Mikrotik 3011 VLAN setup voice + data

sprintership · October 29, 2018, 12:15pm

Experts,

I have currently switched from Peplink to Mikrotik and trying to figure out the config for Mikrotik already configured for dual static WAN load balancer with single LAN network. This works just great.

However, I need to start creating vlan for voice and data. The switches I used are Cisco 3560 and Cisco SG200 & SG300. I would like to configure ETH ports as trunks and connect each Mikrotik ETH port as a trunk to a single switch.

On the switch I will configure eaith switchport for single VLAN device or trunkport for phone and computer or phone and other network device. Picture attached.

My understanding would be:

192.168.100.1/24 current LAN network and that would be untagged

VLANS: 180 192.168.180.1/24 voice
170 192.168.179.1/24 data
171 192.168.179.1/24 wifi
172 192.168.172.1/24 printers
173 192.168.173.1/24 guest

I am new to mikrotik and wonder how that configuration would look like, and if this is possible at all. Thank You
ARR+VLANS.JPG

mixig · October 29, 2018, 5:18pm

Try with this:

/interface bridge
add name=bridge vlan-filtering=no

/interface vlan
add interface=bridge name=vlan_170 vlan-id=170
add interface=bridge name=vlan_171 vlan-id=171
add interface=bridge name=vlan_172 vlan-id=172
add interface=bridge name=vlan_173 vlan-id=173

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=171,172,173,174

/interface bridge port
add interface=ether1 bridge=bridge
add interface=ether2 bridge=bridge
add interface=ether3 bridge=bridge
add interface=ether4 bridge=bridge

/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=192.168.170.1/24 interface=vlan_170 network=192.168.170.0
add address=192.168.171.1/24 interface=vlan_171 network=192.168.171.0
add address=192.168.172.1/24 interface=vlan_172 network=192.168.172.0
add address=192.168.174.1/24 interface=vlan_173 network=192.168.173.0

/interface bridge set bridge vlan-filtering=yes

P.S. by default PVID for bridge port is pvid=1, if I changed that to pvid=180 I cannot connect to the router any more.
If you are using vlan 180 as untagged/native VLAN on switches I believe it will be OK because traffic will be untagged between mikrotik and switches (vlan 180 is locally on the switch)

Jotne · October 29, 2018, 6:03pm

Just to give some information about this setup.
It is the old way by using many VLAN.
From 6.41 you can use Bridge aware VLAN.

Se some example here:
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1

xvo · October 29, 2018, 10:11pm

…and the config above is exactly a vlan-aware bridge. Aka “the new way”.

“The old way” would be а set of vlan-interfaces on top of each port, then bridged together by separate bridges - one for each vlan.

sprintership · October 30, 2018, 12:18am

thank you all for info provided here, I will try over the weekend and let you know how it works thank you again

Jotne · October 30, 2018, 6:14am

I did not see the vlan-filtering=yes at the bottom.

My fault

sprintership · November 10, 2018, 8:52pm

is this should work?

/interface bridge
add name=bridge vlan-filtering=no

I cannot even type it in terminal, V6.35.4 any thoughts?

anav · November 10, 2018, 11:56pm

Okay for the setup provided, I see one possible error
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=171,172,173,174

Should be
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=170, 171,172,173

To answer your question BEFORE YOU START configuring the router put into SAFE MODE!!!
Best strategy as outlined is start with the bridge vlan filtering set to off (which is I believe the default).
Once you have completed the setup, the very last step is to check the box for bridge vlan filtering.

sprintership · November 11, 2018, 12:07am

How to make that port to be workinglike trunk, in cisco it clear 4 - 5 lines of code and done here is tragedy

sprintership · November 11, 2018, 1:26am

This my config:

nov/09/2018 18:07:53 by RouterOS 6.35.4

software id = Z0NI-ZVVR

/interface bridge
add name=trunk
/interface ethernet
set [ find default-name=ether6 ] name=LAN
set [ find default-name=ether2 ] name=WAN-Cable
set [ find default-name=ether3 ] name=WAN-DHCP
set [ find default-name=ether1 ] name=WAN-Fiber
set [ find default-name=ether10 ] name=ether7

set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=trunk name=“vlan 169 CAMS” vlan-id=169
add interface=trunk name=“vlan 180 VOICE” vlan-id=180
/ip pool
add name=dhcp-pool ranges=192.168.168.50-192.168.168.254
add name=dhcp-voice ranges=192.168.180.100-192.168.180.200
add name=cams ranges=192.168.169.2-192.168.169.100
/ip dhcp-server

DHCP server can not run on slave interface!

add address-pool=dhcp-pool disabled=no interface=LAN lease-time=24m name=
dhcp-lan
add address-pool=dhcp-voice disabled=no interface=“vlan 180 VOICE”
lease-time=24m name=dhcp-voice
add address-pool=cams disabled=no interface=“vlan 169 CAMS” lease-time=24m
name=dhcp-cams
/interface bridge port
add bridge=trunk interface=LAN
/ip address
add address=192.168.168.1/24 interface=LAN network=192.168.168.0
add address=192.168.180.0/24 interface=“vlan 180 VOICE” network=192.168.180.0
add address=192.168.169.1/24 interface=“vlan 169 CAMS” network=192.168.169.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no
interface=WAN-Fiber use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no
interface=WAN-Cable use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1
netmask=24
add address=192.168.169.0/25 dns-server=8.8.8.8 gateway=192.168.169.1
netmask=24
add address=192.168.180.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.180.1
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN-Fiber protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN-Cable protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN-Fiber protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN-Cable protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new
new-connection-mark=WAN1 nth=2,1 src-address=192.168.168.0/24
add action=mark-connection chain=prerouting connection-state=new
new-connection-mark=WAN2 nth=2,2 src-address=192.168.168.0/24
add action=mark-routing chain=prerouting connection-mark=WAN1
new-routing-mark=WAN1 src-address=192.168.168.0/24
add action=mark-routing chain=prerouting connection-mark=WAN2
new-routing-mark=WAN2 src-address=192.168.168.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.168.0/24
/ip route
add distance=1 gateway=WAN gateway routing-mark=WAN1
add distance=1 gateway=WAN-cable-IP routing-mark=WAN2
add distance=1 gateway=192.168.180.1
add disabled=yes distance=1 gateway=WAN gateway
add disabled=yes distance=2 gateway=WAN-cable-IP
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set protected-routerboot=disabled

what only works is

interface GigabitEthernet3/0/4
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!

from:

vlan 169,180
!
!
!
interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/0/2
switchport access vlan 180
switchport mode access
!
interface GigabitEthernet3/0/3
switchport mode access
!
interface GigabitEthernet3/0/4
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!
interface GigabitEthernet3/0/5
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast

there is something wrong with tagged vlan 1 …

Jotne · November 11, 2018, 6:38am

You are running a router that does have a big security risk.
Do upgrade before you do any more configuration.
When you go above 6.41 you do also get the then VLAN aware bridges.
So again, do UPGRADE.

Read this post:
http://forum.mikrotik.com/t/urgent-security-reminder/124064/1

anav · November 11, 2018, 5:35pm

Concur, upgrade to the latest config and then we can talk apples to apples.
I did have some observations though to think about.
What is the difference beween WAN Cable and WAN DHCP and WAN FIBER
Can you describe these in more detail?? ( I can understand WAN cable and WAN fiber but what the heck is WAN DHCP???)

Also why did you take ether10 and name it ether7 that is very confusing???
Then you took ether7 and renamed it ether7-LAN, also very confusing??
What is being accomplished by this twisted nomenclature??

Your bridge ports are screwed up.
They should simply include a list of the physical interface you want on the bridge.

Your sourcenat rule needs work and your are missing one of the WANS anyway.

Your IP firewall filter rules are missing many necessary rules.

I would have to look at your mangle and routing rules after all the above is sorted out.

sprintership · November 12, 2018, 2:36am

I am sorry for the confusion in my earlier config. I update the OS and did config from scratch.

Here is my config:

# nov/11/2018 14:19:12 by RouterOS 6.43.4
# software id = Z0NI-ZVVR
#
# model = RouterBOARD 3011UiAS
# serial number = 71A00530D6DD
/interface bridge
add dhcp-snooping=yes fast-forward=no name=localnetwork
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-Fiber
set [ find default-name=ether2 ] name=ether2-WAN-Cable
set [ find default-name=ether6 ] name=ether6-LAN
/interface vlan
add interface=localnetwork name=vlan_169_cams vlan-id=169
add interface=localnetwork name=vlan_170_dispatch vlan-id=170
add interface=localnetwork name=vlan_180_voice vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-dhcp ranges=192.168.168.50-192.168.168.220
add name=vlan-voice ranges=192.168.180.50-192.168.180.100
add name=vlan-cams ranges=192.168.169.2-192.168.169.10
add name=vlan-dispatch ranges=192.168.170.50-192.168.170.100
/ip dhcp-server
add address-pool=lan-dhcp disabled=no interface=localnetwork name=lan-dhcp
add address-pool=vlan-voice disabled=no interface=vlan_180_voice lease-time=\
    24m name=vlan-voice
add address-pool=vlan-cams disabled=no interface=vlan_169_cams lease-time=24m \
    name=vlan-cams
add address-pool=vlan-dispatch disabled=no interface=vlan_170_dispatch \
    lease-time=24m name=vlan-dispatch-dhcp
/interface bridge port
add bridge=localnetwork interface=ether6-LAN
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork untagged=\
    vlan_169_cams,vlan_170_dispatch,vlan_180_voice vlan-ids=180,169,170
/ip address
add address=192.168.168.1/24 interface=localnetwork network=192.168.168.0
add address=50.238.23.x/29 interface=ether1-WAN-Fiber network=\
    50.238.x.x
add address=96.70.x.x/29 interface=ether2-WAN-Cable network=96.70.x.x
add address=192.168.180.1/24 interface=vlan_180_voice network=192.168.180.0
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.169.1/24 interface=vlan_170_dispatch network=\
    192.168.169.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1 \
    netmask=24
add address=192.168.169.0/24 dns-server=8.8.8.8 gateway=192.168.169.1 \
    netmask=24
add address=192.168.170.0/24 dns-server=8.8.8.8 gateway=192.168.170.1 \
    netmask=24
add address=192.168.180.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.180.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether1-WAN-Fiber new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether2-WAN-Cable new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=\
    wan1-out passthrough=yes
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=\
    wan2-out passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-type=!local in-interface=localnetwork new-connection-mark=\
    wan1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-type=!local in-interface=localnetwork new-connection-mark=\
    wan2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface=\
    localnetwork new-routing-mark=wan1output passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface=\
    localnetwork new-routing-mark=wan2output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-Fiber
add action=masquerade chain=srcnat out-interface=ether2-WAN-Cable
/ip route
add check-gateway=ping distance=1 gateway=50.238.x.x routing-mark=\
    wan1output
add check-gateway=ping distance=2 gateway=96.70.x.x routing-mark=\
    wan2output
add check-gateway=ping distance=1 gateway=50.238.x.x
add check-gateway=ping distance=2 gateway=96.70.x.x
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set silent-boot=no

WAN1 = Fiber = 50.238.x.x
WAN2 = Cable=96.70.x.x

now it should be more visible what is what so I did not have a chance to test loadbalance yet,but at least my vlans with cisco catalyst work partially, of course vlan filtering OFF !!!
oherwise it would not work,

vlan 169,180
!
!
!
interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/0/2 THIS WORKSWHEN PLUGGED LAPTOP HAS 180 IP
switchport access vlan 180
switchport mode access
!

interface GigabitEthernet3/0/3 THIS DOES NOW WORK!!!!!!!!!!!!!!!!
switchport mode access
!
interface GigabitEthernet3/0/4 THIS WORKS WHEN PLUGGED LAPTOP HAVE 169 IP
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!
interface GigabitEthernet3/0/5 THIS WORKS WHEN PLUGGED LAPTOP HAVE 168 IP
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast

interface GigabitEthernet3/0/6   works ok when plugged laptop have 168 ip

OF COURSE next step would be to plug phone to

switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast

and I should get on the phone 180 ip and on the laptop 169 ip but i will check that later. Also next step would be to check that on SG200 cisco.

With load balance voip is not going work since it should be prioritize to use only with WAN - fiber - is there a way to achieve that?

once again thank you allforhelp here,

Jotne · November 12, 2018, 6:32am

As far as I do understand VLAN on the Mikrotik.
When you connect VLAN to the Bridge, you need VLAN filtring ON.
Or else it does not underestand that you have more than one VLAN.

I do not see what interface VLAN 180,169, and 170 is connected to.

You may try some like this. Interface bridge vlan does connects to ports and bridge, not to the VLAN itself

/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=170
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=180

Since all are equal, this may be shorten to some like this: (not testet so can not confirm this)

/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169,170,180

Now VLAN 1 should came untagged on port 6 and vlan 169.170 and 180 tagged on port 6

See my post at 9:15am here: http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1

Jotne · November 12, 2018, 7:33am

You have the same IP for voice and dispatch in your config.
Here is a visio layout with VLAN filter on for the bridge.
.

sprintership · November 12, 2018, 10:15pm

Thank you for replying, my point was having tagged vlan 1, and untagged 169,170 & 180,

vlan 1 = 192.168.168.1/24 for management
vlan 169 192.168.169.0/24 for data
vlan 170 192.168.170.0/24 for dispatch
vlan 180 192.168.180.0/24 for voice

I have in that way on Peplink and all worked fine. I connected Polycom phone to the cisco port and have phone on voice - 180 vlan and my laptop having vlan 170 so I think its ok

Jotne · November 13, 2018, 5:59am

You can only have one untagged VLAN pr port, so to help you, list what port you like to have what VLAN (both tagged and untagged)

sprintership · November 14, 2018, 12:39am

should be fixed:

nov/13/2018 18:29:21 by RouterOS 6.43.4

software id = Z0NI-ZVVR

model = RouterBOARD 3011UiAS

serial number = 71A00530D6DD

/interface bridge
add dhcp-snooping=yes fast-forward=no name=localnetwork vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-Fiber
set [ find default-name=ether2 ] name=ether2-WAN-Cable
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=localnetwork name=vlan_169_cams vlan-id=169
add interface=localnetwork name=vlan_170_dispatch vlan-id=170
add interface=localnetwork name=vlan_180_voice vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s
pfs-group=none
/ip pool
add name=lan-dhcp ranges=192.168.168.50-192.168.168.220
add name=vlan-voice ranges=192.168.180.50-192.168.180.100
add name=vlan-cams ranges=192.168.169.2-192.168.169.10
add name=vlan-dispatch ranges=192.168.170.50-192.168.170.100
add name=VPN-L2tp ranges=10.10.10.10-10.10.10.30
/ip dhcp-server
add address-pool=lan-dhcp disabled=no interface=localnetwork name=lan-dhcp
add address-pool=vlan-voice disabled=no interface=vlan_180_voice lease-time=
24m name=vlan-voice
add address-pool=vlan-cams disabled=no interface=vlan_169_cams lease-time=24m
name=vlan-cams
add address-pool=vlan-dispatch disabled=no interface=vlan_170_dispatch
lease-time=24m name=vlan-dispatch-dhcp
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.1 name=VPN-L2TP
remote-address=VPN-L2tp use-encryption=required
/interface bridge port
add bridge=localnetwork interface=ether6-LAN
add bridge=localnetwork interface=ether7-LAN
/interface bridge vlan
add bridge=localnetwork tagged=vlan_169_cams,vlan_170_dispatch,vlan_180_voice
untagged=localnetwork vlan-ids=169,170,180
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-L2TP enabled=yes
keepalive-timeout=disabled
/ip address
add address=192.168.168.1/24 interface=localnetwork network=192.168.168.0
add address=50.238/29 interface=ether1-WAN-Fiber network=
50.238
add address=96.70/29 interface=ether2-WAN-Cable network=96.70
add address=192.168.180.1/24 interface=vlan_180_voice network=192.168.180.0
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.169.1/24 interface=vlan_170_dispatch network=
192.168.169.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1
netmask=24
add address=192.168.169.0/24 dns-server=8.8.8.8 gateway=192.168.169.1
netmask=24
add address=192.168.170.0/24 dns-server=8.8.8.8 gateway=192.168.170.1
netmask=24
add address=192.168.180.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.180.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new
in-interface=ether1-WAN-Fiber new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new
in-interface=ether2-WAN-Cable new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=
wan1-out passthrough=yes
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=
wan2-out passthrough=yes
add action=mark-connection chain=prerouting connection-state=new
dst-address-type=!local in-interface=localnetwork new-connection-mark=
wan1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new
dst-address-type=!local in-interface=localnetwork new-connection-mark=
wan2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface=
localnetwork new-routing-mark=wan1output passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface=
localnetwork new-routing-mark=wan2output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-Fiber
add action=masquerade chain=srcnat out-interface=ether2-WAN-Cable
add action=masquerade chain=srcnat comment=“NAT L2TP/IPSEC” src-address=
10.10.10.0/24
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override
passive=yes secret=12345
/ip route
add check-gateway=ping distance=1 gateway=50.238. routing-mark=
wan1output
add check-gateway=ping distance=2 gateway=96.70. routing-mark=
wan2output
add check-gateway=ping distance=1 gateway=50.238.
add check-gateway=ping distance=2 gateway=96.70.
/lcd
set time-interval=daily
/ppp secret
add name=test password=test profile=VPN-L2TP service=l2tp
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set silent-boot=no

I will check this with cisco catalyst. theoretically all should be ok now, I dont know but I have feeling like that load balance does not work properly, most data goes thought Cable ISP which is a way slower, also ideally would be send all traffic http https + voip only thought Fiber isp
I have ipsec vpn setup but I can connect to the WAN IP but later cannot access any internal resources.

sprintership · November 14, 2018, 3:09am

i just tested with cisco catalyst and looks like after disabling vlan filtering on bridge = localnetwork ports with above configuration works fine, when I enable vlan filtering nothing works

Jotne · November 14, 2018, 6:03am

This is the wrong part

/interface bridge vlan
add bridge=localnetwork tagged=vlan_169_cams,vlan_170_dispatch,vlan_180_voice \
untagged=localnetwork vlan-ids=169,170,180

You are connecting the Bridge/Vlan to the VLAN interface. It should be connected to the physical Interfaces .

You need to list what Vlan you like to get out of interface 6 and 7
Eks

Untagged vlan 1
Tagged 168,170, 180

If that is the case it should be

/interface bridge vlan
add bridge=localnetwork tagged=localnetwork, ether6-LAN, ether7-LAN vlan-ids=169,170,180

Bridge localnetwork need to be tagged as well.

You still have the same IP on VLAN 169 and 170. That does not work.

add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.169.1/24 interface=vlan_170_dispatch network=192.168.169.0

Change to

add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.170.1/24 interface=vlan_170_dispatch network=192.168.170.0

II also suggest that your Router is DNS for all network. And netmask is missing for your 180.0/24 network.

/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1 netmask=24
add address=192.168.169.0/24 dns-server=192.168.168.1 gateway=192.168.169.1 netmask=24
add address=192.168.170.0/24 dns-server=192.168.168.1 gateway=192.168.170.1 netmask=24
add address=192.168.180.0/24 dns-server=192.168.168.1 gateway=192.168.180.1 netmask=24

Updated Viso: