Mikrotik VLANs and skinning rabbits

Well, they say there’s a million ways to skin a rabbit, and apparently the same goes for VLANs in MikroTik. I have been reading and testing over and over again and can’t seem to find the correct combination that works. We are implementing a wireless network and using CRS112-8P-4S units at tower sites and subscriber sites to handle our VLANs and equipment. When I think I have one issue resolved it knocks something else off, and back and forth we go. I could really use some help on this and I am really hoping my fellow MT friends can give me some light at the end of the tunnel.

Here is a diagram of what I’m trying to accomplish.

Here is the config I tried running, based on https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Port_Based_VLAN (Port Based VLAN Examples 1 & 2).

# jan/03/1970 18:23:47 by RouterOS 6.43.12
# software id = KYSD-KSCZ
# model = CRS112-8P-4S
# serial number = 84CB0726C156

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=sfp9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether1 name="vlan 10" vlan-id=10
/interface ethernet switch trunk
add member-ports=ether1,ether5,ether6,ether7,ether8,sfp9 name="trunk 1"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 interface=sfp9
add bridge=bridge1 interface=sfp10
add bridge=bridge1 interface=sfp11
add bridge=bridge1 interface=sfp12
/interface ethernet switch egress-vlan-tag
add tagged-ports="trunk 1" vlan-id=20
add tagged-ports="trunk 1" vlan-id=40
add tagged-ports="trunk 1" vlan-id=60
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=20 ports=ether2 sa-learning=no
add new-customer-vid=40 ports=ether3 sa-learning=no
add new-customer-vid=60 ports=ether4 sa-learning=no
/interface ethernet switch vlan
add learn=no ports="trunk 1,switch1-cpu" vlan-id=10
add learn=no ports="trunk 1,ether2" vlan-id=20
add learn=no ports="trunk 1,ether3" vlan-id=40
add learn=no ports="trunk 1,ether4" vlan-id=60
/ip address
add address=192.168.10.40/24 interface=bridge1 network=192.168.10.0
/ip dns
set servers=192.168.10.1
/ip route
add distance=1 gateway=192.168.10.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=TWR-MT-01

I disabled hw offload on ether 5,6,7,8 because otherwise I wasn’t pulling DHCP from the main tower site. However, when I would plug APs into ether 5 and 6 only one of them would get online, while the other. Then if I would plug into ether 2 and assign an IP address for that VLAN, I could talk back to that VLAN’s gateway at the main tower site; I then plug an AP into ether 5, it stays up, I plug the next AP into ether 6 and my pings stop to VLAN 20’s gateway. However, if I unplug it from ether 6 and move it to ether 7 it stays up and running. Totally at a loss for that.

I honestly don’t know, and I think I can’t see the forest for the trees at this point. ANY help would be greatly appreciated.
(attachment: Trunk VLAN Network.jpg)
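The posted export can be checked mechanically for the usual port-based VLAN mistakes on the CRS1xx switch chip. The Python script below is an added example for this thread, not code from the poster or from MikroTik. It parses a RouterOS export (handling `#` comment lines, the trailing-backslash line continuations RouterOS emits, and quoted names such as `"trunk 1"`) and lints the switch-chip tables. `SAMPLE_EXPORT` is a constructed, trimmed copy of the config above. The checks encode assumptions stated in the comments: that switch-chip VLAN rules only apply to bridge ports with hardware offload enabled, that a VLAN whose membership includes a trunk needs an `egress-vlan-tag` entry for that trunk or it leaves untagged, and that each non-trunk member port needs a matching `ingress-vlan-translation` entry. `switch1-cpu` is treated as the CPU port.

```python
# Lint the switch-chip VLAN tables in a RouterOS (CRS1xx) export.
# Added example for this thread; assumptions are noted in the comments.
import shlex
from collections import defaultdict

CPU_PORT = "switch1-cpu"  # CPU port name on the CRS112 switch chip

# Constructed sample: a trimmed copy of the export posted above.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 interface=sfp9
/interface ethernet switch trunk
add member-ports=ether1,ether5,ether6,ether7,ether8,sfp9 name="trunk 1"
/interface ethernet switch egress-vlan-tag
add tagged-ports="trunk 1" vlan-id=20
add tagged-ports="trunk 1" vlan-id=40
add tagged-ports="trunk 1" vlan-id=60
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=20 ports=ether2 sa-learning=no
add new-customer-vid=40 ports=ether3 sa-learning=no
add new-customer-vid=60 ports=ether4 sa-learning=no
/interface ethernet switch vlan
add learn=no ports="trunk 1,switch1-cpu" vlan-id=10
add learn=no ports="trunk 1,ether2" vlan-id=20
add learn=no ports="trunk 1,ether3" vlan-id=40
add learn=no ports="trunk 1,ether4" vlan-id=60
"""


def parse_export(text):
    """Return {section_path: [{key: value, ...}, ...]} for every 'add' line."""
    sections = defaultdict(list)
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # RouterOS wraps long lines with '\'
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header, e.g. /interface bridge port
            section = line
            continue
        tokens = shlex.split(line)       # respects name="trunk 1" quoting
        if section and tokens and tokens[0] == "add":
            sections[section].append(
                dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok))
    return sections


def ports_of(value):
    """Split a comma-separated port list from the export."""
    return [p.strip() for p in value.split(",") if p.strip()]


def lint_vlans(text):
    """Return human-readable findings for the switch-chip VLAN configuration."""
    cfg = parse_export(text)
    findings = []
    trunks = {e["name"]: ports_of(e["member-ports"])
              for e in cfg["/interface ethernet switch trunk"]}
    hw_off = {e["interface"] for e in cfg["/interface bridge port"] if e.get("hw") == "no"}
    tagged = {(p, int(e["vlan-id"]))
              for e in cfg["/interface ethernet switch egress-vlan-tag"]
              for p in ports_of(e["tagged-ports"])}
    access_vid = {p: int(e["new-customer-vid"])
                  for e in cfg["/interface ethernet switch ingress-vlan-translation"]
                  for p in ports_of(e["ports"])}
    members = {int(e["vlan-id"]): ports_of(e["ports"])
               for e in cfg["/interface ethernet switch vlan"]}

    # Assumption 1: switch-chip rules only apply to hardware-offloaded ports,
    # so a trunk member with hw=no is handled by the CPU bridge instead.
    for name, ports in trunks.items():
        for p in ports:
            if p in hw_off:
                findings.append(f"{p}: member of trunk '{name}' but hw-offload is disabled, "
                                f"so the switch VLAN rules do not apply to it")

    # Assumption 2: a VLAN carried on a trunk needs an egress-vlan-tag entry,
    # otherwise its frames leave the trunk untagged and merge with the native traffic.
    # Assumption 3: a non-trunk, non-CPU member needs an ingress-vlan-translation
    # entry so untagged frames arriving on it are assigned to that VLAN.
    for vid, ports in members.items():
        for p in ports:
            if p in trunks:
                if (p, vid) not in tagged:
                    findings.append(f"vlan {vid}: leaves trunk '{p}' untagged (no egress-vlan-tag entry)")
            elif p != CPU_PORT:
                if p not in access_vid:
                    findings.append(f"vlan {vid}: access port {p} has no ingress-vlan-translation entry")
                elif access_vid[p] != vid:
                    findings.append(f"{p}: ingress maps to vlan {access_vid[p]} but the port is listed under vlan {vid}")

    # The VID an access port maps to must exist in the vlan table with that port
    # as a member, otherwise the mapping has no matching forwarding entry.
    for p, vid in access_vid.items():
        if p not in members.get(vid, []):
            findings.append(f"{p}: ingress maps to vlan {vid} but the switch vlan table has no such membership")
    return findings


if __name__ == "__main__":
    for finding in lint_vlans(SAMPLE_EXPORT):
        print(finding)
```

Run against the sample it reports five findings: ether5 through ether8 are trunk members with hardware offload disabled, and VLAN 10 is in the vlan table on `trunk 1` without an `egress-vlan-tag` entry, so management traffic leaves the uplink untagged. Re-enabling hw offload on the trunk members and tagging VLAN 10 on the trunk clears both. The script only reads an export, so it can be run on a copy of the config before anything is pushed to the switch.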

Several of us forum members have put our heads together and have come up with this. Please read it slowly and with a cup of coffee. Also, throw away everything you know about MikroTik and VLANs as you read it. If you have any trouble afterwards, help can be provided.

I’m no WISP guy, so some basic questions.
Are all units fed from the internet in the top right (including the router on the bottom left)?

Why do you have ether1 as a trunk port connecting to the internet and all your VLANs?
Shouldn’t it be eth1 for the internet (DHCP to the world, aka client) ONLY?

Is the bottom left unit acting as a router or just as switch?

Where are the vlan IPs handed out?

Thank you so much, I came across that the other day but hadn’t had a chance to read it, I will do so now. Thank you again.

Thank you for your reply. Yes, all units are fed from the upper right hand corner. The main tower site has the internet feeding in and we have 4 Cambium APs broadcasting out. The first switch is at another tower site that connects back to the main tower via a Cambium SM, and we will be setting up some Cambium APs there as well to further our reach. That site has the CRS112-8P-4S; all the CRS112-8P-4S units are acting as switches, they are merely passing along DHCP from the main site from VLAN 10. The APs are on the VLAN 10 subnet of 192.168.10.x/24, and the switches have 192.168.10.x/24 IPs statically assigned as well.

Also, ether1 is a trunk because, since it is my WAN, it would be carrying all the VLANs, or at least that was my thought process.

Suggest removing ether1 from trunk port status and removing it from the bridge.
eth1 = WAN only.
Following all on bridge name ‘bridgerouter’:
eth2,3,4 could be access ports?
eth5,6,7,8 have to be trunk ports.

Again, not being a WISP guy, I have serious doubts as to the quality and throughput on the second router onwards based on the link from eth5.
I’m assuming the sole purpose of this link is to feed the second switch/router.

On the second unit,
Following all on bridge name ‘bridgeswitch’:
eth1, probably the only trunk port
eth2-5 being access ports??

I am implementing the switches, not doing any routers; those are already in place and out of my hands. Those are Cisco switches and I’ve been told VLANs 10,20,30,40 need to be used. The reason they want ether 2,3,4 to be access ports is IF they want to plug devices (cameras, sensors, controllers) in on site they have the option to do so. The 2nd switch would be the end point where ether 3 would be utilized for a controller via the VLAN 30 network. Ports 2,3,4 would be access ports for 20,30,40, and if I could have another one for VLAN 10 that would be best.

Now, being that ether1 is my connection to the world, if I take it out of the bridge won’t that kill my connection to the world, since the bridge is what has the IP?

Okay, that clears much up, thanks. Over my head; others are better suited to answer!