Having trouble creating VLANs and a bonding interface between an RB3011 and CRS328

Hi,

I'm trying to build a new network with VLANs and bonding, and I'm having a lot of trouble getting it up and running.


I have an RB3011 as the main router, which has been working fine for the last 3 years. The current network set up on this router is 10.50.0.1/24

I just bought a new CRS328-24P-4S+RM to use as my main switch.

I want to create 2 new VLANs where I will eventually move all my machines: VLAN 100 (10.80.0.0/22) and VLAN 200 (10.80.4.0/22).
I also want a bonding interface between the switch and the router.

Here is a diagram of how I would like things plugged.


I have tried this. Here is my current config:


RB3011

# jul/28/2019 18:16:05 by RouterOS 6.45.1
# software id = LM13-4QY3
# model = RouterBOARD 3011UiAS
/interface bridge
add admin-mac=xx arp=proxy-arp auto-mac=no fast-forward=no name=bridge-local vlan-filtering=yes
/interface bonding
add mode=802.3ad name=router-switch slaves=ether4-slave-local,ether5-slave-local
/interface vlan
add interface=router-switch name=vlan-srv-100 vlan-id=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local ingress-filtering=yes interface=router-switch
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge-local tagged=router-switch vlan-ids=100
/ip address
add address=10.13.37.1/16 comment="default configuration" interface=ether2-master-local network=10.13.0.0
add address=69.70.215.78/30 interface=ether1-internet network=69.70.215.76
add address=10.80.0.1/22 interface=vlan-srv-100 network=10.80.0.0

CRS328

# jan/02/1970 00:30:35 by RouterOS 6.45.1
# software id = R141-ZR7S
# model = CRS328-24P-4S+
/interface bridge
add admin-mac=xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] mac-address=xx
/interface vlan
add interface=bridge name=vlan-srv-100 vlan-id=100
/interface bonding
add mode=802.3ad name=router-switch slaves=ether1,ether2
/interface wireless security-profiles
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=router-switch
/interface bridge vlan
add bridge=bridge tagged=bridge,router-switch vlan-ids=100
/ip address
add address=10.80.0.2/22 interface=vlan-srv-100 network=10.80.0.0
/ip route
add distance=1 dst-address=0.0.0.0/32 gateway=10.80.0.1

The bonding seems to work fine and I'm able to ping 10.80.0.1, which is the address of the router on VLAN 100. However, I cannot ping the switch or anything else on this network.

Anything I'm missing? Let me know if you need more information.



Thank you.

Hey

There is an extensive vlan how-to on this forum, have a look. (http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1)

Some remarks:

  • why need for proxy-arp on bridge?
  • vlan-filtering=yes (on non-CRS3xx hardware) is in software, if you want it hardware, you’ll need to do it through “switch” functions
  • if only vlan should pass over bond, why make it part of bridge and then filter everything away? just keep it independent interface
  • do you plan on using that “use-ip-firewall-for-vlan=yes”?
  • in “/interface bridge vlan” bridge-local should also be in the tagged list of interfaces (like you did for crs config)

Added info: vlan howto + vlan-filtering clarification

Thanks for the reply,

I forgot to mention that I tried to follow this guide : https://wiki.mikrotik.com/wiki/Manual:CRS3xx_VLANs_with_Bonds
Can you link to the VLAN howto you mentioned? Thanks.

  • proxy-arp, I don’t remember when and why I activated this, could it be because of VPN or mDNS? Should I remove it?
  • OK, that’s what I thought, but that wasn’t mentioned in the how-to linked above. But I think the RB3011 cannot do VLAN over the bonding interface.
  • I followed the how-to above, and it adds the bond to the bridge if I understand it correctly.
  • I plan on using rules in the firewall to block some traffic between subnets, isn’t that what this does?
  • OK, I will try to add this in bridge vlan.

  • proxy-arp will result in transmission of every packet through bridge. Could be useful for vpn, but for bridge??? I would remove / disable for time being, until a specific use case arises.
  • clarified that it’s in software for all non-CRS3xx hardware: you’re fine on the switch, but not on router
  • there is no bridging of bond on the router in the how-to. anyway you always have to evaluate such examples on what YOU need
  • between subnets → routing firewall, what you have now is bridge firewall = filtering of traffic within same subnet
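
One way to lay out the configuration along the lines of the remarks above, added here as an example that is not from any poster in the thread: the bond stays out of the router's bridge, the VLAN interfaces sit directly on it, and traffic between the two subnets is filtered in the IP firewall forward chain. The interface name vlan-200, the address 10.80.4.1 and the allow/drop policy are assumptions.

```routeros
# Added example, not from the thread. Assumed names/values: vlan-200,
# 10.80.4.1, and the allow/drop policy between the two VLANs.

# --- RB3011 (router) ---
/interface bonding
add mode=802.3ad name=router-switch slaves=ether4-slave-local,ether5-slave-local

# VLAN interfaces sit directly on the bond. The bond is NOT a bridge port,
# so the router needs no "/interface bridge vlan" entry for it.
/interface vlan
add interface=router-switch name=vlan-srv-100 vlan-id=100
add interface=router-switch name=vlan-200 vlan-id=200

/ip address
add address=10.80.0.1/22 interface=vlan-srv-100
add address=10.80.4.1/22 interface=vlan-200

# Bridge firewall hooks stay off: traffic between the two /22s is routed,
# so it passes through the IP firewall forward chain without them.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no

# Inter-VLAN policy (assumed): VLAN 100 may open connections to VLAN 200,
# VLAN 200 may only answer.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to allowed flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=vlan-srv-100 out-interface=vlan-200 comment="VLAN 100 -> VLAN 200"
add chain=forward action=drop in-interface=vlan-200 out-interface=vlan-srv-100 comment="VLAN 200 may not initiate to VLAN 100"

# --- CRS328 (switch) ---
# Carry VLAN 200 over the bond as well (access ports join as untagged members).
/interface bridge vlan
add bridge=bridge tagged=router-switch vlan-ids=200

# A default route is dst-address=0.0.0.0/0; a /32 matches only the single
# address 0.0.0.0.
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=10.80.0.1
```

Rule order matters: these filter entries need to sit above any broader accept rule already present in the forward chain.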

Hey, I was able to make it work! Thank you. I’ll do more testing tonight, but at least I’m able to use VLANs over a bonding interface between the switch and router.

However, I kept software VLAN on the router because I don’t think the RB3011 supports this feature on a bonding interface. See: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading

Thanks again for your help !