A few questions on how to configure CRS

Hello!

I just got my CRS and after some reading and trial and error, I think I got the concept of it. I will show you what I want to achieve and ask if I did it correctly.

What I want to achieve is this:

Steps:

  • created PPPoE connection and it works
  • set up NAT to have access to ethernet
  • set ether1 port as master and 2-22 as slave
  • in Interfaces->VLAN I created VLANs 10,20,30 and added them to ether1 port
  • I assigned IPs to VLAN interfaces in IP->Addresses
  • created DHCP server for each vlan
  • I went to Switch->VLAN
  • under VLAN I added each vlan and corresponding ports to it (to VLAN10, I added ports 1-8 and switch-cpu,..)
  • under VLAN tagging I added each vlan and switch-cpu as port
  • under Ingress vlan translation, I added all vlans, corresponding ports and set Customer VID to 0 and New Customer VID to vlan id port belongs to.

Config file (just the necessary lines):

/interface ethernet
set [ find default-name=ether2 ] master-port=ether1 name=ether2-m1
set [ find default-name=ether3 ] master-port=ether1 name=ether3-m1
set [ find default-name=ether4 ] master-port=ether1 name=ether4-m1
set [ find default-name=ether5 ] master-port=ether1 name=ether5-m1
set [ find default-name=ether6 ] master-port=ether1 name=ether6-m1
set [ find default-name=ether7 ] master-port=ether1 name=ether7-m1
set [ find default-name=ether8 ] master-port=ether1 name=ether8-m1
set [ find default-name=ether9 ] master-port=ether1 name=ether9-m1
set [ find default-name=ether10 ] master-port=ether1 name=ether10-m1
set [ find default-name=ether11 ] master-port=ether1 name=ether11-m1
set [ find default-name=ether12 ] master-port=ether1 name=ether12-m1
set [ find default-name=ether13 ] master-port=ether1 name=ether13-m1
set [ find default-name=ether14 ] master-port=ether1 name=ether14-m1
set [ find default-name=ether15 ] master-port=ether1 name=ether15-m1
set [ find default-name=ether16 ] master-port=ether1 name=ether16-m1

/interface vlan
add interface=ether1 l2mtu=1584 name=vlan10-zaposleni vlan-id=10
add interface=ether1 l2mtu=1584 name=vlan20-gosti vlan-id=20

/ip address
add address=192.168.10.1/24 comment=Zaposleni interface=vlan10-zaposleni network=192.168.10.0
add address=192.168.11.1/24 comment=gosti interface=vlan20-gosti network=192.168.11.0

/ip pool
add name=Pool-Zaposleni ranges=192.168.10.100-192.168.10.200
add name=Pool-Gosti ranges=192.168.11.100-192.168.11.200

/ip dhcp-server
add address-pool=Pool-Zaposleni disabled=no interface=vlan10-zaposleni lease-time=1d name=DHCP-Zaposleni
add address-pool=Pool-Gosti disabled=no interface=vlan20-gosti lease-time=1d name=DHCP-Gosti

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1

/interface ethernet switch vlan
add ports=ether12-m1,ether14-m1,switch1-cpu vlan-id=20
add ports=ether2-m1,ether4-m1,switch1-cpu vlan-id=10

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=switch1-cpu vlan-id=10

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=20 ports=ether12-m1,ether14-m1 sa-learning=yes service-vlan-format=\
    untagged-or-tagged
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=10 ports=ether2-m1,ether4-m1 sa-learning=yes service-vlan-format=\
    untagged-or-tagged

The above code is only for VLAN10 and 20 and for port 2,4,12,14. Just as a proof of concept. As far as I tested it works. Did I miss something?

I still have some questions:

  • Ingress vlan translation: if I understand correctly, this part marks incoming packets with a vlan tag. Customer VID 0 means the packet is untagged. If I want to mark it with vlan id 20, I have to set new customer VID to 20. That translates to “if you receive an untagged packet, tag it with vlan id 20”. Do I understand that correctly?

  • Egress vlan translation is probably the same, but for when packets are leaving the port? How come I don’t need any settings here? I would expect I have to strip vlan tags here, so packets leave the port untagged.

  • VLAN tagging (I think this is named egress-vlan-tag in CLI): I added vlan IDs and switch1-cpu in here. If I understand correctly, that is needed so packets with certain vlans are “forwarded” to the main cpu for DHCP, Hotspot, … usage? I would not need egress-vlan-tag if I only needed to switch certain vlans?

  • Add wifi to vlan20: I created a bridge, added ports wlan1 and vlan20 to the bridge and moved the DHCP server. It seems that this configuration works. Is that the correct way?
    To which interface do I have to assign the IP, vlan20 or the bridge?

  • What changes if I put ports 1-8 together (ether1 being master and all others slaves) and add vlan10 to ether1, and put ports 9-16 together (ether9 being master and all others slaves) and add vlan20 to ether9? It works just like the first example, but what’s the difference? Why is any solution better or when would I need one and when the other?

Thanks for all the help, Matej
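
A consistency check for the switch settings posted above, as an added example that is not part of the original post and not MikroTik tooling: it parses the export and reports ports whose ingress translation and VLAN membership disagree, the kind of mismatch that would break the separation between VLAN 10 and VLAN 20. The rules it checks are assumptions taken from the steps in the post, and the embedded export is a trimmed copy of the posted one.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the switch-related sections posted above.
EXPORT = r"""
/interface vlan
add interface=ether1 name=vlan10-zaposleni vlan-id=10
add interface=ether1 name=vlan20-gosti vlan-id=20
/interface ethernet switch vlan
add ports=ether12-m1,ether14-m1,switch1-cpu vlan-id=20
add ports=ether2-m1,ether4-m1,switch1-cpu vlan-id=10
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=switch1-cpu vlan-id=10
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether12-m1,ether14-m1
add customer-vid=0 new-customer-vid=10 ports=ether2-m1,ether4-m1
"""

def parse_export(text):
    """Return {section path: [{key: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join RouterOS line continuations
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit(text, cpu="switch1-cpu"):
    """Assumed rules: one VLAN per access port, membership matches translation."""
    s, sw = parse_export(text), "/interface ethernet switch "
    members = {r["vlan-id"]: set(r["ports"].split(",")) for r in s[sw + "vlan"]}
    tagged = {r["vlan-id"]: set(r["tagged-ports"].split(","))
              for r in s[sw + "egress-vlan-tag"]}
    findings, seen = [], {}
    for r in s[sw + "ingress-vlan-translation"]:
        vid = r["new-customer-vid"]
        for port in r["ports"].split(","):
            if port not in members.get(vid, set()):
                findings.append(f"{port}: tagged into VLAN {vid} but not a member of it")
            if seen.setdefault(port, vid) != vid:
                findings.append(f"{port}: translated into VLANs {seen[port]} and {vid}")
    for r in s["/interface vlan"]:  # VLANs that terminate on the CPU (DHCP etc.)
        vid = r["vlan-id"]
        if cpu not in members.get(vid, set()) or cpu not in tagged.get(vid, set()):
            findings.append(f"VLAN {vid}: {cpu} is not a tagged member")
    return findings
```

An empty list from `audit(EXPORT)` means the three switch tables agree with each other; it does not test forwarding on the device itself.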