Hi everyone,
I’ve been trying to get my head around this but practically doing this is beyond my Mikrotik knowledge. Please bear with me here and ask questions if my explanation is unclear.
PART A
- I want to keep my WAN-facing interface at L2 and plug my cable modem into the WAN-interface. Moreover, I want the WAN-port to be in the NATIVE VLAN.
- Another port on the Mikrotik-router will operate as a trunk (so tagged) port and it will trunk VLAN10 and also the NATIVE VLAN to a switch.
- Devices I put in the NATIVE VLAN on the above-mentioned switch will receive a public IP from my ISP (why? The DHCP-request goes through the modem to the ISP’s DHCP-server). All this via layer 2.
So this is not all too hard in theory, I think.
PART B
I do not know whether the following is then possible, but I hope my intention will become clear:
I then just want VLAN 10 traffic to be masqueraded out of the WAN-interface. So I’ll need some virtual interface with a public IP address routing (L3 here obviously) between the internet and my 192.168.0.0/24 LAN. I believe this is a switched virtual interface in Cisco terminology.
So the virtual interface with, for instance, IP address 192.168.0.250 will receive traffic from devices in VLAN10, and route/switch it out the WAN-port.
So, native VLAN => just forward out of the WAN-port on L2
VLAN 10 => routing and masquerading out of the WAN port on L3
And I know a port can’t be both L2+L3, but the WAN-port is not on L3, only on L2. The switched virtual interface is the one on L3.
Can this sort of thing be done?
Thanks for your thoughts.
You can make a new virtual ethernet interface that acts as a dhcp client so it gets a public ip address (you might want to check the ‘default route’ option for this interface). You should then be able to use this interface to masquerade to/from. Your vlan 10 bridge interface can then act as the gateway for vlan 10.
Does the modem use vlan tagging? If not, you’re free to use any vlan you want on the trunk to the switch, which would simplify things a bit since you’re only dealing with tagged traffic in that case, not a ‘native vlan’. Just make your (unnumbered) wan interface and virtual interface (with ip address) untagged members of that vlan. If the modem does use tagging, just use that vlan number instead.
If your virtual interface gets a gateway set, see what that means for your routing table. If you don’t have a default route, you should add one of course. If you checked the ‘default route’ option for the virtual interface but no default route is set, just add one manually using your wan interface as the target.
Those are my 2 cents, anyway 
Edit: never mind the virtual ethernet interface. I thought it was basically a loopback interface but it’s used for metarouter configs instead. For the above to work a bridge interface should be substituted. And below comments suggest other, possibly better paths anyway. Just thought I should correct my post in case confusion is caused by it.
Hi Pellaeon
Thanks for your thoughts, I appreciate it. Your summary is kind of how I imagine things but it still has to become real for it to be able to fall together. First restriction: my ISP does not do any L2 VLAN-tagging whatsoever.
And so, I’m stuck at first base:
You can make a new virtual ethernet interface that acts as a dhcp client so it gets a public ip address (you might want to check the ‘default route’ option for this interface)
Do you mean a VLAN-interface here? When I attach a VLAN-interface to the WAN-facing port, I cannot get it to receive a public IP via DHCP from the ISP. I used VLAN-ID 1 for the interface as “1” means native (untagged). Seeing my ISP does not do tagging at all, I cannot use anything else but “1” I suppose.
If I just use the real physical WAN-port it get an address immediately.
No - VLAN 1 does not necessarily mean untagged or native. It is common for Cisco equipment to be shipped with VLAN 1 set to the native VLAN (untagged) on trunks but they are not the same thing. Think of the native VLAN on a Cisco trunk as the VLAN to which untagged traffic will be sent when it enters a switch environment. It is possible for VLAN 1 to be tagged and also possible for (say) VLAN 147 to be the native VLAN.
This isn’t really true since Ethernet interfaces commonly operate at both L2 & L3! For what you are trying to do you could simply bridge the WAN and LAN interface, add the VLAN 10 interface to the bridge and add a DHCP client to the bridge - the bridge will then get an IP from your ISP. The one slight problem is that VLAN 10 traffic would still potentially be visible on the WAN interface so you could use bridge filter to block it.
Whether this is the best way to achieve your goals is unclear - perhaps you could clarify the goals.
Clarifying is always hard. Perhaps I can create and upload a drawing if this attempt here is a bit unclear:
Forget about the 192.168.0.0/24 LAN and VLAN10 for a minute.
- My cable modem is 50 metres away from a TV setup box. This box NEEDS L2 access to the WAN-port of the cable modem in order to get the proper public IP address.
What I basically could do is connect a switch to the cable modem’s WAN-port and run a UTP cable from the TV box to the switch. And then also connect the Mikrotik router to the same switch.
The goal is: give the TV BOX L2 access to the cable modem as if I was to connect the box directly to the cable modem WAN-port.
What I did instead is:
- Connect Mikrotik’s ether5-port (the router’s WAN-Port) to the WAN-port of the cable modem
- Create VLAN20 on ether1. Ether1 = the trunk port from the Mikrotik to my switch (VLAN10 is also on ether1 which is what makes this port a trunk, but forget about VLAN10 for now)
- Bridge VLAN20 and ether5 on the Mikrotik
- Set the bridge as DHCP client
All this works fine. Please see the screenshot I attached.
Right now I’m interested in getting rid of the bridge. I either want a full L2 wirespeed path to the WAN or use routing. I hope I did a good job explaining?
ps: I’ve got gmail too. Perhaps we can chat about it some time. I’ve got a working setup but I like to improve all the time:))
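Added example (not from the original thread or any poster): the four steps above written out as RouterOS v6 CLI commands, plus the routed VLAN10 side from PART B. Interface names follow the thread (ether1 = trunk to the switch, ether5 = WAN to the modem); the bridge name, the 192.168.0.250/24 gateway address and the firewall rules that protect the router's own public IP are my assumptions.

```routeros
# Step 1/2: VLAN20 (L2 path for the TV box) and VLAN10 (routed LAN) both tagged on the trunk port ether1
/interface vlan
add name=vlan20 vlan-id=20 interface=ether1
add name=vlan10 vlan-id=10 interface=ether1

# Step 3: bridge VLAN20 with the physical WAN port, so ether5 behaves like an untagged
# access port for VLAN20 and the TV box sees the modem at L2 (bridge name is assumed)
/interface bridge
add name=bridge-wan protocol-mode=none
/interface bridge port
add bridge=bridge-wan interface=vlan20
add bridge=bridge-wan interface=ether5

# Step 4: the bridge itself is the DHCP client towards the ISP and installs the default route
/ip dhcp-client
add interface=bridge-wan add-default-route=yes use-peer-dns=yes disabled=no

# PART B: VLAN10 is a routed interface; 192.168.0.250 is the gateway (address is assumed)
/ip address
add address=192.168.0.250/24 interface=vlan10

# Masquerade VLAN10 traffic behind the public IP that the bridge acquired
/ip firewall nat
add chain=srcnat out-interface=bridge-wan action=masquerade comment="VLAN10 -> ISP"

# Assumed hardening: the bridge carries a public IP, so only answer what we asked for
/ip firewall filter
add chain=input in-interface=bridge-wan connection-state=established,related action=accept
add chain=input in-interface=bridge-wan protocol=udp dst-port=68 action=accept comment="DHCP replies"
add chain=input in-interface=bridge-wan action=drop comment="drop everything else from WAN"
add chain=forward in-interface=bridge-wan connection-state=new connection-nat-state=!dstnat action=drop
```

Two things worth checking after applying this: `/ip dhcp-client print` should show the lease on bridge-wan, and `/interface bridge host print` should list the TV box's MAC behind vlan20 and the modem's MAC behind ether5. The frames between vlan20 and ether5 are switched by the bridge and, with `use-ip-firewall` left at its default of no, never enter the IP firewall; only traffic addressed to or routed by the router itself (the VLAN10 side) does.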

Your RB450G has a switch built in:
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
A better plan would be to have one Ethernet port connected to the ISP and slave another Ethernet port to the ISP port (i.e. set its master port parameter). That would give you wire speed L2 switching from the ISP to the TV box with no CPU load. You can then place a DHCP client on the ISP Ether port and acquire an IP for the routerboard itself and route any VLAN or LAN interface traffic in the normal way.
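Added example (not CelticComms' or the thread's own configuration): the master-port approach described above as RouterOS v6 CLI. It assumes RouterOS 6.40 or earlier, where the `master-port` property still exists, that ether4 is free and cabled to the TV box, and that ether4 and ether5 sit in the same switch group on the RB450G (ether1 is not on that switch chip, which is why the trunk stays a separate routed port).

```routeros
# Slave ether4 to the ISP-facing port ether5: the switch chip forwards frames between
# them at wire speed and the CPU never sees the TV box's traffic (assumed port choice)
/interface ethernet
set ether4 master-port=ether5

# The DHCP client now sits on the physical ISP port, not on a bridge
/ip dhcp-client
add interface=ether5 add-default-route=yes use-peer-dns=yes disabled=no

# Routed side is unchanged: VLAN10 tagged on the trunk port ether1 (address is assumed)
/interface vlan
add name=vlan10 vlan-id=10 interface=ether1
/ip address
add address=192.168.0.250/24 interface=vlan10

# Masquerade the LAN behind the public IP on ether5
/ip firewall nat
add chain=srcnat out-interface=ether5 action=masquerade comment="VLAN10 -> ISP"
```

On RouterOS 6.41 and later `master-port` is gone; the equivalent is a bridge containing ether4 and ether5 with hardware offload (`/interface bridge port add bridge=... interface=ether5 hw=yes`), with the DHCP client moved to that bridge. Whichever variant is used, `/interface ethernet switch port print` (or the bridge port list) is the place to confirm the two ports really share the switch group before trusting the wire-speed claim.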
I thought of that, but that would require the tv box to be connected to the slaved port directly? So without any VLANs involved, right?
Yes - long cable… The alternatives are really feeding the WAN interface via a VLAN to the IPTV box (which you may have already done) or getting the IPTV box to work on a private IP on the LAN side of the router. If it operates using IGMP then you could run the IGMP proxy on the routerboard.
I’m doing the VLAN-solution using the setup above with the screen shot. Unfortunately, it involves a bridge as you can see. Getting it to work inside the LAN is a no go. The ISP decides its IP based on the MAC-address.
The only other way I can think of is by using the solution Pellaeon suggested, as getting the Mikrotik switch chip to play nice is nigh on impossible (so wire speed it out of the window).
Trading routing for bridging would be a step in the right direction. But thank you for thinking along, I knew this isn’t easy to crack. But maybe I’ll nail it sometime:)
You can clone the MAC address of the STB on the router - but whether it will work or not depends on which protocols they use for the IPTV service.
Which provider are you using, Jeroen? I’m connected to KPN myself and have done away with their equipment except for the POTS function. Both internet and IPTV are done through my RB2011. KPN uses vlans to separate the traffic though - 4 for IPTV, 6 for internet and 7 for POTS/SIP.
By the way, I think switching on the Mikrotiks is just too much of a pain to set up properly. I’m CCNP certified and it still took me 3 days to figure out how to use VLANs effectively! I swear I’m smart enough, but the switching setup is too alien for me to easily get the hang of. I’m sure my own setup is nowhere near optimized, but it works well, so I’m not going to bother for a while - at least until I get some more equipment to experiment with.
Yes, cloning works as I’ve tried it with a Draytek router once. Result: the STB had “internet” (read: access to ISP servers) access but non-ISP devices will not be able to reach the internet through that range of course. Using the clone trick, I could give the STB an address in a private range and masquerade it out via the WAN-interface.
Or are you saying I can get 2 IPs (1 from the special STB range and another from the “internet” range) on the same WAN-port acquired using different MACs? 1 MAC from the STB and the default MAC from the STB.
@Pellaeon, I assume you are from the Netherlands? I am with Telenet in Belgium.
But I’ll go on in English. I got my CCNA in college (many years ago lol) but respect for getting your CCNP. I’ve literally spent weeks with that darned switch chip so I’ve also given up on switching.
The way we would do this on Cisco gear is to make the WAN-port a L2 access port (let’s say we put it in VLAN20). Then we would throw in an SVI for VLAN20 doing a DHCP-request to the modem. The SVI would end up with a public routable IP. We can then route and masquerade traffic via the SVI. Am I correct thus far?
Step 2 is to trunk my VLANs to the Cisco router on some other port, and trunked VLAN20 traffic (coming from other switches) would flow nicely to the L2 WAN port as it has no reason for visiting the slow-path routing logic.
I think that is the same as you proposed earlier? And I have no idea how to get this going with Mikrotik stuff either:-)
In short, I think the issue here is that any VLAN-interface on a Mikrotik is a routed interface by default. And it only accepts tagged traffic from then on. It seems to have no notion of PVID and other concepts. Unless I’m really badly mistaken here.
In RouterOS in general you have to bridge a VLAN port to an Ethernet port to make the equivalent of an access port. However the RB450G also includes the Atheros 8316 switch chip which can create wire speed VLAN trunk or access ports within the switch group.
CelticComms is filling in the blanks in my knowledge gap.
So by bridging VLAN20 (attached to ETHER1 if you refer to my screenshot) with the WAN port, I’m basically defining VLAN20 on ETHER5 as an access port (untagged port). At the same time VLAN10+VLAN20 on ETHER1 both remain tagged ports?
Makes sense. I should be able to do this using the switch chip, but it is hell to work with and I was unable to get it right.
EDIT: added drawing of network. The computer with the RED line is the TV box in VLAN20 needing L2 access to the modem.

The port names aren’t on the diagram so I wasn’t sure of your description, but I think you have the idea.
A VLAN interface attached to a physical port always sends tagged VLAN traffic on that physical port. Bridging the VLAN interface to another physical port will cause that second physical port to behave like an access port for the corresponding VLAN.
It is of course better if it can be done at wire speed on a switch chip but the bridge approach should work fine in this case.
You certainly have a strong handle on the matter. The port left of the router is ether1 (Trunk port). The port to the right is ether5 (WAN-port). But you already figured this out.
I haven’t tested this (not at my home so danger of locking myself out) but I think it is also possible to create VLAN20 on the WAN-port and bridge it with VLAN20 on the trunk port. I did say should, so sorry if anyone reading this finds out it does not work;)
You can certainly bridge the two VLAN interfaces - that would carry tagged VLAN traffic between the two ports and that traffic would appear tagged on both ports.