Multiple VLANs on a single Router Port.

ninja365 · November 13, 2020, 12:49pm

Hi all,

I would like to setup a RB960PGS Router for a new customer to mimic a configuration i have on a Draytek router elsewhere that pushes 3 IP subnets and 2 VLANs down a single port to a smart switch in another building. The configuration i am looking for is:-

Any port 1 to 4 (5 will be for connection to SXT LTE and also POE)

Lan 1 with ip range 192.168.10.0/24 - Untagged
Lan 2 Tills/Card Machines ip range 192.168.20.0/24 - VLAN Tag 20
Lan 3 Public Wifi ip range 192.168.30.0/24 - VLAN Tag 30

This will then be plugged into a VLAN aware switch configured as:-

Port 1 - Trunk port
Ports 2 - 10 - Lan 1
Ports 11 - 15 - LAN 2
Port 16 - LAN 3

Is this possible as would like to do more with MikroTik but find them more complex to configure than a Draytek.

Thanks.

anav · November 13, 2020, 12:57pm

Which MT? ahh Hex POE got it.
Read this article for setting it up.
Basically I would run all vlans from the MT for itself and to the switch
The switch can then unpack the untagged or tagged traffic where appropriate.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Sob · November 13, 2020, 5:17pm

If “any port 1 to 4” means “any of them, but just one”, then it’s extremely simple:

/interface vlan
add name=vlan20 interface=etherX vlan-id=20
add name=vlan30 interface=etherX vlan-id=30
/ip address
add address=192.168.10.x/24 interface=etherX
add address=192.168.20.x/24 interface=vlan20
add address=192.168.30.x/24 interface=vlan30

anav · November 13, 2020, 5:27pm

Learn something new every day.
One can set one standard lan subnet and multiple vlans to one etherport? (but no more than one standard lan subnet)

Also
One can set one subnet to a bridge and have it go on all bridge ports while serving vlans on same ports (assuming vlans with interface bridge).

But one cannot mix on a single etherport.
Bridge spawed subnet and NON bridge standard lan subnet
OR
vlan subnet (on bridge) and independent VLAN assigned to etherport (not associated with bridge)

Sob · November 13, 2020, 6:10pm

I can’t say that I can follow all your thoughts (that’s standard, but now even more, so I warn about that in advance), but let’s try it like this:

The example I posted is for simple case when you want some vlans and only need to use one port. So no same interconnected vlanX on ports etherX and etherY, or anything like that, just one physical port for everything. In that case you don’t need to bother with bridge and vlan filtering, because it doesn’t have any added value (except the ability to easily include other physical ports in future, but you may already know that you will never need that).

As for subnets, you can have as many anywhere you want them. Want another 192.168.11.x/24 on same otherX where you already have 192.168.10.x/24? No problem, router doesn’t mind. Add ten more if you want, it’s still ok. Of course some things may have problem with that, for example dhcp server with dynamic leases won’t be possible for all at once. But dhcp server with only static reservations in multiple subnets would work.

anav · November 13, 2020, 9:12pm

Okay got it, more than one lan subnet attached to a port is no problem but only one will be able to dynamically assign DHCPs and only the ones with static set to the second lan subnet would get traffic intended for that subnet.

Now the next layer of complication can you add ONE? or more? vlans to that port (interface is the port) Im assuming yes!!

Can you add a bridge to the scenario above and have that port as a bridge port?? In other have standard lan subnets ONE? or more? already assigned but not part of the bridge??

I know with a bridge you can throw many vlans at the port too but still asking (ie on bridge transparent to whatever is already on the port)??

mkx · November 13, 2020, 10:40pm

@anav: bridge (the switch-like entity) is pretty much transparent on ethernet level, so when an ethernet frame (optionally VLAN-tagged) enters bridge, it will exit through another port unaltered.

The bridge interface is functionality-wise identical to other interfaces members of bridge. So if bridge interface can carry multiple VLANs (you have mastered this part already, haven’t you?), then other ports (including ether ports) can as well. And this ability has nothing to do with bridge (the switch-like entity), it’s inherent to being interface passing ethernet frames - optionally prepended with tiny 4 bytes long 802.1q header.

When it comes to ROS ability to communicate with particular VLAN, the key is vlan (pseudo) interface which can be thought of as a tiny pipe which sifts frames carrying 802.1q header with particular value of VLAN ID on one end and delivers those frames with 802.1q header stripped. In the reverse direction this pipe takes frames, adds 802.1q header with VLAN ID set to (same) particular value and emits the frame on the other hand. Both ends are handling ethernet frames. Which means that “tagged” end of the pipe has to be attached (or anchored) to some interface handling ethernet frames. It can either be physical ethernet interface or bridge interface. It can’t be bridge switch-like entity!

Then IP addresses: device can have any number of IP addresses set on same interface. The prerequisite is that it knows to answer ARP whohas queries for those IP addresses with own MAC address. Which then is used by other devices to deliver packets. Next device has to know how to deal with packets with some particular dst-address. On normal network devices there will be some services bound to some (or all) of those IP addresses.

Similar process happens when interface has arp=proxy-arp set. In this case device answers ARP whohas queries with own MAC address even for IP addresses belonging to other devices if device in question knows how to forward packets to real receivers (usually from own MAC table, either static or dybamic).
Similar process (delivery of packets with “alien” dst-address to device in question) happens if device in question is a gateway … in this case other devices will sene ARP whohas queries for gateway’s IP address and gateway will answer with own MAC address. Other devices will deliver packets to router’s MAC address and router then forwards packets according to routing rules for IP dst-address set in packets. This is similar to proxy-arp case, the difference is only in IP address used in ARP whohas queries sent by LAN devices (in gateway case LAN devices know that they are directly communicating with gateway while in proxy-arp case LAN devices think they’re communicating directly to end device).

anav · November 16, 2020, 1:56pm

THanks, much to digest.
My question is lets say you have subnet 192.168.10.X assigned by itself to etheport 5. Full DHCP etc.
Lets say you have a separate bridge, also includes etheport 5

Two scenarios.

a. bridge has vlans only and does not function DHCP itself, I dont see a conflict/
b. bridge has vlans AND IS ALSO giving dhcp itself…

What happens when I connect a computer to etherport 5?? Does it get DHCP from the 192.168.10.x subnet or the bridge subnet??

biomesh · November 16, 2020, 5:16pm

A request that is not tagged would get the PVID of the bridge(default is PVID=1) and use the config of the bridge as long as it allows untagged packets (admit all or admit only untagged and priority tagged). If the packet is a tagged packet and there is no config for that vlan ID then it will not be processed or dropped, depending on the options enabled.

The config on a router vs the switches can be similar, but the routers will generally not have full switch chip hardware offloading. The performance really depends on the hardware and switch chip features.

ninja365 · November 16, 2020, 6:29pm

Thank you to all for your responses, and i think there’s a few items that need clarification.

I don’t have a preference to which port i apply this to between 1 and 4 so for simplicity lets use port 4. Ports 1 to 3 will use LAN 1.
Port 5 will be reconfigured to be the incoming WAN port as it will also be powering the SXT LTE unit.
This will be connecting into either a Netgear or Zyxel 24 port smart switch with port 1 as the trunk port .

I already have this configuration setup on a Draytek 2862 at another site which works really well as have one backbone CAT6 between the 2 buildings with the Draytek at one end and the Switch at the other. Just looking to try and rationalise hardware with MikroTik.

ninja365 · November 30, 2020, 9:25pm

If “any port 1 to 4” means “any of them, but just one”, then it’s extremely simple:

/interface vlan
add name=vlan20 interface=etherX vlan-id=20
add name=vlan30 interface=etherX vlan-id=30
/ip address
add address=192.168.10.x/24 interface=etherX
add address=192.168.20.x/24 interface=vlan20
add address=192.168.30.x/24 interface=vlan30

Hi Sob,

Just a quick note to thank you for the above. I have used the configuration on a SXT LTE unit running down a single port to a remote smart switch and am delighted it worked straight away. I did try to manually set this up without using terminal and have to admit that i just couldn’t get it right but using your script was actually quicker and a lot easier.

Once again many thanks for your help, its greatly appreciated.

Sob · November 30, 2020, 10:40pm

Config structure is mostly the same for all interfaces (CLI, WinBox and WebFig). Only when you’re not used to it, finding some option among all presented may take a few extra seconds, but use it few times and it quickly gets easier.

aliboy · May 18, 2021, 1:02am

Hi,

As of now, the Mikrotik is not configured to use any vlans (aside from vlan1 if that is the default). How do I configure the Mikrotik so that Bridge-HS will use vlan28? The goal is to make ng port 4 and 5 of the Mikrotik to be part vlan28. The AP that connected to port 5 of Mikrotik is not vlan capable. The TPlink Switch connected to port 4 of the Mikrotik is already configured to have vlan28 at that port 4 and 5 of the TPlink Switch. Thank you!

anav · May 18, 2021, 1:19am

Have a read of this first and then see if you still have questions…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

and if you do post your config to see what you have accomplished.
/export hide-sensitive file=anynameyouwish

aliboy · August 1, 2021, 12:31am

Hi Anav,

It has been a while and there were many changes I have done to my router. I have set up the Mikrotik again just to make it clean when I post it here. Here is the current setup:

bridge1 = eth3, eth5, wlan1 and wlan2
bridge2-hs = eth4, wlan3 and wlan4

My goal is to utilize VLAN. VLAN1 for bridge1 and VLAN50 for bridge2-hs and ensure that it allows traffic for both VLANs on eth5. The eth5 is connected to a network switch that is capable of using VLAN on the configuration.

I have attached the exported copy of the current configuration.

I tried to copy the router.rsc configuration I found on the existing file from the link you recommended but everytime I add the last line I get disconnected and unable to get back to the router anymore and end up resetting the router.

Here is that last line from router.rsc

“/interface bridge set BR1 vlan-filtering=yes”

Here is my router configuration that is not working “NewlyConfigured.rsc”

Please suggest of what are the things I have to add on the configuration to make this happen.

Thank you.
router.rsc (7.18 KB)
NewlyConfigured.rsc (3.95 KB)

anav · August 1, 2021, 2:50pm

purpose of:
vanblue?? (okay this is the home vlan)
vlanbase ?? (okay for config purposes isolating to admin only,

Why do you have two vlans but three dhcp pools, servers etc>>>

Why do you have 3 bridges??
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Okay so you have three requirements,
Hotspot vlan (for hotspot wifi)
Home vlan (for wired and wifi users - blue)
Management vlan. (base for admin)

You need to add one vlan
add interface=BR1 name=hotspot_vlan vlan-id=66

You need to drop the other bridges, not required.
change list members accordingly to this
lte1 list=WAN
ether1 list=WAN
ether2 list=WAN
BR1 list=LAN
BASE_VLAN list=BASE

ip address ----> with interface as per three vlans (not bridges)
dhcp server —> interface as vlan (not bridges)
dhcp server network -----> blue gateway is wrong should be add address=192.168.28.0/24 gateway=192.168.28.1 dns-server=192.168.28.1
(plus what dns will hotspot use?)

There are no firewall rules in place and thus should not be connected to the internet yet!!!

UPNP, why is this enabled???

Bridge port settings!
Do not use vlan id=1 ?? Its not even defined anywhere and the only place it belongs is the default vlanID of the single bridge itself not in interface bridge port or bridge vlan settings.

/interface bridge port
add bridge=BR1 interface=ether3
add bridge=BR1 interface=wlan1 pvid=50 admit only priority and untagged frames ingress-filtering=yes
add bridge=BR1 interface=wlan2 pvid=50 admit only priority and untagged frames ingress-filtering=yes
add bridge=BR1 interface=ether4
add bridge=BR1 interface=wlan3 pvid=66 admit only priority and untagged frames ingress-filtering=yes
add bridge=BR1 interface=wlan4 pvid=66 admit only priority and untagged frames ingress-filtering=yes
add bridge=BR1 interface=ether5

I do not know what to assign on ports 3, 4,5 as it not clear to what they are connected to.
I will give examples though,
ex1. if ether3 is to a home computer (dumb device) then
add bridge=BR1 interface=ether3 pvid=50 admit only priority and untagged frames ingress-filtering=yes

ex2. if ether4 is to a managed switch (smart device) then
add bridge=BR1 interface=ether4 admit only tagged frames ingress-filtering=yes

To complete the interface bridge port and especially bridge interface vlan settings one needs a better network diagram or listing to show
what ports are connected to what device and what vlans need to be passed.