Inter-Vlan Routing on CRS112-8G-4S-IN

hello guys,

I come to you asking for some help. A week ago I bought a MikroTik switch, the CRS112-8G-4S-IN, for my internal network. After a week plus a few extra hours of searching, reading, and watching videos, I didn’t find the answer to my issue.

What do I want to do? I want to set up a topology for my network and use the MikroTik as a Layer 3 switch. Can I use the CRS112 as a Layer 3 switch?

There’s a section on InterVLAN routing with the CRS1xx/2xx series in the manual. It works differently than in the more modern CRS3xx and 5xx lines, which is what most other tutorials will be covering.

hello,

OK, thanks for the answer. I already tried all the examples from the wiki, docs, and videos, and they didn’t work.

So, to make it easier, and so you can probably help me with some guidance in the config process, I can write down some info.

I have the following topology: Firewall → CRS → one VLAN for clients, one VLAN for printers and one for two PCs that act as servers.

Also, for now I want to have DHCP on the CRS so I can test the connectivity for each VLAN.

vlan100 → 192.168.100.0/24 → DHCP
vlan200 → 192.168.200.0/24 → DHCP
vlan300 → 192.168.300.0/24 → DHCP

Can you help me with guidance on the config?

You can (as @tangent already wrote). BUT: the performance will be waaaay lower than wirespeed. L3 on CRS1xx is done entirely by the CPU, and your switch’s CPU is pretty slow.

OK, I’m new to the MikroTik world. I have used Cisco and HP (also Aruba from HP), and there an L3 switch is an L3 switch and an L2 switch is an L2 switch. The reason I was attracted to the MikroTik switch was that it has PoE ports and L3 capability. After a lot of searching I saw that the product description said the CRS112 has a dedicated chip for switching and L3 hardware offloading (is that true or is it just marketing?).

Where did you see L3 HW offloading mentioned for CRS112 (it does have L3 functionality but not performance)? There are products that indeed feature L3 HW offloading, but those are in CRS3xx family.

hello,

I understand that my CRS112 switch is not a dedicated L3 switch but a dedicated L2 switch that has a slow CPU, but now I need help with how to start and build the config. What I mean is that I need a place to begin, and to build from there.

I need someone to help me with a basic guideline for configuring my switch to act as an L3 switch in my network.

The topology is Firewall → switch L3 (here I have 3 VLANs):
→ one VLAN for clients
→ one VLAN for printers
→ one VLAN for 2 servers

Can someone help me with a basic config to start from, where the Inter-VLAN routing works?

L2 config: https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples

L3 config: just like an ordinary router running ROS. Since you’ll have VLANs on the switch chip, the bridge will be configured as a VLAN-agnostic entity. But you’ll need vlan interfaces, one per VLAN, and the IP setup will be bound to those vlan interfaces.

I suggest you to get started and if you get stuck somewhere, you can come back, post current config at that time, and we’ll help you get going again.

If you have a translator (it is unfortunately in German), you can find a detailed “router on a stick” setup here. This means an L3 device routing between VLANs on an L2-only switch:
https://administrator.de/tutorial/vlan-installation-und-routing-mit-pfsense-mikrotik-dd-wrt-oder-cisco-rv-routern-110259.html

On the other hand, your CRS is RouterOS capable, so it can route between your VLANs locally, which is a far better setup in terms of performance.
There is also an example setup here:
https://administrator.de/tutorial/mikrotik-vlan-konfiguration-ab-routeros-version-6-41-367186.html
The pictures and setups are self-explanatory even without the text. :wink:

hello,

Finally I have successfully set up the Inter-VLAN routing, but I have another issue.

To access the internet I need to set up NAT. How can I configure it without setting up NAT?

Let me give you a little context.

I have the Sophos firewall with a WAN link to my ISP modem and the LAN link to my internal network. The LAN IP on the port is 10.0.0.1 and it is connected to my CRS112 on sfp12 (this port is the uplink for the CRS112 and has the IP 10.0.0.2). From here on is my internal network.

*(I also want to say that I already set up the static IP on my Sophos firewall so it knows where to send the info back.)

When I configure the CRS112 with everything I need, such as DHCP, Inter-VLAN routing with static IPs, and the IP in the route list, I can ping the bridge IP 192.168.200.1 (this is the gateway of my local network) and I can ping 10.0.0.2 and 10.0.0.1, but I can’t ping 8.8.8.8 (the Google DNS). When I set up NAT on my CRS112 it works fine. Why, and how can I set up the CRS112 without NAT so it works like a Cisco L3 switch?

Below is my config:

/interface bridge
add name=bridge1

/interface ethernet
set [ find default-name=sfp12 ] name=WAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip pool
add name=dhcp_pool0 ranges=192.168.200.2-192.168.200.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1

/port
set 0 name=serial0

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

/ip address
add address=192.168.200.1/24 interface=bridge1 network=192.168.200.0
add address=10.0.0.2/24 interface=WAN network=10.0.0.0

/ip dhcp-server network
add address=192.168.200.0/24 gateway=192.168.200.1

/ip dns
set allow-remote-requests=yes servers=193.231.252.1,10.0.0.2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/system clock
set time-zone-name=Europe/Bucharest

/system note
set show-at-login=no

Nothing you can do on CRS (apart from disabling that SRC NAT rule). Instead you have to configure Sophos with a static route towards your LAN. I’m not familiar with Sophos syntax; in MikroTik dialect it would be this:

/ip/route
add dst-address=192.168.200.0/24 gateway=10.0.0.2

Quite likely Sophos will perform SRC NAT (necessary for internet access) for your LAN segment just fine without any further changes.

BTW beware when setting multiple DNS addresses: they are supposed to return identical replies, because clients will use one of them (you can’t affect the selection process) and won’t use another one if the used one replies with a negative answer. Clients will change the DNS server they use only in case of no reply (timeout). And setting it to use its own IP address actually creates a loop.
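
The return-path problem discussed in this thread, as an added example (not part of any poster's reply): a simplified longest-prefix-match model of the firewall's routing decision, using the thread's addresses. The client address 192.168.200.50 and the next-hop labels `isp` and `lan-port` are constructed placeholders, not Sophos syntax.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def reply_path(firewall_routes, client_ip, crs_uplink_ip, masquerade):
    """Return (source address the firewall sees, next hop it picks for the reply)."""
    # With masquerade on the CRS, every LAN client appears as the CRS uplink IP.
    seen_src = crs_uplink_ip if masquerade else client_ip
    _, hop = lookup(firewall_routes, seen_src)
    return seen_src, hop

# Constructed firewall routing tables built from the addresses in the thread.
FW_BEFORE = [("0.0.0.0/0", "isp"), ("10.0.0.0/24", "lan-port")]
# Same table plus the static route suggested in the last reply.
FW_AFTER = FW_BEFORE + [("192.168.200.0/24", "10.0.0.2")]

CLIENT = "192.168.200.50"  # constructed DHCP client address
CRS = "10.0.0.2"           # CRS112 uplink address from the thread

def scenarios():
    """Evaluate the three setups discussed in the thread."""
    return {
        "no NAT, no static route": reply_path(FW_BEFORE, CLIENT, CRS, False),
        "masquerade on CRS": reply_path(FW_BEFORE, CLIENT, CRS, True),
        "static route on firewall": reply_path(FW_AFTER, CLIENT, CRS, False),
    }

if __name__ == "__main__":
    for name, (src, hop) in scenarios().items():
        print(f"{name:26} firewall sees {src:15} reply via {hop}")
```

With masquerade on the CRS the firewall only ever sees 10.0.0.2, so per-client firewall rules and logs lose the real source address; the static route keeps it.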