CRS309 Setup Guest VLAN with VLAN hardware offloading

Hello!

I set up my CRS309 and it works fine, but I cannot figure out the correct way to add VLANs after a few days of reading.
I’d like to use the chip’s “Bridge VLAN Filtering” hardware feature, so non-Guest traffic does not go to the CPU.

The current setup is very basic:

  • Ether1 port is WAN, interface is not on the bridge.
  • SFP ports 1-8 are on the bridge (LAN)
  • LAN DHCP server is on “bridge” interface

Changes:

  • SFP port 8 (sfp-sfpplus8) will have WiFi Guest AP connected.
  • All devices on Guest AP should not be able to see LAN traffic
  • A new DHCP server for guests, all devices on Guest AP should access internet

From my reading, it seems that after setting up VLANs, I have to turn it on, and it seems to have a global effect:
/interface bridge set bridge vlan-filtering=yes

Does it mean I have to reconfigure all other ports to be VLANed too?
Will this sequence break my existing LAN traffic?

/interface vlan add name=GUEST_VLAN interface=sfp-sfpplus8 vlan-id=20
/ip address add address=10.10.20.1/24 interface=GUEST_VLAN
/interface bridge set bridge vlan-filtering=yes

Or should I use:
/interface bridge port add bridge=bridge interface=sfp-sfpplus8 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan …

I really tried to dig through all the docs … Please help :)

So far I did:
/interface bridge port set [find interface=sfp-sfpplus8] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port print (shows sfp-sfpplus8 PVID = 20)

What are the next steps? I think the line below will bump everything to L3; I want to stay at L2 for hardware offloading…
/interface vlan add name=GUEST_VLAN interface=sfp-sfpplus8 vlan-id=20

The first thing you should do BEFORE messing with the VLANs on the switch is to keep one port off the bridge so you don’t lock yourself out.

Then export your configuration in full so we can see what you did.

One question: are you using your CRS as a router?

Yes, as all-in-one home router plus switch.


Too late for that :) My backup plan was WinBox by MAC if this happens.
Anyway, I went ahead with this sequence:


/interface bridge port set [find interface=sfp-sfpplus8] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port print   (shows sfp-sfpplus8 PVID = 20)
/interface vlan add interface=bridge vlan-id=20 name=GUEST_VLAN
/ip address add address=10.10.20.1/24 interface=GUEST_VLAN
/ip pool add name=GUEST_POOL ranges=10.10.20.10-10.10.20.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.10.20.0/24 dns-server=10.10.20.1 gateway=10.10.20.1
/interface bridge set bridge vlan-filtering=yes
/interface bridge vlan print
Flags: D - DYNAMIC
 #   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
     ;;; added by pvid
 0 D bridge         1                  bridge
                                       sfp-sfpplus1
     ;;; added by pvid
 1 D bridge        20                  sfp-sfpplus8
     ;;; added by vlan on bridge
 2 D bridge        20  bridge

It seems to be working as expected, but I’m not sure it is the right way. Could you have a look please?

Also, this one shows all ports have the H flag, so I did not screw up hardware offloading?
/interface bridge port print

I’m very curious what the purpose of this command is. I did not execute it, yet all seems to be working…

/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=20

Thanks!!

This includes the bridge interface in the VLAN 20 as a tagged member.
RouterOS does this automatically if you create a tagged VLAN interface on top of another interface, so it’s not strictly necessary.

In fact, you can see that happening here in the output that you posted:

Thank you!
I also added a firewall rule; it seems to work partially: it does block guests from reaching any other hosts on the LAN, but it does not block guests from reaching the CRS router itself.
/ip firewall filter add chain=forward action=drop in-interface=GUEST_VLAN out-interface=!ether1 comment="drop Guest to LAN"

I need to add some more rules to allow only DNS (and DHCP?) from Guest to the router itself…

And is it normal to see that the physical interface stats are much higher than the VLAN stats on that interface? Do some packets escape being tagged?

/interface print stats
 #    NAME          RX-BYTE      TX-BYTE      RX-PACKET  TX-PACKET  RX-DROP  TX-DROP  T  RX-ERROR  TX-ERROR
...
 8 RS sfp-sfpplus8  16 005 067   417 250 576  154 885    3 329 048                          0
 9 R  GUEST_VLAN    5 346 605    20 320 852   32 469     30 341     0        0        0  0         0



Btw, I’m attaching the whole config export. I would much appreciate it if you find any missing or wrong configuration!
vlan-done-forum.rsc (2.62 KB)

First of all, CRS devices are not meant to be routers; they are switches, and while they can perform routing functions they don’t have the CPU power to do so. Your device can route about 340 Mbps (when looking at the table on the product page), so not so much.

Second thing, you should really, really create an off-bridge port. You are messing with firewall rules and VLANs and you can easily get locked out, and I wouldn’t rely on Winbox and a MAC connection. Better safe than sorry, trust me… Also, the ether1 interface is meant for management purposes, so you should make that port the off-bridge management port.

Third thing, if you go VLANs, go VLANs all the way, so your 192.168.0.0/24 subnet should be on another VLAN and VLAN 1 should be running in the background.

Fourth thing, your configuration is a mess… The default configuration with the default firewall is more than enough, and then you can block inter-VLAN communication.

This is completely true, but it is still good practice to include it yourself in the config, because default or dynamic settings are not exported.
Manually changed things are.
Otherwise it might be easy to miss that part when you look at an exported config with only default settings.
But as you said, not strictly necessary.

But switching between other bridged ports will still be at 10Gbps, correct? This fits my use case; I would never expect 10Gbps on WAN or the Guest VLAN, so why not use it for internet access too? Please keep in mind that this is a home device, not a datacenter setup.


Yes, this is valid point, I might redo it later to have LAN (SFP 1-7) on VLAN 10.


Which specific part, please, is a mess? I tried to keep it as simple as possible…

I would leave the firewall rules as they are and start from there, or, what I do is drop everything and pass only the needed things.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=Winbox dst-port=6749 in-interface-list=\
    MGMT protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=DNS_UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS_TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add chain=forward comment=Internet in-interface-list=LAN out-interface-list=\
    WAN
add action=accept chain=forward comment=PORT_FWD connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" connection-nat-state=\
    dstnat connection-state="" in-interface-list=WAN

By default all inter-VLAN communication is blocked on L3, so you have to add it yourself; also you can create interface lists and, for example, create a trusted or mgmt network and set the discovery list to just that one MGMT list.

If you configure VLANs correctly then yes, switching should be done at the 10Gbps rate. But what is your connection speed? You must think of that; 340 Mbps in today’s world is nothing.

I wouldn’t put it that generic…
For the customer I work for, we have NO (ZERO) ISP connections passing 200/200. Most are even sub-100.
And that’s perfectly fine for their business needs (36 sites ranging from 3 to about 30 PCs and printers connecting to/from Azure).
Fiber is not really mainstream here in Belgium (yet, it’s being worked on) due to the fact we were one of the first to follow ADSL/VDSL developments via PSTN network and we also have a large coax network.

A lot of places on this globe have no access to 100+ Mbps connections.

At home I have 500/50 (coax) but I limit it to 350/40 for bufferbloat reasons.
And I’m totally fine with that.

Also, I am always surprised by everyone’s obsession about “the need for speed”. Stability and what works for you is far more important.
IMHO …

I just ran a speedtest and got 920 Mbps somehow, lol, not sure about 340 Mbps figure… https://ibb.co/C5fCjSX
In Australia, it is mostly 1Gbps tops for residential anyway.

Thanks a lot for firewall tips! I followed this article when I bought it:
https://help.mikrotik.com/docs/spaces/ROS/pages/328151/First+Time+Configuration

I agree with you on that one; stability is much more important, and for me personally, for a basic home user 100/100 is more than enough. For example, in Croatia they really started using EU money to build fibre infrastructure, so speeds in excess of 300 Mbps are not so uncommon.

@mixmax, a good rule of thumb for how capable a device is when it comes to routing is to look at the table on the product page under Routing / 25 ip filter rules / 512 byte, and you will see that for your device they state it’s capable of 340.4 Mbps.

You don’t have many firewall rules, but this speed will drop once you start adding FW rules etc. What is the CPU load once you start a speedtest?

My question on these devices with bridge VLAN filtering is what the performance of VLAN-to-VLAN traffic will be, when typically access between VLANs is done at Layer 3.
So for example with the CRS309 what will be:
a. the speed from a user on ether4 to a user on ether5 if both are on the same VLAN.
b. the speed from a user on ether4 in one VLAN to another user on ether5 on a different VLAN.

I get that crossing the router boundary from a VLAN out to the internet and back will be limited to the ethernet tests of approx. 384 based on 25 filter rules.

It was about 70%, have a look. Weird that the main item was “networking”, not “firewall”.
CRS309 CPU usage at 900Mbps.png

I just discovered a rabbit hole, Fasttrack HW Offloading, and the CRS309 supports it.
I’ll be back in a few weeks :)

Hey gigabyte, I’m back :)
Could you tell me why you have "untracked" in this rule? Everywhere I checked, incl. the First Time Setup guide, it does not have "untracked" in this forward rule.

BTW, I recreated my config from scratch, using an explicit VLAN for LAN traffic, not the implicit VLAN 1!
I’d love it if you could look at it!
The ports tag untagged traffic with VLAN 10, and process VLAN 20 if traffic is tagged with it. (I set some of the SSIDs on the Access Point to use VLAN 20.)
Cheers!

/interface bridge
add name=bridge vlan-filtering=yes

/interface vlan
add interface=bridge name=main_vlan vlan-id=10
add interface=bridge name=guest_vlan vlan-id=20

/ip address
add address=192.168.0.1/24 interface=main_vlan
add address=10.10.20.1/24 interface=guest_vlan

/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 pvid=10
add bridge=bridge interface=sfp-sfpplus2 pvid=10
add bridge=bridge interface=sfp-sfpplus3 pvid=10
add bridge=bridge interface=sfp-sfpplus4 pvid=10
add bridge=bridge interface=sfp-sfpplus5 pvid=10
add bridge=bridge interface=sfp-sfpplus6 pvid=10
add bridge=bridge interface=sfp-sfpplus7 pvid=10
add bridge=bridge interface=sfp-sfpplus8 pvid=10

/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8
add bridge=bridge vlan-ids=20 tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8

/interface list
add name=MAIN
add name=GUEST

/interface list member
add interface=main_vlan list=MAIN
add interface=guest_vlan list=GUEST

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept Management MAIN" in-interface-list=MAIN
add action=drop chain=input comment="block everything else"

add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="fasttrack established,related"
add chain=forward action=accept connection-state=established,related comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=MAIN out-interface=ether1 comment="accept MAIN to internet"
add chain=forward action=accept in-interface-list=GUEST out-interface=ether1 comment="accept GUEST to internet"
add chain=forward action=accept in-interface-list=MAIN out-interface-list=GUEST comment="allow Main to Guest"
add chain=forward action=accept in-interface=ether1 connection-state=new connection-nat-state=dstnat comment="accept internet to dstnat"
add action=drop chain=forward comment="block everything else"
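The two mistakes this thread keeps circling back to are a bridge VLAN table that only works because of dynamic entries (which never appear in /export), and a management VLAN that no port actually carries once vlan-filtering=yes is set, which is the lockout the earlier replies warn about. The following is an added example, not MikroTik code or anything posted in this thread: a small linter that reads the bridge-VLAN part of an /export (the config above, constructed inline without backslash line continuations) and reports those inconsistencies. The severity levels and the rule that a PVID without a static untagged entry is only a warning are my assumptions, based on the dynamic "added by pvid" / "added by vlan on bridge" entries shown earlier in the thread.

```python
import shlex


# Constructed input for this example: the bridge-VLAN part of the config
# posted in this thread, in /export syntax (no backslash line continuations).
THREAD_CONFIG = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=main_vlan vlan-id=10
add interface=bridge name=guest_vlan vlan-id=20
/ip address
add address=192.168.0.1/24 interface=main_vlan
add address=10.10.20.1/24 interface=guest_vlan
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 pvid=10
add bridge=bridge interface=sfp-sfpplus2 pvid=10
add bridge=bridge interface=sfp-sfpplus8 pvid=10
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus8
add bridge=bridge vlan-ids=20 tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus8
"""

# Constructed counter-example (hypothetical): management address on VLAN 10,
# but no port carries VLAN 10, and sfp-sfpplus8 is tagged AND untagged in 20.
LOCKOUT_CONFIG = """\
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=main_vlan vlan-id=10
/ip address
add address=192.168.0.1/24 interface=main_vlan
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus8 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,sfp-sfpplus8 untagged=sfp-sfpplus8
"""


def parse_export(text):
    """Map each '/section' header to the list of its 'add ...' entries as dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None and line.startswith("add "):
            entry = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            sections[current].append(entry)
    return sections


def vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as '10', '10,20' or '100-102'."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(value):
    return set(filter(None, value.split(",")))


def lint(text):
    """Return (severity, message) findings for the bridge-VLAN config in text."""
    cfg = parse_export(text)
    bridges = cfg.get("/interface bridge", [])
    bridge_pvid = int(bridges[0].get("pvid", "1")) if bridges else 1
    ports = {e["interface"]: e for e in cfg.get("/interface bridge port", [])}
    table = {}  # vid -> {"tagged": set(), "untagged": set()} from static entries
    for e in cfg.get("/interface bridge vlan", []):
        for vid in vlan_ids(e["vlan-ids"]):
            row = table.setdefault(vid, {"tagged": set(), "untagged": set()})
            row["tagged"] |= members(e.get("tagged", ""))
            row["untagged"] |= members(e.get("untagged", ""))
    empty = {"tagged": set(), "untagged": set()}
    findings = []

    # 1. A port's PVID should have a static untagged entry; RouterOS adds a
    #    dynamic one otherwise, and dynamic entries never show up in /export.
    for name, p in ports.items():
        pvid = int(p.get("pvid", "1"))
        if name not in table.get(pvid, empty)["untagged"]:
            findings.append(("WARN", f"{name}: pvid {pvid} has no static untagged entry"))
        if p.get("frame-types", "").startswith("admit-only-untagged"):
            for vid, row in table.items():
                if name in row["tagged"]:
                    findings.append(("WARN", f"{name}: tagged in VLAN {vid} but "
                                     "frame-types drops tagged ingress"))

    # 2. A port cannot be both tagged and untagged in the same VLAN.
    for vid, row in table.items():
        for name in sorted(row["tagged"] & row["untagged"]):
            findings.append(("ERROR", f"{name}: both tagged and untagged in VLAN {vid}"))

    # 3. Lockout check: every VLAN the CPU has an IP address on needs the
    #    bridge itself as a member and at least one physical port carrying it.
    iface_vid = {e["name"]: int(e["vlan-id"]) for e in cfg.get("/interface vlan", [])
                 if e.get("interface") == "bridge"}
    iface_vid["bridge"] = bridge_pvid  # an address on the bridge itself rides its PVID
    for e in cfg.get("/ip address", []):
        name = e["interface"]
        if name not in iface_vid:
            continue
        vid = iface_vid[name]
        row = table.get(vid, empty)
        if "bridge" not in row["tagged"] | row["untagged"]:
            findings.append(("WARN", f"{name}: bridge is only a dynamic member of VLAN {vid}"))
        carried = (row["tagged"] | row["untagged"]) - {"bridge"}
        carried |= {n for n, p in ports.items() if int(p.get("pvid", "1")) == vid}
        if not carried:
            findings.append(("ERROR", f"{name}: no bridge port carries VLAN {vid}; "
                             "vlan-filtering=yes locks the CPU out of this subnet"))
    return findings


if __name__ == "__main__":
    for label, text in (("thread config", THREAD_CONFIG), ("lockout config", LOCKOUT_CONFIG)):
        print(f"== {label}")
        for sev, msg in lint(text) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```

Run it against a real /export before setting vlan-filtering=yes; the thread's config comes back clean, while the constructed counter-example reports the tagged-and-untagged port as an error and the unreachable management VLAN as the lockout error. It only parses `add` lines, so `set [ find ... ]` lines and multi-line exports need to be joined first.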

You've not checked everywhere, because MikroTik has untracked mentioned all over their Building Advanced Firewall guide.

And your CRS309 has a bare-minimum default setup, but the "home-oriented" devices from MikroTik all have

add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked

as part of their default configuration (defconf) firewall setup.

As for why untracked is listed as one of the connection states in this rule (and the similar rule in the input chain, as well as the versions of those two rules in the IPv6 firewall defconf filter table):

In the RAW firewall table, whose rules are checked before the rules in the Filter table, you have the ability to apply action=notrack to the packet being processed. This disables connection tracking for the packet. No conntrack entry will be created, and the router will not try to associate this packet with previous or future packets. This saves a lot of CPU and memory resources.

Normally you use a RAW rule to handle a particular kind of high-volume traffic that is either dropped immediately by RAW action=drop rules (and will never arrive at the filter rules), for cases like DDoS mitigation, or traffic that you want to let pass but don't want to track with conntrack to save resources, for which you apply action=notrack. Those packets that had action=notrack applied to them in the RAW table will have connection-state=untracked when arriving in the Filter table (and other tables after RAW).

You most certainly wanted those packets to go through when you applied action=notrack, because if you needed to drop them, then you would have written RAW rules to drop them as fast as possible before that. Which means the filter table should usually let those packets go through almost immediately, without spending further resources checking other filter rules on them. That is achieved by having an action=accept rule at or near the top of the chain in the Filter table with the condition connection-state=untracked.

But there is usually already an action=accept rule near the top of the chain for connection-state=established,related. If you need a rule that accepts connection-state=untracked, then there is no reason not to combine both of them. That's why the defconf firewall has those four action=accept rules that include untracked.

But all this also means that if you never need RAW rules, or only use RAW rules with action=drop or action=accept and never with action=notrack, then you don't need to bother with connection-state=untracked in the other places of your firewall and only need connection-state=established,related in those action=accept rules.

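The ordering described above (RAW before connection tracking, filter after it) is easy to get wrong in the head, so here is an added example, not RouterOS code and not from anyone in this thread, that models it. It runs a tracked HTTPS exchange and a notrack'ed UDP exchange through two forward chains: one that accepts only established,related before a final "block everything else" (as in the config posted above), and one defconf-style chain that also accepts untracked. The hypothetical RAW rule, the UDP port 4789 flow and the packet contents are constructed for the example; fasttrack, related and invalid states are left out of the model.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_iface: str


@dataclass
class Rule:
    action: str  # "accept", "drop", or (RAW table only) "notrack"
    match: Callable[[Packet, Optional[str]], bool] = lambda p, s: True


class Firewall:
    """Runs a packet through RAW -> conntrack -> filter; first match wins."""

    def __init__(self, raw, filt):
        self.raw, self.filt = raw, filt
        self.conntrack = set()  # direction-independent flow keys already seen

    @staticmethod
    def flow_key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p):
        # 1. RAW runs before connection tracking; notrack only flags the packet.
        notrack = False
        for r in self.raw:
            if r.match(p, None):
                if r.action == "drop":
                    return "drop(raw)"
                notrack = r.action == "notrack"
                break
        # 2. Connection tracking: a notrack'ed packet gets no entry, so it can
        #    never become "established", even as the reply to an earlier packet.
        if notrack:
            state = "untracked"
        elif self.flow_key(p) in self.conntrack:
            state = "established"
        else:
            state = "new"
            self.conntrack.add(self.flow_key(p))
        # 3. Filter: first matching rule decides; the default policy is accept.
        for r in self.filt:
            if r.match(p, state):
                return f"{r.action}({state})"
        return f"accept({state})"


WAN = "ether1"


def state_in(*states):
    return lambda p, s: s in states


def lan_to_wan(p, s):
    return p.in_iface != WAN


# Hypothetical RAW rule: skip conntrack for a bulk UDP flow to port 4789.
RAW_NOTRACK = [Rule("notrack", lambda p, s: p.proto == "udp" and p.dport == 4789)]

# Forward chain as posted in the thread: no "untracked" in the accept rule,
# LAN-to-WAN allowed, then "block everything else".
FORWARD_NO_UNTRACKED = [
    Rule("accept", state_in("established", "related")),
    Rule("accept", lan_to_wan),
    Rule("drop"),
]
# defconf-style forward chain: the same, with untracked accepted up front.
FORWARD_DEFCONF = [
    Rule("accept", state_in("established", "related", "untracked")),
    Rule("accept", lan_to_wan),
    Rule("drop"),
]


def run(raw, filt):
    """Push a tracked HTTPS exchange and a notrack'ed UDP exchange through one firewall."""
    fw = Firewall(raw, filt)
    lan = "sfp-sfpplus1"
    flows = [
        ("https_out", Packet("192.168.0.10", "203.0.113.5", "tcp", 51000, 443, lan)),
        ("https_back", Packet("203.0.113.5", "192.168.0.10", "tcp", 443, 51000, WAN)),
        ("bulk_out", Packet("192.168.0.10", "203.0.113.5", "udp", 4789, 4789, lan)),
        ("bulk_back", Packet("203.0.113.5", "192.168.0.10", "udp", 4789, 4789, WAN)),
    ]
    return {name: fw.process(p) for name, p in flows}


if __name__ == "__main__":
    for label, filt in (("no untracked", FORWARD_NO_UNTRACKED), ("defconf", FORWARD_DEFCONF)):
        print(label, run(RAW_NOTRACK, filt))
```

With the notrack rule in place, the UDP reply from the WAN side arrives as untracked: the first chain drops it on the final rule, the defconf-style chain accepts it. Remove the RAW rule and both chains behave identically, which is the point made above: without action=notrack anywhere, connection-state=untracked in the accept rules is dead weight rather than a hole.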

Thanks a lot! I don’t use RAW, I think, so I don’t need untracked there.

This is not the default config, btw. I erased the system with defaults=no.
I hand-wrote this whole thing line by line. Anything I missed or that can be improved, please?
Thanks for the Advanced Router link, I will build up the RAW part.