I’ve spent far longer than expected to set up an VLAN on my network for IoT devices which I don’t want to have access to the internet. I’m running RB4011iGS+ router with RouterOS 6.48.4 and what I thought was a simple change took the whole network down for a while.

Granted, I’m not the most skilled network admin around, but I have built networks in the past and I’m (partly) maintaining them at work, but apparently I’m approaching this somehow from the wrong angle.

The current setup is a single subnet (172.17.0.0/24) where Mikrotik manages firewalling and DHCP without VLAN. WAN side has SPF module for the uplink, couple of bridged ports for that to provide raw internet to my server, some static mappings on the DHCP and things like that, pretty basic stuff. Other hardware includes Unifi access points, manageable switch and various stuff which just connects to the network.

Now, I’d like to add a VLAN (id 20, not that it matters) on the setup so I could have another /24 subnet for IOT devices. What I tought would be enough to take couple of ports from the existing LAN bridge, create a new bridge, set up an VLAN interface with IP, DHCP server and just connect tagged port on my switch, connect laptop for testing for untagged port and configure switch so that I could have another SSID on access points on that VLAN and connect couple of other things directly on the switch.

There’s plenty of guides around the net, but when I attempted to follow them I ended up in a situation where untagged port just would not work with ARP. I could dump traffic on my laptop with wireshark and there’s ARP ‘who-has’ requests running, but Mikrotik won’t reply on those no matter what I do. Same of course goes with DHCP requests and all traffic in general. My laptop would receive ARP query when attempting to ping it from the router, and laptop would respond, but sniffing traffic from the mikrotik port the reply just disappears somewhere. No matter if I have the switch in between to untag VLAN for the port or directly connecting cable to the mikrotik or even moving the laptop to VLAN20 and using that as a test setup.

What I’m currently assuming is that the problem is with non-tagged “general” network I’m running. As in VLAN20 and VLANnothing somehow are fundamentally incompatible on RouterOS, but that seems kind of backwards.

The end goal would be to have a trunk port on the router and on the switch and distribute VLAN to ports as needed. Or even a port for generic use and another for VLAN networks. Maybe someone here is more experienced with RouterOS and could point me to the right direction?

  • Oisteink@feddit.nl
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    I’m no routeros guy but I don’t trust mixing default and tagged packets. I do believe on UniFi stuff you can mix as default is tagged 1 on trunk ports. I’d just make a vlan for each network. Raw internet, IoT and LAN

  • ScandalFan85@feddit.de
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    I’m fairly new to MikroTik and no expert either, but I don’t think you need a second bridge. You can add your VLANs to the default bridge and handle internet access through firewall rules. Depending on your existing firewall logic, you may have to drop/reject all traffic from the IoT subnet to the internet and all other subnets. Make sure that you add the bridge also as a tagged interface to the VLAN! Else, the DHCP server and all services on the router can not reach the IoT subnet.

    I would also recommend to segregate all traffic into different VLANs (WAN, LAN, IoT, …). This makes it easy to manage firewall rules because you can then use either VLAN interfaces or interface lists containing multiple VLAN interfaces for similiar firewall rules. You can simply untag outgoing traffic on specific ports if you want and add a specific tag for incoming traffic.

    I have a similiar setup running. Everything is separated into VLANs and these VLANs are configured on the default bridge. Routing/allowing and denying traffic to/from the internet is handled by firewall rules. And I have defined interface lists like NO_INTERNET_ACCESS, NO_LAN_ACCESS, etc. These lists are then used by the firewall rules. If you later want to add another VLAN that should not get access to the internet you can simply add it to the NO_INTERNET_ACCESS list and you do not have to alter your firewall rules for that specific VLAN.

    Take this advice with a grain of salt. If possible, do not test this on your production network but on a separate, isolated router.

    • IsoKiero@sopuli.xyzOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I dug out an old RB750 and tested the setup with just single bridge for VLANs + single normal interface as WAN and it worked flawlessly at the first time. Either I missed something (not unlikely at all) or the issue is with non-tagged network which causes problems or the third option that the switch chip on my main router just isn’t capable of switching VLANs as expected (which I doubt). I even created the lists like you suggested and based on a short test it seems like a good way to manage things.

      I need to warn my family that internet will be a bit unreliable today evening and try similar config with the main router and see how that goes. There’s just a bit more things to take care of than setting up a fresh setup, but it shouldn’t be too complicated to manage as long as I remember to assign a port for separate access so that I don’t lock myself out of the thing.

      Thank you for your reply, it nudged me to the correct path.

  • tsz@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    15 years of ros experience if you need help. Just dm me and we’ll set something up.

    • IsoKiero@sopuli.xyzOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thank you for the offer, but I got it figured out and now I’ve got a separate network for Gree heatpumps (among other things) which would love to send all of their data to the manufacturer. Even the adoption process was pretty complicated where it required an account (of course) and wouldn’t connect to my separate wifi at all if I didn’t permit a temporary internet access trough it.

      At the end the biggest issue was actually EdgeRouter which is runnign as glorified PoE -switch (I have older 24V passive POE unifi hardware still around). It should manage VLANs without any issues, but apparently even two separate IP addresses is enough to cause various issues on the thing. When I got that one out of the way the rest was pretty straightforward.