2 VLANs + L2/L3 setup

I have a MikroTik RB493G. Is it possible to configure the following setup on this unit, or would it be better to use an additional switch for L2 functions and let the RB493G handle just the routing? I’ve tried various approaches, but they often result in ‘invalid’ configuration errors or incomplete functionality, such as the RB493G not sending out its own MAC via ARP for one of the VLANs.

What I need: The intranet has two VLANs that enter the RB493G via a trunk port, while other ports are set to access mode for one of the VLANs. Both VLANs connect to other sites via IPsec tunnels, requiring the RB493G to have IP addresses on both VLANs for routing and IPsec processing.

What I’ve done and where I’m stuck: I can set up the RB493G for two VLANs (L2 layer), but I can only assign one IP address. The IP address assigned to the first VLAN works correctly, but the IP address assigned to the second VLAN is ignored and does not respond to ARP requests. Attempts to use virtual adapters for the second IP address result in ‘invalid’ assignment errors.

What is the optimal configuration for the RB493G for this setup, if it is feasible?

Post your (anonymized) /export of the config.

Here is the relevant snippet of the configuration. If you need additional portions, please let me know. The complete configuration is about 90 KB, so I’ve excluded unrelated sections to keep this post concise. Thank you.

VLAN 200 is the most critical segment, so I assigned its RB’s IP address to the bridge interface. This was the only configuration that allowed me to operate this VLAN.

Description:

ether11 - admin port, excluded from anything
ether12 - trunk for VLAN100+VLAN200
ether13-ether18 - access ports for VLAN200

Relevant snippet of the configuration:

/interface bridge
add admin-mac=********* auto-mac=no fast-forward=no frame-types=\
    admit-only-untagged-and-priority-tagged mtu=1500 name=br_intranet pvid=\
    200 vlan-filtering=yes
/interface vlan
add interface=br_intranet name=VLAN100 vlan-id=100
add interface=br_intranet name=VLAN200 vlan-id=200
/interface bridge port
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether18 pvid=200
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=200
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether15 pvid=200
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether16 pvid=200
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether17 pvid=200
add bridge=br_intranet frame-types=admit-only-vlan-tagged interface=\
    ether12
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether13 pvid=200
add bridge=br_intranet frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether14 pvid=200
/interface bridge vlan
add bridge=br_intranet tagged=ether12 vlan-ids=200
add bridge=br_intranet tagged=ether12 vlan-ids=100
# disabled for now
/interface ethernet switch vlan
add disabled=yes ports=ether15,ether16,ether17,ether18 switch=switch1 vlan-id=100
add disabled=yes ports=ether15,ether16,ether17,ether18 switch=switch1 vlan-id=200
add disabled=yes ports=ether12,ether13,ether14 switch=switch2 vlan-id=100
add disabled=yes ports=ether12,ether13,ether14 switch=switch2 vlan-id=200
/ip address
add address=192.168.0.254/24 interface=br_intranet network=192.168.0.0

I would like to add (for VLAN100) something like:

/ip address add address=192.168.100.254/24 interface=VLAN100 network=192.168.100.0

You should be able to set an IP address on each of the VLAN interfaces, but of course it works only when the bridge config allows traffic to and from some port, and you test from that port.
When you use the default firewall you may also need to add the VLAN interfaces to the LAN interface list.
Setting the pvid on a port should also make the port an untagged member of the VLAN, but to avoid ambiguous situations I do that manually anyway (in the bridge vlan menu).

The bridge-to-CPU port settings are incorrect - you are trying to use it simultaneously untagged (by /interface bridge having pvid=200) and tagged (by having an /interface vlan attached to the bridge with vlan-id=200). It is also missing from the /interface bridge vlan entries.

Furthermore, none of the /interface vlan attached to the bridge will work, as tagged packets are blocked (by /interface bridge having frame-types=admit-only-untagged-and-priority-tagged).
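As an added illustration of the two replies above (not a configuration posted in this thread), here is what a consistent bridge-VLAN export for the described layout looks like: bridge listed as a tagged member of both VLANs, no IP address on the bridge itself, and the pvid/untagged membership of the access ports stated explicitly. Port names, the 192.168.0.0/24 and 192.168.100.0/24 networks and the wlan1 port are taken from the original poster's export and follow-up; the "LAN" interface-list name is an assumption that only applies if the default firewall is in use.

```routeros
# Added example of a consistent bridge-VLAN configuration for:
#   ether11        admin port, deliberately outside the bridge
#   ether12        trunk carrying VLAN 100 and VLAN 200
#   ether13-18     access ports in VLAN 200 (plus wlan1)
# Names, networks and the "LAN" list name are assumptions based on the thread.

/interface bridge
# No IP address is assigned to the bridge itself, so the CPU port only needs
# tagged frames. pvid stays at its default (1), which no port uses, so the
# bridge is not an untagged member of a VLAN it also carries tagged.
add name=br_intranet vlan-filtering=yes frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes mtu=1500

/interface vlan
# One L3 interface per VLAN, both attached to the bridge. They only receive
# traffic because the bridge is a tagged member of each VLAN further down.
add interface=br_intranet name=VLAN100 vlan-id=100
add interface=br_intranet name=VLAN200 vlan-id=200

/interface bridge port
# Trunk: tagged frames only; pvid is irrelevant and left at default.
add bridge=br_intranet interface=ether12 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# Access ports: untagged frames are put into VLAN 200, tagged frames dropped.
add bridge=br_intranet interface=ether13 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=br_intranet interface=ether14 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=br_intranet interface=ether15 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=br_intranet interface=ether16 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=br_intranet interface=ether17 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=br_intranet interface=ether18 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=br_intranet interface=wlan1 pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# "Ports per VLAN" table. br_intranet (the CPU port) is a tagged member of
# both VLANs; without that entry the CPU is not a member of VLAN 100 at all
# and the /interface vlan interfaces never see a frame. Untagged membership
# of the access ports is listed explicitly even though pvid already implies it.
add bridge=br_intranet vlan-ids=100 tagged=br_intranet,ether12
add bridge=br_intranet vlan-ids=200 tagged=br_intranet,ether12 \
    untagged=ether13,ether14,ether15,ether16,ether17,ether18,wlan1

/ip address
# Addresses move from the bridge to the per-VLAN interfaces.
add address=192.168.0.254/24 interface=VLAN200
add address=192.168.100.254/24 interface=VLAN100

/interface list member
# Only relevant with the default firewall and its LAN/WAN interface lists
# (assumed here); otherwise the VLAN interfaces are not treated as LAN by
# the default input-chain rules.
add interface=VLAN100 list=LAN
add interface=VLAN200 list=LAN

# The switch-chip table (/interface ethernet switch vlan) stays disabled:
# the bridge VLAN table above is the single source of truth, and running
# both at once is exactly the kind of inconsistency the replies warn about.

# Checks after applying:
/interface bridge vlan print
#   CURRENT-TAGGED should show br_intranet,ether12 for both VLAN IDs and
#   CURRENT-UNTAGGED the access ports for VLAN 200.
/interface bridge host print
#   learned client MACs should appear with the expected VLAN.
/ip arp print
#   entries should now be listed on VLAN100 / VLAN200, not on br_intranet.
```

Apply this from the admin port (ether11, outside the bridge) and in Safe Mode, because changing bridge VLAN membership over a port that is itself in the bridge will cut the session the moment an entry becomes inconsistent. Test VLAN 200 from a host on ether13-18 and VLAN 100 from a host behind the ether12 trunk, since, as noted above, an address only answers ARP from a port that the bridge VLAN table actually places in that VLAN.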

I’m unclear about your last point regarding VLAN functionality. Does it relate to the configuration I provided? If so, please note that the presented configuration supports VLAN200.

I attempted to implement your suggestions, but the unit stopped responding to ARP requests from either VLAN after the changes. It seems I’m unable to resolve this issue without a reference configuration. Given that the unit has been in operation for several years, there may be underlying factors contributing to this problem.

Considering the cost of my time, it might be more efficient to replace the unit with one from a different brand used in corporate solutions and design the solution from scratch. Thank you for your time and suggestions!

Well, considering the age of this unit it certainly is questionable if you want to spend much effort on it.
That would only be useful when you consider using MikroTik equipment in other places of your network, and want to build experience.
There is documentation about VLAN config in help.mikrotik.com and also in forum articles written by others.
But it will always require some study and I am not that good in spotting mistakes in config that others have made.

In my earlier years, I frequently worked with Mikrotik due to its excellent price-to-performance ratio. I initially thought that configuring VLANs, ports, and IP addresses would be straightforward. However, the unit is behaving unexpectedly: while it correctly learns and assigns MAC addresses from VLAN clients (and everything is properly listed under the correct VLAN in the hosts table), it fails to respond with its own MAC address to ARP requests from clients. I’m puzzled by this issue and wonder if a modern unit of the same brand would encounter the same problem.

The issue is likely due to misconfiguration; it works on MikroTik, but it requires some study of how to configure VLANs, which can be done in a couple of different ways.
When you do not want to invest time in that you can buy another device, but unless you have experience with the configuration methods of that different brand, you are likely to run into the same or similar issues.
There are two different approaches to configuring VLANs (configure VLANs per port or configure ports per VLAN) but both of them require a fully consistent configuration or it will not work.