Multiple VLANs on multiple interfaces

I have problems configuring my RouterBOARD 450G with multiple VLANs on multiple interfaces. Not all VLANs should be on all interfaces. Note this is my full configuration; part of it is incomplete on purpose to have a workable running config. I have accented the relevant parts.

[wido@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME                 TYPE    MTU   L2MTU  MAX-L2MTU
 0  R 1-upc                ether   1500  1520   1520
 1  R 2-d9                 ether   1500  1520   1520
 2  R 3-htpc               ether   1500  1520   1520
 3  R 4-unifi              ether   1500  1520   1520
 4  R 5-cisco              ether   1500  1520   1520
 5  R 6in4                 sit     1280
 6  R vlan11-d11-p4unifi   vlan    1500  1516
 7  R bridge1-vlan11       bridge  1500  1516
 8  R vlan9-d9-p4unifi     vlan    1500  1516
 9  R vlan20-gast-p4unifi  vlan    1500  1516
10  R vlan30-free-p4unifi  vlan    1500  1516
11  R bridge2-vlan9        bridge  1500  1516
12  R bridge3-vlan20       bridge  1500  1516
13  R bridge4-vlan30       bridge  1500  1516
14  R vlan11-d11-p5cisco   vlan    1500  1516
15  R vlan11-d11-p3htpc    vlan    1500  1516
16  R vlan20-gast-p5cisco  vlan    1500  1516


[wido@MikroTik] > interface vlan print
Flags: X - disabled, R - running, S - slave
 #    NAME                 MTU   ARP      VLAN-ID  INTERFACE
 0  R vlan11-d11-p4unifi   1500  enabled  11       4-unifi
 1  R vlan9-d9-p4unifi     1500  enabled  9        4-unifi
 2  R vlan20-gast-p4unifi  1500  enabled  20       4-unifi
 3  R vlan30-free-p4unifi  1500  enabled  30       4-unifi
 4  R vlan11-d11-p5cisco   1500  enabled  11       5-cisco
 5  R vlan11-d11-p3htpc    1500  enabled  11       3-htpc
 6  R vlan20-gast-p5cisco  1500  enabled  1        5-cisco


[wido@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE            BRIDGE          PRIORITY  PATH-COST  HORIZON
 0    vlan9-d9-p4unifi     bridge2-vlan9   0x80      10         none
 1    vlan20-gast-p4unifi  bridge3-vlan20  0x80      10         none
 2    vlan30-free-p4unifi  bridge4-vlan30  0x80      10         none
 3    vlan11-d11-p3htpc    bridge1-vlan11  0x80      10         none
 4    vlan11-d11-p5cisco   bridge1-vlan11  0x80      10         none


[wido@MikroTik] > ip pool print
 #  NAME          RANGES
 0  default-dhcp  192.168.88.10-192.168.88.254
 1  pool111       10.0.0.2-10.0.0.254
 2  pool1-vlan11  10.0.11.2-10.0.11.254
 3  pool2-vlan9   10.0.9.2-10.0.9.254
 4  pool3-vlan20  10.0.20.2-10.0.20.254
 5  pool4-vlan30  10.0.30.2-10.0.30.254

[wido@MikroTik] > ip dhcp-server print
Flags: X - disabled, I - invalid
 #    NAME            INTERFACE       RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
 0    default         2-d9                   default-dhcp  3d
 1    server111       4-unifi                pool111       3d
 2    server1-vlan11  bridge1-vlan11         pool1-vlan11  3d
 3    server2-vlan9   bridge2-vlan9          pool2-vlan9   3d
 4    server3-vlan20  bridge3-vlan20         pool3-vlan20  3d
 5    server4-vlan30  bridge4-vlan30         pool4-vlan30  3d


[wido@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS          NETWORK       INTERFACE
 0    ;;; default configuration
      192.168.88.1/24  192.168.88.0  2-d9
 1    10.0.0.1/24      10.0.0.0      4-unifi
 2  D 213.46.x.y/24    213.46.a.b    1-upc
 3    10.0.11.1/24     10.0.11.0     bridge1-vlan11
 4    10.0.9.1/24      10.0.9.0      bridge2-vlan9
 5    10.0.20.1/24     10.0.20.0     bridge3-vlan20
 6    10.0.30.1/24     10.0.30.0     bridge4-vlan30


With this configuration I expected vlan11 to be available on ether interfaces 3 and 5, untagged on ether3 and tagged on ether5. However, the devices behind ether3 (a directly connected Linux machine) and on ether5 (a manageable switch) do not get IP addresses from DHCP. I can't figure out what I'm doing wrong. Any help is much appreciated. Oh, and I'm a newbie on VLANs and RouterOS.
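An added consistency check over the two listings in the post above (not the poster's or MikroTik's code): it flags VLAN interfaces whose VLAN-ID disagrees with the number in their name, that sit on a port meant to carry the VLAN untagged, or that are not a port of the bridge for their VLAN. It assumes the names encode the VLAN number and takes `3-htpc` (ether3) as the untagged port the post describes; the function names are illustrative.

```python
import re

# Rows copied from the "interface vlan print" and "interface bridge port print"
# listings in the post above (prompt, flag legend and header lines omitted).
VLAN_PRINT = """\
0 R vlan11-d11-p4unifi 1500 enabled 11 4-unifi
1 R vlan9-d9-p4unifi 1500 enabled 9 4-unifi
2 R vlan20-gast-p4unifi 1500 enabled 20 4-unifi
3 R vlan30-free-p4unifi 1500 enabled 30 4-unifi
4 R vlan11-d11-p5cisco 1500 enabled 11 5-cisco
5 R vlan11-d11-p3htpc 1500 enabled 11 3-htpc
6 R vlan20-gast-p5cisco 1500 enabled 1 5-cisco
"""
BRIDGE_PORT_PRINT = """\
0 vlan9-d9-p4unifi bridge2-vlan9 0x80 10 none
1 vlan20-gast-p4unifi bridge3-vlan20 0x80 10 none
2 vlan30-free-p4unifi bridge4-vlan30 0x80 10 none
3 vlan11-d11-p3htpc bridge1-vlan11 0x80 10 none
4 vlan11-d11-p5cisco bridge1-vlan11 0x80 10 none
"""

def name_vid(name):
    # Assumption: names encode the VLAN number ("vlan11-...", "bridge1-vlan11").
    m = re.search(r"vlan(\d+)", name)
    return int(m.group(1)) if m else None

def parse_vlans(text):
    # Row fields: index, flags, name, mtu, arp, vlan-id, parent interface.
    rows = (line.split() for line in text.splitlines())
    return {f[2]: (int(f[5]), f[6]) for f in rows if len(f) == 7}

def parse_bridge_ports(text):
    # Row fields: index, interface, bridge, priority, path-cost, horizon.
    rows = (line.split() for line in text.splitlines())
    return {f[1]: f[2] for f in rows if len(f) == 6}

def lint(vlans, ports, untagged_ports=()):
    findings = []
    for name, (vid, parent) in vlans.items():
        if name_vid(name) != vid:
            findings.append(("id-mismatch", name))  # name and VLAN-ID disagree
        if parent in untagged_ports:
            # A VLAN interface always sends tagged frames on its parent port.
            findings.append(("tagged-on-untagged-port", name))
        bridge = ports.get(name)
        if bridge is None:
            findings.append(("not-bridged", name))  # not a port of any bridge
        elif name_vid(bridge) != vid:
            findings.append(("wrong-bridge", name))  # bridged into another VLAN
    return findings

FINDINGS = lint(parse_vlans(VLAN_PRINT), parse_bridge_ports(BRIDGE_PORT_PRINT),
                untagged_ports={"3-htpc"})
```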

As far as I can tell your configuration is fine.
But some things to double-check:

  • How is the switch connected to ether5 handling VLAN information?
  • How is the Linux system configured?
  • And what if you configure static IPs on two devices connected to ether3 and ether5, are they able to communicate?

The switch is an 8-port Cisco SG200: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps11229/data_sheet_c78-634369.html. The uplink port on the switch (from ether5 on the MikroTik) is configured as a trunk and is a member of untagged vlan1 (default management) and tagged vlan11.

  • How is the Linux system configured?

Nothing fancy there, DHCP enabled. This box is an OpenElec XBMC install.

  • And what if you configure static IPs on two devices connected to ether3 and ether5, are they able to communicate?

Just tried it, but without success. No communication between gateway (MikroTik) and switch or Linux box. Thanks for your suggestion, do you have any other ideas?

What version of RouterOS are you using? I suddenly remember that there are issues with VLAN and DHCP on some latest version. I do not know off the top of my head which version is affected, but if you search the forum maybe you will find it.

You are right. I run 6.7 and forum members mention DHCP problems on VLANs. Tomorrow I will try to downgrade. Thank you for your reply.

No luck there. No DHCP to a host in the VLAN, and with a fixed IP no communication from the host in the VLAN to the RouterBOARD. Can somebody help me with my setup?

Layer 1 setup:
Cable modem (bridge mode) → ether1 RB450G
ether2 → Ubiquiti UniFi access point
ether3 → OpenElec.tv htpc
ether4 → Ubiquiti UniFi access point
ether5 → Cisco SG-200 switch

VLAN setup:
VLAN9 on ether 2 & 4
VLAN11 on ether 2,3,4,5
VLAN20 on ether 2,4,5
VLAN30 on ether 2 & 4

I’ve created VLAN interfaces for each VLAN on each ether interface with service tags, except for VLAN11 on ether3, which is configured without service tag. I changed the ether interfaces into routed ports, created addresses on the RB450, created DHCP pools and created DHCP servers. I’ve created bridges and added the VLAN interfaces as ports on the bridges. After that DHCP does not work, and even when using a manually configured IP on one of the hosts there is no communication possible between host and RouterBOARD. I don’t understand what I’m doing wrong.

Do you have any active firewall rules?

Just the default rules:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default configuration
      chain=input action=accept protocol=icmp

 1    ;;; default configuration
      chain=input action=accept connection-state=established

 2    ;;; default configuration
      chain=input action=accept connection-state=related

 3    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway

 4    ;;; default configuration
      chain=forward action=accept connection-state=established

 5    ;;; default configuration
      chain=forward action=accept connection-state=related

 6    ;;; default configuration
      chain=forward action=drop connection-state=invalid

After studying the wiki some more, I’ve decided to try a different route. Instead of putting the ports in routed mode I tried them in switched mode.

Model
Routerboard 450G
Firmware 3.10
RouterOS 6.7

Goal
-ether1 as gateway to modem
-ether2 with tagged VLANs 9,11,20 and 30
-ether3 with untagged VLAN 11
-ether4 with tagged VLANs 9,11,20 and 30
-ether5 with tagged VLANs 11 and 20
-all hosts get their IP from DHCP

Solution
-ether3, 4 and 5 using master port ether2
-vlans configured as interfaces on interface ether2 (in the interface tab)
-vlans configured with the different ports in them (in the switch tab)
-addresses configured for the different vlans (in the ip tab)
-pools configured for the different vlans (in the ip tab)
-networks and dhcp-servers configured for the different pools on the vlan interfaces (in the ip tab)
-changed the vlan mode of the ports in the switch tab to secure for switch1 cpu, ether2, ether4, ether5
-changed the vlan mode of the port in the switch tab to fallback for ether1
-changed the vlan mode of the port in the switch tab to disable for ether3 and configured vlan11 to ‘add if missing’

Result
No communication between any of the hosts and the RouterBOARD, not even when configuring static IPs on the hosts.

Please help :)