I recently purchased my first MikroTik router (CRS125-24G-1S-2HnD-IN) to replace my old Fortigate firewall. As I know my way around hardware firewalls like Fortigate and CheckPoint and switches from Dell and HP, I thought this would be an easy one to configure.
But after a couple of days, I am completely lost in configuring my MikroTik...
The picture is the setup I want to achieve. But I can't figure out how I need to configure the VLANs and trunks on the ports, so that I can send more than one VLAN through one port and also to other ports. With the switches it was as easy as tagging and untagging the ports, but not with the MikroTik.
So the part on the right with the HP Procurve switch is correctly configured and checked. The port (eth24) on the left of the MikroTik is configured and connected to the ISP, Internet access is also configured with a PPPoE connection over VLAN 6, and the desktop is also working on eth1. (Forget VOIP VLAN 7 as I am not using it.)
But I can't get ports 2, 3 and 23 correctly configured.
I just recently wrestled with all of this, with a Procurve switch and everything. My post is actually still up on the board here. The fix isn't posted yet as it is still awaiting moderation, but it might be helpful.
In essence, what I had to do was create a separate bridge for each VLAN, and then a VLAN for each trunked interface. So in your case for port 23 I think you'd need something like:
This should enable all of the ports on the appropriate VLANs to be able to talk to each other, and should enable the individual VLANs to speak to each other as well, assuming you don't have any filtering set up. For more information, I found this blog post to be very helpful for understanding how this works.
Nooooo! No bridging!!! Do not bridge those interfaces, it does not need to be done and just causes the CPU to have to deal with everything rather than the switch hardware! The CRS platform uses a dedicated hardware switch with many features. In the case of the CRS125-24G this is a Qualcomm Atheros 8513L switch.
I struggled with this same problem for many hours until I sorted out the syntax (as I am used to Cisco switches). What you want to do is force the switch hardware to do all the work UNLESS you are routing between VLANs.
You need to tackle this in steps:
1. Only configure one master port. In your case, make it ether24.
2. Make all other ports slaves of the master. This ensures that all ports are in the same isolation group. From here we use VLANs to perform any segmentation at layer 2.
3. Add ports to the VLANs they will be members of.
4. Define VLAN tagging.
5. Define what the untagged VLAN is for any ports. MikroTik does this by translating any untagged packets (i.e. VLAN 0) to whatever you define.
#### Configure all switch ports to be in the same isolation group
/interface ethernet
set [ find default-name=ether1 ] master-port=ether24-master-local name=ether1-slave-local
set [ find default-name=ether2 ] master-port=ether24-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether24-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether24-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether24-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether24-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether24-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether24-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether24-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether24-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether24-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether24-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether24-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether24-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether24-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether24-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether24-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether24-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether24-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether24-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether24-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether24-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether24-master-local name=ether23-slave-local
set [ find default-name=ether24 ] name=ether24-master-local
set [ find default-name=sfp1 ] master-port=ether24-master-local name=sfp1-slave-local
#### Allocate the list of valid VLANs to ports. **MUST** add switch1-cpu to any VLANs which are routed by the MikroTik.
/interface ethernet switch vlan
add ports="ether24-master-local,ether3-slave-local,ether23-slave-local" vlan-id=4
add ports="ether24-master-local" vlan-id=7
add ports="ether24-master-local,switch1-cpu" vlan-id=6
add ports="ether1-slave-local,ether2-slave-local,ether23-slave-local" vlan-id=10
add ports="ether2-slave-local,ether23-slave-local" vlan-id=11
#### Define VLAN tagging. Switch1-cpu is always tagged for routed VLANs.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether23-slave-local vlan-id=10
add tagged-ports=ether24-master-local,switch1-cpu vlan-id=6
add tagged-ports=ether24-master-local,ether23-slave-local vlan-id=4
#### Assign a VID to packets entering interfaces when they are not tagged.
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=10 ports="ether1-slave-local,ether2-slave-local" sa-learning=yes
add new-customer-vid=4 ports="ether3-slave-local,ether2-slave-local" sa-learning=yes
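A consistency check over the three switch tables in the answer above, as an added example that is not from the thread or from MikroTik: it transcribes the membership, egress-tagging and ingress-translation entries into Python sets and reports ports that are referenced but never created, untagged ports missing from their VLAN, a CPU port left untagged on a routed VLAN, and ports that would emit more than one VLAN untagged (so the switch could no longer keep them apart). The tagging table deliberately keeps the mistyped name ether24-slave-local (the port is created as ether24-master-local) to show what the check catches.

```python
# Added example, not from the thread: model the answer's three switch tables
# (vlan membership, egress-vlan-tag, ingress-vlan-translation) and report
# entries that would drop traffic or merge two VLANs on one port.

# Port names exactly as the answer's /interface ethernet block creates them.
PORTS = {f"ether{i}-slave-local" for i in range(1, 24)} | {
    "ether24-master-local", "sfp1-slave-local", "switch1-cpu"}

# The posted tables; TAGGED keeps a mistyped ether24 name on purpose.
MEMBERS = {   # /interface ethernet switch vlan
    4: {"ether24-master-local", "ether3-slave-local", "ether23-slave-local"},
    7: {"ether24-master-local"},
    6: {"ether24-master-local", "switch1-cpu"},
    10: {"ether1-slave-local", "ether2-slave-local", "ether23-slave-local"},
    11: {"ether2-slave-local", "ether23-slave-local"},
}
TAGGED = {    # /interface ethernet switch egress-vlan-tag
    10: {"ether23-slave-local"},
    6: {"ether24-slave-local", "switch1-cpu"},       # mistyped master port
    4: {"ether24-slave-local", "ether23-slave-local"},
}
UNTAGGED = {  # ingress-vlan-translation, new-customer-vid -> ports
    10: {"ether1-slave-local", "ether2-slave-local"},
    4: {"ether3-slave-local", "ether2-slave-local"},
}

def check(members, tagged, untagged, ports):
    """Return findings as strings; an empty list means the tables agree."""
    out = []
    for vid, tp in tagged.items():
        for p in tp:
            if p not in ports:
                out.append(f"vlan {vid}: tagged port {p} does not exist")
            elif p not in members.get(vid, set()):
                out.append(f"vlan {vid}: {p} tagged but not a member")
    for vid, up in untagged.items():
        for p in up:
            if p not in members.get(vid, set()):
                out.append(f"vlan {vid}: {p} untagged but not a member")
            if p in tagged.get(vid, set()):
                out.append(f"vlan {vid}: {p} is both tagged and untagged")
    for vid, mp in members.items():  # routed VLANs must tag the CPU port
        if "switch1-cpu" in mp and "switch1-cpu" not in tagged.get(vid, set()):
            out.append(f"vlan {vid}: switch1-cpu member but not tagged")
    for p in sorted(ports):  # member with no tag entry egresses untagged
        plain = sorted(v for v, mp in members.items()
                       if p in mp and p not in tagged.get(v, set()))
        if len(plain) > 1:
            out.append(f"{p}: egresses vlans {plain} untagged, they merge")
    return out
```

Calling `check(MEMBERS, TAGGED, UNTAGGED, PORTS)` on the posted tables also reports that ether2-slave-local is given untagged VID 4 without being a member of VLAN 4, and that ether2 would carry both VLAN 10 and VLAN 11 untagged.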
I was already aware that the bridging option was not the best due to unnecessary pressure on the CPU, especially as I am not needing any routing or other fancy stuff.
Ah - good point, I've been staring at my own problem so long I misread his post as being another CCR, not a CRS. Thanks for pointing that out and explaining how to do that when there is a switch CPU.
But now I am facing a new issue.
What do I need to do to configure the router with an IP address which is accessible through VLAN 10 and the PC connected to eth1?
This should work. Binding the VLAN interface to ether1-slave-local should be fine as I'm pretty sure this just does some automatic VLAN allocation to the interface (which we have already done anyway). The fact that RouterOS forces you to bind a VLAN interface to a physical port is annoying, but it's just a throwback to the way their code has worked for a while I guess.
Note I have called the interface below 'Fooblah' purely to show you that you can call it whatever the heck you want.
If it won't let you add switch1-cpu to the VLAN or add the tagging, just go into the GUI under Switch -> VLAN -> VLAN tab and then add switch1-cpu to VLAN 10 in the GUI, then go into Switch -> VLAN -> VLAN Tagging tab and add switch1-cpu as a tagged port for VLAN 10. Basically it's easier to edit settings in the GUI than it is to edit them at the command line (as opposed to adding new settings).
The result of the above commands is that a virtual router interface called 'Fooblah' is created and assigned an address. We then expose this interface on the VLAN 10 layer 2 network. From there, any device within VLAN 10 can reach that virtual router interface and route packets through it, assuming you don't have any IP firewall filter rules that would block it.