2 Mikrotik behind firewall

dragan123 · April 30, 2019, 6:59am

hi,
i have a question:
I have a firewall with some VLAN configured.
Behind the firewall i have a Mikrotik configured as a switch like written here: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples

My special requirement is: I have to connect a second Mikrotik behind the first one (i need to “duplicate” the Port2)

I tried some things, Mikrotik 1 is working, but Mikrotik 2 is not working.

Any idea?

Thanks.

sebastia · April 30, 2019, 8:26am

List your config on Tik1 (/export hide-senstive compact) and indicate who you want to connect: from what interface to which?

dragan123 · April 30, 2019, 9:15am

That is Mikrotik 1:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

/interface ethernet switch vlan
add ports=ether2,ether3 switch=switch1 vlan-id=21
add ports=ether2,ether4 switch=switch1 vlan-id=22
add ports=ether2,ether5 switch=switch1 vlan-id=23

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=21
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=22
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=23

I would like to connect from Mikrotik 1 Port 3 to Mikrotik 2 Port 2.
I only need VLAN 22 + 23 on Mikrotik 1 and Mikrotik 2

sebastia · April 30, 2019, 11:15am

Tik1 Port3 is access port: only untagged traffic for vlan 21 will pass.

If you want vlan 21 & 22 on Tik2, you’ll need to use Port2 of Tik1 as this one is trunk port.

Note: “set ether2 vlan-mode=secure vlan-header=add-if-missing” without saying which id doesn’t make sense

dragan123 · April 30, 2019, 11:40am

I understand.

But how to configure port3 on Mikrotik 1?

anav · April 30, 2019, 1:06pm

I cannot fathom how anyone could actually answer your question without a diagram of what you are trying to accomplish and a complete config (not just select snippets).
Sebastia must be a mind reading God!

/export hide-sensitive file=yourconfig

dragan123 · April 30, 2019, 1:34pm

Here is the code from Mikrotik 1:

/interface bridge
add name=bridge1
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=22 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=23 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.20.20-192.168.20.25
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface ethernet switch vlan
add ports=ether2,ether4 switch=switch1 vlan-id=22
add ports=ether2,ether5 switch=switch1 vlan-id=23
/ip address
add address=192.168.20.1/24 interface=ether1 network=192.168.20.0
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

Firewall —> Mik1 Port 2
Mik1 Port 3 —> Mik2 Port2

on Mik 1 and Mik 2 Port 4 i need VLAN 21
on Mik 1 and Mik 2 Port 5 i need VLAN 22

sebastia · April 30, 2019, 6:20pm

if firewall doing the vlan routing?

and both Tik’s are used as smart switches then?

If you use Tik1Port3 for connection to Tik2, then this port has to be cofigured as trunk too, just like Port2: so all vlans (or the relevant ones) present and all tagged.

dragan123 · May 1, 2019, 6:29am

That means only add this Code?

/interface bridge port
add bridge=bridge1 interface=ether3

sebastia · May 1, 2019, 8:59am

You’ll also need to:
indicate in which vlans it partiipates under /interface ethernet switch vlan
change from access to trunk under /interface ethernet switch port

anav · May 1, 2019, 5:47pm

Sits back eating melba toast and caviar drinking dry champagne watching Sebastia play whackamole!

dragan123 · May 1, 2019, 7:05pm

Thanks to sebastia!
He is trying to help.

dragan123 · May 2, 2019, 5:40am

That’s it! Everything works!
Here the code of both Mikrotik

/interface bridge
add name=bridge1
/interface ethernet switch port
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=22 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=23 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.20.20-192.168.20.25
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether3
/interface ethernet switch vlan
add ports=ether2,ether3,ether4 switch=switch1 vlan-id=22
add ports=ether2,ether3,ether5 switch=switch1 vlan-id=23
/ip address
add address=192.168.20.1/24 interface=ether1 network=192.168.20.0
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

Thank you for helping me!

sebastia · May 2, 2019, 5:20pm

You’re welcome.