Beginning RouterOS 7 config- need help with enabling vlan filtering

RouterOS Beginner Basics
1

Just building this out but got stuck when i put on vlan filtering on the bridge. Did some searching but never found a complete answer.

There is no IP on MGMT as I use a direct connect ethernet cable to the MGMT/BOOT port and connect via MAC.

I could not find a similar config.

I have HW offload turned on in the winbox interface but it does not seem to show up in the config.

Been a while since i did a bunch of command line stuff.

So removing the vlan filtering using an RJ45 serial console cable was interesting :slight_smile:

Just trying to get the admin port to work when i turn on vlan filtering.

Thanks



/interface bridge
add admin-mac=18:FD:74:3F:15:B7 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface vlan
add interface=bridge name=VLAN7-VVID vlan-id=7
add interface=bridge name=VLAN8-VPLX vlan-id=8
add interface=bridge name=VLAN17-VIOT vlan-id=17
add interface=bridge name=VLAN20-VCST vlan-id=20
add interface=bridge name=VLAN21-VSEC vlan-id=21
add interface=bridge name=VLAN22-VRK vlan-id=22
add interface=bridge name=VLAN23-VPRN vlan-id=23
add interface=bridge name=VLAN24-VMSC vlan-id=24
add interface=bridge name=VLAN99-MGMT vlan-id=99
add interface=bridge name=VLAN111-CORE vlan-id=111
add interface=bridge name=VTRUNK1111-QSFP1-4 vlan-id=1111
add interface=bridge name=VTRUNK1112-QSFP15-8 vlan-id=1112
/interface list
add name=LAN
add name=MGMT
add name=VTRUNK1
add name=VLAN111
add name=VLAN7
add name=VLAN8
add name=VLAN17
add name=VLAN20
add name=VLAN21
add name=VLAN22
add name=VLAN23
add name=VLAN24
add name=VLAN99
add name=VTRUNK2
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=!ether1 ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus1-1 internal-path-cost=10 path-cost=10 pvid=1111
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus1-2 internal-path-cost=10 path-cost=10 pvid=1111
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus1-3 internal-path-cost=10 path-cost=10 pvid=1111
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus1-4 internal-path-cost=10 path-cost=10 pvid=1111
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus2-1 internal-path-cost=10 path-cost=10 pvid=1112
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus2-2 internal-path-cost=10 path-cost=10 pvid=1112
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus2-3 internal-path-cost=10 path-cost=10 pvid=1112
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=qsfpplus2-4 internal-path-cost=10 path-cost=10 pvid=1112
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10 pvid=111
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10 pvid=111
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10 pvid=111
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10 pvid=111
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus5 internal-path-cost=10 path-cost=10 pvid=111
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus6 internal-path-cost=10 path-cost=10 pvid=111
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10 pvid=8
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus9 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus10 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus11 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus12 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus13 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus14 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus15 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus16 internal-path-cost=10 path-cost=10 pvid=7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus17 internal-path-cost=10 path-cost=10 pvid=17
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus18 internal-path-cost=10 path-cost=10 pvid=17
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus19 internal-path-cost=10 path-cost=10 pvid=17
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus20 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus21 internal-path-cost=10 path-cost=10 pvid=21
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus22 internal-path-cost=10 path-cost=10 pvid=22
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus23 internal-path-cost=10 path-cost=10 pvid=23
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus24 internal-path-cost=10 path-cost=10 pvid=24
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=VLAN111-CORE vlan-ids=111
add bridge=bridge tagged=VLAN7-VVID vlan-ids=7
add bridge=bridge tagged=VLAN8-VPLX vlan-ids=8
add bridge=bridge tagged=VLAN17-VIOT vlan-ids=17
add bridge=bridge tagged=VLAN20-VCST vlan-ids=20
add bridge=bridge tagged=VLAN21-VSEC vlan-ids=21
add bridge=bridge tagged=VLAN22-VRK vlan-ids=22
/interface list member
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp-sfpplus14 list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface=sfp-sfpplus16 list=LAN
add interface=sfp-sfpplus17 list=LAN
add interface=sfp-sfpplus18 list=LAN
add interface=sfp-sfpplus19 list=LAN
add interface=sfp-sfpplus20 list=LAN
add interface=sfp-sfpplus21 list=LAN
add interface=sfp-sfpplus22 list=LAN
add interface=sfp-sfpplus23 list=LAN
add interface=sfp-sfpplus24 list=LAN
add interface=qsfpplus1-1 list=VTRUNK1
add interface=qsfpplus1-2 list=VTRUNK1
add interface=qsfpplus1-3 list=VTRUNK1
add interface=qsfpplus1-4 list=VTRUNK1
add interface=qsfpplus2-1 list=VTRUNK2
add interface=qsfpplus2-2 list=VTRUNK2
add interface=qsfpplus2-3 list=VTRUNK2
add interface=qsfpplus2-4 list=VTRUNK2
add interface=ether1 list=MGMT
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.111.1.0/24 interface=VTRUNK1111-QSFP1-4 network=10.111.1.0
add address=10.7.0.0/24 interface=VLAN7-VVID network=10.7.0.0
add address=10.8.0.0/24 interface=VLAN8-VPLX network=10.8.0.0
add address=10.17.0.0/24 interface=VLAN17-VIOT network=10.17.0.0
add address=10.20.0.0/24 interface=VLAN20-VCST network=10.20.0.0
add address=10.21.0.0/24 interface=VLAN21-VSEC network=10.21.0.0
add address=10.22.0.0/24 interface=VLAN22-VRK network=10.22.0.0
add address=10.23.0.0/24 interface=VLAN23-VPRN network=10.23.0.0
add address=10.24.0.0/24 interface=VLAN24-VMSC network=10.24.0.0
add address=10.99.0.0/24 interface=VLAN99-MGMT network=10.99.0.0
add address=10.112.1.0/24 interface=VTRUNK1112-QSFP15-8 network=10.112.1.0
add address=10.1.1.0/24 interface=VLAN111-CORE network=10.1.1.0
/ip arp
add address=10.1.0.100 interface=bridge mac-address=54:E1:AD:E6:04:9C
/ip dhcp-client
add disabled=yes interface=bridge
/ip dhcp-relay
add dhcp-server=10.1.1.1 disabled=no interface=VLAN111-CORE local-address=10.1.1.3 name=VLAN111-CORE-Relay
add dhcp-server=10.24.0.1 disabled=no interface=VLAN24-VMSC local-address=19.24.0.3 name=VLAN24-MSC-relay
add dhcp-server=10.23.0.1 disabled=no interface=VLAN23-VPRN local-address=10.23.0.3 name=VLAN23-VPRN-relay
add dhcp-server=10.22.0.1 disabled=no interface=VLAN22-VRK local-address=10.22.0.3 name=VLAN22-VRK-relay
add dhcp-server=10.21.0.1 disabled=no interface=VLAN21-VSEC local-address=10.21.0.3 name=VLAN21-VSEC-relay
add dhcp-server=10.20.0.1 disabled=no interface=VLAN20-VCST local-address=10.20.0.3 name=VLAN20-VCST-relay
add dhcp-server=10.17.0.1 disabled=no interface=VLAN17-VIOT local-address=10.17.0.3 name=VLAN17-VIOT-relay
add dhcp-server=10.8.0.1 disabled=no interface=VLAN8-VPLX local-address=10.8.0.3 name=VLAN8-PLX-Relay
add dhcp-server=10.7.0.1 disabled=no interface=VLAN7-VVID local-address=10.7.0.3 name=VLAN7-VVID-relay
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=CORE
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
2

You can use code commands to encapsulate your config! ( black square with white square brackets on the same line as Bold Underline etc…)

Typically when first setting up bridge vlan filtering and later on if I screw something up on the bridge, I setup an off bridge access. Makes life much easier!
https://forum.mikrotik.com/viewtopic.php?t=181718

In terms of interface lists…
Used for 2 or more interfaces that will have the same rules (except management subnet which can be a single interface but also needs to be a list entry )
Typically WAN is included as well,

/interface list
add name=WAN
add name=LAN
add name=MGMT
add name=VTRUNK

Same with list members, these are the working interfaces not all the ports!!
/interface list member
EACH VLAN interface is a member of the LIST=LAN
The two Trunk vlan interfaces are also members of LIST=VTRUNK
Vlan99 interface is a member of the LIST=MGMT
ETHERPORT?? is a member of the LIST=WAN

No idea what this is doing here… bridge should not have any address or dhcp etc…
/ip arp
add address=10.1.0.100 interface=bridge mac-address=54:E1:AD:E6:04:9C

Where is the WAN ( internet ) coming from??

Finally, all your /interface bridge ports and bridge vlans settings are wrong, highly suggest you read this…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

3

First thanks for the quick reply. This is more of a bulletin board than a forum too many hard coded formatting fields and the quick buttons at the top do not work for me either :slight_smile: As you can see by the time stamp on my message i don’t really have time for formatting :slight_smile:

  1. Yes the interface lists are there for rules - i assume i can use them in the FW rules
    a) I deleted WAN and I am not referring to lists currently so that need to be cleaned up most of it is from the default config
    b) the interface and structure is a bit odd with regards to vlans, interfaces, lists, etc.. my past experience with other vendors products was more structured
    c) I did not have a chance to remove the LAN lists stuff as i locked myself out of the MGMT Interface
  2. There is no WAN here this is an internal network sitting behind an existing firewall - that is what the trunk ports are for
    internet → Firewalla Gold → Mikrotik switch → VLANs
  3. The two trunk lists are for the two QFSP+ ports which I will use part of one to uplink to my Firewalla 2.5gb port. Don’t need much more than that as my bandwidth is only 1.4gb
  4. The other VLANs are for various segmentation which i want to HW offload and use the firewall rules/filters to secure. I am trying to segment as much as possilbe.
  5. the ip/ARP was from the last config also - i have not deleted it but will
  6. the older posts you refer to do not encompass the newer switches and using HW offloading they are simple configs which do not really apply except to learn a basic config which will completely change to implement bridge/routing HW offloading with stateless inspection. But I read them for base level knowledge.
  7. I need to find a config where the MGMT interface is added so that I can use the dedicated Ether1 port only for mgmt with no IP and no routing of MAC. I have yet to find one.

I need a sample config which has HW offloading using router OS and VLAN trunking setup so I can mirror and learn.

I also posted a question about using two switches or a router @ wire speed to accomplish what i can’t do with one switch because I am limited to either HW offloading for VLANs with filtering and stateless inspection or HW offloading for FW and stateful inspection.

Hopefully that makes sense.

4

I suggest you read the post in the link anav provided at the end of his answer.
Read it.
Digest it.
Read it again.
Test. Fail.
Read again.
Rince and repeat until it sinks in.

You may not have time to use proper formatting but you will need to spend time to learn how to apply vlans or it will never work.

5

To be clear, you have to communicate more accurately.
What device do you have,
Provide a network diagram.

It may very well be that you are talking about a switch not a router and I was giving advice thinking it was a router etc…

6

Although you have not explicitly provided information about the hardware you are using from the

/interface list member

part of your partial configuration export it is deductible that you are working on a CRS326-24S+2Q+RM switch.

The documentation’s CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features part provides an overview of the equipment’s capability and also sample configurations also for VLAN. The L3 Hardware Offloading part of the documentation provides more specific examples on hardware accelerated setup scenarios.

7

https://www.youtube.com/watch?v=YLtGQAQ8iS0

8

Another thing not to forget about is to setting up of the bridge priority, and path costs. Working costs:
for 100 Mbps port(s):

internal-path-cost=100000 path-cost=100000

for 1 Gbps port(s):

internal-path-cost=10000 path-cost=10000

for 10 Gbps port(s) (like sfp-sfpplus1 to sfp-sfpplus24 and qsfpplus1-1 to qsfpplus2-4):

internal-path-cost=1000 path-cost=1000

for 40 Gbps port(s):

internal-path-cost=600 path-cost=600

Also don’t forget setting up the properties of the bridge (an example if there is a multicast router is already present on the network) on

/interface bridge
set 0 add-dhcp-option82=yes  comment="SFP+ 1 to SFP+ 24 and \
    QSFP 1 to QSFP 2 are bridged" dhcp-snooping=yes igmp-snooping=yes \
    igmp-version=3 mld-version=2 name=bridge \
    priority=0x6000 protocol-mode=mstp region-name=NAME_OF_YOUR_MSTP_REGION \
    arp=enabled arp-timeout=auto auto-mac=no \
    admin-mac=THE_MAC_ADDRESS_OF_YOUR_PREFERRED_PORT \
    disabled=no ether-type=0x8100 ingress-filtering=yes \
    mtu=10218 to multicast-querier=no multicast-router=temporary-query \
    port-cost-mode=long vlan-filtering=yes

Tough not related, nevertheless set the temperature limits for the used SFP+ and QSFP modules to match their specifications at

/interface ethernet

with the

sfp-shutdown-temperature=the_limit_in_C

parameter.


Since ether1 is not attached to the 98DX8332 switch chip rather the QCA9531 CPU it is not necessarily a good idea to add it to the bridge which contain the SFP+ and QSFP ports of the switch.