CRS - MAC Based VLAN and routing on the same device

Hi All,

I am thinking of configuring some ports on a CRS125 (let’s say ports 10-16) to be used with MAC based VLANs, and I don’t want to use a trunk port; I want all the logic on the same CRS device.

In the example shown in “CRS examples” [1], they configure:

  1. A group of switched ports on the “bridge1”. I group the 10-16 ports.
  2. Enable MAC based VLAN translation on access ports (on the ports from 10 to 16).
  3. Add MAC-to-VLAN mapping entries in the MAC based VLAN table. OK, let’s say split them on two VLANs 100 and 200, therefore I isolate the machines on every VLAN.

X 4) Add VLANS on the trunk port. Well I don’t need this.

Now I want to decode the packets on the “bridge1” and be able to provide routing and firewall rules to the VLANs; for example, packets from VLAN 100 can communicate with the Internet and VLAN 200 remains isolated on its network. Is it possible to do?

I thought I could decode the VLAN tags by adding VLAN interfaces to the “bridge1” to later provide routing and firewall rules based on these VLAN interfaces. It does not work. Does anyone know how I could solve it? Or maybe I should design the network in some other way?

Thanks & Regards

[1] - https://wiki.mikrotik.com/wiki/Manual:CRS_examples#MAC_Based_VLAN

Hi all,

I've been thinking and now, as a test, I can tag the packets coming from the ether port for a specific VLAN-MAC mapping and decode the packets to use routing, but the packets going back to the source PC are sent tagged. How could I remove the tag when the packet is going from the CRS to the computer? This is my basic example configuration.

RouterOS 6.41

model = CRS125-24G-1S-2HnD

/interface bridge add fast-forward=no name=bridge-vlan-200 protocol-mode=none
/interface vlan add interface=ether10 name=ether10-vlan200 vlan-id=200
/interface bridge port add bridge=bridge-vlan-200 interface=ether10
/interface ethernet switch mac-based-vlan add new-customer-vid=200 src-mac-address=90:2B:34:A3:6C:AF
/interface ethernet switch port set 9 allow-fdb-based-vlan-translate=yes
/ip address add address=192.168.21.1/24 interface=ether10-vlan200 network=192.168.21.0
/ip pool add name=dhcp_pool0 ranges=192.168.21.2-192.168.21.254
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=ether10-vlan200 lease-time=2d10m name=dhcp1
/ip dhcp-server network add address=192.168.21.0/24 dns-server=8.8.8.8 gateway=192.168.21.1