I’m wondering how you might go about setting up a common management vlan so that all backhaul radios would be on a single IP block while having a dedicated IP Block (DHCP) for each interface?
So I want to be able to configure all backhaul radius on any interface to all be managed from a single IP block, but want to keep the client IP Blocks separate for each interface. That way I don’t have to deal with the problems associated with sharing IP Blocks across multiple interfaces later down the road.
For example:
Bridge → backhaul_radio_mgnt_bridge:
Bridge Port → backhaul_mgnt_bridge:Eth2, Eth3, Eth4
IP Addr → backhaul_mgnt_bridge:10.10.0.1/28
IP Addr → Eth2:172.25.0.1/24 (w/ DHCP configured to offer from Pool)
IP Addr → Eth3:172.26.0.1/24 (w/ DHCP configured to offer from Pool)
IP Addr → Eth4:172.27.0.1/24 (w/ DHCP configured to offer from Pool)
Thank you for your input and recommendations based on your experience with MTR
Your explanation is confusing to me. What is the end goal? When you say management bridge port are you talking about wireless bridge between locations or an actual bridge interface in the MikroTik?
Sorry for any confusion. Let me see if I can better explain. There are no mikrotik wireless links in this equation nor does the router itself have a wireless card. All links from the router are either a UBNT, Cambium, Siklu, or Dragonwave. These are APs or PtP links connected to eth ports. We are only talking about the router and routing itself. I would like to use one common IP block to manage the backbone radios and APs. However, I want separate IP blocks serving the customers from those APs.
For example:
I want to put my mgmt IP block on vlan 10. All of my radios will look for tagged traffic (id 10) or I would have an out of band eth link where radios have two eth port for out of band mgmt.
vlan 10 - mgmt - 10.10.0.0/28
I believe this will work, but I can verify when I get home. This weekend I didn’t have any UBNT radios at home to test with and now at work all I have available are a couple of MT x86 boxes and a few RB411 that don’t have enough ethernet ports to set up a lab here.
This is a walkthrough using winbox:
Interfaces > VLAN Tab > Add
You want to create the management vlan for each interface and the “customer” vlans on their respective interfaces. For example:
name=eth2-vlan10
vlan id=10
interface=eth2
name=eth3-vlan10
vlan id=10
interface=eth3
name=eth2-vlan101
vlan id=101
interface=eth2
name=eth3-vlan102
vlan id=102
interface=eth3
etc…
Next, create a bridge interface:
Bridge > Bridge Tab > Add
name=bridge1-management (or whatever you would like)
Bridge > Ports Tab > Add
interface=eth2-vlan10, bridge=bridge1-management
interface=eth3-vlan10, bridge=bridge1-management
Next, add IP addresses:
IP > Addresses > Add
address=10.10.0.0/28, interface=bridge1-management
address=172.25.0.1/24, interface=eth2-vlan101
address=172.26.0.1/24, interface=eth3-vlan102
That should get you close, you would still have DHCP server setup, NAT, and adding a default gateway to the MT. Hopefully this helps. I can setup a lab tonight and test if that would help. Not sure if you’re making these changes to a production environment, but it sounds like it.
This will depend on each wireless device’s ability to create a tagged in-band management VLAN.
The Mikrotik portion is straightforward -
Create a bridge, and call it “Mgmt” - put the management network on this interface e.g. 10.0.0.1/24
Now choose some vlan tag e.g. 10 -
Every interface which will use tagged vlan 10 for in-band management will need a vlan interface created on it.
To help keep things straight, name them something like ether3.v10 / ether5.v10 / etc.
Any device that has a dedicated, out-of-band management interface will need an un-tagged interface on the Mikrotik, which is included in the management bridge - let’s say ether 4 is connected to such a device’s management interface.
Now, on the management bridge, add ports ether3.v10, ether4, and ether5.v10
Now you will have one management network which is tagged as vlan 10 on ports 3 and 5, and un-tagged on ether4.
So the devices on ports ether3 and ether5 should consider “un-tagged” traffic as customer access network traffic, and traffic tagged vlan 10 = management traffic.
Finally, create your customer IP blocks directly on interfaces ether3 and ether5.
Now, any access traffic will interact with ether3 and ether5 as seperate isolated interfaces, but traffic that is tagged vlan10 will interact with the vlan sub-interfaces and get bridged together into one management vlan.
Again, the details on how to set this up in the various wireless equipment will vary from vendor to vendor.
Hi All, Thank you for your responses and additional efforts to test. I’ve been out of the states for a couple of weeks. I will review your comments and let you know how this works out.