Mikrotik RB4011 question. VLAN config


Rick0227

New Around Here
I am BRAND new to the router config game. Practicing configs for upcoming jobs, so that I am useful to my boss. The scenario: I need to configure the router to have "Two subnets 192.168.1.0/24 and 192.168.2.0/24. First subnet is default, second subnet only active on eth2 port. Block traffic from the two subnets to talk to each other, but allow both to internet."
The issue is that I have configured the VLAN, the IPs, the DHCP server, and the tagged ports, but I'm not pulling the proper IP from the port. I have included the .rsc file I exported from the router. Any help is greatly appreciated.

# dec/19/2019 14:17:44 by RouterOS 6.46
# software id = PLDE-DYLT
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B3A30A573840
/interface bridge add admin-mac=74:4D:28:5C:66:E9 auto-mac=no comment=defconf name=bridge
/interface bridge add name=bridgeVLAN1
/interface bridge add name=bridgeVLAN2 pvid=2 vlan-filtering=yes
/interface wireless
# no supported channel and secondary channel combination
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=auto ssid=MikroTik-5C66F2 wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-0E1DE9 wireless-protocol=802.11
/interface vlan add interface=bridgeVLAN1 name=vlan1 vlan-id=1
/interface vlan add interface=bridgeVLAN2 name=vlan2 vlan-id=2
/interface ethernet switch port set 0 default-vlan-id=0
/interface ethernet switch port set 1 default-vlan-id=0
/interface ethernet switch port set 2 default-vlan-id=0
/interface ethernet switch port set 3 default-vlan-id=0
/interface ethernet switch port set 4 default-vlan-id=0
/interface ethernet switch port set 5 default-vlan-id=0
/interface ethernet switch port set 6 default-vlan-id=0
/interface ethernet switch port set 7 default-vlan-id=0
/interface ethernet switch port set 8 default-vlan-id=0
/interface ethernet switch port set 9 default-vlan-id=0
/interface ethernet switch port set 10 default-vlan-id=0
/interface ethernet switch port set 11 default-vlan-id=0
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip pool add name=pool2 ranges=192.168.2.1-192.168.2.254
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server add address-pool=pool2 disabled=no interface=ether1 name=serverVLAN2
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridgeVLAN2 comment=defconf interface=ether3 pvid=2
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=ether6
/interface bridge port add bridge=bridge comment=defconf interface=ether7
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface=ether9
/interface bridge port add bridge=bridge comment=defconf interface=ether10
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface bridge vlan add bridge=bridgeVLAN1 tagged=bridgeVLAN1 untagged=ether4 vlan-ids=1
/interface bridge vlan add bridge=bridgeVLAN2 tagged=bridgeVLAN2 untagged=ether3 vlan-ids=2
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip address add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
/ip dhcp-client add comment=defconf disabled=no interface=ether1
/ip dhcp-server network add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dhcp-server network add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock set time-zone-name=America/New_York
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
 
A VLAN is an interface, so you run your rules and treat the VLAN interface like a regular Ethernet interface. That means you do not run your rules and config on the Ethernet interface but rather on the VLAN interface when you are using VLANs.

As for inter-routing, simply add a route from LAN A to LAN B and from LAN B to LAN A to drop; as for internet, you are just going to be having 2 NAT rules (technically you can use a single rule with lists).

MikroTik has MUM, classes and certs, well worth going and getting, and a lot, lot cheaper than Cisco.
 
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server add address-pool=pool2 disabled=no interface=ether1 name=serverVLAN2

I don't know RouterOS, never seen it before, just Cisco. Just glancing, it looks like DHCP for pool2 is set to ether1 not ether2. But I really don't know.

No. ether2 is vlan1
/ip address add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
So maybe ether3

This is a lot different than Cisco.
 
In MikroTik RouterOS, things like bridges and VLANs and other virtual interfaces that run on top of physical interfaces take precedence; that means that using the physical interface in your rules is either invalid or only applies to that interface. In a way it's more of a raw way of looking at things.

For instance, let's say you have VLAN 400 running on eth2. If you set your rules to eth2, then anything on vlan400 bypasses it. If you set your rules to vlan400 but not eth2, then it applies to vlan400 including anything on eth2 that is related to vlan400. However you still do need rules for eth2, because like any other device there is input as well, so you will want to block input on the physical port if you are segregating your network and limiting admin access.
 
So, System Error Message, what is wrong with the code?
Quite a lot, but I didn't need to read it to know it's wrong. With MikroTik, configuring things works slightly differently. The part you quoted is wrong, so you did spot it, where it should not be applied to the bridge or Ethernet interface, but rather the VLANs only.

So first you have a VLAN that is switched, then you have a VLAN that isn't, so you don't switch the ports but either set the default VLAN on the port or set the ports to be a member of that VLAN; either way the Ethernet port should only be set for the VLAN, and all the rules and config should be applied to the VLAN and not the Ethernet port.

If the VLAN is tagged and you don't want untagged/other VLAN traffic going around on the physical port, just make sure the port isn't part of a bridge (it can be part of a switch but not switched).

For the subnets, assuming the same segmentation is followed for the VLAN, the subnets should be applied on the VLAN interface and not the Ethernet interface; the same applies to DHCP. However, you can apply the subnet onto the Ethernet port, but it's only OK for management via L2/L3 WinBox in case you get a config wrong, as you can add IP addresses to interfaces on MikroTik and not route them.

You do not need to drop non-NAT source traffic from outside, because even Google uses multiple IPs to track and respond to you; it breaks things easily to apply bank-level firewall logic. Make sure to block the right input and output chain though, so services can get through (DNS, NTP, etc.) and output so as to not unnecessarily advertise the router.

For internet access, you need to NAT both subnets via 2 rules (from LAN1 to !LAN, from LAN2 to !LAN) where LAN is the IP list of both subnets; this logic has to be followed exactly to avoid inter-NAT happening that would allow inter-routing if segmenting. Under route, set 2 routes, LAN1 to LAN2 and LAN2 to LAN1, as prohibited, or blackhole, or any other similar action you wish in routing.
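The following RouterOS script is an added worked example of the advice in the replies above (put the subnet, DHCP and firewall config on the VLAN interface, not on the Ethernet port; keep the two subnets apart; NAT both to the internet). It is not the poster's export and not any replier's code. It assumes ether1 is the WAN port as in the export, uses VLAN id 2 and the names vlan2, pool1, pool2, dhcp1 and dhcp2 (all chosen here), and swaps the prohibit/blackhole routes suggested above for two forward-chain drop rules plus one masquerade rule keyed on the WAN interface list, which the first reply notes is equivalent to two NAT rules.

```routeros
# Added example, not from the thread. Single bridge with VLAN filtering:
# 192.168.1.0/24 is the untagged default on every LAN port and the WiFi,
# 192.168.2.0/24 exists only on ether2 (access port for VLAN 2).
# Assumption: ether1 is WAN; you are connected via ether3..ether10 or WiFi.

# 1. One bridge for all LAN ports. Leave vlan-filtering off until the VLAN
#    table below exists; enabling it first is the classic way to lock
#    yourself out of the router.
/interface bridge
add name=bridge comment="LAN bridge" vlan-filtering=no

# 2. Bridge ports. ether2 gets pvid=2, so untagged frames entering it belong
#    to VLAN 2. Every other port keeps the default pvid=1 (default subnet).
/interface bridge port
add bridge=bridge interface=ether2 pvid=2 comment="access port, VLAN 2 only"
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2

# 3. Bridge VLAN table. VLAN 1 is created dynamically from the pvid=1 ports
#    and the bridge's own pvid. VLAN 2 leaves the bridge tagged (so the CPU
#    side can see it through the vlan2 interface) and ether2 untagged.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=2

# 4. The L3 interface for the second subnet lives on the bridge, not on
#    ether2. This is the point the replies make: rules and addresses go on
#    the VLAN interface, the physical port only carries it.
/interface vlan
add interface=bridge name=vlan2 vlan-id=2

# 5. Interface lists so firewall and NAT rules never name physical ports.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan2 list=LAN

# 6. Addresses, pools and DHCP servers bound to the L3 interfaces
#    (the export bound the second DHCP server to ether1, the WAN port).
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
/ip pool
add name=pool1 ranges=192.168.1.10-192.168.1.254
add name=pool2 ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add name=dhcp1 interface=bridge address-pool=pool1 disabled=no
add name=dhcp2 interface=vlan2 address-pool=pool2 disabled=no
# Each network hands out its own gateway; the export pointed the second
# subnet at 192.168.1.1, which clients in 192.168.2.0/24 cannot reach.
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dns set allow-remote-requests=yes

# 7. Keep the subnets apart in the forward chain. The default forward chain
#    only accepts established/related and drops invalid and unsolicited WAN
#    traffic, so a new cross-subnet connection reaches these rules and is
#    dropped before it can ever be tracked as established.
/ip firewall filter
add chain=forward action=drop src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 comment="block 192.168.1.0/24 -> 192.168.2.0/24"
add chain=forward action=drop src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 comment="block 192.168.2.0/24 -> 192.168.1.0/24"

# 8. Both subnets reach the internet through one masquerade rule keyed on
#    the WAN list; traffic between the subnets never matches it because it
#    never leaves via a WAN interface.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 9. Only now turn VLAN filtering on.
/interface bridge set bridge vlan-filtering=yes
```

Apply it from a console session on a port that stays in the default subnet, and keep WinBox's Safe Mode on while doing so: if the bridge VLAN table is wrong when step 9 runs, Safe Mode rolls the change back when the session drops. To confirm the isolation, plug a host into ether2, check it receives a 192.168.2.x lease with gateway 192.168.2.1, and verify that it can reach the internet but not 192.168.1.1; the drop counters under /ip firewall filter should increment for that attempt.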
 