CRS: troubles understanding port isolations and vlans

RouterOS General
1

Hello!

I’m having some troubles understanding how port isolation and vlans work…

I have used VLANs before on HP switches but I’m having some troubles in new CRS serie.

What I want to achieve is 2 VLANs, isolated from each other, so they have go through main cpu and apply firewall rules, have separate DHCP servers on each VLAN and use one port for connecting to WAN(PPPoE).

So, how I’ve done it:

  • set ether1 port as master
  • set ether2-22 as slave
  • set ether24 as master-port=none
  • set dhcp-client on ether24 to get WAN IP
  • created 2 vlans under interfaces->VLAN (VLAN10 and VLAN20) and attached those two VLANs to ether1
    /interface vlan
    add interface=ether1 l2mtu=1584 name=vlan10-zaposleni vlan-id=10
    add interface=ether1 l2mtu=1584 name=vlan20-bralci vlan-id=20- added addresses, dhcp server… to vlans
  • under Switch->VLAN->VLAN I created 2 VLANs and added ports(8 ports to each vlan)
    /interface ethernet switch vlan
    add ports=
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,switch1-cpu
    vlan-id=20
    add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,switch1-cpu
    vlan-id=10- Under Switch->VLAN Tagging I added switch-cpu to vlan 10 and 20
    /interface ethernet switch egress-vlan-tag
    add tagged-ports=switch1-cpu vlan-id=20
    add tagged-ports=switch1-cpu vlan-id=10- In VLAN translattion I created two entries containing ports in each vlan
    /interface ethernet switch ingress-vlan-translation
    add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=20
    ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
    sa-learning=yes service-vlan-format=untagged-or-tagged
    add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=10
    ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 sa-learning=
    yes service-vlan-format=untagged-or-tagged- under Switch->Port I set isolation-leakage-profile-override=2 for ports 1-8 and isolation-leakage-profile-override=3 for ports 9-16
    /interface ethernet switch port
    set 0 isolation-leakage-profile-override=2
    set 1 isolation-leakage-profile-override=2
    .
    .- under Switch->Port isolation I created 2 entries and added each port group to it’s own entry
    /interface ethernet switch port-isolation
    add port-profile=2 ports=ether1,ether2,ether4,ether5,ether6,ether7,ether8 type=dst
    add port-profile=3 ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 type=dstSo according to my settings I should achieve the following:
  • clients can communicate inside VLAN
  • they can’t reach clients in other VLANs and can’t reach DHCP server, since there is no uplink (all ports should be isolated)
    But it doesn’t seems that this works. I can reach clients in other vlans and almost (all) clients get IP from DHCP. Why?

As far as uplink goes, what do I specify as a uplink in port-isolation page? Switch1-cpu?
Do I have to set isolation-leakage-profile-override=0 to switch1-cpu?
I currently don’t have that set and everything seems to work anyway. Why? There isn’t suppose to be any uplink…
Also, there is still a dynamic port-isolation entry containing all ports. Why is that? Shouldn’t ports be removed from here and moved to “overwritten” profiles
2 D ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,
ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,switch1-cpu
type=dst forwarding-type=bridged,routed traffic-type=unicast,multicast,broadcast
registration-status=known,unknown protocol-type=arp,nd,dhcpv4,dhcpv6,ripv1 port-profile=29Thanks, MAtej

2

Anyone?

Matej

3

As far as uplink goes, what do I specify as a uplink in port-isolation page? Switch1-cpu?

Yes

Do I have to set isolation-leakage-profile-override=0 to switch1-cpu?

It is according to the best practice and wiki example and would prevent other unexpected results.

I currently don’t have that set and everything seems to work anyway. Why? There isn’t suppose to be any uplink…

Reboot CRS after changing ports in isolation profiles, there seems to be a problem with saving them. After reboot everything should work as you expect. Now we are looking how to fix it.

Also, there is still a dynamic port-isolation entry containing all ports. Why is that? Shouldn’t ports be removed from here and moved to “overwritten” profiles

Dynamic entries are for internal switch use and all user defined entries already override them, you should not worry about them.

4

Thanks for your help…

Is there an easy way to check if port isolation is working?

I’m having troubles understanding what port isolation actually does or what is it useful. Aren’t ports already separated by VLANs(in my case of course)?
I mean, ports 1-8 are vlan10 and 9-16 are vlan20. My knowledge tells me that ports are already isolated and I can’t see vlan20 traffic in ports 1-8.
Can traffic flow between vlan10 and vlan20 without going to main cpu in that case?
In that case port isolation forces traffic to go through main cpu and apply firewall and such?

I do understand the use of port-isolation type isolated, where you can have single port group(or vlan), but all ports must communicate via uplink (good for public access, client isolation and such).
But why would someone need community isolation, if I already separated them via vlan?

In case I don’t apply port isolation and only use VLAN and assign them to certain ports, what are the downsides?
What security issues can rise from that configuration?

Matej

5

Since you have different VLANs for each group, you have already ensured isolation and do not need isolation profiles in this case. Communication between VLAN10 and VLAN20 can occur only through CPU and there will not be any security issues or other downsides within switch-chip. I think it answers most of your questions.

Port isolation including community isolation configurations can be useful if the same VLAN needs to be used in multiple port groups which have to be isolated from each other. For example, split CRS in half and use it as two independent switches, each side could have the same VLANs, but they would be separated. For that you would need two different community profiles, because multiple master-ports do not allow such VLAN configuration.

6

Hey!

Thanks for clarifying things for me…

I just want to check the last part, if I understand it correctly:
I split my switch to 2 independent switches by setting first 16 ports with port-isolation 2 and second 16 ports with port-isolation 3.
Now I want to have the same VLAN on some ports in 1st “switch” and on some ports in 2nd “switch”. I go to Switch->VLAN and assign VLANs to ports I want to.

In case I wouldn’t have port isolation, all traffic inside VLAN would happen in switch chip.
In case I have port isolation, traffic from the same VLAN in one switch have to go through switch cpu to reach vlan in the other switch. Is that correct?

Matej

7

Correct. But since there is only one CPU port and in the second case traffic needs to go back and forth from it, there would be need for Local Proxy ARP.
Currently in RouterOS it is possbile with bridge NAT. Here is example which shows how ensure routing for the same VLAN between two isolated groups:
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/ip address
add address=10.0.0.1/24 interface=vlan10 network=10.0.0.0
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=vlan10
/interface bridge nat
add action=arp-reply chain=dstnat mac-protocol=arp to-arp-reply-mac-address=

8

Thanks for help.

Matej

9

Correct. But since there is only one CPU port and in the second case traffic needs to go back and forth from it, there would be need for Local Proxy ARP.
Currently in RouterOS it is possbile with bridge NAT. Here is example which shows how ensure routing for the same VLAN between two isolated groups:
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/ip address
add address=10.0.0.1/24 interface=vlan10 network=10.0.0.0
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=vlan10
/interface bridge nat
add action=arp-reply chain=dstnat mac-protocol=arp to-arp-reply-mac-address=

This dst-nat rule for local proxy-arp captures all incoming arp message types. This code doesn’t work well in case of running DHCP server on the same interface. Also windows machine on the LAN sometimes get false alarm as if there is a duplicate IP.