Help with switch chip VLANs - How to get IPs to untagged VLANs?

Okay, I am trying to configure my CCR1009 using the switch core. I followed the instructions in the MikroTik wiki (http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features), but couldn’t figure out how to get it working without compromising the whole idea of VLANs (somehow I can only make VLANs that are visible to each other). Can somebody please help me get my VLANs working? Here is what I have so far:

/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30
set ether4 vlan-mode=secure vlan-header=add-if-missing
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

/interface ethernet switch vlan
add ports=ether1,ether4 switch=switch1 vlan-id=10
add ports=ether2,ether4 switch=switch1 vlan-id=20
add ports=ether3,ether4 switch=switch1 vlan-id=30

Okay, I get this, but how do I get an address to the untagged VLANs? If I try to add an address to a port, I can only get that with something like this,

/interface ethernet switch vlan
add ports=ether4,switch1-cpu switch=switch1 vlan-id=99 

/interface vlan
add name=vlan99 vlan-id=99 interface=ether1

/ip address
add address=192.168.88.1/24 interface=vlan99 network=192.168.88.0

/ip pool
add name=pool-vlan99 ranges=192.168.88.10,192.168.88.100

/ip dhcp-server
add address-pool=pool-vlan99 disabled=no interface=vlan99 name=dhcp-vlan99

/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

If I add another VLAN address like that, every VLAN can see each other. What am I doing wrong? What do I need to do to add IP addresses so that I can connect a cable to ether1 and have the addresses I want for VLAN10?

I would like my VLANs to be the following, and be able to create a DHCP server in my CCR1009 to serve addresses to those connected to me too.
vlan10 - 10.10.10.1/24
vlan20 - 10.10.20.1/24
vlan30 - 10.10.30.1/24

In the switch you have VLANs 10, 20 and 30, but on the router you have configured VLAN 99. There is no way DHCP can serve addresses to the VLANs on the switch.

You need to add the switch CPU port to each VLAN to allow the VLAN to reach the router CPU.

Yes, but when I do that, all my VLANs are visible. So I can ping 10.10.20.1 from my VLAN 10 (10.10.10.0/24). Or am I incorrect?

To troubleshoot:

Enable independent learning on each VLAN so you can use the Hosts tab in the switch menu to see whether the MACs are on the correct VLAN.

It is showing the right VLAN id for the port, but all the VLANs are visible. Here is how I am adding an IP to a VLAN.

Let’s say that I am going to add the vlan10. First I modify the switch VLAN I had created with,

/interface ethernet switch vlan
add ports=ether1,ether4 switch=switch1 vlan-id=10

to something that includes the switch1-cpu. If I do not add the “switch1-cpu”, the VLAN never works. I have this weird feeling that this is the problem, but I cannot get anything to work without using this “switch1-cpu”.

/interface ethernet switch vlan
set ports=ether1,ether4,switch1-cpu switch=switch1 vlan-id=10 numbers=0

Then I create an interface that I can use to add IPs and other things.

/interface vlan
add name=vlan10 vlan-id=10 interface=ether1
/ip address
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
/ip pool
add name=pool-vlan10 ranges=10.10.10.10,10.10.10.100
/ip dhcp-server
add address-pool=pool-vlan10 disabled=no interface=vlan10 name=dhcp-vlan10
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1

Can you spot something wrong here?

I think your VLANs are working correctly.

If you can ping the gateway of another VLAN successfully, that only proves you are in contact with the router.

It is normal that you can ping another VLAN host, that's called routing :) If you want to isolate the access from VLAN to VLAN, you have to use firewall rules to allow or drop the traffic you need.

Chechito, using the configuration that I used above, would it be possible to get a quick example? I am honestly lost.
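
The firewall approach suggested in the last reply, as an added example that is not part of the original thread and not written by any of the posters. It assumes vlan20 and vlan30 are `/interface vlan` entries created the same way as the vlan10 interface shown above; those two names and the address-list name `vlan-nets` are assumptions.

```routeros
# Added example. Assumes vlan10, vlan20 and vlan30 exist as /interface vlan
# entries and carry 10.10.10.1/24, 10.10.20.1/24 and 10.10.30.1/24
# (vlan20, vlan30 and the list name "vlan-nets" are assumed names).

/ip firewall address-list
add list=vlan-nets address=10.10.10.0/24
add list=vlan-nets address=10.10.20.0/24
add list=vlan-nets address=10.10.30.0/24

/ip firewall filter
# Replies to flows that an earlier rule allowed pass first. This matters once
# you add a specific allow rule above the drop below.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to permitted flows"

# Routed traffic whose source and destination are both VLAN subnets is
# inter-VLAN traffic: drop it. Hosts inside one VLAN are switched in
# hardware and never reach this chain.
add chain=forward src-address-list=vlan-nets dst-address-list=vlan-nets \
    action=drop comment="no routing between VLANs"

# The router owns a gateway address in every VLAN, so a ping from VLAN 10 to
# 10.10.20.1 is handled by the input chain, not forward. Drop traffic that
# arrives on one VLAN but targets the router's address in another VLAN.
add chain=input in-interface=vlan10 dst-address-list=vlan-nets \
    dst-address=!10.10.10.0/24 action=drop comment="vlan10: own gateway only"
add chain=input in-interface=vlan20 dst-address-list=vlan-nets \
    dst-address=!10.10.20.0/24 action=drop comment="vlan20: own gateway only"
add chain=input in-interface=vlan30 dst-address-list=vlan-nets \
    dst-address=!10.10.30.0/24 action=drop comment="vlan30: own gateway only"
```

Rule order matters: if the router already has filter rules, these must sit above any broader accept rule in the same chain.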