Wanted to ask for a little help in converting the below setup to hw offload on a 4011. I have 3 networks (internal=vlan1, iot=vlan2, guest=vlan3) and access points connected to ether3-4-5 that transmit vlan tagged & untagged packets, an internal device connected to ether2 & the top 3 ports (ether8-9-10) belong to iot devices. I have 3 DHCP servers for the 3 networks.
So in other words:
Ether1=WAN (pppoe)
Ether2=internal VLAN untagged
Ether3,4,5=all 3 networks, with internal VLAN untagged & guest/iot VLAN tagged
Ether8,9,10=iot VLAN untagged
The only way I was able to make this work was with bridge VLAN filtering & hybrid trunk ports, but that took the hw offload with it. I was trying to configure the switch ports to support the VLANs, but was unsuccessful so far, despite reading all the wiki articles. I can update the access points to send the internal VLAN packets tagged as well (so everything comes in tagged), but for some reason that never worked either (maybe because the pvid is the same as the tag, but I'm not sure) and it’s getting somewhat frustrating.
If you can point me in the right direction on how to configure the switch/bridge for hw offload with VLANs, I can try to figure out the rest on my own, but I’m not sure what I’m doing wrong.
# sep/21/2019 14:22:27 by RouterOS 6.45.6
# software id = RCVB-WZGR
#
# model = RB4011iGS+
# serial number = 968A09C5D231
#
# RouterOS export: one bridge with vlan-filtering enabled carrying three
# VLANs (1 = internal, 2 = iot, 3 = guest), PPPoE WAN on ether1, an L2TP/IPsec
# and IKEv2 road-warrior VPN on the 10.9.8.0/24 pool, and per-VLAN DHCP.
# Object order matters for an import: later sections reference objects
# (bridge, VLAN interfaces, pools, profiles) created earlier.
/interface bridge
# Single bridge; vlan-filtering=yes is what the whole VLAN layout below relies on.
add admin-mac=B8:69:F4:99:DC:1F auto-mac=no comment=defconf name=bridge protocol-mode=mstp vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes default-route-distance=2 disabled=no interface=ether1 max-mtu=1480 name=pppoe-out1 user=\
user
/interface vlan
# L3 VLAN interfaces are created on top of the bridge itself.
# NOTE(review): internal-vlan uses vlan-id=1, which is also the default port
# pvid — this is workable, but it is what makes "send internal tagged" collide
# with the untagged/pvid handling on the trunk ports.
add interface=bridge name=guest-vlan vlan-id=3
add interface=bridge name=internal-vlan vlan-id=1
add interface=bridge name=iot-vlan vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# Passive IKEv2 responder for road-warrior clients (identity/mode-config below).
add exchange-mode=ike2 name=peer1 passive=yes send-initial-contact=no
/ip ipsec policy group
add name=vpnpolicy
/ip ipsec profile
# Phase 1 parameters. NOTE(review): the offered lists still include 3des and
# modp1024; the phase 2 proposals below are AES-256 only, so these legacy
# entries only widen what a client may negotiate — consider trimming them.
set [ find default=yes ] dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 \
enc-algorithm=aes-256,3des hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: AES-256 variants with SHA-2, no PFS (both default and vpnproposal).
set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm pfs-group=\
none
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=vpnproposal pfs-group=none
/ip pool
# One pool per VLAN plus the VPN client pool (shared by L2TP and IKEv2 mode-config).
add name=internal-pool ranges=172.16.24.10-172.16.24.250
add name=iot-pool ranges=192.168.1.100-192.168.1.250
add name=guest-pool ranges=192.168.192.100-192.168.192.200
add name=vpnpool ranges=10.9.8.2-10.9.8.10
/ip dhcp-server
# Each DHCP server is bound to its VLAN interface, not to the bridge.
add add-arp=yes address-pool=internal-pool disabled=no interface=internal-vlan name=internal-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
/ip ipsec mode-config
# IKEv2 clients get a /32 from vpnpool and the iot-vlan address as DNS.
add address-pool=vpnpool address-prefix-length=32 name=vpncfg static-dns=192.168.1.1 system-dns=no
/ppp profile
# on-up for the default profile (used by the PPPoE client): waits 10 s, then
# releases the IPv6 DHCP client bound to the interface that just came up.
set *0 on-up=":local interfaceName [/interface get \$interface name];\
\n:delay 10\
\n:log info \"profile-pppoe-isp client up: ipv6 dhcp-client release\";\
\n/ipv6 dhcp-client release [find interface=\$interfaceName];"
add local-address=10.9.8.1 name=vpnprofile remote-address=vpnpool
/interface bridge port
# Port roles (see the bridge vlan table further down):
#   ether2        internal, untagged (default pvid 1)
#   ether3-5      trunks to the APs: internal untagged, iot/guest tagged
#   ether8-10     iot, untagged (pvid=2)
# NOTE(review): only ether4 has ingress-filtering=yes; ether3 and ether5 are
# configured as the same kind of trunk but without it — probably unintended.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8 pvid=2
add bridge=bridge comment=defconf interface=ether9 pvid=2
add bridge=bridge comment=defconf interface=ether10 pvid=2
add bridge=bridge comment=defconf interface=sfp-sfpplus1
# NOTE(review): the three entries below add the bridge's own VLAN interfaces
# (created above with interface=bridge) back into the bridge as member ports,
# and the vlan table lists them as untagged members. In the usual
# vlan-filtering layout the VLAN interfaces are NOT bridge ports — the bridge
# itself is the tagged member and the VLAN interfaces simply sit on it. These
# software ports are a likely reason the bridge loses hw-offload; check the
# H flag in `/interface bridge port print` after removing them (confirm).
add bridge=bridge interface=internal-vlan
add bridge=bridge interface=iot-vlan pvid=2
add bridge=bridge interface=guest-vlan pvid=3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# Strict reverse-path filtering: a packet whose source does not route back out
# the interface it arrived on is dropped.
set rp-filter=strict
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no
/interface bridge vlan
# VLAN table: the bridge and the three AP trunks carry all VLANs tagged; the
# iot ports are untagged members of VLAN 2. (See the note on the VLAN
# interfaces listed as untagged members above.)
add bridge=bridge comment=Internal tagged=bridge,ether3,ether4,ether5 untagged=internal-vlan vlan-ids=1
add bridge=bridge comment=IOT tagged=bridge,ether3,ether4,ether5 untagged=ether8,ether9,ether10,iot-vlan vlan-ids=2
add bridge=bridge comment=Guest tagged=bridge,ether3,ether4,ether5 untagged=guest-vlan vlan-ids=3
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# L2TP only with IPsec (use-ipsec=required) and MS-CHAPv2.
set authentication=mschap2 default-profile=vpnprofile use-ipsec=required
/interface list member
# LAN list drives the "drop all not from LAN" input rules and the mac-server
# restrictions; WAN list drives NAT and the IPsec accept rules.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2 list=LAN
add interface=internal-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
/interface ovpn-server server
# NOTE(review): OVPN server uses auth=sha1; whether it is enabled is not shown
# in this export. Client certificates are required.
set auth=sha1 certificate=ca.crt_0 cipher=aes256 require-client-certificate=yes
/ip address
# Gateway addresses live on the VLAN interfaces, one per network.
add address=172.16.24.1/24 comment=defconf interface=internal-vlan network=172.16.24.0
add address=192.168.1.1/24 interface=iot-vlan network=192.168.1.0
add address=192.168.192.1/24 interface=guest-vlan network=192.168.192.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:0:1c:2a:1:33:c3 mac-address=00:1C:2A:01:33:C3 server=iot-dhcp
/ip dhcp-server network
add address=172.16.24.0/24 comment=defconf dns-server=172.16.24.1 gateway=172.16.24.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.192.0/24 dns-server=192.168.192.1 gateway=192.168.192.1
/ip dns
# Router answers DNS for clients (allow-remote-requests) and forwards to an
# internal resolver at 172.16.24.2. Input from non-LAN is dropped below, so
# this is not exposed on WAN.
set allow-remote-requests=yes servers=172.16.24.2
/ip dns static
add address=172.16.24.1 name=styx
/ip firewall filter
# --- input chain ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# IKE/ESP from WAN for the VPN responder.
add action=accept chain=input comment="accept ipsec-esp" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="accept ipsec udp ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
# SSH to the router from a single fixed source address (any interface).
add action=accept chain=input dst-port=22 protocol=tcp src-address=185.80.48.117
# Management from IKEv2 mode-config clients, whose decrypted packets arrive on
# pppoe-out1 with a 10.9.8.0/24 source. NOTE(review): this matches on source
# address alone; adding `ipsec-policy=in,ipsec` would restrict it to packets
# that were actually decrypted by IPsec. rp-filter=strict only covers the
# spoofed-cleartext case while a more specific 10.9.8.x route exists.
add action=accept chain=input in-interface=pppoe-out1 src-address=10.9.8.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=\
ipv4,inputnotlan
# --- forward chain ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttrack applies only to established/related, so the inter-VLAN drop rules
# below still see every new connection.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Inter-VLAN policy: guest may reach one internal host on tcp/8080; otherwise
# guest<->internal and guest<->iot are dropped (logged). IOT2LAN matches
# connection-state=new only, so internal->iot connections and their replies
# are still allowed.
add action=accept chain=forward comment="Guest Smarthome control" dst-address=172.16.24.2 dst-port=8080 protocol=tcp \
src-address=192.168.192.0/24
add action=drop chain=forward comment=GUEST2LAN dst-address=172.16.24.0/24 log=yes log-prefix=guest2lan src-address=\
192.168.192.0/24
add action=drop chain=forward comment=GUEST2IOT dst-address=192.168.1.0/24 log=yes log-prefix=guest2iot src-address=\
192.168.192.0/24
add action=drop chain=forward comment=IOT2GUEST dst-address=192.168.192.0/24 log=yes log-prefix=iot2guest src-address=\
192.168.1.0/24
add action=drop chain=forward comment=IOT2LAN connection-state=new dst-address=172.16.24.0/24 log-prefix=iot2lan \
src-address=192.168.1.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# ipsec-policy=out,none keeps VPN client traffic out of masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# IKEv2 responder identity: certificate auth, policies generated per client
# (port-strict). NOTE(review): remote-id=ignore skips matching the peer's ID;
# the certificate check itself still applies — confirm that is intended.
add auth-method=digital-signature certificate=styx.crt_0 generate-policy=port-strict mode-config=vpncfg peer=peer1 \
policy-template-group=vpnpolicy remote-id=ignore
/ip ipsec policy
add dst-address=10.9.8.0/24 group=vpnpolicy proposal=vpnproposal src-address=0.0.0.0/0 template=yes
/ip service
# Management surface: telnet/ftp/www/api/api-ssl disabled; ssh, www-ssl and
# winbox limited to the internal VLAN and the VPN pool.
set telnet address=172.16.24.0/24 disabled=yes
set ftp address=172.16.24.0/24 disabled=yes
set www address=172.16.24.0/24 disabled=yes
set ssh address=172.16.24.0/24,10.9.8.0/24
set www-ssl address=172.16.24.0/24,10.9.8.0/24 certificate=styx.crt_0 disabled=no
set api address=172.16.24.0/24 disabled=yes
set winbox address=172.16.24.0/24,10.9.8.0/24
set api-ssl address=172.16.24.0/24,10.9.8.0/24 certificate=styx.crt_0 disabled=yes
/ip ssh
# strong-crypto=yes drops legacy SSH ciphers/MACs; remote port forwarding allowed.
set forwarding-enabled=remote strong-crypto=yes
/ipv6 address
# IPv6 only on the internal VLAN, from the prefix delegated over PPPoE.
add from-pool=v6pool interface=internal-vlan
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=v6pool request=prefix use-peer-dns=no
/ipv6 firewall address-list
# Default bogon list used by the IPv6 forward rules.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 rules; note there is no IPv6 equivalent of the IPv4
# inter-VLAN drops, but only internal-vlan has an IPv6 address.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
# Router advertisements on internal-vlan only, with short prefix lifetimes
# (1m30s) so clients drop the prefix quickly after a PPPoE re-delegation.
set [ find default=yes ] interface=internal-vlan ra-interval=20s-1m20s
/ipv6 nd prefix default
set preferred-lifetime=1m30s valid-lifetime=1m30s
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Styx
/system logging
# Disables the default logging rule with ordinal 2 (which one is not visible
# in this export) and adds the bridge topic — useful while debugging VLANs.
set 2 disabled=yes
add topics=bridge
/system ntp client
set enabled=yes primary-ntp=148.6.0.1 secondary-ntp=62.112.194.60
/system ntp server
set enabled=yes
/system watchdog
# watch-address: the router reboots if this address stops responding to ping.
set watch-address=8.8.8.8
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level telnet/winbox only from LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Sniffer pre-filter left pointing at a single internal host, headers only.
set filter-interface=all filter-ip-address=172.16.24.248/32 only-headers=yes