Desperately need help on RB2011UI vlans (taggged and untagged)

wasbak · December 1, 2015, 3:17pm

Hello all,

I wonder if somebody could help us out on the following issue. My colleague and i spent literally 10 hours searching, troubleshooting and experimenting without success.

Job description: We are trying to add 3 vlans to the Mikrotik. Vlan 10, 20 and 30. We want to make Eth5 the trunk port with all 3 vlans tagged. Also we want to make Eth2 an access port in vlan20 and Eth3 an access port in vlan30.

This are the steps we followed so far:

1. Rename the ethernet interfaces to something that makes sense and clear the master/slave memberships on ports 1 trough 5
/interface ethernet
set [ find default-name=ether1 ] master-port=none name=eth1
set [ find default-name=ether2 ] master-port=none name=eth2
set [ find default-name=ether3 ] master-port=none name=eth3
set [ find default-name=ether4 ] master-port=none name=eth4
set [ find default-name=ether5 ] master-port=none name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=ether8 ] name=eth8
set [ find default-name=ether9 ] name=eth9
set [ find default-name=ether10 ] name=eth10

2. Add the VLAN interfaces
/interface vlan
add interface=eth5 l2mtu=1594 name=vlan-10 vlan-id=10
add interface=eth5 l2mtu=1594 name=vlan-20 vlan-id=20
add interface=eth5 l2mtu=1594 name=vlan-30 vlan-id=30

3. Add the IP addresses
/ip address
add address=192.168.10.254/24 interface=vlan-10 network=192.168.10.0
add address=192.168.20.254/24 interface=vlan-20 network=192.168.20.0
add address=192.168.30.254/24 interface=vlan-30 network=192.168.30.0

3. Add the DHCP networks
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254 netmask=24
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.254 netmask=24
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.254 netmask=24

4. Add the DHCP pools
/ip pool
add name=vlan-10-dhcp-pool ranges=192.168.10.10-192.168.10.50
add name=vlan-20-dhcp-pool ranges=192.168.20.10-192.168.20.50
add name=vlan-30-dhcp-pool ranges=192.168.30.10-192.168.30.50

5. Add the DHCP Servers
/ip dhcp-server
add address-pool=vlan-10-dhcp-pool disabled=no interface=vlan-10 name=vlan-10-dhcp-server
add address-pool=vlan-20-dhcp-pool disabled=no interface=vlan-20 name=vlan-20-dhcp-server
add address-pool=vlan-30-dhcp-pool disabled=no interface=vlan-30 name=vlan-30-dhcp-server

Break: @ this point we have 3 vlans, 3 networks, 3 DHCP servers and one trunk port. All 3 vlans are added to Eth 5. Now; lets configure the untagged vlan ports eth2 and eth3.

6. This command sets the access ports. VLAN 20 on port eth2 and VLAN 30 on eth3
/interface ethernet switch port
set eth2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set eth3 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure

7.This command allows the router (CPU) to talk to the switch
/interface ethernet switch vlan
add independent-learning=yes ports=eth5,eth2,eth3,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=eth5 switch=switch1 vlan-id=20
add independent-learning=yes ports=eth5 switch=switch1 vlan-id=30

8. Remove eth2 from bridge local
/interface bridge port
remove 0

9. Tie ports 2,3 and 5 together with master / slave config
/interface ethernet
set [ find default-name=ether2 ] master-port=eth5 name=eth2
set [ find default-name=ether3 ] master-port=eth5 name=eth3

The result of all of this is a little bit disappointing. The trunk port works flawlessly. The access ports don’t. We really hope that somebody can help us out and explain the relation between the switchchip - CPU and vlan interfaces.

Attached is the complete configuration and a very simple diagram.

Many thanks,

Kind regards,

Patrick

skuykend · December 2, 2015, 2:56am

Seems to be a couple things slightly off, here are a few of my observations:

/interface ethernet switch vlan
vlan-id 20 will need to be able to have access to eth2 and switch1-cpu as well as eth5
vlan-id 30 will need to be able to have access to eth3 and switch1-cpu as well as eth5

switch1-cpu is the Ethernet port that is tied directly to your set master-port (eth5). So it’s referred to as eth5 in most of RoS, but in the switch menu it’s actually switch1-cpu. Any vlan interface attached to eth5 in RoS needs switch1-cpu access in the switch menu.

/interface ethernet switch port
I seem to need to set the switch1-cpu vlan-mode to fallback instead of disabled (even though manual says fallback is default it isn’t)
I also set the uplink (eth5) vlan-header to add-if-missing so everything is tagged coming out.

wasbak · December 2, 2015, 2:54pm

After one more hour of research and experimenting we got it to work. Hereby the working config on the RB2011 UiAS-RM RouterOS v6.33.2. This method works for us on switch chip 1 but we were unable to get it to work on switch chip 2.

Connect your management station to port 10 to avoid connection problems.

remove interface ether2 from the bridge

/interface bridge port
remove 0

clear the default master/slave configuration, rename the interfaces and make eth2 and eth3 slave of eth5 and clear slave relation from eth5

/interface ethernet
set [ find default-name=ether1 ] master-port=none name=eth1
set [ find default-name=ether2 ] master-port=none name=eth2
set [ find default-name=ether3 ] master-port=none name=eth3
set [ find default-name=ether4 ] master-port=none name=eth4
set [ find default-name=ether5 ] master-port=none name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=ether8 ] name=eth8
set [ find default-name=ether9 ] name=eth9
set [ find default-name=ether10 ] name=eth10
set [ find default-name=ether2 ] master-port=eth5
set [ find default-name=ether3 ] master-port=eth5
set [ find default-name=ether5 ] master-port=none

add the vlans to trunkport eth5

/interface vlan
add interface=eth5 l2mtu=1594 name=vlan10 vlan-id=10
add interface=eth5 l2mtu=1594 name=vlan20 vlan-id=20
add interface=eth5 l2mtu=1594 name=vlan30 vlan-id=30

set the vlan (tagged/untagged) configration on the switchchip

/interface ethernet switch port
set [find name=eth2] vlan-mode=secure default-vlan-id=20                              		
set [find name=eth3] vlan-mode=secure default-vlan-id=30                               		
set [find name=eth5] vlan-header=add-if-missing vlan-mode=secure                       		
set [find name=switch1-cpu] default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure

add the vlans to the switch ports

/interface ethernet switch vlan
add independent-learning=yes ports=eth5,eth2,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=eth5,eth3,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=yes ports=eth5,switch1-cpu switch=switch1 vlan-id=10

add the DHCP Pools

/ip pool
add name=vlan10-pool ranges=192.168.10.10-192.168.10.50
add name=vlan20-pool ranges=192.168.20.10-192.168.20.50
add name=vlan30-pool ranges=192.168.30.10-192.168.30.50

add the DHCP servers

/ip dhcp-server
add address-pool=vlan10-pool disabled=no interface=vlan10 name=vlan10-dhcp
add address-pool=vlan20-pool disabled=no interface=vlan20 name=vlan20-dhcp
add address-pool=vlan30-pool disabled=no interface=vlan30 name=vlan30-dhcp

add the DHCP networks

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.254
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.254

add the IP addresses

/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
add address=192.168.30.254/24 interface=vlan30 network=192.168.30.0
add address=192.168.20.254/24 interface=vlan20 network=192.168.20.0

If someone has any luck ore advice for switch chip 2 we are eager to know. Thanks

skuykend · December 2, 2015, 8:08pm

Different ways to do it, but if the VLAN’s are basically the same on both switches you can simply bridge the two master ports and move the vlan interfaces to the bridge. Then just make sure the switch2 setup including switch2-cpu is setup correctly.

Another way is to create duplicate vlan interfaces directly on the switch2 master port then bridge all vlans independently.

adastein · December 3, 2015, 9:48am

Hello, I need to setup VLAN’s aswell,
My setup is quite similar with yours, I did the exact same steps, but my router and any device connected to it cannot ping anything external, which is weird, checked the IP configuration as well as the GW, it is correct, but I get a “Timeout” message even from the router’s terminal.

Any suggestions did you configure anything specific related to the WAN?

Thanks in advance