Config VLAN and trunk between RB4011 router and CRS328 switch (running RouterOS)

Hi,

I would like to configure my network with an RB4011 router and a CRS328 as shown in the diagram below.

I tried to apply the config as below. However, the config doesn't work.

(Switch)

[admin@MikroTik] > /export

jan/02/1970 01:15:00 by RouterOS 6.48.1

software id = 801C-59LB

model = CRS328-24P-4S+

serial number = D7620CF6AE89

/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
add interface=Bridge name=Vlan-WiFi vlan-id=50
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
add bridge=Bridge interface=ether1 pvid=10
add bridge=Bridge interface=ether2 pvid=10
add bridge=Bridge interface=ether19 pvid=50
add bridge=Bridge interface=ether20 pvid=50
add bridge=Bridge interface=ether21 pvid=50
add bridge=Bridge interface=ether22 pvid=50
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 untagged=Bridge,ether1,ether2 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 untagged=Bridge,ether19,ether20,ether21,ether22,ether23 vlan-ids=50
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static allow-from-ports=p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28 identity=Switch static-ip-address=192.168.1.251


(Router)

[admin@MikroTik] > /export

jan/02/1970 00:52:51 by RouterOS 6.48.2

software id = MPYV-N028

model = RB4011iGS+

serial number = D4450C9894D9

/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
add interface=Bridge name=Vlan-WiFi vlan-id=50
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=50
/ip address
add address=192.168.10.254/24 interface=Vlan-PC network=192.168.10.0
add address=192.168.50.254/24 interface=Vlan-WiFi network=192.168.50.0

Did you see and read this: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 ?
There is no exception from what is stated there for your setup; you’ll want the router-on-a-stick scenario.

I think my scenario is the “switch with a separate router” one.

I was trying to configure my switch using the commands from the provided switch configuration.
Once I enable vlan-filtering, I cannot connect to the switch anymore.

I’ve not been through the configs in detail, but on the router
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=50
should be
/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=50

Similarly, on the switch the bridge itself (in its bridge port role) should be included as a tagged VLAN member, as required for management access to the switch. You do not need /interface vlan entries for every VLAN, only for the ones used for management access to the switch. There also do not appear to be any IP addresses attached to the VLANs for management access.

(1) You can improve the bridge ports (CLI values for the “allow only tagged frames” / “allow priority and untagged frames” WinBox labels):
add bridge=Bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=Bridge interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
Repeat the same for all access ports, 2-22.

(2) The bridge must be tagged when bridge ports are heading towards other devices, and to ensure the device itself (in this case a switch) can be assigned an IP from the main LAN or management VLAN. The bridge is not usually untagged; never seen it before. By the way, the router automatically assigns untagged ports based on the PVID settings of the bridge ports, so technically you do not have to add them explicitly as we are doing below. However, I think it’s good practice to do so, as it makes a config far easier to read and understand.

/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 untagged=ether1,ether2 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 untagged=ether19,ether20,ether21,ether22 vlan-ids=50

In the case above I do not know which VLAN contains the “MAIN” LAN or management VLAN, but whichever one that IS, 10 or 50, would need a tagged Bridge. Since there are no smart devices on any of the other bridge ports, tagging the bridge is not required otherwise. There will always be one trunk port (the uplink to the router in this case), and it will carry the MAIN VLAN or management VLAN.

(3) TDW is correct on the router side: since the trunk port is carrying tagged VLANs, the bridge must also be tagged.
What should be mentioned is the following.
a. any vlan-id that has a unique set of tagged and untagged bridge ports requires a separate line
b. vlan-ids that have the same set of tagged and untagged bridge ports can be on the same line.

Thus the above can be configured like so:
/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=10,50

(4) However, since none of the other ports are identified, no WLANs are identified, and the rest of the config is not available, there is no guarantee anything will work.
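The two replies above boil down to a handful of checkable rules: every interface named in the VLAN table must actually be a bridge port, the bridge itself must be a tagged member of any VLAN that carries a management /interface vlan, that interface needs an /ip address, and trunk versus access ports should carry strict frame-types with ingress filtering. The following is an added example, not code from this thread or from MikroTik, that encodes those rules as a small linter over the plain `add key=value` lines that /export prints. The first sample is the switch export from the question (copied from it; ether23 is included exactly as posted); the second is a constructed rewrite of that switch in the direction the replies suggest, with the real RouterOS values `admit-only-vlan-tagged` and `admit-only-untagged-and-priority-tagged`. Section names, keys and values are RouterOS’s own; the function names and the check wording are mine.

```python
"""Lint a RouterOS bridge-VLAN-filtering /export against the advice in this thread (added example)."""
from collections import defaultdict

# Sample 1: relevant sections of the CRS328 export posted in the question (unchanged).
SWITCH_EXPORT = """\
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
add interface=Bridge name=Vlan-WiFi vlan-id=50
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
add bridge=Bridge interface=ether1 pvid=10
add bridge=Bridge interface=ether2 pvid=10
add bridge=Bridge interface=ether19 pvid=50
add bridge=Bridge interface=ether20 pvid=50
add bridge=Bridge interface=ether21 pvid=50
add bridge=Bridge interface=ether22 pvid=50
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 untagged=Bridge,ether1,ether2 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 untagged=Bridge,ether19,ether20,ether21,ether22,ether23 vlan-ids=50
"""

# Sample 2: constructed rewrite of the same switch along the lines of the replies (management on VLAN 10).
FIXED_EXPORT = """\
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=Bridge interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=Bridge interface=ether19 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=50
/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 untagged=ether1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 untagged=ether19 vlan-ids=50
/ip address
add address=192.168.10.253/24 interface=Vlan-PC network=192.168.10.0
"""

def parse_export(text):
    """Map each '/section' line to a list of {key: value} dicts, one per add/set line."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("add", "set"):
            continue
        entry = {}
        for tok in rest.split():
            if "=" in tok:  # tokens such as '[', 'find', ']' carry no key=value
                key, val = tok.split("=", 1)
                entry[key] = val
        sections[current].append(entry)
    return sections

def _vids(value):
    """Expand 'vlan-ids=10,20-22' into ['10', '20', '21', '22']."""
    out = []
    for part in value.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.extend(str(v) for v in range(int(lo), int(hi) + 1))
        elif part:
            out.append(part)
    return out

def _members(value):
    return {m for m in value.split(",") if m}

def lint_bridge_vlans(text):
    """Return human-readable findings; an empty list means none of the checks fired."""
    cfg, findings = parse_export(text), []
    bridges = {e["name"] for e in cfg["/interface bridge"] if "name" in e}
    for e in cfg["/interface bridge"]:
        if e.get("vlan-filtering") != "yes":
            findings.append(f"bridge {e.get('name')}: vlan-filtering is not yes, so the VLAN table is ignored")
    ports = {e["interface"]: e for e in cfg["/interface bridge port"] if "interface" in e}
    tagged, untagged = defaultdict(set), defaultdict(set)
    for e in cfg["/interface bridge vlan"]:
        for vid in _vids(e.get("vlan-ids", "")):
            tagged[vid] |= _members(e.get("tagged", ""))
            untagged[vid] |= _members(e.get("untagged", ""))
    trunks = {p for members in tagged.values() for p in members if p in ports}
    # Rule 1: every VLAN member must be a bridge port or the bridge itself.
    for vid in sorted(set(tagged) | set(untagged), key=int):
        for iface in sorted((tagged[vid] | untagged[vid]) - set(ports) - bridges):
            findings.append(f"vlan {vid}: {iface} is listed as a member but is not a bridge port")
    # Rule 2: a management /interface vlan on the bridge needs the bridge tagged and an IP address.
    with_ip = {e.get("interface") for e in cfg["/ip address"]}
    for e in cfg["/interface vlan"]:
        br, vid, name = e.get("interface"), e.get("vlan-id"), e.get("name")
        if br not in bridges:
            continue
        if br not in tagged.get(vid, set()):
            how = "untagged" if br in untagged.get(vid, set()) else "absent"
            findings.append(f"vlan {vid}: {name} rides on {br} but the bridge is {how}, not tagged, in that VLAN")
        if name not in with_ip:
            findings.append(f"{name}: no /ip address, so there is no management access over it")
    # Rule 3: trunks admit only tagged frames, access ports only untagged ones, both with ingress filtering.
    for name, p in sorted(ports.items()):
        if name in trunks:
            if p.get("frame-types") != "admit-only-vlan-tagged" or p.get("ingress-filtering") != "yes":
                findings.append(f"trunk {name}: set frame-types=admit-only-vlan-tagged ingress-filtering=yes")
            continue
        pvid = p.get("pvid", "1")
        if pvid not in tagged and pvid not in untagged:
            findings.append(f"access {name}: pvid {pvid} has no /interface bridge vlan entry")
        if p.get("frame-types") != "admit-only-untagged-and-priority-tagged" or p.get("ingress-filtering") != "yes":
            findings.append(f"access {name}: set frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes")
    return findings

if __name__ == "__main__":
    for label, export in (("original", SWITCH_EXPORT), ("fixed", FIXED_EXPORT)):
        result = lint_bridge_vlans(export)
        print(f"== {label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the posted export it reports ether23 as a member that is not a bridge port, the bridge being untagged rather than tagged in VLANs 10 and 50, no /ip address on either management interface, and the missing frame-types on the trunk and on each access port; the rewritten sample passes clean. The parser deliberately ignores the backslash-continued lines and `[ find ... ]` forms a real export can contain, so paste the relevant sections rather than a whole export.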

Hi Anav,

I didn’t expect I would need a management VLAN. However, once I read some articles, it seems it is a must.
Also, my network includes WLAN; I still have no idea how to configure 2 VLANs for the guest and home Wi-Fi networks.
I will have a try first. If I cannot make it, I hope you can give me some further help.

Thank you!

Best regards

The management VLAN can simply be your home LAN; no need to create another one.
The way I look at it, the management LAN is the one you, as the admin, are on all the time.
I also recommend taking one router port and making it its own ethernet interface with a small pool, DHCP etc., OFF the bridge, as emergency access to the router in case something gets frigged on the bridge. All one needs to do is plug their laptop into it and have access to the router.
Make the main VLAN you are on AND the etherX-Emerg interface members of an interface list called MGMT:
So bridge list=LAN
So etherX-emerg list =LAN
So vlanmain=MGMT
So etherX-emerg=MGMT

That way making firewall rules is simple and quick.
Also make an adminaccess firewall address list (assuming statically fixed IPs, done on the router):
for admin desktop IP
for admin laptop IP
for admin smartphone IP
for admin emergX-IP

Therefore, for input chain rules, besides a few default rules…
/ip firewall filter
add chain=input action=accept in-interface-list=MGMT src-address-list=adminaccess comment="ensure only the admin has full access to the router"
(you will also need DNS accept rules for TCP/UDP port 53)
and then a drop-all-else rule can be administered.

Therefore, for forward chain rules, besides the first few default rules,
add chain=forward action=accept in-interface-list=MGMT out-interface=Bridge src-address-list=adminaccess comment="gives admin access to all subnets"
add allow LAN to WAN traffic as appropriate
allow access to shared devices
allow port forwarding if required
drop all else.

As for WLANs on the router, WLANs are considered bridge ports, and since traffic will be untagged when it reaches the users, each gets a PVID setting.
Wireless settings do not include VLANs.
However, VLANs are tied to WLANs via the bridge port setting.

If you are connecting other Wi-Fi devices, MT Wi-Fi is similar per device (bridge setup etc.) and other vendors have their own methods (assuming they are smart devices capable of handling tagged VLANs; if not, they are dumb devices capable of hosting one subnet (WLAN) only).

Why use Bridge VLAN filtering on your router ?

A. because it works
B. because it’s easy to implement.
C. because there is no letter z in Bridge VLAN filtering :stuck_out_tongue_winking_eye:

A. Without bridge VLAN filtering it would work as well… just using software VLANs (/interface vlan) would be enough… if there is only a trunk port on the router I don’t see a reason why someone would enable bridge VLAN filtering..
B. It is easy indeed… but not necessary in this implementation…
C. Don’t really understand this…

Ahh you were referring to the switch.
Well I am used to two methods,
SwOS or bridge vlan filtering, I know both well enough and both work,
If you have another method feel free to chime in…

No, I am referring to the router…
There are many examples; one is here: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs#CAPsMAN_Router
If you take a look there, the trunk port on the router is simply configured without any need for Bridge VLAN filtering or switch configuration… just software configuration of the VLANs…

That link shows no such thing, but does show a full-up bridge port and bridge VLAN configuration, so what’s your point?
In addition, the example is missing the IP address assignments.

In summary, if you are using VLANs, bridge ports are not necessary if it’s one VLAN per interface, but in that case VLANs are not required either.
As soon as you mix two or more subnets per interface, VLANs and bridge ports are very useful.

The link shows exactly what I’ve posted earlier… if you look again under the CAPsMAN router configuration there is no bridge configuration at all…

Just the trunk port, ether1, configured with VLANs as a trunk port…

No, nothing is missing… check again…

I would set up a router with Bridge VLAN filtering only if there was the need for it to act as a switch as well…

Ahh okay, I kept reading to the next section.
Interesting, but of no interest to me as I don’t use CAPsMAN nor any of its functionality.
When and if I do (aka when hell freezes over) it would mean MT has useful Wi-Fi products. :slight_smile:
Unless I have more than 3 Wi-Fi devices, I have no use for CAPsMAN as an extra layer of extra config hassles and CPU overhead.

One only has to peruse the Wi-Fi forum to realize that CAPsMAN is not straightforward to implement and gets folks all tripped up.

Yet another disadvantage of CAPsMAN is that if the host router goes down, every AP goes down with it (bad news if you have VRRP).

@anav… the VLAN implementation of the example is not CapsMAN dependent…
I honestly do not understand how you made this conclusion…

It is a VLAN implementation that simply happens to be on a CAPsMAN configuration… it could be anything else…
You could set up a router with ether1 as trunk port or the SFP as trunk port, you choose, and connect it to the trunk port of a switch that has Bridge VLAN filtering… it will work just perfectly…!

Another example of inter-VLAN routing: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN#InterVLAN_routing
All VLANs are configured on ether1.. You set IP addresses on the VLANs, DHCP etc. and you are done…

All simpler, like this (not tested, written from memory):

on RB4011iGS+

/interface vlan
add interface=sfp-sfpplus1 name=vlan-10 vlan-id=10
add interface=sfp-sfpplus1 name=vlan-50 vlan-id=50
/ip address
add address=192.168.10.254/24 interface=vlan-10 network=192.168.10.0
add address=192.168.50.254/24 interface=vlan-50 network=192.168.50.0

and on CRS328-24P-4S+

/interface vlan
add interface=sfp-sfpplus1 name=vlan-10 vlan-id=10
add interface=sfp-sfpplus1 name=vlan-50 vlan-id=50
/interface bridge
add name=bri-vlan-10
add name=bri-vlan-50
/interface bridge port
add interface=ether1 bridge=bri-vlan-10
add interface=ether2 bridge=bri-vlan-10
add interface=ether19 bridge=bri-vlan-50
add interface=ether20 bridge=bri-vlan-50
add interface=ether21 bridge=bri-vlan-50
add interface=ether22 bridge=bri-vlan-50
/ip address
add address=192.168.10.253/24 interface=bri-vlan-10 network=192.168.10.0
add address=192.168.50.253/24 interface=bri-vlan-50 network=192.168.50.0

Hi Rextended,

Thanks!

Does this configuration need to rely on the switch CPU rather than the switch chip?
I looked at many articles that said it is preferable to use bridge VLAN filtering to set up VLANs.
BTW, to me, MikroTik is very, very complicated. To set up VLANs and trunks, it looks to me like there are 3 options:

  1. Setup in the Switch tab
  2. Setup in Bridge
  3. Setup in the Interface tab

Hope someone can explain the difference.

If the device has hardware support, the VLAN switch is better, but if one of your devices is the 4011: compared with the CRS328, the 4011 “switch” is useless.

The key is how much traffic you need to be inspected by the 4011…

If more than 200Mbit/s, it is better you use the switch chip; I do not have any 4011 to test, so I do not know its switch chip.
If lower, it really does not matter whether you use the CPU or the switch chip…

If the hardware supports that, the configuration on the interface is applied by RouterOS with internal switching/fastpath, unless other parts of the configuration on the device block that (like a firewall activated on the bridge).

If you do not disable hardware offload, it is used automatically…