here is my configuration:
# 2024-04-27 14:18:27 by RouterOS 7.14.3
# software id = 5Z4J-31GG
#
# model = RBD52G-5HacD2HnD
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] comment="My PC" name=ether2-access10
set [ find default-name=ether3 ] name=ether3-access10
set [ find default-name=ether4 ] comment=Server name=ether4-access20
set [ find default-name=ether5 ] name=ether5-access30
/interface vlan
add interface=bridge1 name=vlan10-main vlan-id=10
add interface=bridge1 name=vlan20-server vlan-id=20
add interface=bridge1 name=vlan30-guest vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=ap-2.4 \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=motog \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=ap-5 \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=ap-2.4-guest \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=france disabled=no \
    frequency=2437 name=wlan1-WAN2 security-profile=motog ssid="moto g" \
    wps-mode=disabled
set [ find default-name=wlan2 ] country=france disabled=no mode=ap-bridge \
    security-profile=ap-5 ssid=mik5 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
    master-interface=wlan1-WAN2 multicast-buffering=disabled name=wlan3 \
    security-profile=ap-2.4 ssid=mik2 vlan-id=10 wds-cost-range=0 \
    wds-default-cost=1 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
    master-interface=wlan1-WAN2 multicast-buffering=disabled name=wlan4-guest \
    security-profile=ap-2.4-guest ssid=guest vlan-id=30 wds-cost-range=0 \
    wds-default-cost=1 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool3 ranges=172.16.30.100-172.16.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan10-main name=dhcp-vlan10
add address-pool=dhcp_pool2 interface=vlan20-server name=dhcp-vlan20
add address-pool=dhcp_pool3 interface=vlan30-guest name=dhcp-vlan30
/queue simple
add burst-limit=7M/10M burst-threshold=7M/10M burst-time=10s/10s max-limit=\
    5M/8M name=GUEST-Subnet target=172.16.30.0/24
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-access10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-access10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-access20 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-access30 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan4-guest pvid=30
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2-access10 vlan-ids=10
add bridge=bridge1 untagged=ether3-access10 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4-access20 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether5-access30 vlan-ids=30
add bridge=bridge1 untagged=wlan2 vlan-ids=10
add bridge=bridge1 untagged=wlan3 vlan-ids=10
add bridge=bridge1 untagged=wlan4-guest vlan-ids=30
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=wlan1-WAN2 list=WAN
add interface=vlan10-main list=LAN
add interface=vlan20-server list=LAN
add interface=vlan30-guest list=LAN
/ip address
add address=172.16.10.1/24 interface=vlan10-main network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20-server network=172.16.20.0
add address=172.16.30.1/24 interface=vlan30-guest network=172.16.30.0
/ip dhcp-client
add interface=ether1-WAN1 use-peer-dns=no
add interface=wlan1-WAN2 use-peer-dns=no
/ip dhcp-server lease
add address=172.16.10.100 client-id=1:44:8a:5b:c9:fb:7c comment=My-PC \
    mac-address=44:8A:5B:C9:xx:xx server=dhcp-vlan10
add address=172.16.20.10 client-id=\
    ff:cb:39:a:c7:0:2:0:0:ab:11:bf:f9:6a:1b:df:2:97:92 comment=Server \
    mac-address=20:CF:30:17:39:2F server=dhcp-vlan20
add address=172.16.10.11 client-id=1:0:26:ab:39:f3:44 comment=Printer \
    mac-address=00:26:AB:39:F3:44 server=dhcp-vlan10
add address=172.16.30.3 client-id=1:78:ab:bb:4d:24:33 comment=SmartTV \
    mac-address=78:AB:BB:4D:24:33 server=dhcp-vlan30
add address=172.16.10.12 client-id=1:0:c:29:3a:86:fd comment=GNS3 \
    mac-address=00:0C:29:3A:86:FD server=dhcp-vlan10
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.10.1 gateway=172.16.20.1
add address=172.16.30.0/24 dns-server=172.16.10.1 gateway=172.16.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=vlan10-main \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=reject chain=input in-interface-list=LAN log=yes log-prefix=\
    rej_LAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface=vlan10-main out-interface-list=\
    LAN
add action=accept chain=forward comment="Accept Plex" dst-address=\
    172.16.20.10 dst-port=32400 protocol=tcp src-address=172.16.30.3
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow dst-nat from both WAN and LAN (including port forwarding)" \
    connection-nat-state=dstnat
add action=reject chain=forward in-interface-list=LAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!172.16.10.1 dst-port=53 log=yes \
    protocol=udp src-address=!172.16.10.1 to-addresses=172.16.10.1 to-ports=\
    53
add action=dst-nat chain=dstnat dst-address=!172.16.10.1 dst-port=53 log=yes \
    protocol=tcp src-address=!172.16.10.1 to-addresses=172.16.10.1 to-ports=\
    53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=miky
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=\
    "/interface wireless set wlan2 disabled=(![get wlan2 disabled])"
/system scheduler
add interval=30s name=DNSscript on-event="# set variables\r\
    \n:local primaryDNS \"172.16.20.10\";\r\
    \n:local fallbackDNS \"1.1.1.1,8.8.8.8\";\r\
    \n:local currentDNS;\r\
    \n:set \$currentDNS [/ip dns get servers];\r\
    \n#:log warning \"What I got is: \$currentDNS\"\r\
    \n#:log warning \"What I want to see is: \$primaryDNS\"\r\
    \n:do {\r\
    \n:put [resolve google.com server=\$primaryDNS];\r\
    \nif (\$currentDNS!=\$primaryDNS) do={\r\
    \n:log warning \"DNS Failover: Switching to primaryDNS\";\r\
    \n/ip dns set servers \$primaryDNS\r\
    \n} else={}\r\
    \n} on-error={ :set \$currentDNS [/ip dns get servers];\r\
    \nif (\$currentDNS!=\$fallbackDNS) do={\r\
    \n:log error \"DNS Failover: Switching to FallbackDNS\";\r\
    \n/ip dns set servers \$fallbackDNS;\r\
    \n} else={:log info \"Using Failover DNS, Primary Unavailable\"}\r\
    \n}\r\
    \n#try to reach google through the primaryDNS\r\
    \n#if it works and we are on a different DNS, set the DNS server to the pr\
    imaryDNS\r\
    \n#if it works and we are already on the primaryDNS, do nothing\r\
    \n#if we can't reach google and we aren't already on our FallbackDNS, swit\
    ch to fallback\r\
    \n#if we can't reach google through primaryDNS and we are on the fallback,\
    \_log that primaryDNS is unavailable" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-04-26 start-time=14:52:29
/tool mac-server
set allowed-interface-list=none

anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check for my VLAN setup and more

Sat Apr 27, 2024 5:44 pm

The only thing required on the bridge is to give it a name other than bridge, if so inclined, and at some point change vlan-filtering to yes (aka get rid of the frame-types setting and leave that to the bridge ports, as you have done!!)

For each bridge port setting I also add ingress-filtering=yes

Interface bridge vlans needs some work!
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2-access10,ether3-access10,wlan2,wlan3 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4-access20 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether5-access30,wlan4-guest vlan-ids=30


Confused about this....... Why is a wlan associated with WAN?? (okay, wlan1 is the incoming wifi WAN source)

If that is true, then this is wrong.
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
master-interface=wlan1-WAN2 multicast-buffering=disabled name=wlan4-guest \
security-profile=ap-2.4-guest ssid=guest vlan-id=30 wds-cost-range=0 \
wds-default-cost=1 wps-mode=disabled

The guest vlan has no connection to the WAN side of the house............ it needs to have a bridge WLAN as master.
Same issue with WLAN3.

In conclusion, if you're using WLAN1 to terminate an internet connection from some source as a WAN connection (private or public), one cannot use that wlan as a master for bridge-related WLANs.


Other note, I don't see a purpose for this rule???
add action=reject chain=forward in-interface-list=LAN reject-with=\
icmp-admin-prohibited
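An offline sanity check for the kind of bridge VLAN table discussed above, added here as an example and not code posted by anyone in the thread: it parses the /interface bridge port, /interface vlan and /interface bridge vlan sections of a RouterOS export (a constructed excerpt modelled on the thread's config, not broderick's full export) and flags access ports that are not untagged members of their pvid VLAN, VLANs where the bridge itself is not a tagged member (so the router's own vlan interface receives nothing once vlan-filtering is on), and VLANs split over several entries.

```python
import re
from collections import defaultdict

# Constructed RouterOS export excerpt (not the poster's full config): VLAN 10 is
# split over two entries and bridge1 is not tagged on the VLAN 30 entry.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \\
    interface=ether2-access10 pvid=10
add bridge=bridge1 interface=ether3-access10 pvid=10
add bridge=bridge1 interface=wlan4-guest pvid=30
/interface vlan
add interface=bridge1 name=vlan10-main vlan-id=10
add interface=bridge1 name=vlan30-guest vlan-id=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2-access10 vlan-ids=10
add bridge=bridge1 untagged=ether3-access10 vlan-ids=10
add bridge=bridge1 untagged=wlan4-guest vlan-ids=30
"""

def parse_export(text):
    """Map each '/section' header to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", text)  # join RouterOS backslash line continuations
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit(text):
    """Cross-check access ports and L3 VLAN interfaces against the bridge VLAN table."""
    s = parse_export(text)
    untagged, tagged, entries = defaultdict(set), defaultdict(set), defaultdict(int)
    for e in s["/interface bridge vlan"]:
        for vid in e["vlan-ids"].split(","):  # several entries for one VLAN are unioned
            entries[vid] += 1
            untagged[vid] |= set(e.get("untagged", "").split(",")) - {""}
            tagged[vid] |= set(e.get("tagged", "").split(",")) - {""}
    findings = []
    for p in s["/interface bridge port"]:  # an access port must be untagged in its pvid VLAN
        if "pvid" in p and p["interface"] not in untagged[p["pvid"]]:
            findings.append(f"{p['interface']}: pvid {p['pvid']} but not an untagged member")
    for v in s["/interface vlan"]:  # the bridge must be tagged for each router-side VLAN
        if v["interface"] not in tagged[v["vlan-id"]]:
            findings.append(f"{v['name']}: {v['interface']} not tagged for VLAN {v['vlan-id']}")
    for vid, n in entries.items():  # one entry per VLAN is enough
        if n > 1:
            findings.append(f"VLAN {vid}: split over {n} entries, merge into one")
    return findings
```

Run audit() on your own export after `/export` from the router; an empty list means the three checks pass.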
broderick
Member Candidate
Topic Author
Posts: 262
Joined: Mon Nov 30, 2020 7:44 pm

Re: Sanity check for my VLAN setup and more

Sat Apr 27, 2024 7:28 pm

> The only thing required on the bridge is to give it a name other than bridge, if so inclined, and at some point change vlan-filtering to yes (aka get rid of the frame-types setting and leave that to the bridge ports, as you have done!!)

I set it that way to get rid of this "annoying" vlan ID:

[screenshot attachment]

> For each bridge port setting I also add ingress-filtering=yes
Yes, each bridge port is already set this way

> Interface bridge vlans needs some work!
> /interface bridge vlan
> add bridge=bridge1 tagged=bridge1 untagged=ether2-access10,ether3-access10,wlan2,wlan3 vlan-ids=10
> add bridge=bridge1 tagged=bridge1 untagged=ether4-access20 vlan-ids=20
> add bridge=bridge1 tagged=bridge1 untagged=ether5-access30,wlan4-guest vlan-ids=30
Strange. Everything works as expected. I only have ether2 connected at the moment though

> Confused about this....... Why is a wlan associated with WAN?? (okay, wlan1 is the incoming wifi WAN source)
Ether1 as my main WAN. Wlan1 as a backup connection via tethering at the moment

> If that is true, then this is wrong.
> add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:xx:xx:xx \
> master-interface=wlan1-WAN2 multicast-buffering=disabled name=wlan4-guest \
> security-profile=ap-2.4-guest ssid=guest vlan-id=30 wds-cost-range=0 \
> wds-default-cost=1 wps-mode=disabled
>
> The guest vlan has no connection to the WAN side of the house............ it needs to have a bridge WLAN as master.
> Same issue with WLAN3.
> In conclusion, if you're using WLAN1 to terminate an internet connection from some source as a WAN connection (private or public), one cannot use that wlan as a master for bridge-related WLANs.

Yeah, I noticed that when WLAN1 is down, the wifi doesn't work anymore. Is there anything I can do to overcome the issue?

> Other note, I don't see a purpose for this rule???
> add action=reject chain=forward in-interface-list=LAN reject-with=\
> icmp-admin-prohibited

I copy-pasted from an article of yours. Yes, it is useless, there is the drop [all] input rule after it. :-)


Thank you very much
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sanity check for my VLAN setup and more

Sat Apr 27, 2024 7:53 pm

So in summary, the vlan1 thingy is normal and should be there.
I have it in all my configs, not an issue. Don't try and get too fancy. :-)

Your bridge vlan interface setup is not wrong, just not efficient, as it can be stated with fewer rules is all.

Your real problem is that you need more wifi. You need a second device to populate your house with 2.4ghz traffic, as it's currently (on the router) used for WAN and thus not available for LAN.
broderick
Member Candidate
Topic Author
Posts: 262
Joined: Mon Nov 30, 2020 7:44 pm

Re: Sanity check for my VLAN setup and more

Sat Apr 27, 2024 8:07 pm

> Your real problem is that you need more wifi. You need a second device to populate your house with 2.4ghz traffic, as it's currently (on the router) used for WAN and thus not available for LAN.

Yes, I know. I want to buy a managed switch/AP, maybe another MikroTik device. Actually, 2.4GHz traffic is available for LAN, but only when WLAN1 is connected to the AP.
The WLAN1 as my backup connection (WAN2) is also useful when I use my little one as a "travel router", getting a connection from my smartphone on the fly without changing anything.
Anyway, a user once suggested setting a virtual WLAN as my WAN2 and leaving Wlan1 as my 2.4GHz AP, but I think that I will come across the same problem if I put Wlan1 in the bridge.
What do you think about it?

Thanks
