I have a RB4011 that does all the heavy lifting, DHCP etc around the house. IOT, phones, cameras, switches and APs are all running on the same subnet, and I would like to finally get around to fixing that.
I've read the guide, and tried essentially to integrate what I have already got that works and the Router-Switch-AP, with the goal of getting the guest VLAN working, and then replicating from there the other VLANs I want to create. Not stopping everything from working all at once also has very high wife acceptance factor while I try to make the VLANs work.
Ether10 goes to a Unifi wireless bridge and on to another RB4011 a couple of km away that provides my internet access. That unit has the firewall on it, hence mine is really bare.
RB4011 lives out in a workshop. Ether 1 connects to an Aruba switch which is in the house, as well as an Aruba AP, configured to create an SSID that is tagged with VLAN40. If I connect a wireless device to the VLAN40 SSID, I get an IP address from the VLAN40 pool on the RB4011, so I think I have got that part sorted and working. What I don't seem to be able to sort is getting VLAN40 to the internet - and I can't quite work out what I'm missing - trying to combine my working setup with the wireless bridge and the VLAN guide is obviously not going quite to plan.
It would be great if some of the wiser and more learned members here could point out any obvious errors that I've made, so I can build the rest of the VLANs from there.
Thanks.
Code:
# 2025-03-28 11:38:52 by RouterOS 7.17.1
# software id = XNUF-D3YG
#
# model = RB4011iGS+
# serial number =
/interface bridge
add name=bridge1 port-cost-mode=short
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add comment="Guest VLAN" interface=bridge1 name=vlan40 vlan-id=40
/interface list
add name=LAN
add name=WAN
add name=VLAN
add name=BASE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.100.200-192.168.100.254
add name=dhcp_pool40 ranges=192.168.140.2-192.168.140.254
add name=BASE_POOL ranges=192.168.110.10-192.168.110.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=10m name=dhcp1
add address-pool=dhcp_pool40 comment="Guest VLAN" interface=vlan40 name=dhcp40
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether9 pvid=99
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 vlan-ids=99
/interface list member
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether10 list=WAN
add interface=vlan40 list=VLAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:9F:0C:A3:AF:3D name=ovpn-server1
/ip address
add address=192.168.120.1/24 interface=ether10 network=192.168.120.0
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=192.168.140.1/24 interface=vlan40 network=192.168.140.0
add address=192.168.110.1/24 interface=BASE_VLAN network=192.168.110.0
/ip dhcp-server lease
add address=192.168.100.4 client-id=1:f0:9f:c2:9:d4:6a comment="Workshop Switch 8 150W" mac-address=F0:9F:C2:09:D4:6A server=dhcp1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.101 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=192.168.100.101 gateway=192.168.100.1
add address=192.168.140.0/24 dns-server=192.168.100.101 gateway=192.168.140.1
/ip dns
set servers=114.23.1.1
/ip firewall address-list
add address=192.168.120.0/24 list=Allowed_Internet
add address=192.168.100.0/24 list=Allowed_Internet
add address=192.168.140.0/24 list=Allowed_Internet
/ip firewall filter
add action=accept chain=forward comment="Our Networks <-> Our Networks" dst-address-list=Allowed_Internet src-address-list=Allowed_Internet
add action=accept chain=forward comment="Our Networks -> Internet" out-interface=ether10 src-address-list=Allowed_Internet
add action=accept chain=forward comment="Internet -> Our Networks" dst-address-list=Allowed_Internet in-interface=ether10
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.120.0/24
add action=masquerade chain=srcnat dst-address=192.168.120.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 protocol=udp src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.120.6
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
# address pool error: pool not found: test (4)
add from-pool=test interface=sfp-sfpplus1
/ipv6 dhcp-client
add add-default-route=yes interface=ether10 pool-name=test pool-prefix-length=56 request=prefix use-peer-dns=no
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Pacific/Auckland
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=162.159.200.123
add address=192.107.172.20
/system resource irq rps
set sfp-sfpplus1 disabled=no
Statistics: Posted by ge0rge — Fri Mar 28, 2025 1:03 am
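As an added example, not part of the post above or of any MikroTik tooling: a small Python lint over a RouterOS export (a constructed excerpt that mirrors the bridge, VLAN and DHCP sections posted) checking three things the bridge-VLAN design in the Router-Switch-AP guide depends on: each DHCP gateway sits inside its own subnet, the bridge has vlan-filtering=yes, and each VLAN id is tagged on the bridge and on at least one port. It reads only the `tagged` column, so an untagged access port such as ether9 with pvid=99 is not counted as carrying a VLAN.

```python
import ipaddress
import shlex
# Constructed excerpt in the shape of the export posted above (only the sections the checks read).
EXPORT = """\
/interface bridge
add name=bridge1 port-cost-mode=short
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add comment="Guest VLAN" interface=bridge1 name=vlan40 vlan-id=40
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 vlan-ids=99
/ip dhcp-server network
add address=192.168.110.0/24 gateway=192.168.100.1
add address=192.168.140.0/24 gateway=192.168.140.1
"""

def parse_export(text):
    """Map each '/section' header to a list of {key: value} dicts, one per add/set line."""
    sections, current = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#"):  # skip blanks and export header comments
            tokens = shlex.split(line)  # shlex keeps comment="Guest VLAN" as one token
            current.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def lint(sections):
    findings = []
    # 1. The DHCP gateway must sit inside the subnet it is handed out for.
    for net in sections.get("/ip dhcp-server network", []):
        if ipaddress.ip_address(net["gateway"]) not in ipaddress.ip_network(net["address"]):
            findings.append(f"dhcp {net['address']}: gateway {net['gateway']} is outside the subnet")
    # 2. Without vlan-filtering=yes the bridge ignores its own bridge vlan table.
    for br in sections.get("/interface bridge", []):
        if br.get("vlan-filtering", "no") != "yes":
            findings.append(f"bridge {br['name']}: vlan-filtering is off")
    # 3. Each VLAN id should be in the bridge vlan table with the bridge tagged (so the CPU
    #    sees the tag) and at least one port tagged (so the trunk to the switch/AP carries it).
    table = {}
    for row in sections.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):
            table[(row["bridge"], vid)] = set(row.get("tagged", "").split(","))
    for v in sections.get("/interface vlan", []):
        tagged = table.get((v["interface"], v["vlan-id"]), set())
        if v["interface"] not in tagged:
            findings.append(f"{v['name']}: vlan {v['vlan-id']} not tagged on {v['interface']}")
        elif tagged == {v["interface"]}:
            findings.append(f"{v['name']}: vlan {v['vlan-id']} tagged on the bridge only, no port carries it tagged")
    return findings
```

Running `lint(parse_export(EXPORT))` on the excerpt flags the 192.168.110.0/24 gateway, the missing vlan-filtering, and both VLANs being tagged on bridge1 alone.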