CRS125, Metals, and vlans

RouterOS Beginner Basics
1

Hi,
I’ve had lots of trouble trying to understand how to properly use vlans on the CRS125. I’m looking for some guidance as to how to appropriately configure the following network:

There are the following devices:
CRS125
Modem
5 GHz Metal
2.4 GHz Metal
Server
Desktop
Mobile phone

I’d like to do the following:
Have the server on vlan id 2
Have the desktop on vlan id 7
Have the two metals have an authenticated wlan that is on vlan id 7 and a guest vwlan on vlan id 8

I’ve tried to configure this following the CRS Examples page but cannot seem to get the metals to operate properly with the CRS125. Here’s my CRS125 config currently. I dont have the desktop or server tagged yet.

# jan/01/2002 16:10:17 by RouterOS 6.13
# software id = D52M-IL3U
#
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] comment="2.4 GHz AP" master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] comment=server master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] comment=Desktop master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
set [ find default-name=ether13 ] master-port=ether2
set [ find default-name=ether14 ] master-port=ether2
set [ find default-name=ether15 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
set [ find default-name=ether17 ] master-port=ether2
set [ find default-name=ether18 ] master-port=ether2
set [ find default-name=ether19 ] master-port=ether2
set [ find default-name=ether20 ] master-port=ether2
set [ find default-name=ether21 ] master-port=ether2
set [ find default-name=ether22 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2
set [ find default-name=ether24 ] comment="5 GHz AP" master-port=ether2
/ip neighbor discovery
set ether1 comment=WAN
set ether4 comment="2.4 GHz AP"
set ether6 comment=server
set ether8 comment=Desktop
set ether24 comment="5 GHz AP"
/interface vlan
add comment=Servers interface=ether2 l2mtu=1584 name=vlan2 vlan-id=2
add comment=Management interface=ether2 l2mtu=1584 name=vlan3 vlan-id=3
add comment="Security Cameras" interface=ether2 l2mtu=1584 name=vlan4 vlan-id=4
add comment=Streaming interface=ether2 l2mtu=1584 name=vlan5 vlan-id=5
add comment=Voice interface=ether2 l2mtu=1584 name=vlan6 vlan-id=6
add comment=Users interface=ether2 l2mtu=1584 name=vlan7 vlan-id=7
add comment=Guests interface=ether2 l2mtu=1584 name=vlan8 vlan-id=8
add comment=VPN interface=ether2 l2mtu=1584 name=vlan9 vlan-id=9
/ip neighbor discovery
set vlan2 comment=Servers
set vlan3 comment=Management
set vlan4 comment="Security Cameras"
set vlan5 comment=Streaming
set vlan6 comment=Voice
set vlan7 comment=Users
set vlan8 comment=Guests
set vlan9 comment=VPN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=pool0 ranges=10.0.0.2-10.0.0.254
add name=pool7 ranges=10.0.7.2-10.0.7.254
add name=pool2 ranges=10.0.2.2-10.0.2.254
add name=pool8 ranges=10.0.8.2-10.0.8.254
add name=pool3 ranges=10.0.3.2-10.0.3.254
add name=pool4 ranges=10.0.4.2-10.0.4.254
add name=pool5 ranges=10.0.5.2-10.0.5.254
add name=pool6 ranges=10.0.6.2-10.0.6.254
add name=pool9 ranges=10.0.9.2-10.0.9.254
/ip dhcp-server
add add-arp=yes address-pool=pool7 disabled=no interface=vlan7 name=dhcp7
add add-arp=yes address-pool=pool0 disabled=no interface=ether2 name=dhcp1
add add-arp=yes address-pool=pool2 disabled=no interface=vlan2 name=dhcp2
add add-arp=yes address-pool=pool8 disabled=no interface=vlan8 name=dhcp8
add add-arp=yes address-pool=pool3 disabled=no interface=vlan3 name=dhcp3
add add-arp=yes address-pool=pool4 disabled=no interface=vlan4 name=dhcp4
add add-arp=yes address-pool=pool5 disabled=no interface=vlan5 name=dhcp5
add add-arp=yes address-pool=pool6 disabled=no interface=vlan6 name=dhcp6
add add-arp=yes address-pool=pool9 disabled=no interface=vlan9 name=dhcp9
/port
set 0 name=serial0
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=2
add tagged-ports=switch1-cpu vlan-id=3
add tagged-ports=switch1-cpu vlan-id=4
add tagged-ports=switch1-cpu vlan-id=5
add tagged-ports=switch1-cpu vlan-id=6
add tagged-ports=switch1-cpu vlan-id=7
add tagged-ports=switch1-cpu vlan-id=8
add tagged-ports=switch1-cpu vlan-id=9
/interface ethernet switch vlan
add ports=switch1-cpu vlan-id=2
add ports=switch1-cpu vlan-id=3
add ports=switch1-cpu vlan-id=4
add ports=switch1-cpu vlan-id=5
add ports=switch1-cpu vlan-id=6
add ports=switch1-cpu vlan-id=7
add ports=switch1-cpu vlan-id=8
add ports=switch1-cpu vlan-id=9
/ip address
add address=10.0.7.1/24 interface=vlan7 network=10.0.7.0
add address=10.0.2.1/24 interface=vlan2 network=10.0.2.0
add address=10.0.8.1/24 interface=vlan8 network=10.0.8.0
add address=10.0.3.1/24 interface=vlan3 network=10.0.3.0
add address=10.0.4.1/24 interface=vlan4 network=10.0.4.0
add address=10.0.5.1/24 interface=vlan5 network=10.0.5.0
add address=10.0.6.1/24 interface=vlan6 network=10.0.6.0
add address=10.0.9.1/24 interface=vlan9 network=10.0.9.0
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
add address=10.0.2.0/24 gateway=10.0.2.1 netmask=24
add address=10.0.3.0/24 gateway=10.0.3.1 netmask=24
add address=10.0.4.0/24 gateway=10.0.4.1 netmask=24
add address=10.0.5.0/24 gateway=10.0.5.1 netmask=24
add address=10.0.6.0/24 gateway=10.0.6.1 netmask=24
add address=10.0.7.0/24 gateway=10.0.7.1 netmask=24
add address=10.0.8.0/24 gateway=10.0.8.1 netmask=24
add address=10.0.9.0/24 gateway=10.0.9.1 netmask=24
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0
/ip upnp
set allow-disable-external-interface=no

Here’s the 5 GHz AP’s configuration:

# jan/01/2002 01:03:32 by RouterOS 6.13
# software id = 3QHR-LE3I
#
/interface bridge
add l2mtu=1594 name=vlwan1-vlan8
add comment=Users l2mtu=1594 name=wlan1-vlan7
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n bridge-mode=disabled channel-width=20/40mhz-ht-below country="united states" disabled=no frequency=5200 l2mtu=2290 mode=ap-bridge ssid="5 GHz" \
    wireless-protocol=802.11
/ip neighbor discovery
set wlan1-vlan7 comment=Users
/interface vlan
add interface=ether1 l2mtu=1594 name=vlan7 vlan-id=7
add interface=ether1 l2mtu=1594 name=vlan8 vlan-id=8
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=mypw wpa2-pre-shared-key=\
    mypw
add name=none supplicant-identity=MikroTik
/interface wireless
add bridge-mode=disabled disabled=no l2mtu=2290 mac-address=00:0C:42:B2:16:63 master-interface=wlan1 name=vwlan1 security-profile=none ssid="5 GHz Guest"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/interface bridge port
add bridge=wlan1-vlan7 interface=vlan7
add bridge=wlan1-vlan7 interface=wlan1
add bridge=vlwan1-vlan8 interface=vwlan1
add bridge=vlwan1-vlan8 interface=vlan8
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip upnp
set allow-disable-external-interface=no
/system identity
set name="5 GHz WAP"

When I try to connect to the 5 GHz wlan, my devices hang at “Obtaining IP address…”. Help please! I’d also love to see how to appropriately configure the server and desktop ports. I thought tagging was all that I’d need, but that didn’t seem to work.

2

I spent some time sniffing packets, and it seems that the DHCP request gets from the wireless clients to the DHCP server on vlan7, but no packets are sent on ether24 with the lease. Therefore the lease hangs at “Offered” and the wireless client hangs at “obtaining IP address”. I moved vlan7’s interface from ether2 to ether24, and I set master-port to none on ether24, which immediately resolved the problem. So that leads me to believe that the CRS switch stuff is misconfigured. What am I missing?

3

Hi, anyone with ideas? I’ve spent a few more hours trying to figure this out but not had any success.

4

If you need to send tagged VLAN7 and VLAN8 frames from CRS125 ether24 port, ether24 should be added to egress VLAN tagging and VLAN table.

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether24 vlan-id=7
add tagged-ports=switch1-cpu,ether24 vlan-id=8
/interface ethernet switch vlan
add ports=switch1-cpu,ether24 vlan-id=7
add ports=switch1-cpu,ether24 vlan-id=8
5

Why tag the switch1-cpu port instead whatever specific port you’re using for each vlan?

Like if VLAN7 goes from ether1 to ether24, do you still tag the switch1-cpu? Or is that just if you want all ether1-ether23 to be trunked to ether24?

6

In your configuration switch1-cpu port needs to be included in tagged ports to allow access to VLAN id 7 interface (comment=Users) in RouterOS which has a DHCP server configured.