VLAN configuration help

Hi, I have the following scenario and I have been having a lot of issues working on the VLAN configuration. I am not sure whether to use switching (I tried using the wiki but with no luck), or bridging (also tried, but lost access to the MikroTik on the attempt).

Any help will be more than appreciated, just need to know the logic on how to do it so that I can try, but I am not sure how to even begin.
[Attached image: MikrotikSetup.jpg]

I’m writing, wait 5 min

I’ll let him post.. but I would use the switch chip for most of that. It will be faster.

I will help you only with VLAN and NAT:
I suppose you have set all the other parameters, like IPs and routes, correctly.
[the IPs must be set on the bridge, not on the single interface]
And also that you have not already set any port as master or slave.

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] name=ether3-slave master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master2
set [ find default-name=ether7 ] name=ether7-slave2 master-port=ether6-master2
set [ find default-name=ether8 ] name=ether8-slave2 master-port=ether6-master2
set [ find default-name=ether9 ] name=ether9-slave2 master-port=ether6-master2

/interface vlan
add interface=ether1 name="eher1-vlan-id-90" vlan-id=90
add interface=ether1 name="eher1-vlan-id-92" vlan-id=92
add interface=ether1 name="eher1-vlan-id-199" vlan-id=199

/interface bridge
add name="bri-untag-vlan-id-90" protocol-mode=rstp
add name="bri-untag-vlan-id-92" protocol-mode=rstp
add name="bri-untag-vlan-id-199" protocol-mode=rstp

/interface bridge port
add bridge=bri-untag-vlan-id-90 interface=eher1-vlan-id-90
add bridge=bri-untag-vlan-id-90 interface=ether2-master
add bridge=bri-untag-vlan-id-92 interface=eher1-vlan-id-92
add bridge=bri-untag-vlan-id-199 interface=eher1-vlan-id-199
add bridge=bri-untag-vlan-id-199 interface=ether4

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for vlan-id-92" out-interface=bri-untag-vlan-id-92 in-interface=ether6-master2

[…]

I’d actually use the switch chip. It will be much faster and will put basically no load on to the switch… I’ll post a config after I put my son to bed.

Thank you very much guys!!! this is just what I needed…

I have fixed my misreading in the first post; please check the script now, it uses both switch chips.

1st for 2-3 [but you can also add the 5 and sfp1 (or add the 4 and use the 5 as 4 before)]

/interface ethernet
set [ find default-name=ether5 ] name=ether5-slave master-port=ether2-master
set [ find default-name=sfp1 ] name=sfp1-slave master-port=ether2-master

and
2nd for 6-7-8-9 [but you can add also the 10!!!]

/interface ethernet
set [ find default-name=ether10 ] name=ether10-slave2 master-port=ether6-master2

If you find this useful, please add Karma!


efaden, please edit your post and remove the script inside; it is fixed now.

If you are going to use the switch chip for this you actually have to set the settings, not just set the master port.

See my config:
/interface ethernet switch
set switch-all-ports=yes

/interface bridge
add name=bridge-local protocol-mode=rstp

/interface bridge port
add bridge=bridge-local interface=ether6

/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1

set [ find default-name=ether6 ] master-port=none
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6

/interface vlan
add interface=ether1 l2mtu=1594 name=Vlan90 vlan-id=90
add interface=ether1 l2mtu=1594 name=Vlan92 vlan-id=92
add interface=ether1 l2mtu=1594 name=Vlan199 vlan-id=199

/ip pool
add name=local-pool ranges=192.168.0.100-192.168.0.254

/ip dhcp-server
add address-pool=local-pool interface=bridge-local name=local-dhcp

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Vlan92

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

/interface ethernet switch vlan
add vlan-id=90 switch=switch1 ports=ether1,ether2,ether3,cpu
add vlan-id=92 switch=switch1 ports=ether1,cpu
add vlan-id=199 switch=switch1 ports=ether1,ether4,cpu

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=199
set ether5 vlan-mode=secure

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=Vlan92

add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Vlan92 in-interface=bridge-local

rextended: you need to actually have settings in /interface ethernet switch port and vlan to control the vlans if you are going to set the master-port. Just setting the master-port won’t actually work since some of them need to be tagged/untagged and modified… your config as it is wouldn’t actually work.
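
An added example, not part of the original post or any MikroTik tool: a small Python check that the per-port settings and the VLAN table of a switch-chip config like the one above agree. With vlan-mode=secure a port only passes VLANs whose table entry lists it, so a port that is in no entry (ether5 above) or whose default-vlan-id names a VLAN it is not a member of carries no traffic. The sample lines are constructed from the post, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the switch-chip lines in the post above.
SAMPLE = """\
add vlan-id=90 switch=switch1 ports=ether1,ether2,ether3,cpu
add vlan-id=92 switch=switch1 ports=ether1,cpu
add vlan-id=199 switch=switch1 ports=ether1,ether4,cpu
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=199
set ether5 vlan-mode=secure
"""

def parse(text):
    """Return (vlan_table, port_settings) from the add/set lines."""
    table, ports = {}, {}
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if words[0] == "add" and "vlan-id" in kv and "ports" in kv:
            table.setdefault(int(kv["vlan-id"]), set()).update(kv["ports"].split(","))
        elif words[0] == "set" and len(words) > 1 and "vlan-mode" in kv:
            ports[words[1]] = kv
    return table, ports

def audit(text):
    """List (port, issue) pairs where port settings and VLAN table disagree."""
    table, ports = parse(text)
    findings = []
    for name, kv in sorted(ports.items()):
        member_of = {vid for vid, members in table.items() if name in members}
        pvid = kv.get("default-vlan-id")
        if kv["vlan-mode"] != "secure":
            findings.append((name, "vlan-mode is not secure"))
        elif not member_of:
            findings.append((name, "secure mode but in no VLAN table entry"))
        elif pvid is not None and int(pvid) not in member_of:
            findings.append((name, f"default-vlan-id {pvid} not in VLAN table for this port"))
    # Table members that never get a vlan-mode keep the default; the cpu
    # port is skipped because the page's config does not set it either.
    for name in sorted(set().union(*table.values()) - set(ports) - {"cpu"}):
        findings.append((name, "in VLAN table but vlan-mode never set"))
    return findings

if __name__ == "__main__":
    for port, issue in audit(SAMPLE):
        print(f"{port}: {issue}")
```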

Thank you very much for your help on this, reading the configuration on both methodologies gives me a better understanding on how to work with VLANs and the switching feature. Coming from a Cisco background I need to get used to the new way.

Yeah. Not gonna lie, it’s odd.


Reworked config:

/interface ethernet switch
set switch-all-ports=yes

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6

/interface vlan
add interface=ether1 name=Vlan90 vlan-id=90
add interface=ether1 name=Vlan92 vlan-id=92
add interface=ether1 name=Vlan199 vlan-id=199

/ip pool
add name=local-pool ranges=192.168.0.101-192.168.0.199

/ip dhcp-server
add address-pool=local-pool interface=ether6 name=local-dhcp

/ip dhcp-client
add disabled=no interface=Vlan92

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4

/interface ethernet switch vlan
add vlan-id=90 switch=switch1 ports=ether1,ether2,ether3,cpu
add vlan-id=92 switch=switch1 ports=ether1,cpu
add vlan-id=199 switch=switch1 ports=ether1,ether4,cpu

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=199

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Vlan92 in-interface=ether6

Removed:

/interface bridge
add name=bridge-local protocol=rtsp

/interface bridge port
add bridge=bridge-local interface=ether6

/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=none

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=Vlan92
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

On the DNS, the allow-remote-requests default value is “no”;
it must be set to yes, and some DNS servers must be added, if you specify dns-server=192.168.0.1 on the DHCP server.
[DHCP client DNS or PPPoE peer DNS does not always work.]

About switch and VLAN: I must check again later whether I remember wrong. Thanks.

I am running RouterOS 6.9 and some of the commands in your configuration example are a bit different. I think I have it covered, but I don’t have the masquerading working just yet.

One main difference is that my box has two switches, one for the gig ports and one for the fast ethernet ports. I will post what I got once I am done with the configuration. So far the VLAN ports on the “outside” portion are working.

Thanks again for your help guys.

Post your config. My example had nat working.


I hope you solve the problems, but first of all, install 6.11 and update the BIOS to 3.12.

Too many bugs in 6.8 / 6.9 / 6.10.

Exactly!

Won’t vlan92 need an IP address assigned to it for NAT to work?

None of the router interfaces have the gateway address on them either.

Read the previous post carefully:

I suppose you have set all the other parameters, like IPs and routes, correctly.
[the IPs must be set on the bridge, not on the single interface]
And also that you have not already set any port as master or slave.

Because “benitton” has not specified the IP needed.
I hope he knows the IP…

I actually get the IP address assigned via DHCP. I got this working w/o any problem. My main issue with the setup was to get the switching/bridging part of the setup going… Thanks again for your help guys!