Dual Wan Config Help

Hello,

We have a specific usage case for dual WAN VLAN-tagged traffic with two DHCP servers and LLDP-MED. I’ve got some experience with Juniper devices but am having a hard time finding a working config for Mikrotik.

We are using the RB2011UiAS-2HnD-IN.

I would like to use Ether1 as a master port with two VLANs: VLAN 1100, which will have a public IP for data, and VLAN 1101, which will be a private VLAN for VoIP traffic. Ports 2-8 will be DHCP, ideally with LLDP-MED enabled to hand out to phones an internal VLAN 100 for data (default) and 200 for VoIP. A DHCP server would sit on the data side issuing internal IPs and NATting out VLAN 1100’s public IP, and the DHCP server on VLAN 200 would hand out a DHCP pool without NAT out the IP on VLAN 1101. We have static routes for a /26 or /24 at each site on the VoIP VLAN to route to the VLAN 1101 IP assigned. We would also like to remark DSCP and 802.1p outgoing on VLAN 1100 to DSCP 00 / VLAN priority 0, and outgoing on VLAN 1101 to DSCP 46 / VLAN priority 6.


Would anyone be kind enough to point me on the right way or let me know a good estimate on what I could expect to pay for freelance help?

Thanks,

Tim

If you want the phones to be completely, 100% separate from the data vlan, and no possibility of cross-feeding them, then you could put the phone_wan, and phone_lan interfaces into a VRF and that will handle it.

More detailed version:

make a LAN bridge:
bridge-lan
(the default 2011 config already includes a bridge called bridge-local; it's fine to just use that one)

Add a voice VLAN to this bridge:
/interface vlan add name=voice-vlan vlan-id=200 interface=bridge-lan

Put the LAN IP for each network on each interface, and configure DHCP as normal for both interfaces.
(bridge-lan = data, voice-vlan = voice)

Make two vlan interfaces on ether1:
/interface vlan add name=data-wan interface=ether1 vlan-id=1100
/interface vlan add name=voice-wan interface=ether1 vlan-id=1101
Put the router’s wan IP for each network on those interfaces.

Configure the hardware switch ports:
ether1 master=none
ether2 master=none
ether3-ether5 master=ether2
ether6 master=none
ether7-ether10 master=ether6
Connect the two switches and wlan1 interface to your bridge-lan bridge.
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=wlan1

Create default GW routes:
/ip route
add dst=0.0.0.0/0 gateway=x.x.x.x (data default GW)
add dst=0.0.0.0/0 gateway=y.y.y.y routing-mark=voice

Set the voice interfaces as a VRF:
/ip route vrf
add interfaces=voice-vlan,voice-wan routing-mark=voice

You’ll need to create the proper DHCP option to assign the voice vlan, and use it on the data lan’s DHCP scope.

As for NAT, the default behavior is no NAT, so only add a masquerade rule for the data WAN interface:
/ip firewall nat add chain=srcnat action=masquerade out-interface=data-wan

Of course any firewall filter rules that reference the default ether1 (usually named ether1-gateway) should be modified to use data-wan as the interface - just replace all appearances of “ether1” with “data-wan” and you’ll be set.

Thanks a lot for the help. I've got the dual DHCP working with correct VLAN tagging, but I'm not getting any data coming out of the voice-wan. Oddly, I can use the web interface on the voice IP of 172.16.65.252, but it doesn't answer pings. The data IP, 172.16.64.248, does answer pings and works for web transport.

Here is an export of the current config:

# mar/08/2016 14:29:02 by RouterOS 6.33.3
# software id = QH2H-DQES
/interface bridge
add admin-mac=4C:5E:0C:06:BA:6E auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-06BA77 wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface vlan
add interface=ether1-gateway l2mtu=1594 name=data-wan vlan-id=23
add interface=bridge-local l2mtu=1594 name=voice-vlan vlan-id=200
add interface=ether1-gateway l2mtu=1594 name=voice-wan vlan-id=24
/ip dhcp-server option
add code=132 name=VoiceVLAN value="s'200'"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcpvoip ranges=172.16.65.249-172.16.65.251
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
add address-pool=dhcpvoip disabled=no interface=voice-vlan name=dhcpvoip
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
add address=172.16.64.246/24 interface=data-wan network=172.16.64.0
add address=172.16.65.252/24 interface=voice-wan network=172.16.65.0
add address=172.16.65.248/29 interface=voice-vlan network=172.16.65.248
/ip dhcp-server network
add address=172.16.65.248/29 dns-server=64.246.100.1,64.246.115.1 gateway=172.16.65.254
add address=192.168.88.0/24 comment="default configuration" dhcp-option=VoiceVLAN dns-server=64.246.100.1,64.246.115.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=data-wan
/ip route
add distance=1 gateway=172.16.65.254 routing-mark=voice
add distance=1 gateway=172.16.64.254
/ip route vrf
add interfaces=voice-vlan,voice-wan routing-mark=voice
/system clock
set time-zone-name=America/New_York
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
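As an added check (not part of the thread), this script resolves each default gateway in the posted export against the connected subnets of its routing table, using only Python's ipaddress module. It shows that the voice gateway 172.16.65.254 falls inside both the /24 on voice-wan and the /29 on voice-vlan, so longest-prefix match sends it out the LAN-side VLAN, and that the voice DHCP scope hands out that same .254 as the phones' gateway even though the router's own address on that /29 is 172.16.65.248.

```python
# Added example, not from the thread: route-resolution and DHCP sanity check
# over values copied from the export posted above. Standard library only.
import ipaddress
from itertools import combinations

# (interface, address) copied from the posted /ip address section
ADDRESSES = [
    ("bridge-local", "192.168.88.1/24"),
    ("data-wan", "172.16.64.246/24"),
    ("voice-wan", "172.16.65.252/24"),
    ("voice-vlan", "172.16.65.248/29"),
]
# (gateway, routing-mark) copied from the posted /ip route section; None = main table
ROUTES = [("172.16.65.254", "voice"), ("172.16.64.254", None)]
# VRF membership copied from the posted /ip route vrf section
VRF = {"voice": {"voice-vlan", "voice-wan"}}
VRF_IFACES = set().union(*VRF.values())


def in_table(iface, mark):
    """True if the connected route of `iface` lives in routing table `mark`."""
    return iface in VRF[mark] if mark else iface not in VRF_IFACES


def connected(mark):
    """Connected (interface, network) pairs visible in routing table `mark`."""
    return [(i, ipaddress.ip_interface(a).network) for i, a in ADDRESSES if in_table(i, mark)]


def resolve_gateway(gw, mark):
    """Longest-prefix match of a gateway against its table's connected routes."""
    ip = ipaddress.ip_address(gw)
    hits = [(net.prefixlen, iface) for iface, net in connected(mark) if ip in net]
    return max(hits)[1] if hits else None


def resolve_all():
    """Map every posted default gateway to the interface it would egress on."""
    return {gw: resolve_gateway(gw, mark) for gw, mark in ROUTES}


def overlapping_subnets():
    """Interface pairs whose connected subnets overlap (ambiguous on-link resolution)."""
    nets = [(i, ipaddress.ip_interface(a).network) for i, a in ADDRESSES]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def dhcp_gateway_owned(network, gateway):
    """True if the gateway a DHCP scope hands out is held by the router on that network."""
    net, gw = ipaddress.ip_network(network), ipaddress.ip_address(gateway)
    return any(ipaddress.ip_interface(a).ip == gw and ipaddress.ip_interface(a).network == net
               for _, a in ADDRESSES)


if __name__ == "__main__":
    print("gateway egress:", resolve_all())      # voice GW resolves via voice-vlan, not voice-wan
    print("overlaps:", overlapping_subnets())    # [('voice-wan', 'voice-vlan')]
    for net, gw in [("172.16.65.248/29", "172.16.65.254"), ("192.168.88.0/24", "192.168.88.1")]:
        print(net, "DHCP gateway owned by router:", dhcp_gateway_owned(net, gw))
```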