How to pass a VLAN from WAN to LAN

I’m trying to pass the management VLAN 10 from the WAN side to the LAN side so we can manage all devices (switches, APs) on one single VLAN. This VLAN is trunked from our core network to the site; however, I can’t seem to get it to work. I have set VLAN 10 on the Mikrotik under the ether1-gateway interface, but am unable to get to devices behind it. I’ve tried bridges and the like with no luck. Any suggestions would be helpful; I’ve included my configuration.


/interface vlan
add interface=ether1-gateway l2mtu=1594 name=MGMT vlan-id=10
add interface=ether3 l2mtu=1594 name=Vlan100 vlan-id=100


/ip address
add address=172.16.10.130/30 interface=ether1-gateway network=172.16.10.128
add address=x.x.x.x interface=Vlan100 network=x.x.x.x
add address=172.16.10.5/25 interface=MGMT network=172.16.10.0

/ip route
add distance=1 gateway=172.16.10.129

Maybe I’m confused, but I only see two VLAN interfaces declared… no bridges or anything. Post your whole config.

I’ve since taken the bridging out. I had a management bridge with MGMT and ether3 on the bridge. Here is my entire config as of now.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether4 ] master-port=ether3
set [ find default-name=ether5 ] master-port=ether3
/ip neighbor discovery
set ether1-gateway discover=no
/interface vlan
add interface=ether1-gateway l2mtu=1594 name=MGMT vlan-id=10
add interface=ether3 l2mtu=1594 name=Vlan100 vlan-id=100
/ip hotspot profile
add hotspot-address=x.x.x.x html-directory=nexgen login-by=mac name=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
add idle-timeout=none incoming-packet-mark=3M_IN keepalive-timeout=2m \
    mac-cookie-timeout=3d name=3M/3M outgoing-packet-mark=3M_OUT
add idle-timeout=none incoming-packet-mark=5M_IN keepalive-timeout=2m \
    mac-cookie-timeout=3d name=5M/5M outgoing-packet-mark=5M_OUT
add idle-timeout=none incoming-packet-mark=1.5M_IN keepalive-timeout=2m \
    mac-cookie-timeout=3d name=1.5M/1.5M outgoing-packet-mark=1.5M_OUT
add idle-timeout=none incoming-packet-mark=5M_IN keepalive-timeout=2m \
    mac-cookie-timeout=3d name=10M/5M outgoing-packet-mark=10M_OUT
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-14 ranges=x.x.x.x
/ip dhcp-server
add address-pool=default-dhcp disabled=no name=default
add address-pool=hs-pool-14 disabled=no interface=Vlan100 lease-time=1h name=\
    dhcp1
/ip hotspot
add address-pool=hs-pool-14 disabled=no interface=Vlan100 name=hotspot1 \
    profile=hsprof1
/port
set 0 name=serial0
/queue type
add kind=pcq name=3M_download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-rate=3M pcq-src-address6-mask=64
add kind=pcq name=3M_upload pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-rate=3M pcq-src-address6-mask=64
add kind=pcq name=5M_download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=5M_upload pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=1.5M_download pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=1536k pcq-src-address6-mask=64
add kind=pcq name=1.5M_upload pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-rate=1536k pcq-src-address6-mask=64
add kind=pcq name=10M_download pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
/queue tree
add name=3M_download packet-mark=3M_OUT parent=global queue=3M_download
add name=3M_upload packet-mark=3M_IN parent=global queue=3M_upload
add name=5M_download packet-mark=5M_OUT parent=global queue=5M_download
add name=5M_upload packet-mark=5M_IN parent=global queue=5M_upload
add name=1.5M_download packet-mark=1.5M_OUT parent=global queue=1.5M_download
add name=1.5M_upload packet-mark=1.5M_IN parent=global queue=1.5M_upload
add name=10_download packet-mark=10M_OUT parent=global queue=10M_download
/routing ospf instance
set [ find default=yes ] router-id=172.16.10.130
/snmp community
add addresses=0.0.0.0/0 name=lookatit
/interface ethernet switch port
set 1 vlan-mode=fallback
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=ether3,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=no ports=switch1-cpu,ether3,ether4,ether5 switch=\
    switch1 vlan-id=10
/ip address
add address=172.16.10.130/30 interface=ether1-gateway network=172.16.10.128
add address=x.x.x.x interface=Vlan100 network=x.x.x.x
add address=172.16.10.5/25 interface=MGMT network=172.16.10.0
/ip dhcp-server network
add address=x.x.x.x comment="hotspot network" gateway=x.x.x.x
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=8728 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall mangle
add action=jump chain=forward jump-target=hotspot
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes to-addresses=0.0.0.0
add action=src-nat chain=srcnat dst-port=53 out-interface=ether1-gateway \
    protocol=udp to-addresses=x.x.x.x
/ip hotspot user
add disabled=yes name=00:16:D4:3D:7E:65 profile=3M/3M
/ip route
add distance=1 gateway=172.16.10.129

You have some issues in your config… What is your exact goal? E.g., what VLANs do you want on what ports, etc.? And are you trying to do it with bridging or with the switch chip?

-Eric

Here is my goal. Please take note, this is all being done in a lab environment at this point.

The site has three VLANs
100,200,300

Each corresponds to a floor in the building, each floor with its own switch.
Currently, those switches are managed with a public IP address from the customer’s scope. I want to switch this to a private IP on VLAN 10.

Our network is set up like a big router on a stick. Our core Cisco router has a sub-interface dedicated to this Mikrotik and it’s switched to the site.

Core router → core switch → transport → Mikrotik

Note: from the core to the Mikrotik it’s on VLAN 30. I’ve trunked VLAN 10 towards it as well.
Basically, I want VLAN 10 to be the management VLAN by any means necessary. The reason we are using the switch chip feature is that it seems to have improved performance when using hotspot. I don’t know if it actually does, but we have a production site that is utilizing the switch chip features and it’s working very well.

(please point out any issues I have with my config)

What about NAT? … and traffic between the VLANs? DHCP servers for the VLANs, etc.

Oh… and what model RB is this?

-Eric

NAT is not required, nor is traffic between VLANs 100, 200, and 300. DHCP is being handled by the hotspot. One hotspot will be set up per VLAN. Note, the customers get a public-facing IP (I have removed that IP from the configurations posted here).

EDIT: This is an RB2011UAS.

You want something like this…
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] master-port=none name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local

/interface vlan
add interface=ether1-gateway name=ether1-vlan10 vlan-id=10
add interface=ether1-gateway name=ether1-vlan30 vlan-id=30

add interface=ether2-master-local name=ether2-vlan100 vlan-id=100
add interface=ether2-master-local name=ether2-vlan200 vlan-id=200
add interface=ether2-master-local name=ether2-vlan300 vlan-id=300

/interface ethernet switch port
set ether1-gateway vlan-header=add-if-missing vlan-mode=secure
set ether2-master-local vlan-header=add-if-missing vlan-mode=secure
set ether3-slave-local vlan-header=add-if-missing vlan-mode=secure
set ether4-slave-local vlan-header=add-if-missing vlan-mode=secure
set ether5-slave-local vlan-header=add-if-missing vlan-mode=secure

/interface ethernet switch vlan
add vlan-id=10 ports=ether1-gateway,switch1-cpu switch=switch1
add vlan-id=30 ports=ether1-gateway,switch1-cpu switch=switch1

add vlan-id=100 ports=ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu switch=switch1
add vlan-id=200 ports=ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu switch=switch1
add vlan-id=300 ports=ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu switch=switch1

Set up your hotspots on the VLANs… I also assumed that your VLAN 30 was tagged on the input.

Thank you for this. Would I then set my IP address that is currently tied to Ether1 onto VLAN30?

Right… so basically your management IP would be on the VLAN10, your “internet” IP would be on VLAN30. You would setup your hotspots on the VLAN100, VLAN200, and VLAN300 interfaces… you wouldn’t really have anything on the interfaces themselves. This assumes that you want ALL traffic leaving the device to be tagged and anything untagged to be ignored.

Okay, this kind of worked. Now, say I have switches on the local side that I want managed in VLAN 10, how can I do that? I currently have one that I cannot get management to on VLAN 10.

So I want VLAN 10 to also be trunked along side VLAN 100, 200, and 300.

I’m on my phone now, but I can give a mini answer. Basically you can either make all the ports part of the switch group and then use the switch chip to do it… Or you can add vlan10 to ether2 and use a bridge.

Here is a basic picture of what I mean.

Red = VLAN 10
Black = VLAN 30

The remaining three colors are Vlans 100, 200, and 300.
[image: Capture.PNG]

Okay, when I tried to bridge it last time I lost all management via both the WAN and the management address. I can try that again and see how it goes. Would there be a benefit to using the switch chip over a bridge?

Yeah… I’ll post the config in a few hours when I get home. I get what you want.

Yes. It’s faster. Bridging uses the main cpu.

Thank you very much for the support.

Okay, so I got it working. I moved ether1-vlan10 and ether1-vlan30 to the ether2-master-local interface. I then added ether1-gateway as a slave of ether2.

VLAN table is as such:
add independent-learning=no ports=ether1-gateway,ether2-master-local,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether1-gateway,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether2-master-local,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=no ports=ether3-slave-local,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=no ports=ether4-slave-local,switch1-cpu switch=switch1 vlan-id=300

Everything is working as I wanted it to; now I only have to test the hotspot and I’m golden. I really appreciate the assistance today.
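As an added worked example (not part of this thread, and not RouterOS code), here is a small Python lint that encodes the rules the fix above depended on: the ports a VLAN has to be forwarded between must sit in one switch group (one master-port) and both appear in that vlan-id’s `/interface ethernet switch vlan` entry; an `/interface vlan` used for L3 (management, hotspot) must sit on a stand-alone port or a group master, never a slave, and its entry must include switch1-cpu; and a port in vlan-mode=secure drops any VLAN that is not in the table for it, so a missing membership fails closed rather than leaking. The two configs inside it are constructed from the snippets posted in this thread (the first attempt and the final VLAN table), trimmed to the relevant sections; the `WANT_*` maps (which VLAN must reach which ports), the `disabled` default assumed for an unset vlan-mode, and all function names are my own assumptions.

```python
"""Lint a RouterOS v6 export for the switch-chip VLAN rules used in this thread.
Added example, not RouterOS code or anything posted here; BEFORE/AFTER are built
from the posted snippets. Checks: forwarded ports share one switch group and the
vlan entry; L3 VLAN interfaces sit on a master, never a slave, with switch1-cpu in
the entry; vlan-mode=secure turns a missing membership into a silent drop."""

# Constructed from the OP's first config: ether1 stand-alone, ether3 master of 4/5.
BEFORE = r"""
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether4 ] master-port=ether3
set [ find default-name=ether5 ] master-port=ether3
/interface vlan
add interface=ether1-gateway name=MGMT vlan-id=10
add interface=ether3 name=Vlan100 vlan-id=100
/interface ethernet switch vlan
add ports=ether3,switch1-cpu switch=switch1 vlan-id=100
add ports=switch1-cpu,ether3,ether4,ether5 switch=\
    switch1 vlan-id=10
"""
WANT_BEFORE = {10: {"ether1-gateway", "ether3"}}  # assumption: VLAN 10 must reach the LAN side

# Constructed from the final working post: ether1 made a slave of ether2-master-local.
AFTER = r"""
/interface ethernet
set [ find default-name=ether1 ] master-port=ether2-master-local name=ether1-gateway
set [ find default-name=ether2 ] master-port=none name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
/interface vlan
add interface=ether2-master-local name=ether1-vlan10 vlan-id=10
add interface=ether2-master-local name=ether1-vlan30 vlan-id=30
/interface ethernet switch port
set ether1-gateway vlan-header=add-if-missing vlan-mode=secure
set ether2-master-local vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1-gateway,ether2-master-local,switch1-cpu switch=switch1 vlan-id=10
add ports=ether1-gateway,switch1-cpu switch=switch1 vlan-id=30
"""
WANT_AFTER = {10: {"ether1-gateway", "ether2-master-local"}, 30: {"ether1-gateway"}}

def _logical_lines(text):
    # Join RouterOS export continuations (a trailing backslash) into one line.
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        if buf or line:
            yield buf + line
        buf = ""

def _kv(s):
    return dict(tok.split("=", 1) for tok in s.split() if "=" in tok)

def parse_export(text):
    cfg = {"master": {}, "vlan_if": [], "switch_vlan": {}, "port_mode": {}}
    section = None
    for line in _logical_lines(text):
        kv = _kv(line)
        if line.startswith("/"):
            section = line[1:].strip()
        elif section == "interface ethernet" and "default-name" in kv:
            cfg["master"][kv.get("name", kv["default-name"])] = kv.get("master-port", "none")
        elif section == "interface vlan" and line.startswith("add "):
            cfg["vlan_if"].append((kv["name"], kv["interface"], int(kv["vlan-id"])))
        elif section == "interface ethernet switch vlan" and line.startswith("add "):
            cfg["switch_vlan"][int(kv["vlan-id"])] = set(kv["ports"].split(","))
        elif section == "interface ethernet switch port" and line.startswith("set "):
            cfg["port_mode"][line.split()[1]] = kv.get("vlan-mode", "disabled")  # assumed default
    return cfg

def group_master(cfg, port):
    # The switch group a port belongs to is named by its master; stand-alone ports are their own.
    master = cfg["master"].get(port, "none")
    return port if master == "none" else master

def lint(cfg, wanted):
    """wanted = {vlan_id: ports the VLAN must be forwarded between}; returns findings."""
    findings = []
    masters_with_slaves = {m for m in cfg["master"].values() if m != "none"}
    for name, parent, vid in cfg["vlan_if"]:
        master = group_master(cfg, parent)
        if master != parent:
            findings.append(f"{name}: {parent} is a slave of {master}; move the VLAN interface to the master")
        elif parent in masters_with_slaves and "switch1-cpu" not in cfg["switch_vlan"].get(vid, ()):
            findings.append(f"{name}: no switch vlan entry for vlan {vid} with switch1-cpu; the CPU never sees it")
    for vid, ports in sorted(wanted.items()):
        groups = {group_master(cfg, p) for p in ports}
        if len(groups) > 1:
            findings.append(f"vlan {vid}: {sorted(ports)} span switch groups {sorted(groups)}; "
                            "one master-port group (or a CPU bridge) is needed")
        for p in sorted(ports - cfg["switch_vlan"].get(vid, set())):
            mode = cfg["port_mode"].get(p, "disabled")
            effect = "tagged frames are dropped" if mode == "secure" else "not switched"
            findings.append(f"vlan {vid}: {p} missing from the switch vlan entry (vlan-mode={mode}: {effect})")
    return findings

def report():
    return lint(parse_export(BEFORE), WANT_BEFORE), lint(parse_export(AFTER), WANT_AFTER)

if __name__ == "__main__":
    for label, found in zip(("before", "after"), report()):
        print(f"{label}: {found or 'OK'}")
```

Run stand-alone it prints two findings for the first config (ether1-gateway and ether3 are in different switch groups, which is exactly why a bridge or a common master-port was needed, and ether1-gateway is absent from the VLAN 10 entry) and OK for the final one. Because every port in the final layout is vlan-mode=secure, a port left out of an entry shows up as a drop rather than a leak, which is the fail-closed behaviour you want on a trunk that also carries customer floors.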

Yep. That’s the answer. Just make sure to set “switch all ports” to yes.

That has been done. Thank you again for all of the assistance.