crewdi
October 17, 2019, 10:30am
1
Hello everyone, I have a simple situation, but for the last few days I have been burning my brain and I can't find a solution.
My device is CRS109-8G-1S-2HnD-IN
I have 3 VLANs with 3 DHCP servers, 3 pools etc.: VLAN10, VLAN20, VLAN30 on ether8 (it's for a UniFi AP with 3 different SSIDs). It's working!
Now I have bought 4 more APs and connected them to ports ether3, ether4, ether5, ether6.
All interfaces are under the same bridge with my WAN (ether1).
I just want the old master-port function for interfaces ether3-6 with ether8, so that the 3 VLANs are available on all interfaces.
Clients connect to the 4 new APs but don't get an IP; the VLAN is not working.
I have searched the whole internet over the last few days and found some topics about switch settings for VLANs, but no luck.
Can anyone help me?
Thanks in advance
crewdi
October 20, 2019, 11:36pm
4
Of course I have read all these links and many more topics. I didn't find a solution for my CRS router switch.
mkx
October 21, 2019, 5:13am
5
How about posting your current config (/export hide-sensitive … at least the /interface section of it)?
crewdi
October 21, 2019, 6:02pm
6
Of course, thank you for your time.
The only change from the first post is that I moved from ether8 to ether7, with the names VLAN50, 60, 70.
The only solution I have found is to enable VLAN filtering on the “bridge”, and on ether7 I have connected a TP-Link switch with trunk ports to all the UniFi APs! This works!
But this function disables fasttrack on all connections, and the speed decreases by over 50%.
I want to connect all the APs to the MikroTik, one per port, with 3 VLANs for 3 WLANs, but I can't make 5 ports carry vlan50, 60, 70.
# Bridge, ethernet, VLAN-interface and interface-list definitions.
/interface bridge
add admin-mac=* auto-mac=no name=bridge
# One extra bridge per VLAN; each receives a /interface vlan child as a port (see /interface bridge port).
# This is a third VLAN pattern used next to the switch-chip VLAN table and the bridge-port pvid further down.
add name=bridgeVLAN10
add name=bridgeVLAN20
add name=bridgeVLAN30
/interface ethernet
set [ find default-name=ether4 ] comment=Netgear
set [ find default-name=ether1 ] name=etherVodafone
/interface vlan
# NOTE(review): ether2 is also a port of 'bridge' (see /interface bridge port); a VLAN interface on a
# bridge-slaved port is a common reason tagged traffic never reaches the VLAN interface - confirm intended.
add interface=ether2 name=vlan20 vlan-id=20
# CPU-side VLAN interfaces on ether7, the trunk towards the TP-Link switch described in the thread.
add interface=ether7 name=vlan50 vlan-id=50
add interface=ether7 name=vlan60 vlan-id=60
add interface=ether7 name=vlan70 vlan-id=70
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# List 'VLAN' is not referenced by any firewall rule in this export; the input chain's final
# "drop all not coming from LAN" rule therefore also drops router-bound traffic (e.g. DNS) from
# vlan20/vlan50/vlan60, while vlan70 was placed in LAN instead (see /interface list member).
add name=VLAN
# Wireless security profiles, the physical AP, two virtual APs and the VLAN interfaces stacked on them.
/interface wireless security-profiles
# Default profile; wpa-psk enables WPA1 alongside WPA2 - drop it if no legacy client needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
supplicant-identity=MikroTik
# WPA2-only profile; not referenced by any wireless interface in this export.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=\
ytonstaff supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=yton supplicant-identity=""
# NOTE(review): no mode= is exported for this profile, so it keeps the default mode (none); in that mode
# the authentication-types are not applied and the SSID using 'free' is effectively open - confirm intended.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=free \
supplicant-identity=""
/interface wireless
# Physical radio with its own SSID on profile 'yton'; wlan1 is also a port of 'bridge' (untagged LAN).
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=2452 installation=\
indoor mode=ap-bridge radio-name=MikroTik security-profile=yton ssid=MikroTik tx-power=22 \
tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
# Virtual AP 'FREE' broadcasts ssid "Staff" with profile 'free' (see note above) and tags clients into VLAN 10.
add keepalive-frames=disabled mac-address=* master-interface=wlan1 max-station-count=50 \
multicast-buffering=disabled name=FREE security-profile=free ssid="Staff" vlan-id=10 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# NOTE(review): no security profile named 'staff' exists in this export (default, ytonstaff, yton, free);
# 'ytonstaff' is probably meant - confirm, otherwise this SSID has no usable profile.
add keepalive-frames=disabled mac-address=* master-interface=wlan1 max-station-count=100 \
multicast-buffering=disabled name=staff security-profile=staff ssid="Member" vlan-id=30 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
# VLAN children of the virtual APs; each AP and its child end up in the same bridgeVLANxx (see bridge ports).
add interface=FREE name=vlan10 vlan-id=10
add interface=staff name=vlan30 vlan-id=30
# Address pools and DHCP servers, one per VLAN plus the untagged LAN.
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.249
add name=vpn ranges=192.168.89.2-192.168.89.255
# Pool covers a single /24, but bridgeVLAN10 is addressed 192.168.10.1/23 (see /ip address) and the
# dhcp-server network entry is 192.168.10.0/24 - the three should agree.
add name=dhcpVLAN10 ranges=192.168.10.25-192.168.10.250
add name=dhcpVLAN20 ranges=192.168.2.10-192.168.2.200
add name=dhcpVLAN30 ranges=192.168.3.2-192.168.3.254
# /23 pools matching the /23 addresses on vlan50/60/70.
add name=dhcpVLAN50 ranges=192.168.50.2-192.168.51.254
add name=dhcpVLAN60 ranges=192.168.60.2-192.168.61.254
add name=dhcpVLAN70 ranges=192.168.70.2-192.168.71.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
# VLAN10/20/30 servers listen on the per-VLAN bridges, not on the vlan interfaces.
add add-arp=yes address-pool=dhcpVLAN10 disabled=no interface=bridgeVLAN10 name=dhcpVLAN10
add address-pool=dhcpVLAN30 disabled=no interface=bridgeVLAN30 name=dhcpVLAN30
add address-pool=dhcpVLAN20 disabled=no interface=bridgeVLAN20 name=dhcpVLAN20
# Only vlan50 uses a 5m lease; vlan60/vlan70 keep the default - presumably a leftover from testing.
add add-arp=yes address-pool=dhcpVLAN50 disabled=no interface=vlan50 lease-time=5m name=vlan50
add add-arp=yes address-pool=dhcpVLAN60 disabled=no interface=vlan60 name=vlan60
add add-arp=yes address-pool=dhcpVLAN70 disabled=no interface=vlan70 name=vlan70
# NOTE(review): second server on pool 'dhcp', bound to ether7, which is itself a port of 'bridge'
# (see /interface bridge port); a server on a bridge-slaved port is normally flagged invalid - confirm.
add address-pool=dhcp disabled=no interface=ether7 name=dhcp1
# Bridge port membership.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
# pvid only takes effect when the bridge has vlan-filtering=yes; 'bridge' does not set it
# (default no), so this pvid is inert.
add bridge=bridge interface=ether6 pvid=30
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp1
# wlan1 (ssid MikroTik) lands in the untagged LAN.
add bridge=bridge interface=wlan1
# NOTE(review): each virtual AP is bridged alongside its own VLAN child (vlan10 on FREE, vlan30 on
# staff); with vlan-mode=use-tag on the APs only the tagged child should be needed - confirm intended.
add bridge=bridgeVLAN10 interface=FREE
add bridge=bridgeVLAN30 interface=staff
add bridge=bridgeVLAN10 interface=vlan10
add bridge=bridgeVLAN20 interface=vlan20
add bridge=bridgeVLAN30 interface=vlan30
# Duplicate of the ether7 entry above, left disabled.
add bridge=bridge disabled=yes interface=ether7
# Neighbor discovery, switch-chip VLAN table, VPN servers and interface-list membership.
/ip neighbor discovery-settings
# Neighbor discovery is off on every interface, so the router does not announce itself on WAN.
set discover-interface-list=none
/interface ethernet switch port
set 6 ingress-mirroring-according-to-vlan=yes
set 7 ingress-mirroring-according-to-vlan=yes
/interface ethernet switch vlan
# Switch-chip VLAN table covers ether7/ether8 only; ether3-6 (the new APs) are not members, and no
# per-port vlan-mode/vlan-header or egress-vlan-tag settings appear in this export - inferred, confirm
# against the CRS1xx switch-chip documentation.
add ports=ether7,ether8 vlan-id=50
add ports=ether7,ether8 vlan-id=60
add ports=ether7,ether8 vlan-id=70
/interface l2tp-server server
# L2TP with IPsec enforced.
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=etherVodafone list=WAN
add interface=vlan20 list=VLAN
add interface=vlan50 list=VLAN
add interface=vlan60 list=VLAN
# NOTE(review): vlan70 is in LAN while vlan20/50/60 are in VLAN; only LAN is exempted from the input
# chain's final drop, so vlan70 can reach router services and the others cannot - confirm which is intended.
add interface=vlan70 list=LAN
/interface pptp-server server
# PPTP (MS-CHAPv2/MPPE) is cryptographically weak; L2TP/IPsec and SSTP are already enabled, so this
# server can be disabled unless a legacy client depends on it.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# Router addresses, DHCP network options and DNS.
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=*****/30 interface=etherVodafone network=*****
# /23 here versus a /24 pool and a /24 dhcp-server network for VLAN10 (see /ip pool, /ip dhcp-server network).
add address=192.168.10.1/23 interface=bridgeVLAN10 network=192.168.10.0
# NOTE(review): vlan20 and vlan30 are ports of bridgeVLAN20/bridgeVLAN30 (see bridge ports); an address on
# a bridge-slaved interface becomes invalid, leaving the dhcpVLAN20/30 servers on those bridges without a
# gateway address on their interface - the addresses probably belong on bridgeVLAN20/bridgeVLAN30. Confirm.
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan30 network=192.168.3.0
add address=192.168.50.1/23 interface=vlan50 network=192.168.50.0
add address=192.168.60.1/23 interface=vlan60 network=192.168.60.0
add address=192.168.70.1/23 interface=vlan70 network=192.168.70.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1
add address=192.168.10.0/24 gateway=192.168.10.1
# These hand out the router (192.168.x.1) as first DNS server; that only works where the VLAN is allowed
# through the input chain (vlan50/60 are in list VLAN, not LAN - see /interface list member).
add address=192.168.50.0/23 dns-server=192.168.50.1,1.1.1.1,1.0.0.1 gateway=192.168.50.1
add address=192.168.60.0/23 dns-server=192.168.60.1,1.1.1.1,1.0.0.1 gateway=192.168.60.1
add address=192.168.70.0/23 dns-server=192.168.70.1,1.1.1.1,1.0.0.1 gateway=192.168.70.1
/ip dns
# The router acts as DNS forwarder for clients; no rule accepts port 53 explicitly, so exposure to WAN
# is prevented only by the input chain's final "drop all not coming from LAN" rule - keep that rule last.
set allow-remote-requests=yes cache-max-ttl=1d servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# Firewall filter, NAT, IPsec policy and default route.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Fasttrack applies to established/related forwarded connections only; per the thread, enabling bridge
# vlan-filtering on this model moves bridging to the CPU, which is the slowdown reported above.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
# The accept rules below carry no in-interface-list=WAN / src-address restriction and sit before the
# final "drop all not coming from LAN" rule, so each listed port is reachable from the WAN side.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
# Nothing in this export shows what listens on tcp/8181; unless it is a deliberately public service,
# add in-interface-list=LAN.
add action=accept chain=input comment="allow 8181" dst-port=8181 protocol=tcp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 protocol=udp
# PPTP control port open to WAN; see the pptp-server note - disabling that server is preferable to keeping this.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# tcp/8291 is Winbox management; this rule exposes it to the internet. Restrict it with
# in-interface-list=LAN (or a src-address-list of admin hosts) and manage the router over one of the VPNs.
add action=accept chain=input dst-port=8291 protocol=tcp
# Disabled duplicate of the "allow l2tp" rule above (port= instead of dst-port=).
add action=accept chain=input comment=l2tp disabled=yes port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# defconf places "drop invalid" right after the established/related accept; here it follows the service
# accepts above, so invalid-state packets to those ports are accepted before this rule is reached.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
# Final input rule: only interfaces in list LAN reach the router; WAN and the VLAN list are dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
WAN
# Disabled; clients from the 'vpn' pool are currently not masqueraded separately.
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes src-address=192.168.89.0/24
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=****
mkx
October 21, 2019, 8:06pm
7
Your VLAN setup is, bluntly said, a mess. Basically there are 3 ways of configuring VLANs under ROS and your setup is a mix of all 3. These days best practice is to configure a single vlan-enabled bridge … and here’s a nice tutorial on how to do it. It has, however, a drawback: it’s not HW accelerated, everything is done by the CPU and this means degraded performance. The other, somewhat harder to configure, way is to let the switch chip deal with VLANs. It is not that hard to convert a setup from bridge to switch chip, so I recommend you clean up the config, do it the bridge way and later, when everything works but you find the switch underperforming, you can convert the whole lot to the switch-chip way …