In this configuration example we explain how to configure VLANs on an EnGenius Smart PoE family switch. We will create 3 VLANs and configure a combination of trunk and access ports for various devices, including UniFi UAP access points, EAP600 or other EnGenius access points, Grandstream IP phones, and both wired and wireless laptops.
Network Diagram:
Configure the MikroTik / Core Router:
1. Create 3 bridges (management, voip, lan).
2. Create 3 VLANs (ether5.10, ether5.20, ether5.30) under the ether5 interface.
3. Set up each bridge with its own IP address and DHCP server (management = 192.168.10.1/24; voip = 192.168.20.1/24; lan = 192.168.30.1/24).
4. Configure the firewall (optional).
#START CONFIGURATION
/interface bridge
add mtu=1500 name=lan protocol-mode=none
add mtu=1500 name=management
add mtu=1500 name=voip
/interface vlan
add interface=ether5 l2mtu=1594 name=ether5.10 vlan-id=10
add interface=ether5 l2mtu=1594 name=ether5.20 vlan-id=20
add interface=ether5 l2mtu=1594 name=ether5.30 vlan-id=30
/ip pool
add name=dhcp_pool1 ranges=192.168.30.100-192.168.30.199
add name=dhcp_pool2 ranges=192.168.10.100-192.168.10.199
add name=dhcp_pool3 ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=lan lease-time=3d name=\
dhcp1
add address-pool=dhcp_pool2 disabled=no interface=management lease-time=3d \
name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=voip lease-time=3d name=\
dhcp3
/interface bridge port
add bridge=management interface=ether2
add bridge=voip interface=ether3
add bridge=lan interface=ether4
add bridge=management interface=ether5.10
add bridge=voip interface=ether5.20
add bridge=lan interface=ether5.30
/ip address
add address=192.168.30.1/24 interface=lan network=192.168.30.0
add address=192.168.10.1/24 interface=management network=192.168.10.0
add address=192.168.20.1/24 interface=voip network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.10.200 client-id=1:0:16:d3:e8:d7:60 mac-address=\
00:16:D3:E8:D7:60 server=dhcp2
add address=192.168.10.4 client-id=1:0:27:22:6a:a:b9 mac-address=\
00:27:22:6A:0A:B9 server=dhcp2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.0/24 list=internal
add address=192.168.20.0/24 list=internal
add address=192.168.30.0/24 list=internal
/ip firewall filter
add action=drop chain=input comment="drop invalid connections to the router" \
connection-state=invalid
add action=drop chain=input comment=\
"drop management vlan traffic bound for any gateway other than its own" \
dst-address=!192.168.10.1 src-address=192.168.10.0/24
add action=drop chain=input comment=\
"drop voip vlan traffic bound for any gateway other than its own" \
dst-address=!192.168.20.1 src-address=192.168.20.0/24
add action=drop chain=input comment=\
"drop lan vlan traffic bound for any gateway other than its own" \
dst-address=!192.168.30.1 src-address=192.168.30.0/24
add chain=input comment="allow new connections from internal lan" \
connection-state=new in-interface=lan
add chain=input comment="allow new connections from internal voip" \
connection-state=new in-interface=voip
add chain=input comment="allow new connections from internal management" \
connection-state=new in-interface=management
add chain=input comment="allow established connections to the router" \
connection-state=established
add chain=input comment="allow related connections to the router" \
connection-state=related
add chain=input comment="allow icmp ping requests" protocol=icmp
add chain=input comment="allow winbox access from internal networks only" \
dst-port=8291 protocol=tcp src-address-list=internal
add action=drop chain=forward comment=\
"drop management vlan traffic destined for voip and lan vlan networks" \
dst-address=192.168.0.0/16 src-address=192.168.10.0/24
add action=drop chain=forward comment=\
"drop voip vlan traffic destined for management and lan vlan networks" \
dst-address=192.168.0.0/16 src-address=192.168.20.0/24
add action=drop chain=forward comment=\
"drop lan vlan traffic destined for management and voip vlan networks" \
dst-address=192.168.0.0/16 src-address=192.168.30.0/24
add action=drop chain=input comment="drop everything else hitting the router"
add chain=forward comment="allow new connections through the router from lan" \
connection-state=new in-interface=lan
add chain=forward comment="allow new connections through the router from voip" \
connection-state=new in-interface=voip
add chain=forward comment="allow new connections through the router from management" \
connection-state=new in-interface=management
add chain=forward comment="allow established connections through the router" \
connection-state=established
add chain=forward comment="allow related connections through the router" \
connection-state=related
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"masquerade management vlan traffic" out-interface=ether1 src-address=\
192.168.10.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade lan vlan traffic" \
out-interface=ether1 src-address=192.168.30.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade voip vlan traffic" \
out-interface=ether1 src-address=192.168.20.0/24 to-addresses=0.0.0.0
/system clock
set time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes primary-ntp=202.89.49.65
#END CONFIGURATION
Configure the EnGenius EGS7228P PoE Smart Switch:
1. Configure the IP Settings.
2. Configure VLANs on the respective ports:
3. Configure PVID settings on respective ports:
4. Configure the management VLAN ID:
Configure the UniFi UAP Wireless Access Point:
1. Create the management wireless network:
2. Create the voip wireless network:
3. Create the lan wireless network:
Configure the EnGenius EAP600 Wireless Access Point:
1. Configure the IP Settings:
2. Ensure Operation Mode is Access Point:
3. Create 3 wireless networks (management, voip, lan):
4. Assign VLAN tags to the appropriate wireless networks created in the previous step:
5. Remember to Save/Reload to apply all settings.
Configure the Grandstream GXP2160 IP Phone:
1. Configure the QoS VLAN tag (voip network):
Testing:
Before testing, please disable your Windows firewall, as it commonly blocks ICMP (ping) packets by default.
1. Laptop should be able to ping Office PC and vice versa (192.168.30.11).
2. Laptop should be able to access the internet.
3. Laptop should not be able to ping UniFi Controller (192.168.10.200).
4. Laptop should not be able to ping GXP2160, EAP600 or UAP-PRO.
5. UniFi Controller PC is on the management vlan and should have full connectivity to EAP600, UAP-PRO, and EGS7228P.
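The test plan above can be checked against the forward-chain rules before anyone touches a cable. The following script is an added example, not part of the original post: it parses the `/ip firewall filter` forward rules from the export above (with the copy-pasted rule comments corrected to name their interface) using a minimal first-match evaluator, models the fact that hosts on the same VLAN are bridged and never reach the forward chain, and runs the post's test cases through it. Bridge names and subnets are taken from the export; the laptop, EAP600 and phone addresses are constructed for illustration.

```python
"""Offline evaluation of the MikroTik forward-chain rules against the test plan.

Added example, not part of the original post. Device addresses marked
"constructed" are assumptions; interface names and subnets come from the export.
"""
import ipaddress
import shlex

# Forward-chain rules copied from the export, with "\" continuations joined.
# Order matters: RouterOS evaluates top-down and the first match decides.
FORWARD_RULES = """
add action=drop chain=forward comment="drop management vlan traffic destined for voip and lan vlan networks" dst-address=192.168.0.0/16 src-address=192.168.10.0/24
add action=drop chain=forward comment="drop voip vlan traffic destined for management and lan vlan networks" dst-address=192.168.0.0/16 src-address=192.168.20.0/24
add action=drop chain=forward comment="drop lan vlan traffic destined for management and voip vlan networks" dst-address=192.168.0.0/16 src-address=192.168.30.0/24
add chain=forward comment="allow new connections through the router from lan" connection-state=new in-interface=lan
add chain=forward comment="allow new connections through the router from voip" connection-state=new in-interface=voip
add chain=forward comment="allow new connections through the router from management" connection-state=new in-interface=management
add chain=forward comment="allow established connections through the router" connection-state=established
add chain=forward comment="allow related connections through the router" connection-state=related
add action=drop chain=forward comment="drop everything else"
"""

# Bridge (in-interface) each VLAN subnet arrives on, from /ip address.
BRIDGES = {
    "management": ipaddress.ip_network("192.168.10.0/24"),
    "voip": ipaddress.ip_network("192.168.20.0/24"),
    "lan": ipaddress.ip_network("192.168.30.0/24"),
}


def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; action defaults to accept."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # handles the quoted comment="..." values
        if not tokens or tokens[0] != "add":
            continue
        rule = {"action": "accept"}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _addr_matches(spec, addr):
    """Match an address against a RouterOS address spec, honouring '!' negation."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def rule_matches(rule, pkt):
    """True if every matcher present on the rule agrees with the packet."""
    if "src-address" in rule and not _addr_matches(rule["src-address"], pkt["src"]):
        return False
    if "dst-address" in rule and not _addr_matches(rule["dst-address"], pkt["dst"]):
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in_iface"]:
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt["state"]:
        return False
    return True


def in_interface(addr):
    """Bridge a packet with this address sits on; anything else is the WAN port."""
    for name, net in BRIDGES.items():
        if ipaddress.ip_address(addr) in net:
            return name
    return "ether1"


def verdict(src, dst, state="new", rules=None):
    """Return 'bridged', 'accept' or 'drop' for a packet src -> dst.

    Hosts on the same VLAN reach each other through the switch/bridge and
    never traverse the forward chain, so the firewall cannot block them.
    """
    src_if, dst_if = in_interface(src), in_interface(dst)
    if src_if == dst_if and src_if != "ether1":
        return "bridged"
    pkt = {"src": src, "dst": dst, "in_iface": src_if, "state": state}
    for rule in rules or parse_rules(FORWARD_RULES):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"  # RouterOS default when no rule in the chain matches


def run_test_plan():
    """The post's test plan; returns {label: (verdict, expected)}."""
    laptop = "192.168.30.50"       # constructed: a lan-VLAN DHCP client
    office_pc = "192.168.30.11"    # from the post
    controller = "192.168.10.200"  # from the post
    eap600 = "192.168.10.21"       # constructed: management-VLAN access point
    phone = "192.168.20.31"        # constructed: voip-VLAN GXP2160
    plan = [
        ("laptop -> office pc", laptop, office_pc, "bridged"),
        ("laptop -> internet", laptop, "8.8.8.8", "accept"),
        ("laptop -> unifi controller", laptop, controller, "drop"),
        ("laptop -> ip phone", laptop, phone, "drop"),
        ("laptop -> eap600", laptop, eap600, "drop"),
        ("controller -> eap600", controller, eap600, "bridged"),
        ("internet -> office pc", "203.0.113.7", office_pc, "drop"),  # not in the post's plan
    ]
    return {label: (verdict(s, d), exp) for label, s, d, exp in plan}


if __name__ == "__main__":
    for label, (got, expected) in run_test_plan().items():
        print(f"{label:28s} {got:8s} {'ok' if got == expected else 'MISMATCH'}")
```

Two things the evaluator makes visible that the ping tests alone do not: the isolation between VLANs depends entirely on the three drop rules being placed before the "allow new" rules (swap them and every inter-VLAN case flips to accept), and the drop rules match any destination in 192.168.0.0/16, so if the upstream device on ether1 hands out a 192.168.x.x address, its admin page will be unreachable from all three VLANs while ordinary internet destinations are unaffected.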
Thank you so much. This post solved my trouble.