Hi! After many years of using MikroTik devices I finally need to implement VLANs, and so far with no luck. I have read a lot of material, but because my network is not as simple as in the examples, and because my different devices need different VLAN implementations (some through bridges, some through switch chips), I'm stuck.
Here is a diagram of what I want to achieve.
So, I need two VLANs. VLAN1 is the main home network (also the management network) and VLAN2 is a guest network with less access.
DHCP, DNS, NAT, VPNs, common firewall rules and all other main network services are on the R1 router; it's my central router. R2 is a dumb AP. R3 is a dumb switch.
Because I need DHCP on R1, I can't configure it like a dumb switch with VLANs through the switch chip as in most of the examples. I tried making two bridges (the CRS112 can do hw-offload on many bridges) with VLANs in them, with no luck. I tried making one bridge with two VLANs on it, also with no luck. I tried making VLANs on the switch chip, again with no luck.
Given the weak CPU on R1, I need to use hw-offload whenever I can.
So I'd be very pleased if anybody could help me. I do not need help with DNS, DHCP and the other services; all I need is to figure out how to make VLANs on R1 and R2, taking the device models into account, because as I understand it the CRS112 is a special case when it comes to VLANs.
What you are proposing is pretty straightforward. Unfortunately I don't use bridges in RouterOS, so I can't help you with that part. You should only need one bridge.
One thing I will strongly suggest: do not use VLAN 1. Too many devices out there treat VLAN 1 as "special", and it can cause unexpected results. It is not a problem with either RouterOS or SwitchOS, but depending on what other devices get connected to the network, it could be an issue. Use any other valid number, but avoid VLAN 1.
Oh, yeah, I know. I didn't use vlan-id=1. By the labels VLAN1 and VLAN2 on the network diagram I mean that there is one VLAN and there is another. The actual VLAN IDs were 10 and 20.
ONE bridge on each device.
All VLANs with interface bridge (the bridge does no DHCP).
Each device has a MANAGE interface list, with the trusted subnet as the only member.
The AP is simply an AP/switch; the only VLAN identified is the trusted VLAN, and its IP address is a static IP on the trusted VLAN.
Do not use vlan-id=1. Stick to anything but, e.g. vlan10-trusted, vlan20-guest.
hAP ac example... assuming vlan10 is 192.168.10.0/24, vlan20 is 192.168.20.0/24 and the IP of the hAP ac is 192.168.10.84/24:
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess5
/interface vlan
add interface=bridgegym name=homeVlan vlan-id=10 comment="mandatory: the management vlan must be defined in /interface vlan - do not put any other vlans here"
/interface list
add name=management
/interface wireless
/interface bridge port
add bridge=bridgegym frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 comment="trunk to router"
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=homeWLAN pvid=10
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=guestWLAN pvid=20
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=ether2,homeWLAN vlan-ids=10 comment="bridge itself tagged so the management /interface vlan gets traffic"
add bridge=bridgegym tagged=ether1 untagged=ether3,guestWLAN vlan-ids=20
/interface list members
add interface=homeVlan list=management
add interface=emergaccess5 list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0 comment="IP of hAP ac on trusted subnet"
add address=192.168.55.1/24 interface=emergaccess5 network=192.168.55.0 comment="ether5 emergency access off the bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
The CCR would not be significantly different, other than that you need firewall rules.
You need to define all the VLANs, including IP pool, IP address, DHCP server and DHCP-server network.
Also define the interface lists LAN, WAN and management.
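As an added example for this thread (not code from the post or from MikroTik), here is a small Python audit that reads a RouterOS export in the plain form shown above and checks the settings the hAP ac config above relies on to keep guest hosts out of the trusted VLAN: vlan-filtering enabled on the bridge, ingress-filtering on every bridge port, explicit frame-types (so an access port cannot send its own 802.1Q tags), an access port's pvid matching its untagged membership in /interface bridge vlan, and the management VLAN tagged on the bridge interface itself. Both sample exports are constructed: the first is a trimmed copy of the config above, the second a deliberately weaker variant that leaves the guest port at RouterOS defaults.

```python
"""Audit a RouterOS bridge-VLAN export for the settings that stop VLAN hopping.

Added example for this thread; not MikroTik code. Parses the '/interface bridge',
'/interface bridge port' and '/interface bridge vlan' sections of an export.
"""
import shlex
from collections import defaultdict

# Constructed sample 1: trimmed copy of the hAP ac config from the thread.
GOOD_EXPORT = """
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface bridge port
add bridge=bridgegym frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 comment="trunk to router"
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=ether2 vlan-ids=10
add bridge=bridgegym tagged=ether1 untagged=ether3 vlan-ids=20
"""

# Constructed sample 2: guest port left at RouterOS defaults (frame-types=admit-all,
# no ingress filtering) and the management VLAN not tagged on the bridge itself.
WEAK_EXPORT = """
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=ether1 vlan-ids=10
"""


def parse_export(text):
    """Map each '/...' section to its 'add'/'set' entries as {key: value} dicts."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps comment="with spaces" as one token
        if section is None or tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
        sections[section].append(entry)
    return sections


def _members(value):
    """Split a comma list such as 'ether1,bridgegym' into a set."""
    return {m for m in value.split(",") if m}


def audit_bridge_vlans(text, management_vlan):
    """Return a list of findings; an empty list means the export passed every check."""
    cfg = parse_export(text)
    findings = []
    for entry in cfg["/interface bridge"]:
        if entry.get("vlan-filtering") != "yes":
            findings.append(f"bridge {entry.get('name')}: vlan-filtering is not 'yes', ports are not isolated")

    access_pvid = {}
    for port in cfg["/interface bridge port"]:
        iface = port.get("interface")
        frame_types = port.get("frame-types", "admit-all")  # RouterOS default
        if port.get("ingress-filtering") != "yes":
            findings.append(f"port {iface}: ingress-filtering is not 'yes', tagged frames for non-member VLANs are accepted")
        if frame_types == "admit-all":
            findings.append(f"port {iface}: frame-types=admit-all lets a host send its own 802.1Q tags (VLAN hopping)")
        elif frame_types == "admit-only-untagged-and-priority-tagged":
            if "pvid" not in port:
                findings.append(f"port {iface}: access port without explicit pvid lands in VLAN 1")
            access_pvid[iface] = port.get("pvid", "1")  # bridge port pvid defaults to 1

    untagged, tagged = defaultdict(set), defaultdict(set)
    for row in cfg["/interface bridge vlan"]:
        for vid in _members(row.get("vlan-ids", "")):
            for iface in _members(row.get("untagged", "")):
                untagged[iface].add(vid)
            for iface in _members(row.get("tagged", "")):
                tagged[iface].add(vid)

    for iface, pvid in access_pvid.items():
        if untagged[iface] != {pvid}:
            findings.append(f"port {iface}: pvid {pvid} but untagged VLAN membership is {sorted(untagged[iface]) or 'none'}")
    for entry in cfg["/interface bridge"]:
        name = entry.get("name")
        if str(management_vlan) not in tagged[name]:
            findings.append(f"bridge {name}: management VLAN {management_vlan} is not tagged on the bridge itself, so its /interface vlan sees no traffic")
    return findings


if __name__ == "__main__":
    for label, export in (("post config", GOOD_EXPORT), ("weak variant", WEAK_EXPORT)):
        result = audit_bridge_vlans(export, management_vlan=10)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Feed it the output of `/export` (or the relevant sections pasted from it) and the management VLAN ID; the first sample reports nothing, while the weak variant reports the open guest port twice (frame-types and ingress-filtering) and the missing tag for VLAN 10 on the bridge.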
AP [R2] configuration. Here I have vlan10 and vlan20. vlan10 is the main/management VLAN, so it has a DHCP client and is made with /interface vlan, not only /interface bridge vlan; vlan20 is the guest VLAN; ether3 is the trunk port to the main router [R1].
Firewalls are completely disabled on both devices.
Router [R1] configuration. Here I have vlan10 and vlan20 configured via /interface vlan, /interface bridge vlan and via the switch chip; ether3 is the trunk port to the AP [R2].
I think the issue is somewhere in the switch chip configuration. The manuals say that the CRS series needs to be configured in a special way for VLANs, but all the examples I found end with port switching, and none of them shows how to pass VLAN traffic to the CPU.