CRS and RB2011 vlan configuration

RouterOS Beginner Basics
1

Could anyone point me in the right direction regarding my vlan setup.

I have port1 on my RB2011 as WAN with DHCP client, and I have setup 3 vlan interfaces on port2 (vlan 10, 172 and 192). I have configured one DHCP server for each vlan. I have configured a firewall, and basic NAT.

On my CRS125-24G-1G-RM I have setup a switchgroup where ether2-24 has ether1-master as master. I have setup egress vlan tag for vlan 10, 192 and 172 on port1, and also port 2 & 3 for vlan 172. Ether2-16 has ingress vlan translation for vlan 192 - working great and equipment is getting IP from DHCP in 192.168.73.0 subnet, as wanted. Ether23&24 has ingress vlan translation for vlan 10 - also working, getting IP from DHCP in 10.0.0.0 subnet - as wanted

The problem is, I have my Ubiquiti AP AC Lite on port 2 & 3, and have configured a SSID for my private network, and wifi equipment is recieving IP 192.168.73.0 adresses as wanted - there is no vlan settings configured in Ubiquiti controller for this SSID, so this SSID is broadcasting in untagged vlan 192 - perfect. Then I have a second SSID in vlan 172 - where i want 172.16.26.0 adresses - but when connecting to this WiFi, I am not getting IP…

I have tested to configure a ingress vlan translation for vlan 172 on port17 - and then everything is OK - so my problem I am quite shure is on my hybrid vlan config of ether2 & 3

Here is some of my setup on my CRS switch:

[root@MikroTik_Switch] /interface ethernet> print
Flags: X - disabled, R - running, S - slave 
 #    NAME            MTU MAC-ADDRESS       ARP        MASTER-PORT          SWITCH         
 0 R  ether1-master  1500 E4:8D:8C:A8:56:72 enabled    none                 switch1        
 1 RS ether2         1500 E4:8D:8C:A8:56:73 enabled    ether1-master        switch1        
 2 RS ether3         1500 E4:8D:8C:A8:56:74 enabled    ether1-master        switch1        
 3  S ether4         1500 E4:8D:8C:A8:56:75 enabled    ether1-master        switch1        
 4  S ether5         1500 E4:8D:8C:A8:56:76 enabled    ether1-master        switch1        
 5  S ether6         1500 E4:8D:8C:A8:56:77 enabled    ether1-master        switch1        
 6  S ether7         1500 E4:8D:8C:A8:56:78 enabled    ether1-master        switch1        
 7  S ether8         1500 E4:8D:8C:A8:56:79 enabled    ether1-master        switch1        
 8  S ether9         1500 E4:8D:8C:A8:56:7A enabled    ether1-master        switch1        
 9  S ether10        1500 E4:8D:8C:A8:56:7B enabled    ether1-master        switch1        
10  S ether11        1500 E4:8D:8C:A8:56:7C enabled    ether1-master        switch1        
11 RS ether12        1500 E4:8D:8C:A8:56:7D enabled    ether1-master        switch1        
12  S ether13        1500 E4:8D:8C:A8:56:7E enabled    ether1-master        switch1        
13  S ether14        1500 E4:8D:8C:A8:56:7F enabled    ether1-master        switch1        
14  S ether15        1500 E4:8D:8C:A8:56:80 enabled    ether1-master        switch1        
15  S ether16        1500 E4:8D:8C:A8:56:81 enabled    ether1-master        switch1        
16  S ether17        1500 E4:8D:8C:A8:56:82 enabled    ether1-master        switch1        
17  S ether18        1500 E4:8D:8C:A8:56:83 enabled    ether1-master        switch1        
18  S ether19        1500 E4:8D:8C:A8:56:84 enabled    ether1-master        switch1        
19  S ether20        1500 E4:8D:8C:A8:56:85 enabled    ether1-master        switch1        
20  S ether21        1500 E4:8D:8C:A8:56:86 enabled    ether1-master        switch1        
21 RS ether22        1500 E4:8D:8C:A8:56:87 enabled    ether1-master        switch1        
22  S ether23        1500 E4:8D:8C:A8:56:88 enabled    ether1-master        switch1        
23 RS ether24        1500 E4:8D:8C:A8:56:89 enabled    ether1-master        switch1        
24  S sfp1           1500 E4:8D:8C:A8:56:8A enabled    ether1-master        switch1




[root@MikroTik_Switch] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID PORTS                 SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP                
 0 D    4095 switch1-cpu           no  no    no    no             none                     
 1        10 ether1-master         no  yes   no    no             none                     
             ether23              
             ether24              
 2       172 ether1-master         no  yes   no    no             none                     
             ether2               
             ether3               
 3       192 ether1-master         no  yes   no    no             none                     
             ether2               
             ether3               
             ether4               
             ether5               
             ether6               
             ether7               
             ether8               
             ether9               
             ether10              
             ether11              
             ether12              
             ether13              
             ether14




[root@MikroTik_Switch] /interface ethernet switch ingress-vlan-translation> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,
      ether13,ether14 
     service-vlan-format=any customer-vlan-format=any new-customer-vid=192 
     pcp-propagation=no sa-learning=yes 

 1   ports=ether23,ether24 service-vlan-format=any customer-vlan-format=any 
     new-customer-vid=10 pcp-propagation=no sa-learning=yes 

 2 D ports="" service-vlan-format=any customer-vlan-format=any new-customer-vid=4095 
     pcp-propagation=no sa-learning=no




[root@MikroTik_Switch] /interface ethernet switch egress-vlan-tag> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID TAGGED-PORTS                                                                  
 0 D    4095
 1        10 ether1-master                                                                 
 2       192 ether1-master                                                                 
 3       172 ether1-master                                                                 
             ether2                                                                        
             ether3

Please ask if more info is needed to help me out!

2

Looks like this ingress would override any incomming tagged packets from 172 as well. Maybe change it to only only set the new-customer-vid when Customer-vid is 0?

3

I have now tested with following:

[root@MikroTik_Switch] /interface ethernet switch ingress-vlan-translation> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,
      ether13,ether14 
     service-vlan-format=any customer-vlan-format=any customer-vid=0 new-customer-vid=192 
     pcp-propagation=no sa-learning=yes 

 1   ports=ether23,ether24 service-vlan-format=any customer-vlan-format=any 
     new-customer-vid=10 pcp-propagation=no sa-learning=yes 

 2 D ports="" service-vlan-format=any customer-vlan-format=any new-customer-vid=4095 
     pcp-propagation=no sa-learning=no

This did absolutely nothing. I have also tryed rebooting the AP`s. I have never rebooted the CRS, as any other settings I have done has worked instantly - should i perhaps try to reboot the CRS as well?

4

I have still not figured this out.

I would really appresiate if anyone would take their time to help me out!

Regards,
Torstein

5

Maybe add switch1-cpu to your individual vlans? See below:
/interface ethernet switch egress-vlan-tag add tagged-ports=sfp1,switch1-cpu vlan-id=20

-tp

6

This did not do the trick :frowning: This only “locked me out” off the switch from my vlan 192. I had to connect to one off the ports not configured in any vlan and use winbox and mac adresse to connect to it and make it reverse…

-Torstein

7

I have still not figured this out.

Are there any way to get support from Mikrotik, or some other way to get help to sort this out?

Regards,
Torstein

8

The following ingress VLAN translation rule has missing “customer-vid=0” parameter therefore it translates VLAN172 to VLAN192 on ether2 and ether3 as well.

[root@MikroTik_Switch] /interface ethernet switch ingress-vlan-translation> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,
      ether13,ether14
     service-vlan-format=any customer-vlan-format=any new-customer-vid=192
     pcp-propagation=no sa-learning=yes
9

I think I already have tried that, if you read my reply from 13/2-2016?

Regards,
Torstein

10

Try flushing the Unicast Forwarding Database after modifying the Ingress VLAN Translation rule to make CRS relearn correct VLAN ids.

/interface ethernet switch unicast-fdb flush
11

Hi,

I have CRS with working vlan config. My trunk ports look like that:

print

VLAN-ID TAGGED-PORTS

0 10 bond0
ether17
ether23
switch1-cpu
1 96 bond0
ether17
ether23
switch1-cpu
2 15 bond0
ether23
switch1-cpu
3 2 ether1
switch1-cpu
4 D 4095

So I'm using egress-vlan-tag instead translation

My access ports:

print
Flags: X - disabled, I - invalid, D - dynamic
0 ports=ether9,ether16,ether21,ether18 service-vlan-format=any
customer-vlan-format=any new-customer-vid=10 pcp-propagation=no
sa-learning=yes

1 D ports=ether2,ether3,ether4,ether5,ether6,ether10,ether11,ether12,ether13,
ether14,ether15,ether19,ether20,ether22,sfp1
service-vlan-format=any customer-vlan-format=any new-customer-vid=4095
pcp-propagation=no sa-learning=no

and as was mentioned before:

Hopefully this will help you