Native VLAN

Hi guys, I need some help! XD

I recently decided to buy a 750G for my home network. I've been using Cisco professionally for serveral years and I know exactly what I want to do but I have a hard time make it happen on RouterOS. Basicly I dont know if somethings isn't possibe to do on RouterOS or if I just dont understand how to do it.

My main issue is that I find the VLAN configuration confusing and I'm unsure if it's possible to set up Native VLANs or untagged ports in RouterOS...?


Here's my set up.
I get three white IP addresses via DHCP from my ISP, so I want to use one IP for the router and make a NAT router on VLAN interface "ISP" and then let my PC and server get a white IP aswell via the "ISP" VLAN. I think the rest is pretty obvius, the VOIP and AP boxes should get IP via NAT aswell as the PC and server.

750G

| 1 | 2 | 3 | 4 | 5 |

Port 1.
description; Uplink to ISP
NATIVE VLAN; ISP


Port 2.
description; PC
VLAN TRUNK; ISP and NAT


Port 3.
description; Server
VLAN TRUNK; ISP and NAT


Port 4.
description; VOIP
NATIVE VLAN; NAT


Port 5.
description; Wireless AP
NATIVE VLAN; NAT

The main thing to keep in mind about Mikrotik and VLANs is the Mikrotik is not a switch, it will not treat a VLAN that same way a switch will. It is based off of Linux, and will handle VLANs just like Linux does. When you make a VLAN on a Mikrotik, as far as it knows and it is concerned, it is just another physical interface that just so happens to tag for a VLAN for outgoing traffic and reads a VLAN tag coming in.

So in short, the way you are thinking of it, there is no way to set up a native VLAN on a port(where it will automatically tag each un-tagged packet with the specified VLAN). The way you make an untagged port for a VLAN is to make the VLAN and bridge that VLAN with another physical port on the Mikrotik.

Probably the best way for you to handle this is to bridge Ether1-3 and set up a DHCP client on the bridge and connect the servers to the appropriate ports. I’m not sure how well this will work however or if it will get messy or not. Hopefully this helps and gets you closer to what you want to do.

All ports are in their own native VLAN by default. There is no VLAN0. It is always enabled on each port and they are not connected as a switch. To connect them as a switch you can use the Switch feature. To be able to set up more precise configuration, you can put all ports in a Bridge (so the RB will act as a switch), and you will be able to isolate stuff more precisely with the Bridge Filter fuction. I love that Bridge filter! It has saved my life multiple times!

In order for me to be able to give you complete details, you should tell me what host you want to connect to what. Layer 2 from where to where? Layer 3 NAT-ed to what hosts? Direct Layer 2 to the ISP net to what hosts? You can draw it in paint as well. Or by hand and upload a shot of it.

Thanks for the input it cleared my vision a bit, but of course I have some counter questions.

Do you mind to paste a sample configuration of that? I think I’ve doned that but not manage to untag the packets.

I’ve partial done that, I manage to create two separate L2 domains. Port 1-3 is connected with the switch function and port 4,5 is combined with a bridge. I’ve a DHCP client in port 1 and a DHCP-server on the bridge and the NAT stuff is in place. See current design below.

What’s left to solve is that I want to be able to directly access the NATed clients from the PC and the server and the other way around. Also I want that the PC and the server should get additional IPs from the local DHCP-server. In a Cisco case I would just add tagged ports on port 2-3 with the same native VLAN as port 4-5 as the PC and the server can easily handle tagged packets.

What’s your thoughts

I would do this like this: All ports in a bridge + very serious Bridge Filters, so that none of my local packets, DHCP, etc, gets out to the ISP network.

But right now if you already have this set up, this way you will have better top speeds (max, and the board cpu will not even notice that traffic - cooool) for ports 1-3 because they use the switch function.

So to have access to the PC and Server from the Bridge DHCP clients, you can use NATed addresses. These packets will be routed. So you will be able to control them precisely with the IP Firewall Filter Clarifying a bit - the RouterBOARD has ping to the PC and to the Server on their respective IP addresses that they would have, if they were sitting on that side as your picture shows them. And the Bridge DHCP clients will be NATed so they will have different IPs. For traffic to go from the DHCP NAT clients to the PC and Server, you would not need to add anything, - they should simply be routed, this direction of establishing a connection is covered.

And for traffic to pass from the PC and Server to the NATed clients, as in - a new connection is trying to be establised in that direction, you would need either NAT rules*, or if the PC and Server’s Internet traffic goes though the RouterBAORD (their Gateway is the RouterBOARD) , again those packets will have to be routed.

*this would not be the case with this Switch configuration, you can not NAT right in the Switch. NAT is best performend in Routing mode.

So why do you need the PC and the Server to be in the ISPs Layer 2 network in the first place? To use the “white” IPs the ISP gave you?

To utilise the IPs you can use NAT, with only downside - the Server and PC will not be aware of their “white” addresses.

About the VLANs you said that the Server would handle an additional VLAN. To link the Brodge DHCP with the Server, for example in VLAN505 you can add that VLAN to the Server’s interface, add that VLAN to the RouterBOARD’s ether1 interface, put that newly created VLAN505 interface in the Bridge.

I hope no one else on the ISPs Layer 2 network uses VLAN505 (example) because if they did - traffic would pass accross and confusion and wasted work time would be the result. So to prevent the example VLAN from commucating to the ISP, you could use the Switch’es ability to disallow some stuff.

So it’s better than Cisco so far

I finally got around to continue working with the router. Right now I’m trying to solve the connection between PC/server and the NAT domain with routing. I’ve put static routes for the NAT network on the PC that points to the NAT-gateway. Partially it works, I can ping from the both sides but nothing else works. I’m digging in to it right now, not an optimal solution but will do if I get it to work.

Exactly, life is easier with white addresses

Actually, this is a good idea! My ISP will most likely not care about other VLANs. It’s easy to use VLANs in UNIX so it no trouble at all for me. Besides I still haven’t figured out how to assign the same VLAN to several interfaces in RouterOS. Would really appreciate an config example for this.

No. XD

What do you mean No? Its better than anything. I can prove it in writing!

I ment that I still prefer a Cisco box, that’s what I use every day at work.

Aha I see. Well I personally use and try to use only MikroTik. And x86 with RouterOS for more performance. I like the level of control that I have ove reverything. I like the fact that I can run The Dude on the router. I like the forums, the community. I like the fact that I can put a RouterBOARD ANYWHERE (small) and no one will notice it and it will drain only 5W of power. But I mostly like the fact that I can have all the networking power in the world for so cheap. And the list if things I like about it will take me 30 minutes to write so…
MikroTik FTW!

And about VLANs … What exactly do you need - do you need to have a bridge ? Thats sooo easy mate

…how to assign the same VLAN to several interfaces…

Added same tags to different ports will not be bridged by default. To bridge them - use Bridge functionality. Or you should bridge the phisical ports first, and then add the VLAN to the bridge interface ?

Look at my sketch above, I want to add VLAN X to port 2 and 3. Also, some how connect that VLAN with the bridge of port 4 and 5. Partially as you described a few posts up with VLAN505. I guess it simple but I don’t understand the syntax for that.