Hello,
I have a RB2011iL-RM and I need help with this setup :
eth1 - wan
eth2 - VLAN10
eth3 - VLAN20
eth4 - VLAN30
eth5 - TRUNK (goes into a HP switch already setup)
eth6-10 - not used
I need all VLANs to have access to the internet but keep them separated.
Are eth2, eth3, eth4 tagged traffic or access ports?
Basically what you will do is
/interface bridge
add comment=“VLAN 10 Bridge” l2mtu=1584 name=bridge-vlan10 protocol-mode=none
add comment=“VLAN 20 Bridge” l2mtu=1584 name=bridge-vlan20 protocol-mode=none
add comment=“VLAN 30 Bridge” l2mtu=1584 name=bridge-vlan30 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01-gateway
set [ find default-name=ether2 ] name=ether02-vlan10
set [ find default-name=ether3 ] master-port=none name=ether03-vlan20
set [ find default-name=ether4 ] master-port=none name=ether04-vlan30
set [ find default-name=ether5 ] master-port=none name=ether05-trunk
set [ find default-name=ether6 ] master-port=none name=ether06-slave-local disabled=yes
set [ find default-name=ether7 ] master-port=none name=ether07-slave-local disabled=yes
set [ find default-name=ether8 ] master-port=none name=ether08-slave-local disabled=yes
set [ find default-name=ether9 ] master-port=none name=ether09-slave-local disabled=yes
set [ find default-name=ether10 ] master-port=none name=ether10-slave-local disabled=yes
/interface vlan
add interface=ether5-trunk name=vlan10-ether5-trunk vlan-id=10
add interface=ether5-trunk name=vlan20-ether5-trunk vlan-id=20
add interface=ether5-trunk name=vlan30-ether5-trunk vlan-id=30
/interface bridge port
add bridge=bridge-vlan10 interface=ether2-vlan10
add bridge=bridge-vlan10 interface=ether5-trunk
add bridge=bridge-vlan20 interface=ether3-vlan20
add bridge=bridge-vlan20 interface=ether5-trunk
add bridge=bridge-vlan30 interface=ether4-vlan30
add bridge=bridge-vlan30 interface=ether5-trunkThat gives you your three access ports and one trunk port. They all come back to bridge-vlan10, bridge-vlan20, and bridge-vlan30. This is also using the main CPU so you will take a performance hit. If you wanted to you “could” do this with the switch chip instead which would give you wirespeed… but it is a bit more confusing to setup.
Once all that is done assign your IPs to the bridges, setup DHCP, DNS, and whatever else you need. Then use the firewall to block traffic between the bridges.
Make sense?
-Eric
I’m ashamed to admit I don’t know what an access port is.
Eth2/3/4 should be able to communicate with the devices connected to the HP switch on their respective VLANs.
edit : maybe it helps to provide a bigger picture of what i’m trying to achieve :
Eth2/3/4 are connected at 1gbps to some servers. The trunk from port 5 goes to the 1gbps trunk port on the switch. The rest of the switch is setup with ports 1-8 VLAN10, 9-16 VLAN20, 17-24 VLAN30.
For example the server from eth2 should be able to communicate with ports 9 to 16 from the switch.
Access Port = Untagged traffic… usually for PCs, etc… things that don’t understand VLANs
Trunk Port = Tagged Traffic Only … used between managed devices.
Mixed Port = Untagged + Tagged
My guess would be you want what I did above… Ether2/3/4 are access ports for those vlans and ether5 is the trunk.
If you wanted to you “could” do this with the switch chip instead which would give you wirespeed… but it is a bit more confusing to setup.
-Eric
Eric,
Could you take the time to show how to do it using the internal switch chip? I for one appreciate the performance hit using ROS.
Thanks in advance,
tp
Lets try… The switch chip config is a little confusing… but I “think” it would look like this…
/interface bridge
add comment=“VLAN 10 Bridge” l2mtu=1584 name=bridge-vlan10 protocol-mode=none
add comment=“VLAN 20 Bridge” l2mtu=1584 name=bridge-vlan20 protocol-mode=none
add comment=“VLAN 30 Bridge” l2mtu=1584 name=bridge-vlan30 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01-gateway
set [ find default-name=ether2 ] name=ether02-master-local
set [ find default-name=ether3 ] master-port=ether02-master-local name=ether03-slave-local
set [ find default-name=ether4 ] master-port=ether02-master-local name=ether04-slave-local
set [ find default-name=ether5 ] master-port=ether02-master-local name=ether05-slave-local
set [ find default-name=ether6 ] master-port=none name=ether06-slave-local disabled=yes
set [ find default-name=ether7 ] master-port=none name=ether07-slave-local disabled=yes
set [ find default-name=ether8 ] master-port=none name=ether08-slave-local disabled=yes
set [ find default-name=ether9 ] master-port=none name=ether09-slave-local disabled=yes
set [ find default-name=ether10 ] master-port=none name=ether10-slave-local disabled=yes
/interface vlan
add interface=ether02-master-local name=vlan10-ether02-master-local vlan-id=10
add interface=ether02-master-local name=vlan20-ether02-master-local vlan-id=20
add interface=ether02-master-local name=vlan30-ether02-master-local vlan-id=30
/interface bridge port
add bridge=bridge-vlan10 interface=vlan10-ether02-master-local
add bridge=bridge-vlan20 interface=vlan20-ether02-master-local
add bridge=bridge-vlan30 interface=vlan30-ether02-master-local
/interface ethernet switch port
set ether02-master-local vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether03-slave-local vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether04-slave-local vlan-mode=secure vlan-header=always-strip default-vlan-id=30
set ether05-slave-local vlan-mode=secure vlan-header=add-if-missing
set switch1-cpu vlan-mode=secure vlan-header=add-if-missing
/interface ethernet switch vlan
add vlan-id=10 switch=switch1 ports=ether02-master-local,ether05-master-local,switch1-cpu
add vlan-id=20 switch=switch1 ports=ether03-master-local,ether05-master-local,switch1-cpu
add vlan-id=30 switch=switch1 ports=ether04-master-local,ether05-master-local,switch1-cpuNOTE: This will drop ALL Untagged traffic.
See: http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
This is basically http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Example_-_802.1Q_Trunking_with_Atheros_switch_chip_in_RouterOS_v6 … the trunk example except I extended it to use the switch1-cpu also which allows routeros (e.g. the CPU) to actually see the packets and allow you to route through to ether1 using nat or whatever.
You could actually even use the switch chip or bridge rules to block the intra-vlan traffic and it would be faster than the ip filter rules also. Switch chip would be the fastest… bridge second, and ip filter slowest.
Hi Guys,
Sorry for the hijack, I followed this for my 951G-2hng V6.28.
I only have 2 VLANS one for a private network and the other for a hotspot. I also have a WiFi VAP bridged to each VLAN
My issue is whenever I put this line in “set switch1-cpu vlan-mode=secure vlan-header=add-if-missing” I loose the wan port it won’t obtain an address from the bridged cable modem.
Can anyone help or suggest another/better way to do this?
Hi guys.
Can help me with setup vlan on mikrotik 5.26 installed on x86 with realtek RTL8111C.
I have problem with understanding how vlans need to setup on mikrotik.
I use schem:
cisco-vlan-mikrotik.jpg
Cloud is a interface of my PC and to PC connected the mikrotik.
my R2 router have swith module, which configured: port 1/0 as trunk(vlan20) and port 1/1 as access(vlan20).
On mikrotik config:
/interface vlan
add arp=enabled disabled=no interface=ether1 l2mtu=16379 mtu=1500 name=\
ether1.20 use-service-tag=no vlan-id=20
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=16379 max-message-age=20s mtu=1500 \
name=br-vlan20 priority=0x8000 protocol-mode=none transmit-hold-count=6
add address=192.168.20.13/24 disabled=no interface=br-vlan20 network=\
192.168.20.0
and port
bridge-port.jpg
Then i start ping from linux-microcore-1 PC in GNS3 and launch wireshark on my PC and i can see the pakets with tag
wireshark1.jpg
where 192.168.20.20 IP of linux-microcore-1
and 192.168.20.13 IP of br-vlan int. mikrotik
But if I start ping on mikrotik, no matter what of interface use ether1.20(vlan) br-vlan20 ether1 i dont see pakets with tag: