Hello:
I have a HEX-S (RB760iGS) as a home router and I’m having a bit of an issue getting it to play nice with VLANs. Per my understanding, this chipset (MediaTek) only supports VLANs at the Bridge level. I have followed the wiki guides but failed to get it working. Here is what I am trying to do:
ETH1 => WAN (public IP)
ETH2 => VLAN tagged trunk supporting three VLANs 10/20/30 (this port goes to a CRS…)
VLAN10: 192.168.10.0/24
VLAN20: 192.168.20.0/24
VLAN30: 192.168.30.0/24
ETH3 => untagged VLAN10
ETH4 => untagged VLAN20
ETH5 => untagged VLAN30
The HEX will handle NAT and inter VLAN routing.
Is this configuration possible?
Thanks in advance.
This was my solution
http://forum.mikrotik.com/t/vlan-bridge-with-filter-problem-hex/137623/3
Unfortunately, that didn’t work for me.
Then you should probably post your configuration here.
/interface bridge
add name=bridge_trunk
add name=bridge_vlan10
add name=bridge_vlan20
add name=bridge_vlan30
/interface ethernet
set [ find default-name=ether1 ] comment="-- WAN --"
/interface vlan
add interface=bridge_trunk name=vlan10 vlan-id=10
add interface=bridge_trunk name=vlan20 vlan-id=20
add interface=bridge_trunk name=vlan30 vlan-id=30
/interface bridge port
add bridge=bridge_trunk interface=ether2
add bridge=bridge_vlan10 interface=vlan10
add bridge=bridge_vlan20 interface=vlan20
add bridge=bridge_vlan30 interface=vlan30
add bridge=bridge_vlan10 interface=ether3
add bridge=bridge_vlan20 interface=ether4
add bridge=bridge_vlan30 interface=ether5
Put IP addresses on the bridges for each VLAN!
Here is my non-working configuration:
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Port"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface ethernet switch port
set 1 vlan-mode=disabled
set 2 vlan-mode=disabled
set 3 vlan-mode=disabled
set 5 vlan-mode=disabled
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3 pvid=10
add bridge=bridge1 comment=defconf interface=ether4 pvid=20
add bridge=bridge1 comment=defconf interface=ether5 pvid=30
add bridge=bridge1 comment=defconf interface=sfp1
/interface bridge vlan
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether5 vlan-ids=30
/interface ethernet switch vlan
add disabled=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=10
add disabled=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=20
add disabled=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
Not surprising seeing as you didn’t enable bridge vlan-filtering.
Sorry, I should have pointed out that after setting the above config, I enable vlan filtering on the bridge and then the unit becomes unreachable…
Hi All:
Just wanted to share the configuration that worked for me on the Hex. In this configuration, which is a starting point, I ended up implementing the following:
ETH1 => WAN
ETH2 => VLAN trunk for VLAN 10,20,30
ETH4 => VLAN 30 untagged.
Thanks for the suggestions, hope this helps others.
# model = RB760iGS
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Port"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface ethernet switch port
set 1 vlan-mode=disabled
set 2 vlan-mode=disabled
set 3 vlan-mode=disabled
set 5 vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=All-LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-vlan20 ranges=192.168.20.100-192.168.20.199
add name=pool-vlan10 ranges=192.168.10.100-192.168.10.199
add name=pool-vlan30 ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge1 name=defconf
add address-pool=pool-vlan20 disabled=no interface=vlan20 lease-time=30m \
    name=dhcp-vlan20
add address-pool=pool-vlan10 disabled=no interface=vlan10 lease-time=30m \
    name=dhcp-vlan10
add address-pool=pool-vlan30 disabled=no interface=vlan30 lease-time=30m \
    name=dhcp-vlan30
/interface bridge port
add bridge=bridge1 comment=defconf hw=no interface=ether2
add bridge=bridge1 comment=defconf hw=no interface=ether3
add bridge=bridge1 comment=defconf hw=no interface=ether4 pvid=30
add bridge=bridge1 comment=defconf hw=no interface=ether5
add bridge=bridge1 comment=defconf hw=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=All-LAN
/interface bridge vlan
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether4 vlan-ids=30
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=All-LAN
add interface=vlan10 list=All-LAN
add interface=vlan20 list=All-LAN
add interface=vlan30 list=All-LAN
/ip address
add address=192.168.30.1/24 comment=defconf interface=vlan30 network=\
    192.168.30.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.30.1
/tool mac-server
set allowed-interface-list=All-LAN
/tool mac-server mac-winbox
set allowed-interface-list=All-LAN
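An added example, not from any poster in this thread: a small Python audit of the bridge VLAN sections of a RouterOS export, run on a constructed subset of the final configuration above. `parse_export` and `audit` are hypothetical names, and the `frame-types` check is an assumption about what a reviewer would want flagged on ports left at the default `pvid=1`; the thread itself does not discuss it.

```python
import re
import shlex

WORKING = r"""
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge1 \
    vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether4 vlan-ids=30
"""  # constructed: subset of the final export in the thread

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text, bridge="bridge1"):
    m, out = parse_export(text), []
    if not any(b.get("name") == bridge and b.get("vlan-filtering") == "yes"
               for b in m.get("/interface bridge", [])):
        out.append(f"{bridge}: vlan-filtering not enabled, VLAN table and pvid are ignored")
    tagged = {}  # vlan-id -> tagged members (single ids only, as in the thread)
    for e in m.get("/interface bridge vlan", []):
        if e.get("bridge") == bridge:
            tagged[e["vlan-ids"]] = set(e.get("tagged", "").split(","))
    for v in m.get("/interface vlan", []):  # CPU-facing VLAN interfaces need the bridge tagged
        if v.get("interface") == bridge and bridge not in tagged.get(v["vlan-id"], ()):
            out.append(f"{v['name']}: {bridge} is not a tagged member of VLAN {v['vlan-id']}")
    for p in m.get("/interface bridge port", []):  # ports still in the default VLAN
        if (p.get("bridge") == bridge and p.get("pvid", "1") == "1"
                and p.get("frame-types") != "admit-only-vlan-tagged"):
            out.append(f"{p['interface']}: untagged frames land in default VLAN 1")
    return out
```

On the subset above it reports ether2 and ether3, the two ports that stay at the default `pvid=1`.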