Ok, this might be a bit of a long-winded post, so I'll try my best to keep it concise. I have two issues here that are directly related.
The current setup in this ROBO is an RB3011, with an unmanaged consumer L2 switch (Netgear, I believe), a Cisco ATA for VoIP, and a Ubiquiti AP (currently only running one WLAN on the untagged network). All these devices are directly connected to Switch1 (the AP was connected to Eth9, now moved to Switch 1; the config below doesn't represent this) on the RB3011, with the remainder of the network connected via the unmanaged switch.
I'm trying to achieve the following two outcomes:
Add VLAN trunking on the MikroTik RB3011 to support a Ubiquiti AP with multiple WLANs. The remainder of the network, including the core switch (ROBO office), does NOT support VLANs. I'm trying to work out how to create two VLANs and tag the switch ports the correct way. ONLY the AP needs trunking (VLANs 10/20); everything else will be left as untagged using VLAN10.
Set up a new DHCP server for the second VLAN (20). When trying to set this up, clients on VLAN 20 are receiving an IP address from the first DHCP server instead of the second one.
Here is the config; I'd appreciate it if anyone can point out where I'm going wrong with the tagging, etc. I'm aware I need to move the GW (10.253.11.1) into VLAN 11; however, I disconnect clients from the network when I do this. I assume I'm missing something with the UNTAGGED for VLAN10.
There are a few conceptual and practical problems with your setup.
First practical problem: although you did configure VLANs, it's done slightly wrong (interface vlan20 on ether9, which is a member of the bridge … if ether ports are members of a bridge, no other configuration should touch those ports directly; it should rather be bound to the bridge) and incomplete (the bridge should have vlan-filtering=yes to enable any of the VLAN-related functionality).
The conceptual problem is more serious though: you cannot have a port be both a tagged and an untagged member of the same VLAN at the same time.
While it might even work on ingress (untagged packets get tagged with the selected VLAN ID and tagged packets pass unaltered), it can't work on egress (how's the switch/bridge supposed to know which packets of the same VLAN should get untagged and which should remain tagged?).
The solution would be to have, say, the tagged part of that L2 broadcast domain use a different VLAN ID (say 11) and then you'd perform an otherwise wrong configuration of bridging two VLAN interfaces (you'd need an additional bridge for that … meaning that all the communication between the WAP and wired devices would pass through the RB's CPU instead of being dealt with within the switch chip).
If it's possible, I'd advise keeping the WAP connected directly to the RB so you could properly use the tagged-only approach for the WAP and all-untagged for the rest of the LAN … this way you could avoid playing with an additional VLAN and you could configure things on the switch chip, enabling wire-speed operation.
If you can keep physical connections as mentioned, then there are a few things to fix in your posted config to make it work.
Thx for the great reply MKX. I understand networking, tagging, etc.; however, I'm still learning my way around the MikroTik. I certainly didn't intend to run the same VLAN (10) as both tagged/untagged. Are you able to offer me some examples of how to correct this config? If I understand correctly, can I create a new bridge with all the switch ports (except the AP trunk port) currently being used, and add VLAN 10 to that? Do I need to move the IP address from the Eth2-Master to the VLAN10 interface, or if it's bridge-associated can the LAN GW remain on the interface?
At the end of the day, the existing L2 domain (which I intended to merge into VLAN 10) needs to be untagged on the AP, and the new VLAN tagged for the AP. Then all traffic in VLAN 20 needs to be routable (FW rules dependent) to the internet.
Appreciate any help here; I know what I'm trying to achieve, I'm just trying to understand how to make it happen on the MikroTik. Thx!
I'd rather not prepare you some half-baked recipe for the migration phase … It'd be much simpler if you reconfigured the LAN in one big leap … but I can understand that might not be desirable and a smooth migration (invisible to users) might be preferred. So, if some fellow forum member is willing to help you with that …
I’m not worried about migration, just end state configuration. This is more about a learning experience to better understand Mikrotik. Thx for your help.
OK, I can try to give some ideas about how to get to the end state.
If I understand right, the intended end state will include one untagged and one tagged VLAN. This should be possible even if only a single physical connection connects the whole LAN with the router.
If you don't intend to use other ether ports on the router ever, you could even remove ether2 (if that's the single port connecting to the LAN) from the bridge and configure stuff directly on the port … such a config would be something like this:
/interface bridge port
remove [ find interface=ether2 ] # remove ether2 from the bridge (bridge port entries are matched by interface=, not name=)
/interface vlan
add name=vlan10 interface=ether2 vlan-id=10 # the tagged VLAN rides directly on the physical port
/ip address
add interface=ether2 address=<untagged LAN IP address with mask> # untagged LAN stays on ether2 itself
add interface=vlan10 address=<VLAN10 IP address with mask>
# similarly you'd bind DHCP servers with appropriate DHCP network and DHCP pool settings to ether2 and vlan10 interfaces
If, however, you will use additional ports on the RB for the LAN (either trunk or access), the setup would be slightly different:
# configuration changes in two steps
# first step: preparation of VLAN L3 settings
# before running commands in this step, be sure you're using ether4 or ether5 to connect
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20 # the untagged (native) VLAN here; it takes the role ether2 itself had in the example above
/ip address
add interface=vlan10 address=<VLAN10 IP address with mask>
add interface=vlan20 address=<VLAN20 IP address with mask>
/interface bridge port
# if ether2/ether3 are already bridge members, use "set [ find interface=ether2 ] ..." instead of "add" (add fails on an existing member)
add bridge=bridge interface=ether2 ingress-filtering=yes pvid=20 # hybrid port: tagged 10, untagged 20
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-untagged-and-priority-tagged pvid=20 # access port: untagged 20 only
/interface bridge vlan
# the bridge itself must be a tagged member of each VLAN, otherwise the vlan10/vlan20 L3 interfaces see no traffic
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=20
# End of first step. Now you should disconnect.
#
# Start of second step: connect via either ether2 or ether3 to <VLAN20 IP address with mask>
# enable safe mode now
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
# if connectivity to router is still fine, disable safe mode
#
# now you can reconfigure other ether ports so that they will become either trunk or access ports for right VLAN
# or you can leave that for the future when you'll actually need those ports
Ok so big thanks to MKX for your help, I'm 99% there. I configured all the VLANs/bridges/trunks/etc. today and it's all working OK. The only problem I have is with the DHCP server.
When a client connects on VLAN10, they receive an IP from the address range 10.253.11.0/x; this is exactly what I expect. However, when a client connects on VLAN20, instead of getting an IP from the 10.253.12.x range, they get an IP address from the 10.253.11.0/x range. How do I map the address pool back to each unique DHCP server? Thx
You have to create two DHCP address pools and assign each to the corresponding DHCP server (with matching DHCP network). The DHCP server doesn't check if the served DHCP lease corresponds to other DHCP lease parameters …
Right now you're using the same DHCP address pool for both DHCP server instances …
Thx, I actually stumbled across the IP pools tonight; the "dhcp" pool name threw me off track. I'd created my networks under the DHCP server and didn't realise the IP Pools was a separate section.
Just one small clarification, does the DNS get assigned from the Networks section under the DHCP Server?
A small correction to my previous post: the DHCP server actually auto-selects the correct DHCP network settings, matching the interface to which the server instance is bound. One has to set the correct (matching) address pool though.
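An added end-state example for the DHCP side of the thread (not mkx's or the poster's own config): one pool, one network and one server per VLAN, so VLAN20 clients can no longer be handed a 10.253.11.x lease. It assumes the bridge-based vlan10/vlan20 interfaces from the earlier post, /24 masks, the 10.253.12.1 gateway and the pool ranges; 10.253.11.1 and the two subnets come from the thread.

```routeros
# Assumed: vlan10/vlan20 exist on the VLAN-filtering bridge; masks, 10.253.12.1 and ranges are made up
/ip address
add interface=vlan10 address=10.253.11.1/24
add interface=vlan20 address=10.253.12.1/24

# One pool per VLAN. A single shared pool (e.g. the default "dhcp") is what causes
# VLAN20 clients to receive 10.253.11.x leases.
/ip pool
add name=pool-vlan10 ranges=10.253.11.100-10.253.11.199
add name=pool-vlan20 ranges=10.253.12.100-10.253.12.199

# The network entry carries gateway and DNS. The server picks the entry that matches
# the address on its bound interface, so these need no explicit link to a server.
/ip dhcp-server network
add address=10.253.11.0/24 gateway=10.253.11.1 dns-server=10.253.11.1
add address=10.253.12.0/24 gateway=10.253.12.1 dns-server=10.253.12.1

# Bind each server to its VLAN interface AND to its own pool; the pool is the part
# RouterOS will not infer for you.
/ip dhcp-server
add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10 disabled=no
add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20 disabled=no

# Check: each server should show a different address-pool, and leases should land in
# the subnet of the interface they arrived on.
/ip dhcp-server print detail
/ip dhcp-server lease print
```

The `dns-server` value lives in the network entry, so that is where the DNS handed to clients is set.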