Multiple VLANs on WAN, 1 passthrough to LAN

I am trying to figure out how to set up my CHR as a replacement for my old Asus RT-AC66U, as it is starting to fail.

Situation is as follows:

  • CHR is running on VMWare
  • My CHR has two connections (WAN (ether1) and LAN (ether2)); both are connected to separate switches* inside VMware, with separate NICs connected
  • The switch for WAN is called Internet and is connected to NIC1 on the host; the switch for LAN is called LAN on the host and is connected to NIC2
  • ISP delivers two VLANs on WAN (VLAN300 for Internet (tagged) and VLAN640 for IPTV (tagged))
  • VLAN640 needs to be passed through on the LAN as tagged with the same VLAN ID, otherwise the TV tuner won’t work
  • The VLAN300 tag should be dropped on LAN
  • The LAN network is connected to a managed switch, with the VLANs setup already. With the ASUS, this is working.

So in short:
WAN VLANs: 300(tagged) & 640(tagged)
LAN VLANs: 640(tagged)

How could I set this up in CHR?
My configuration is still factory, as I did try a setup with some articles I found here, but it rendered my router inaccessible, so I have recreated it from scratch.

Edit: found out that the VLANs on the ISP side are all tagged, and that VLAN640 should be a straight passthrough with no firewall, NAT or anything.
My current ASUS router just forwards the packets with the VLAN640 tag from WAN to LAN; it doesn’t do anything else with those packets.

I think I have the configuration figured out, however, as soon as I add the interfaces to the TRUNK (Bridge) I can’t access the CHR anymore.
Here is my configuration file:

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="RT-SP-RTR01"


#######################################
# VLAN Overview
#######################################

# 300 = Internet
# 640 = IPTV
# 1 = LAN



#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Trunk. Leave pvid set to default of 1
# NOTE: once a port is a bridge slave, an address configured on that port itself
# (for example a DHCP client lease on ether1) no longer answers; make sure BR1
# already carries a reachable address, or run these steps from the VM console
# or in safe mode, so that access is not lost at this point.
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2

#from here I can't access the CHR to do the following configuration

# egress behavior
/interface bridge vlan

# Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether1 vlan-ids=300
add bridge=BR1 tagged=BR1,ether1,ether2 vlan-ids=640
add bridge=BR1 untagged=BR1,ether2 vlan-ids=1


#######################################
# IP Services
#######################################

# Internet VLAN interface creation and DHCP client
/interface vlan add interface=BR1 name=WAN vlan-id=300
/ip dhcp-client add interface=WAN

# IPTV VLAN interface creation and DHCP client
/interface vlan add interface=BR1 name=IPTV vlan-id=640
/ip dhcp-client add interface=IPTV

# LAN IP assignment and DHCP service
# The LAN is untagged on ether2 (pvid 1), so the bridge itself (BR1) is the untagged
# member that delivers it to the CPU; a /interface vlan with vlan-id=1 on BR1 would
# only see 802.1Q-tagged frames and never receive this traffic. The address therefore
# goes on BR1, and BR1 is used wherever the LAN interface is referenced below.
/ip address add interface=BR1 address=10.0.1.254/24
/ip pool add name=LAN_POOL ranges=10.0.1.2-10.0.1.250
/ip dhcp-server add address-pool=LAN_POOL interface=BR1 name=LAN_DHCP disabled=no
/ip dhcp-server network add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254

#######################################
# Firewalling & NAT
#######################################

/interface list add name=Internet
/interface list add name=TV
/interface list add name=Intern

/interface list member
add interface=WAN list=Internet
add interface=BR1 list=Intern
add interface=IPTV list=TV

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=Intern comment="Allow LAN"
add chain=input action=accept in-interface-list=TV comment="Allow TV"

# Allow the LAN (untagged on BR1) full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BR1 comment="Allow LAN Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=Intern out-interface-list=Internet comment="LAN Internet Access only"
add chain=forward action=accept connection-state=new in-interface-list=TV out-interface-list=Internet comment="IPTV Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
# the interface list created above is named Internet; there is no list called WAN
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=Internet comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow tagged frames on the WAN trunk; the LAN port must also accept untagged LAN frames
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
# ether2 carries VLAN640 tagged and the LAN untagged (pvid 1), so it needs admit-all;
# a second "set" on the same port would simply overwrite the first one
set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=ether2]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from LAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=Intern
/tool mac-server mac-winbox set allowed-interface-list=Intern
/tool mac-server set allowed-interface-list=Intern


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
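As an added illustration (a constructed model of my own, not RouterOS code and not part of the post above), here is a small Python model of the bridge VLAN table from this configuration: it shows, for a frame entering one port, which other ports it may leave on and whether it leaves tagged. It assumes ether2 is set to frame-types=admit-all, because that port has to carry both tagged VLAN640 and the untagged LAN, and "BR1" stands for the bridge interface itself, i.e. the CPU side.

```python
# Simplified model of the bridge VLAN table from the post: membership and tagging
# only, no MAC learning or flooding. Constructed example, not RouterOS code.
# "BR1" stands for the bridge interface itself, i.e. the router's CPU side.

# /interface bridge port: (frame-types ingress filter, pvid) per port
PORTS = {
    "ether1": ("admit-only-vlan-tagged", 1),  # WAN trunk: 300 and 640 tagged
    "ether2": ("admit-all", 1),               # LAN: 640 tagged, LAN untagged (pvid 1)
    "BR1":    ("admit-all", 1),
}

# /interface bridge vlan: vlan-id -> (tagged members, untagged members)
VLAN_TABLE = {
    300: ({"BR1", "ether1"}, set()),
    640: ({"BR1", "ether1", "ether2"}, set()),
    1:   (set(), {"BR1", "ether2"}),
}

def classify(port, tag):
    """VLAN id assigned to an ingressing frame, or None if ingress filtering drops it.
    tag=None means the frame arrived untagged."""
    frame_types, pvid = PORTS[port]
    if tag is None:
        if frame_types == "admit-only-vlan-tagged":
            return None
        vid = pvid
    else:
        if frame_types == "admit-only-vlan-untagged":
            return None
        vid = tag
    tagged, untagged = VLAN_TABLE.get(vid, (set(), set()))
    # ingress-filtering=yes: the ingress port must itself be a member of the VLAN
    if port not in tagged | untagged:
        return None
    return vid

def egress(in_port, tag):
    """{port: outgoing tag, or None for untagged} for every other member of the VLAN."""
    vid = classify(in_port, tag)
    if vid is None:
        return {}
    tagged, untagged = VLAN_TABLE[vid]
    out = {p: vid for p in tagged if p != in_port}
    out.update({p: None for p in untagged if p != in_port})
    return out

if __name__ == "__main__":
    for port, tag in [("ether1", 640), ("ether1", 300), ("ether2", None), ("ether2", 300)]:
        print(port, tag, "->", egress(port, tag))
```

The VLAN640 frame from ether1 reaches ether2 still tagged, the VLAN300 frame only reaches the CPU, and the untagged LAN frame reaches the CPU untagged on BR1, which is why the LAN address has to live on the bridge rather than on a VLAN-1 interface.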