Hello,
I’m trying to configure my network as in the image bellow, but I am unable to configure the port from ether1 to forward traffic to port ether3.
So basically i would like ether3 to become a hybrid port to receive all the traffic from ether1 and to sent back traffic from other vlans.
I have been able to configure tagged traffic using the help mikrotik docs
Can anyone please help me with this situation ?
Please start with http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Looks doable, post your config and this will help.
Here is my config
# 1970-01-02 00:07:12 by RouterOS 7.11.2
# software id = IEFQ-RNUW
#
# model = RB760iGS
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BR1 name=MGMT_VLAN vlan-id=18
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether1 pvid=187
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether5 pvid=18
add bridge=BR1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BR1 tagged=ether3,BR1 vlan-ids=18
add bridge=BR1 tagged=ether3 vlan-ids=187
/ip address
add address=10.87.2.28/28 interface=MGMT_VLAN network=10.87.2.16
/ip route
add distance=1 gateway=10.87.2.30
/system identity
set name=SwitchHybrid
/system note
set show-at-login=no
So i’m getting everything right on VLAN18 , i’m able to ping the devices.
But when trying to connect the PPOE port on the generic router it’s telling me it’s timed out and when looking on the other side… I have asked my ISP if they see any attempt for me to connect and they told me basically there are NO attempts which means the traffic it’s not reaching the ISP.
So i’m stuck at the level that whatever i’m getting on port ether1 it’s not getting passed over to port ether3 using VLANS
Before fixing the config,
Is the ISP giving you two WANIPs ???
WHY the second router doing pppoe. ( why do you need it, all could be done via hex for example )
Is the hex acting as a switch or router?
I am thinking without a proper understanding of the setup and your intent, this could be a chasing game.
So only one device connected to pppoe router?
the topology is simple :
ISP → [ether1]HEX (acting as a switch) → [ether3] 2nd router (pppoe connection) → my internal devices behind the firewal/router
Also then on port ether5 will be an access point which should receive tagged traffic for the LAN as in my picture above.
Please do let me know if I haven’t been clear enough.
Like i said, the hex I want to be used as a managed switch with vlans only.
Remove serial number from your posted config!!
Ether3 has to be a trunk port carrying all vlans between hex switch and Router.
Ether1 and Ether5 are access ports, untagged as required when leaving the port.
I dont understand this nomenclature
add address=10.87.2.28**/28** interface=MGMT_VLAN network=10.87.2.16
I think the .16 should be .0 and the subnet mask is fine if you really only wanted 14 usable IP addresses!!
If you wanted to keep your setup as is, …close to what you have now…
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BR1 name=MGMT_VLAN vlan-id=18
/interface list
add name=TRUSTED
/interface bridge port
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=187 comment=“internet from isp”
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=18
add bridge=BR ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether3 comment=“trunk port to router”
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan { untagged entries not required, but I put them in manually so visible on printed export }
add bridge=BR1 tagged=BR1,ether3 untagged=ether5 vlan-ids=18 comment=“trusted LAN subnet”
add bridge=BR1 tagged=ether3 untagged=ether1 vlan-ids=187 comment=“vlan for carrying internet”
/interface list member
add interface=MGMT_VLAN list=TRUSTED
/ip address
add address=10.87.2.28/28 interface=MGMT_VLAN network=10.87.2.0
/ip route
add distance=1 gateway=10.87.2.30
/system identity
set name=SwitchHybrid
/system note
set show-at-login=no
/ip dns
set server=10.87.2.30
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Personally I would actually have a management VLAN and an off bridge port for for actual vlan configurating from a safe spot on both MT devices…
Management vlan is not the normal LAN subnet you are using for all users…keep management separated.
Would look like.Changes in green from your config for easy comparison.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
set [ find default-name=ether4 ] name=OffBridge4
/interface vlan
add interface=BR1 name=MGMT_VLAN vlan-id=99
/interface list
add name=TRUSTED
/interface bridge port
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=187 comment=“internet from isp”
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=18
add bridge=BR ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether3 comment=“trunk port to router”
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=BR1 tagged=ether3 untagged=ether5 vlan-ids=18 comment=“normal LAN subnet”
add bridge=BR1 tagged=ether3 untagged=ether1 vlan-ids=187 comment=“vlan for carrying internet”
add bridge=BR1 tagged=BR1,ether3, vlan-ids=99 comment=“management subnet”
/interface list member
add interface=MGMT_VLAN list=TRUSTED
add interface=OffBridge4 list=TRUSTED
/ip address
add address=192.168.99.2/30 interface=MGMT_VLAN network=192.168.99.0 { increase subnet size if have additional smart devices }
add address=192.168.44.1/30 interface=OffBridge4 network=192.168.44.0
/ip route
add distance=1 gateway=192.168.99.1
/system identity
set name=SwitchHybrid
/system note
set show-at-login=no
/ip dns
set server=192.168.99.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Note: make changes for ether4 first, then one can plug in laptop to either4, change IPV4 settings to 192.168.44.2 and you should be in and working.
if the .16 is changed to .0 the .28 will be outside the subnet.
IP Address: 10.87.2.28
Network Address: 10.87.2.16
Usable Host IP Range: 10.87.2.17 - 10.87.2.30
Broadcast Address: 10.87.2.31
Total Number of Hosts: 16
Number of Usable Hosts: 14
Subnet Mask: 255.255.255.240
…CIDR Notation: /28
IP Type: PrivateShort: 10.87.2.28 /28
I only know so much, more to learn.
I managed to get it working eventually, only one problem i have:
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether1 pvid=187
add bridge=BR1 interface=ether3 pvid=187 - [i]if I add this admit-only-vlan-tagged i'm losing access to the other VLAN's[/i]
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
my current config looks like :
# 1970-01-02 15:32:40 by RouterOS 7.11.2
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BR1 name=VLAN1 vlan-id=49
add interface=BR1 name=GUEST_VLAN vlan-id=51
add interface=BR1 name=IOT_VLAN vlan-id=13
add interface=BR1 name=MGMT_VLAN vlan-id=18
add interface=BR1 name=VLAN2 vlan-id=40
add interface=BR1 name=VLAN3 vlan-id=44
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether1 pvid=187
add bridge=BR1 interface=ether3 pvid=187
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
/interface bridge vlan
add bridge=BR1 tagged=ether3,ether5,BR1 vlan-ids=18
add bridge=BR1 tagged=ether3,ether5,BR1 vlan-ids=40
add bridge=BR1 tagged=ether3,ether5,BR1 vlan-ids=44
add bridge=BR1 tagged=ether3,ether5,BR1 vlan-ids=49
add bridge=BR1 tagged=ether3,ether5,BR1 vlan-ids=13
add bridge=BR1 tagged=ether3,ether5,BR1 vlan-ids=51
/ip address
add address=10.87.2.28/28 interface=MGMT_VLAN network=10.87.2.16
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.87.2.30 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
But currently it’s working just fine.
Should I change anything ?
try setting the PVID to 1 (or 4094 when not used otherwise) → 187 coming in tagged and also PVID set to that VLAN ID does not go well in ROS … still
What do you mean exactly??
ETher1 is simply capturing the internet traffic stuffing the untagged traffic into vlan187 through the hex and bringing it to your router to be terminated as vlan187 traffic.
VLAN 18 is your managment subnet and also your main subnet.
The hex gets its address from here.
You should be able to access the hex for managment purposes via winbox from any vlan18 device.
At your generic router coming from ether3 on the hex are two VLANs, 187 which should be terminated on the pppoe router and vlan18 which should be handled appropriately.
Its not our problem that you havent identified said router or what its capable of doing,
Perhaps its the wrong type of device for this setup.
Also final point your comment makes zero sense, there are no other vlans to access…
+++++++++++++++
confirm, the ISP device provides untagged traffic to the hex ( not already tagged with 187)
a. if its not tagged, no changes required
b. if its already tagged then ether1 becomes a trunk port and you would need to modify /interface bridge vlan to show tagged on ether1 and ether3 for 187
confirm the pppoe router can accept
either
a. tagged vlans for both main vlan and internet vlan
OR
b. tagged vlan for main vlan and untagged traffic.
OR
c. untagged traffic for main vlan and tagged vlan for internet.
If none of the above, then its time to ditch the router and let the hex do it all.