Having a hard time setting up "router on a stick" with RB4011 and CRS326

Hi all,
I’ve been slaving away for 4-5 hours trying to figure out how to get my configurations working. I haven’t even gotten past pinging between the two devices. It’s frustrating me! :slight_smile:

The RB4011 should have 3 networks.

  • Private LAN - 10.0.1.0/24 - bridged to BRIDGE-LAN which includes ether5-Switch.
  • Internal Services/Devices - 10.0.10.0/24 - IP set on the bridge-vlan10
  • External Services/Devices - 10.0.20.0/24 - IP set on bridge-vlan20
  • ignore the IoT network, it’s an afterthought until I get basic functionality working.

The CRS3xx device has ether1-Trunk as the trunk, with the bridge port VLANs set, I assume, correctly.
ether2-8 is VLAN 10
ether9-12 is VLAN 20

Troubleshooting:

  • I try pinging from switch (10.0.1.128) to router bridge-vlan10 interface (10.0.1.1) and I get timeouts.
  • Same as above but in reverse router->switch
  • I put DHCP servers on vlan 10 and vlan 20 bridge interfaces and plugged a laptop into switchport ether3, but did not get an IP (probably dhcp relay issue maybe?), same with ether10 (vlan 20).
  • the devices show up next to each other in IP-Neighbours as well.
  • the devices are plugged in and powered on! :stuck_out_tongue:


I very very much appreciate the help! I haven’t even set up anything like firewall rules, NAT, security hardening, etc. etc. because I want to get this basic part down. (Don’t worry, it’s not in production :slight_smile: )


Configuration of RB4011
/interface bridge
add comment=10.0.1.0/24 name=bridge-PrivateLAN
add comment=10.0.10.0/24 name=bridge-vlan10-Internal
add comment=10.0.20.0/24 name=bridge-vlan20-External
add comment=10.0.30.0/24 name=bridge-vlan30-IoT
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment="bridged with bridge-PrivateLAN" \
    name=ether2--PrivateLAN
set [ find default-name=ether3 ] name=ether3-spare
set [ find default-name=ether4 ] name=ether4-spare
set [ find default-name=ether5 ] comment="This is on ether5 because ether6-10 \
    are on 2nd switch chip with only 2.5Gbps throughput to/from" name=\
    ether5-Switch
set [ find default-name=ether6 ] name=ether6-spare
set [ find default-name=ether7 ] name=ether7-spare
set [ find default-name=ether8 ] name=ether8-spare
set [ find default-name=ether9 ] name=ether9-spare
set [ find default-name=ether10 ] name=ether10-spare
/interface vlan
add interface=ether5-Switch name="vlan5.10 - Internal Devices and Services" \
    vlan-id=10
add interface=ether5-Switch name="vlan5.20 - External Devices/Services" \
    vlan-id=20
add interface=ether5-Switch name="vlan5.30 - IoT" vlan-id=1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.10.10-10.0.10.254
add name=dhcp_pool1 ranges=10.0.20.10-10.0.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-vlan10-Internal \
    name=dhcp-vlan10
add address-pool=dhcp_pool1 disabled=no interface=bridge-vlan20-External \
    name=dhcp-vlan20
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge-vlan10-Internal interface=\
    "vlan5.10 - Internal Devices and Services"
add bridge=bridge-vlan20-External interface=\
    "vlan5.20 - External Devices/Services"
add bridge=bridge-vlan30-IoT interface="vlan5.30 - IoT"
add bridge=bridge-PrivateLAN interface=ether5-Switch
add bridge=bridge-PrivateLAN interface=ether2--PrivateLAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.0.10.1/24 interface=bridge-vlan10-Internal network=10.0.10.0
add address=10.0.20.1/24 interface=bridge-vlan20-External network=10.0.20.0
add address=10.0.30.1/24 interface=bridge-vlan30-IoT network=10.0.30.0
add address=10.0.1.1/24 interface=bridge-PrivateLAN network=10.0.1.0
/ip dhcp-client
add disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.4.4,8.8.8.8 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=8.8.4.4,8.8.8.8 gateway=10.0.20.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=<OMMITTED>
/system identity
set name=RB4011



Configuration of CRSxxx - borrowed from https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Port_Based_VLAN

/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=10.0.1.128 name=ether1-Trunk
set [ find default-name=ether2 ] comment=\
    "Spare port - access to main, non-vlanned network (10.0.1.0/24 network)" \
    name=ether2-PrivateLAN
set [ find default-name=ether3 ] comment=\
    "Dell Server - Internal Servers/Devices" name=ether3-DellVLAN10
set [ find default-name=ether4 ] name=ether4-vlan10
set [ find default-name=ether5 ] name=ether5-vlan10
set [ find default-name=ether6 ] name=ether6-vlan10
set [ find default-name=ether7 ] name=ether7-vlan10
set [ find default-name=ether8 ] name=ether8-vlan10
set [ find default-name=ether9 ] name=ether9-vlan20
set [ find default-name=ether10 ] name=ether10-vlan20
set [ find default-name=ether11 ] name=ether11-vlan20
set [ find default-name=ether12 ] name=ether12-vlan20
set [ find default-name=ether13 ] name=ether13-vlan30
set [ find default-name=ether14 ] name=ether14--vlan30
set [ find default-name=ether15 ] name=ether15-vlan30
set [ find default-name=ether16 ] name=ether16-vlan30
set [ find default-name=ether17 ] name=ether17-spare
set [ find default-name=ether18 ] name=ether18-spare
set [ find default-name=ether19 ] name=ether19-spare
set [ find default-name=ether20 ] name=ether20-spare
set [ find default-name=ether21 ] name=ether21-spare
set [ find default-name=ether22 ] name=ether22-spare
set [ find default-name=ether23 ] name=ether23-spare
set [ find default-name=ether24 ] name=ether24-spare
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge vlan
add bridge=bridge tagged=ether1-Trunk untagged="ether3-DellVLAN10,ether4-vlan1\
    0,ether5-vlan10,ether6-vlan10,ether7-vlan10,ether8-vlan10" vlan-ids=10
/ip address
add address=10.0.1.128/24 interface=ether1-Trunk network=10.0.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
add dhcp-options=hostname,clientid disabled=no interface=ether1-Trunk
/ip route
add distance=1 dst-address=10.0.1.0/24 gateway=ether1-Trunk
/system identity
set name=OMMITTED
/system routerboard settings
set boot-os=router-os

On the CRS, access (untagged) ports should have pvid set.

E.g.

/interface bridge port
set [ find interface=ether4-vlan10 ] pvid=10

and repeat the above for all ports listed as untagged in /interface bridge vlan. After you do it, you may omit listing ports as untagged; they get added automatically (listing them helps readability of the exported config though).

Re RB4011 config: VLANs should really be configured similarly to how it’s done on the CRS, i.e. using a single VLAN-aware bridge. With multiple bridges and configuring it as a router (not a switch) you’re losing HW offload anyway. It would only make sense to have a separate bridge which would span ports ether6-ether10 which would be used as non-VLAN switched ports.
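The two recommendations above (pvid on the CRS access ports, one VLAN-aware bridge on the RB4011) put together as an added example; this is not either poster's config. Interface names, addresses and DHCP server names are taken from the exports in the thread, while bridge-LAN, vlan10-Internal and vlan20-External are names chosen here, and the CRS VLAN 20 entry is assumed from the description of ports 9-12 since the posted export only lists VLAN 10.

```routeros
# --- RB4011: one VLAN-aware bridge instead of the four bridges in the export ---
# VLAN filtering is left off until ports, VLAN table and addresses exist, then
# switched on last, so a mistake does not lock you out of the router.
/interface bridge
add name=bridge-LAN vlan-filtering=no
/interface bridge port
# Trunk to the CRS: VLAN 1 (10.0.1.0/24) untagged, VLANs 10 and 20 tagged.
add bridge=bridge-LAN interface=ether5-Switch pvid=1 ingress-filtering=yes
# Plain access port for the private LAN; tagged frames from hosts are dropped,
# so a host cannot pick its own VLAN by sending tagged frames.
add bridge=bridge-LAN interface=ether2--PrivateLAN pvid=1 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# The bridge itself is a tagged member so the router can hold an IP in each VLAN.
add bridge=bridge-LAN tagged=bridge-LAN,ether5-Switch vlan-ids=10
add bridge=bridge-LAN tagged=bridge-LAN,ether5-Switch vlan-ids=20
/interface vlan
# VLAN interfaces hang off the bridge, not off ether5-Switch as in the export.
add interface=bridge-LAN name=vlan10-Internal vlan-id=10
add interface=bridge-LAN name=vlan20-External vlan-id=20
/ip address
add address=10.0.1.1/24 interface=bridge-LAN
add address=10.0.10.1/24 interface=vlan10-Internal
add address=10.0.20.1/24 interface=vlan20-External
/ip dhcp-server
# Re-point the existing servers from the old per-VLAN bridges to the VLAN interfaces.
set dhcp-vlan10 interface=vlan10-Internal
set dhcp-vlan20 interface=vlan20-External
/interface bridge
set bridge-LAN vlan-filtering=yes

# --- CRS326: the pvid fix from the reply, shown for one port of each VLAN ---
# ingress-filtering drops frames for VLANs the port is not a member of, and
# frame-types keeps hosts on access ports from injecting their own tags.
/interface bridge port
set [ find interface=ether4-vlan10 ] pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=ether9-vlan20 ] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# Assumed: VLAN 20 carried tagged on the trunk; access ports are added
# automatically from their pvid once the line above is applied to ether9-12.
add bridge=bridge tagged=ether1-Trunk vlan-ids=20
```

Apply the CRS `set` lines to every access port before relying on the VLAN table, and check the result with `/interface bridge vlan print` and `/interface bridge host print`, which show the dynamic untagged entries and which VLAN each learned MAC landed in.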

Thank you! This worked! I’ll try and look at the proper way to do the RB4011 vlans soon.