Help with Basic VLAN

BassTeQ · July 31, 2018, 3:17am

Hi,

I’ve recently setup my router using the default settings and latest OS version, things are working well.
I’d now like to add a VLAN into the mix, the purpose of this VLAN is to create a separate network which will be utilised by Unifi Access Points

Current configuration
Eth1 = WAN
Eth2 = LAN (192.168.100.0/24) This goes into my main Unifi Switch where all devices are connected

Default Bridge

[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                     BRIDGE                                     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2-LAN                                    bridge                                     yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether6-master                                 bridge                                     yes    1     0x80         10                 10       none
 2 I   ;;; defconf
       sfp1                                          bridge                                     no     1     0x80         10                 10       none
 3 I H ether3                                        bridge                                     yes    1     0x80         10                 10       none
 4 I H ether4                                        bridge                                     yes    1     0x80         10                 10       none
 5 I H ether5                                        bridge                                     yes    1     0x80         10                 10       none
 6 I H ether7                                        bridge                                     yes    1     0x80         10                 10       none
 7 I H ether8                                        bridge                                     yes    1     0x80         10                 10       none
 8 I H ether9                                        bridge                                     yes    1     0x80         10                 10       none
 9 I H ether10                                       bridge                                     yes    1     0x80         10                 10       none

I’d like to create a new VLAN, eg VLAN 10 and it have a network address of 10.0.10.0/24. What steps are required to implement this?
Appreciate any assistance.

Thanks

usdmatt · July 31, 2018, 8:15am

Create a vlan sub-interface on the bridge with your relevant vlan number.
In “/switch vlan” create a vlan entry and add ether2 and switch1-cpu. You can also add other ports if they might handle vlan traffic. If it’s something like an RB2011 you may need to add switch2-cpu to the list to use ports 6+
Add an ip to the vlan interface and setup a dhcp server on it

samsung172 · July 31, 2018, 8:16am

just add a vlan to your bridge and add an ip to this new interface. next you need to tag the vlan at your ubnt device, and use it for your requirements.

nichky · July 31, 2018, 8:49am

see here

https://mum.mikrotik.com/presentations/ID13/khomeini.pdf

BassTeQ · August 1, 2018, 12:57am

Thanks for the tips, will try these suggestions shortly.

Is it best to tag traffic for my current 192.168.100.0 network as well, or leave this untagged as-is?

BassTeQ · August 1, 2018, 10:50am

I’ve made the suggested changes, does everything look ok? Any obvious mistakes?
When I try connect to the UniFi wireless network, it has VLAN 10 set, it fails trying to obtain IP address.
I think as a starting point I want to first take Unifi and the main switch connected on Eth2 out of the equation. If I can connect a PC to Eth3, and get an IP on the VLAN 10, that would be a good start. Is there anything additional I might need to achieve this?

Unifi Network

Thanks!

skylark · August 1, 2018, 11:28am

VLAN configuration depends on what kind of the device do you use. You can find more setup examples here:
https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Port_Based_VLAN
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN#Layer2_VLAN_examples
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29

Samot · August 1, 2018, 12:24pm

I’m not sure why the majority of the suggestions are pre-6.41 since that hasn’t been the case for almost a year now. You’ve got most of it right but here is what needs to happen.

Do not use the Switch setup. That’s wrong, it’s done via the Bridge now.
Under Bridge go to the VLAN tab, you’ll want to add a new VLAN. Add the VLAN ID where it asks and then add the bridge itself and the ether ports (3 in this case) that need to be tagged.
Enable VLAN Filtering on the Bridge.

Having the VLAN interface as a port on the bridge, correct.
Having the DHCP/IP Addresses assigned to the VLAN interface, correct.

You just need to set this up on the bridge instead of the switch interface.

BassTeQ · August 1, 2018, 11:28pm

Thanks Samot, this is what caused me confusion, lots of the content in forums, youtube etc is pre 6.41.

I’ve done as you suggested, removed the config in the “switch”
Enabled VLAN Filtering, and added the details in the VLAN tab.

However when I connect a PC into Eth3 I’m getting a 192.168.100.X IP address when it should be 10.0.10.X.

Cheers

CZFan · August 2, 2018, 3:11pm

Vlan10 must be on Bridge
In Bridge–>Ports, change ether3 PVID from 1 to 10
In Bridge–>Vlan make Bridge as tagged and ether3 untagged for Vlan id 10

BassTeQ · August 2, 2018, 11:17pm

Thanks CZFan,

Vlan10 must be on Bridge
Is this correct?

[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                      VLAN-IDS  CURRENT-TAGGED                      CURRENT-UNTAGGED                     
 0   bridge                      10

In Bridge–>Ports, change ether3 PVID from 1 to 10
Done

[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                  BRIDGE                  HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2-LAN                 bridge                  yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether6-master              bridge                  yes    1     0x80         10                 10       none
 2 I   ;;; defconf
       sfp1                       bridge                  no     1     0x80         10                 10       none
 3 I H ether3                     bridge                  yes   10     0x80         10                 10       none
 **--snip--**

In Bridge–>Vlan make Bridge as tagged and ether3 untagged for Vlan id 10
Like this?

Thank you.

CZFan · August 3, 2018, 6:54am

Vlan10 must be on Bridge
In Bridge–>Ports, change ether3 PVID from 1 to 10
In Bridge–>Vlan make Bridge as tagged and ether3 untagged for Vlan id 10

Thanks CZFan,

Vlan10 must be on Bridge
Is this correct?
[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                      VLAN-IDS  CURRENT-TAGGED                      CURRENT-UNTAGGED                     
 0   bridge                      10
…

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

BassTeQ · August 3, 2018, 10:07am

I already have this setup using a different name, will this be ok?

[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave 
 #    NAME                   MTU ARP             VLAN-ID INTERFACE               
 0 R  vlan10_Guest          1500 enabled              10 bridge

CZFan · August 3, 2018, 1:04pm

should be good to go, then if you want to prevent the guest vlan communication via layer 3 with other devices, use firewall filter rules

diddie17 · August 3, 2018, 4:19pm

I’m very happy to be corrected, but for my own education, I hadn’t understood is as being as binary as using the switch menu before 6.41 and VLAN filtering after. My understanding was that if there was a VLAN switching requirement, you should still use the switch menu for devices with a switch chip, rather than VLAN filtering on the bridge, in order to maintain HW offload and wirespeed switching (with the exception of the crs3xx range that can maintain HW offload using VLAN filtering on the bridge).

If I’ve understood correctly, the answer given is right for the eth1 and eth2 question being asked by the OP as there is no switching going on. But wouldn’t there be benefit even after 6.41 to using the switch menu and chip to maintain HW offload if eth3, eth4 etc. were also used with VLAN’s?

CZFan · August 3, 2018, 9:40pm

@diddie17, you are 100% correct, if you want to switch VLAN’s, i.e. Ether3 and ether4 is in same vlan, then it is best to use switch vlan config except for crs3xx devices.
Between VLAN’s will happen with routing and this will go via cpu

BassTeQ · August 4, 2018, 6:33am

Getting closer, when I connect to PC to Eth3 I now get an IP in the 10.0.10.0 subnet, however it can’t access the internet, or ping google dns 8.8.8.8.
Am I missing something? I’ve not put in any firewall rules to block traffic, the same rules remain as before I started trying to add this VLAN.
Traffic on the 192.168.100.0 subnet is fine, and has full connectivity.

Thanks again!

CZFan · August 4, 2018, 10:46am

provide output of “export hide-sensitive”

BassTeQ · August 4, 2018, 11:14am

# aug/04/2018 21:09:53 by RouterOS 6.42.6
# software id = UUZ2-Z8I4
#
# model = RouterBOARD 3011UiAS
# serial number = 
/interface bridge
add admin-mac=CC:2D:E0:7B:34:9F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether6 ] name=ether6-master
/interface vlan
add interface=bridge name=vlan10_Guest vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.1-192.168.100.254
add name=Guest ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=LAN
add address-pool=Guest disabled=no interface=vlan10_Guest name=GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
/interface list member
add interface=ether2-LAN list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1-WAN list=WAN
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=\
    192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.0.1 gateway=10.0.10.1 \
    netmask=24
add address=192.168.100.0/24 comment=LAN gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.254 name=router
/ip firewall address-list
add address=my.dynamic.host list=WANIP
/ip firewall filter
add action=log chain=prerouting disabled=yes dst-port=22 log=yes log-prefix=\
    step1 protocol=tcp
add action=log chain=forward disabled=yes dst-port=22 log=yes log-prefix=\
    step2 protocol=tcp
add action=log chain=postrouting disabled=yes dst-port=22 log=yes log-prefix=\
    step3 protocol=tcp
add action=drop chain=input comment="Drop Ping from WAN" in-interface=\
    ether1-WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
    protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward disabled=yes dst-port=8228 in-interface=\
    ether1-WAN log=yes log-prefix="accept forward port 22" protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1-WAN log-prefix="drop all from wan - input"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="drop invalid"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN log-prefix=\
    "drop from wan not dstnated"
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN Nat for loopback" \
    dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1-WAN
add action=dst-nat chain=dstnat comment="SSH Server" dst-port=9922 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.100.150 \
    to-ports=22
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/lcd
set backlight-timeout=never default-screen=stat-slideshow
/lcd interface
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6-master disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=ether1-WAN,ether2-LAN
/system clock
set time-zone-name=Australia/Melbourne
/system ntp client
set enabled=yes primary-ntp=150.101.178.147 secondary-ntp=203.7.149.150
/system routerboard settings
set silent-boot=no
/system scheduler
/system script
/tool graphing interface
add interface=ether1-WAN
add interface=ether2-LAN
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

CZFan · August 6, 2018, 4:41pm

Below some corrections of mistakes and suggestions, so change these first and come back:

From
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=
192.168.100.0
add address=10.0.10.1 interface=vlan10_Guest network=10.0.10.0

To
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2-LAN network=
192.168.100.0
add address=10.0.10.1**/24** interface=vlan10_Guest network=10.0.10.0

From
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.0.1 gateway=10.0.10.1
netmask=24
add address=192.168.100.0/24 comment=LAN gateway=192.168.100.254 netmask=24

To
/ip dhcp-server network
add address=10.0.10.0/24 comment=GUEST dns-server=10.0.10.1**,8.8.8.8** gateway=10.0.10.1
netmask=24
add address=192.168.100.0/24 comment=LAN dns-server=192.168.100.254,8.8.8.8 gateway=192.168.100.254 netmask=24

From
/ip dns
set allow-remote-requests=yes

To
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4