Help with Extending WAN Physically with VLANs.

Would appreciate some help with extending my WAN, I have a lot of firewall rules set up and don’t want to somehow negate the firewall or lose service for too long. Backstory, my toddler is constantly attracted to my shiny RB5009 and is in danger of destroying it. I need to move it upstairs out of harm’s way, however I need some clarity on how to do this correctly if that’s ok.

I have multiple VLANs, the only port that isn’t is the WAN connection (ether1), that is receiving internet from my ISP router in passthrough mode. I have some VLAN aware switches that I will need to also move around physically.
Apart from configuring the switches, I think I have to set up a new VLAN for the WAN network, perhaps just a /32? Then somehow assign a DHCP client to it so it connects to the ISP network. Then place this VLAN in the WAN interface list so the firewall rules are still in place? Would I create a new VLAN bridge for this or put it on the current bridge? Would I also need to set the gateway somewhere or is this automatic?

Appreciate any help and forgive my lack of knowledge. I bought the RB as a learning experience, would like to spend more time learning about this change before I commit to it but the toddler is making this urgent now.

If you don’t mind postponing the learning on the Mikrotik and using two cables instead of just one between the VLAN switch and the 5009, you can as well leave the configuration of the 5009 untouched and do all the magic using the VLAN switches alone.

The port of the ISP modem that was connected to ether1 of the 5009 needs to be connected to an access port to VLAN X on the VLAN switch downstairs, and the ether1 of the 5009 needs to be connected to an access port to the same VLAN X on the VLAN switch upstairs; VLAN X must be permitted on the trunk path between the two VLAN switches. Done.

Later, you can permit VLAN X also on a trunk between the VLAN switch and the 5009, create an /interface vlan attached to the common VLAN bridge for VLAN X on the 5009, and change all the existing IP or PPPoE settings and firewall settings from ether1 to that new /interface vlan. Again, done, you can remove the cable between the upstairs switch and ether1.

To get useful help with configuration, use /export file=somenicename on the command line, then download somenicename.rsc, obfuscate any usernames to external services, serial numbers, MAC addresses, public/global addresses - whatever might identify you, and post the result between [code] and [/code] tags here.

Unfortunately adding another exterior cable is not an option. If I add another VLAN for the WAN connection, how do I attach a DHCP client to it, so that it will get a DHCP lease from the passthrough router? I assume it would have to be a /32 network as I would only get one IP from my ISP?

You’ve misunderstood me so I must have not expressed myself clearly. I just said you can use the pair of VLAN-capable switches (non-Mikrotik ones, I suppose) to use an additional VLAN instead of the patchcord that was connecting ether1 of the 5009 to the LAN port of the ISP modem directly in the old scheme. Of course this extra VLAN would be added to the other VLANs already living in the single exterior cable.

Also, please distinguish between a VLAN and a subnet. A VLAN interface works much like a bare Ethernet one in terms that you can attach the DHCP client to it instead of the ether1 later on. A /32 is a single address, not a subnet, in IPv4, but that’s not the point here.

Don’t give up if it still doesn’t click. What brand are the VLAN switches?

Not what you asked, but the (good?) ol’ way would have been to protect the router by putting it inside an electrical box or, if WAF is involved, a hand made wooden box and keep the LAN topology as is.
I guess this shows how old I have become, attempting to solve problems with last century technology.

Other way round!
In the old hookup there were two connections coming to the 5009 ( one from ISP modem ) and one from closest switch
In the new hookup, there is only one connection available to the 5009 and that is single connection to the closest switch

It would appear that one creates a vlan ( vlan-WAN ) on the R5009 to use to terminate the ISP traffic.
This is added to the port already trunked to the closest switch.
ether1 is now a spare port ( which I would use as an OffBridge config port myself )

The switch closest to the ISP, needs to have this same vlan, as access port to the connection to the ISP modem…so modem traffic gets tagged with this vlan on the way in.
The vlan-WAN needs to be added to the trunk port going to the second switch.

The second switch needs to add this vlan to the incoming trunk port from the first switch and also to the trunk port heading to the router.

The router needs to terminate the vlan in IP DHCP client.

You can put ether1 in the same bridge as all the other ports, don’t put it in a separate bridge. The RB5009 has a switch chip connecting all ports with full hardware offload for VLAN filtering. My RB5009 also has all ports in the same bridge and the WAN connection is a VLAN on that bridge and all ports are hardware offloaded. Last time that I did the swap from “WAN port off bridge” to “WAN port on bridge as VLAN” I did this:

  • /export file=reference and save reference.rsc somewhere
  • Create new VLAN interface, vlan1000 for instance, on the bridge. The bridge interface must be in the tagged list of this VLAN, of course.
  • Using a text editor, find instances of “ether1” in reference.rsc. In WinBox, go to the corresponding sections and swap ether1 with vlan1000 in the drop-downs. This will cover things like interface lists (WAN), DHCP, ARP, IP Addresses, IGMP Proxy, etc…
  • /export file=current. Check that in current.rsc ether1 only appears under “/interface ethernet” and has been replaced by vlan1000 in all other places.
  • Add ether1 to the bridge, update /interface bridge vlan accordingly. If at this point you configure the ether1 port as access port for VLAN 1000 (set PVID and mode) then everything will still work with your current topology (ether1 plugged into the ISP device), with the RB5009 at the current location!
  • When you later move the RB5009 to the new location, you’ll need to make VLAN 1000 tagged on the port connecting the RB5009 to the managed switch.

Please note that your Bridge → VLANs configuration as shown in this picture is currently wrong!

You should either create separate entries, one for each VLAN id, or if you still want to group them together, you have to remove all the ports from the “Untagged” section (with the current RouterOS version you only need to set the PVIDs under Bridge → Ports and RouterOS will dynamically create the entries for the untagged ports). See VLAN filtering with simplified bridge VLAN table.

https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithsimplifiedbridgeVLANtable
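As an added example (not code from this thread or from MikroTik), here is a small Python script that follows the export / replace / verify steps of the post above on a constructed, simplified stand-in for reference.rsc. The interface name vlan1000, the WAN interface list and the firewall rules in the sample are assumptions for the example; the whole-word match is what stops ether1 from also hitting ether10.

```python
"""Swap the RB5009 WAN port for a VLAN interface in an exported config.

Added example, not code from the thread or from MikroTik. It scripts the
export / replace / verify steps of the post above against a constructed
sample export. The interface name vlan1000, the 'WAN' interface list and
the firewall rules in the sample are assumptions for this example.
"""
import re

# Constructed, simplified stand-in for reference.rsc (not a real export).
SAMPLE_RSC = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="ISP uplink" name=ether1
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=drop chain=input in-interface-list=WAN comment="drop from WAN"
add action=drop chain=forward connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

SECTION_RE = re.compile(r"^/\S")


def split_sections(text):
    """Return [(section_name, [lines])] in file order; blank lines dropped."""
    sections, name, lines = [], None, []
    for line in text.splitlines():
        if SECTION_RE.match(line):
            if name is not None:
                sections.append((name, lines))
            name, lines = line.strip(), []
        elif name is not None and line.strip():
            lines.append(line)
    if name is not None:
        sections.append((name, lines))
    return sections


def references(text, iface):
    """Count whole-word references to `iface` per section ('ether1' does
    not match 'ether10'). This is the 'find instances of ether1' step."""
    pat = re.compile(rf"\b{re.escape(iface)}\b")
    counts = {}
    for name, lines in split_sections(text):
        n = sum(len(pat.findall(line)) for line in lines)
        if n:
            counts[name] = n
    return counts


def swap_references(text, old="ether1", new="vlan1000"):
    """Replace `old` with `new` everywhere except under /interface ethernet,
    where the physical port keeps its name."""
    pat = re.compile(rf"\b{re.escape(old)}\b")
    out = []
    for name, lines in split_sections(text):
        out.append(name)
        out.extend(lines if name == "/interface ethernet"
                   else [pat.sub(new, line) for line in lines])
    return "\n".join(out) + "\n"


def verify_swapped(text, old="ether1"):
    """The post's check: `old` may only remain under /interface ethernet."""
    return set(references(text, old)) <= {"/interface ethernet"}


def vlan_additions(old="ether1", new="vlan1000", vlan_id=1000, bridge="bridge"):
    """Commands for the remaining steps: the VLAN interface on the bridge,
    the bridge tagged for that VLAN, and the old WAN port joined to the
    bridge as an access port (PVID) so the ISP cable can stay where it is."""
    return [
        "/interface vlan",
        f"add interface={bridge} name={new} vlan-id={vlan_id}",
        "/interface bridge vlan",
        f"add bridge={bridge} tagged={bridge} vlan-ids={vlan_id}",
        "/interface bridge port",
        f"add bridge={bridge} interface={old} pvid={vlan_id}",
    ]


if __name__ == "__main__":
    print("before:", references(SAMPLE_RSC, "ether1"))
    swapped = swap_references(SAMPLE_RSC)
    print("after: ", references(swapped, "ether1"),
          "ok" if verify_swapped(swapped) else "NOT ok")
    print("\n".join(vlan_additions()))
```

Run it against a real export only after obfuscating it the way the thread asks; the script never touches the router itself, it only shows which sections still point at the physical port and which commands the remaining steps need.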

Thank you for all your comments, it’s appreciated, I have big gaps in my knowledge on networking but I’m trying. I feel like learning networking goes from 0 - 100 real quick and suddenly you have to know everything to get something done. I’m fairly well understood on the VLAN side of things, subnets and routing however I fall short on.

To respond;

They are TP-Link managed PoE switches, 8 ports on each. They are all trunked and have been working well for a year now. I left the default Bridge with native VID of 1 on the Mikrotik because the switches also have a native VID of 1, more of a fallback in case the network/VLANs go down. The reason I asked about using a single address is that, I did try to create a VLAN and /24 subnet as a test for the WAN network a few days ago, and I enabled a DHCP client on it, but it would not fetch an address from ISP, and I don’t know why.

Just to clarify, the issue here isn’t with the switches and VLAN trunking, my lack of understanding is more to do with primarily the ISP network configuration, how I configure a new network for the gateway with a DHCP client (do I attach the client to a specific port on the VLAN), where it sits on the network, and assuming it has to be a VLAN to isolate it, and secondarily confirmation the firewall rules are completely derived from the interface WAN setting, all my rules use the ‘WAN’ setting in the Interface List so in theory I shouldn’t have to change any of them once the new WAN setting is set.

My line of thinking was, if I:

  • create a new small subnet,
  • create a new vlan for the subnet, attach it to the bridge and replicate/trunk it across switches and change physical layout,
  • attach a DHCP client to the new network,
  • plug the ISP cable into a port on the switch and set the PVID of the port to the new ISP VLAN,
  • mark the new interface as WAN for firewall,

success, but it doesn’t seem to work.

Out of interest, I can probably delete the default Bridge, and create a new VLAN ID 1 for native VLAN?

Please note that your Bridge → VLANs configuration as shown in this picture is currently wrong!

You should either create separate entries, one for each VLAN id, or if you still want to group them together, you have to remove all the ports from the “Untagged” section (with the current RouterOS version you only need to set the PVIDs under Bridge → Ports and RouterOS will dynamically create the entries for the untagged ports). See VLAN filtering with simplified bridge VLAN table.

https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithsimplifiedbridgeVLANtable

Thank you for your help, could you please elaborate on this please? It’s all working fine. Separate entries for what?

The point is you don’t have to create a subnet for the WAN traffic, just create a vlan, which will carry the data to the 5009.
Untagged port at the switch on the port to the ISP modem, added to the trunk port going to the other switch, added to the trunk port on second switch coming from first switch, added on trunk port going to the 5009, added to trunk port on 5009 coming from second switch. Terminate the vlan on IP DHCP client on the 5009, done!! Use ether1 for an off-bridge config access safe point.

If you are planning on using vlanid=1 then you haven’t learned yet the MT vlan filtering, suggest this document - http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I have TP Link switches, netgear, dlink, all work fine and all have native vlan1, but this is NOT the management (or trusted) vlan, nor a data vlan, just sits in the background.
(on switches, it typically remains an untagged member off all trunk ports, and has no affiliation with access ports)

I don’t work from screenshots but happy to review a proper config export
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

That is why I’ve suggested that you go in small steps - before touching anything in the configuration of the 5009, you should make sure that the “WAN VLAN” is set up properly on the downstairs TP-link. To do that, it is enough to add the WAN VLAN the same way as any other one on the two TP-links and set one Ethernet port on each as an access port to that new VLAN. Upstairs, you connect ether1 to that port on the TP-link, and that’s it.

And later you can just rearrange the tagging/untagging differently between the upstairs TP-link and the 5009, saving one pair of ports between the two, but never leaving the VLAN domain, i.e. not touching anything regarding routing and subnets. You just replace ether1 by the newly created /interface vlan vlan-id=xyz interface=bridge name=bridge.wan.xyz everywhere in the configuration of the 5009 (DHCP client, firewall) and allow VLAN xyz on the bridge and the trunk port connecting it to the TP-link.


With the ISP side, you cannot do what you want regarding subnets - you have to exactly follow the ISP choice. So if it was a DHCP client attached to ether1 of the 5009 while the ether1 of the 5009 was connected directly to the ISP modem in bridge mode, it has to stay like that, no matter whether you just replace the passive patchcord between the ISP modem and the 5009 by an additional VLAN linking two ports on the TP-links (so ether1 remains out of the bridge on the 5009) or whether you use an /interface vlan attached to a common bridge on the 5009 instead of interconnecting an access port on the upstairs TP-link with ether1 on the 5009.

In any case, if it works when the ether1 of the 5009 is connected directly to the ISP device but doesn’t work if you insert the pair of TP-links into this path, something is not set correctly on the TP-links and you have to find and fix it before moving further.

In both setups, the frame from the ISP modem gets tagged as it enters the downstairs switch via a physical port made an access one to the WAN VLAN, stays tagged as it goes via the exterior cable from the downstairs TP-link to the upstairs one. The difference between the methods takes place upstairs; in the first case, that frame gets untagged as the upstairs TP-link sends it out via an access port for the WAN VLAN to ether1 of the 5009, in the second one, the upstairs TP-link sends it to the 5009 still tagged, and it is the task of the /interface vlan on the 5009 to remove the tag to present the frame tagless to the IP protocol stack.

In a correct configuration, each port can carry untagged frames for only one VLAN. What you are doing in your screenshot is one of the many cases of Layer 2 misconfiguration. Your /interface bridge vlan entry specifies a lot of VLAN ids, as well as a list of ports under Untagged. Let’s see what that means:

https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table#BridgeVLANTable-Background

Quotes from the documentation:

  • Tagged/Untagged - Under /interface bridge vlan menu, you can specify an entry that contains tagged and untagged ports. In general, tagged ports should be your trunk ports and untagged ports should be your access ports. By specifying a tagged port the bridge will always set a VLAN tag for packets that are being sent out through this port (egress). By specifying an untagged port the bridge will always remove the VLAN tag from egress packets.

  • VLAN-ids - Under /interface bridge vlan menu, you can specify an entry in which certain VLANs are allowed on specific ports. The VLAN ID is checked on egress ports. If the packet contains a VLAN ID that does not exist in the bridge VLAN table for the egress port, then the packet is dropped before it gets sent out.

Please note the emphasis on the word egress. With the config from this dialog, port ether8 for instance will allow frames from VLAN 2, 3, 4, 5, 6, 7, 12, 100 to go out of it, and while the ethernet frames leave the port, the VLAN tag will also be removed from the frames. Which means port ether8, as well as ether4, ether5, ether6, will all send out frames from all those VLANs, and the other side of the links won’t even know which frames were really from VLAN 12, and which were from VLAN 7, because the vlan tag has been removed and everything was mixed together.

When you set the PVID value for the ports under /interface bridge ports, you only control the ingress traffic. Quotes from the same page above:

  • PVID - The Port VLAN ID is used for access ports to tag all ingress traffic with a specific VLAN ID. A dynamic entry is added in the bridge VLAN table for every PVID used, the port is automatically added as an untagged port.

Setting PVID only ensures that incoming untagged frames/packets will be given the VLAN tag with the ID specified in PVID. It does not affect egress packets, and does not prevent frames from all those VLANs above to go out of ether8. This violates the principle that one port should only carry untagged frames of only one VLAN. The page also mentions exactly that:

[image from the documentation page: untagged-misconfiguration.png]
The correct way here is to either create separate individual entries under /interface bridge vlan, one for each VLAN id, and ensure that one port only appears in the untagged list of at most one entry.

Or, alternatively, if you still want to keep only one entry for those multiple VLAN ids, you need to remove the ports from the Untagged list of that entry (the entry’s untagged list should be empty). Since version 7.15 RouterOS will, based on the PVID content from the /interface bridge port table, automatically create dynamic entries under /interface bridge vlan, one for each VLAN id that has untagged ports, and list the untagged ports for that VLAN. In your screenshot you can see that it has automatically created an entry for VLAN 1 (with D flag), because the bridge (vlan-bridge) specifies VLAN 1 in its PVID field. If you removed ether8, 4, 5, 6 from the Untagged list of the entries with VLAN ids 2, 3, 4, 5, 6, 7, 12, 100, RouterOS will add separate dynamic entries for VLAN 7, 12, 100 and correctly list ether6 in the Untagged list of the dynamic entry for VLAN id 7, for instance.
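To make the egress/ingress rules quoted above concrete, here is an added Python model (not code from the thread or from MikroTik) that encodes them: PVID acts on ingress only, the tagged/untagged lists act on egress, and one dynamic row per PVID is added to the table. It replays two things from the thread: the frame path from the ISP modem through the two switches described in the earlier post (access port tags it, trunk keeps it tagged, then either the upstairs access port or the /interface vlan on the 5009 removes the tag), and the single-row bridge VLAN table from the screenshot against its corrected form. Port names and the PVID values given to the access ports are constructed; the dynamic-row behaviour is a simplification of what the documentation describes.

```python
"""Model of bridge VLAN table ingress/egress rules, as an added example.

Not code from the thread or from MikroTik. It encodes the rules quoted from
the documentation above (PVID acts on ingress, tagged/untagged lists act on
egress, one dynamic row per PVID) and replays the frame path through the two
switches and the screenshot's bridge VLAN table against its corrected form.
Port names and the PVID values assigned to the access ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanRow:
    """One /interface bridge vlan row: VLAN ids plus tagged/untagged ports."""
    vlan_ids: frozenset
    tagged: frozenset = frozenset()
    untagged: frozenset = frozenset()


class Bridge:
    """Minimal VLAN-filtering bridge (also used to stand in for a switch)."""

    def __init__(self, pvid, rows):
        self.pvid = dict(pvid)   # port -> PVID, consulted on ingress only
        self.rows = list(rows)   # static rows, as configured by hand

    def table(self):
        """Static rows plus one dynamic row per PVID listing its ports as
        untagged (simplified from the RouterOS 7.15+ behaviour quoted above)."""
        by_vid = {}
        for port, vid in self.pvid.items():
            by_vid.setdefault(vid, set()).add(port)
        return self.rows + [VlanRow(frozenset({vid}), untagged=frozenset(ports))
                            for vid, ports in sorted(by_vid.items())]

    def ingress(self, port, vid=None):
        """An untagged frame (vid=None) receives the port's PVID; a tagged
        frame keeps the VID it came with."""
        return self.pvid[port] if vid is None else vid

    def egress(self, port, vid):
        """'tagged', 'untagged' or None (dropped): the VLAN id is checked on
        the egress port and the tag is removed only on an untagged port."""
        for row in self.table():
            if vid not in row.vlan_ids:
                continue
            if port in row.untagged:
                return "untagged"
            if port in row.tagged:
                return "tagged"
        return None

    def untagged_conflicts(self):
        """Ports that would emit untagged frames of more than one VLAN: the
        Layer 2 misconfiguration discussed above."""
        vids = {}
        for row in self.table():
            for port in row.untagged:
                vids.setdefault(port, set()).update(row.vlan_ids)
        return {p: sorted(v) for p, v in sorted(vids.items()) if len(v) > 1}


# --- the screenshot, reconstructed from the text (PVIDs are constructed) ---
ALL_VIDS = frozenset({2, 3, 4, 5, 6, 7, 12, 100})
TRUNKS = frozenset({"bridge", "ether2"})
PVIDS = {"ether4": 100, "ether5": 100, "ether6": 7, "ether8": 12}

# One row carrying every VLAN id with all access ports in its Untagged list.
WRONG = Bridge(PVIDS, [VlanRow(ALL_VIDS, tagged=TRUNKS, untagged=frozenset(PVIDS))])
# Same row with an empty Untagged list; the PVIDs supply the dynamic rows.
FIXED = Bridge(PVIDS, [VlanRow(ALL_VIDS, tagged=TRUNKS)])


def trace_wan_frame(wan_vid, router_strips_tag):
    """Follow an untagged frame from the ISP modem through the downstairs and
    upstairs switches. router_strips_tag=False is the two-cable hookup (access
    port to ether1); True is the trunk to the 5009 with an /interface vlan."""
    down = Bridge({"modem": wan_vid, "trunk": 1},
                  [VlanRow(frozenset({wan_vid}), tagged=frozenset({"trunk"}))])
    if router_strips_tag:
        row = VlanRow(frozenset({wan_vid}), tagged=frozenset({"trunk", "router"}))
    else:
        row = VlanRow(frozenset({wan_vid}), tagged=frozenset({"trunk"}),
                      untagged=frozenset({"router"}))
    up = Bridge({"trunk": 1, "router": 1}, [row])
    vid = down.ingress("modem")                 # access port applies the tag
    on_trunk = down.egress("trunk", vid)        # stays tagged on the exterior cable
    to_router = up.egress("router", up.ingress("trunk", vid))
    return {"downstairs_trunk": on_trunk, "upstairs_router_port": to_router,
            "tag_removed_by": "5009 /interface vlan" if to_router == "tagged"
            else "upstairs switch access port"}


if __name__ == "__main__":
    for hookup in (False, True):
        print(trace_wan_frame(1000, hookup))
    print("screenshot conflicts:", WRONG.untagged_conflicts())
    print("fixed conflicts:     ", FIXED.untagged_conflicts())
    print("ether8 sends VLAN 7 as:", WRONG.egress("ether8", 7),
          "-> after fix:", FIXED.egress("ether8", 7))
```

With the screenshot's single row, `untagged_conflicts()` lists every access port against all eight VLAN ids, which is exactly the mixing of VLAN 7 and VLAN 12 frames on ether8 described above; with the Untagged list emptied, each port is untagged in only its own dynamic row, so ether8 still sends VLAN 12 untagged but drops VLAN 7 at egress and the trunk ports keep their tags.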