Need help VLANing hEX PoE RB960PGS

Hi,
I bought a hEX PoE RB960PGS but have been having a hard time getting the VLAN setups I’ve seen to work.

I have a pfSense router doing DHCP and providing some VLANs, which I believe is working (mostly), but I have had serious trouble getting any of the MikroTik guides I’ve seen to work. I’ve reset it I don’t know how many times, but I often locked myself out or otherwise found it not working and got into a mess where I thought it best to reset.

The pfSense box has/provides:
(non-VLAN) 10.0.10.1/24 & DHCP pool 10.0.10.100-150
vlan200 10.20.20.1 & DHCP pool 10.20.20.100-120
vlan300 10.20.20.1 & DHCP pool 10.30.30.100-120
vlan66 10.0.66.1 & DHCP pool 10.0.66.100-120

I also have a Ubiquiti UAP I’d like to have on the same non-VLAN network (10.0.10.x) above for management purposes.
So, what I’d ideally like to have working is something like:
ether1 - trunk for VLANs (and a non-VLAN IP on the MikroTik if possible, for MikroTik management, but flexible) - ether1 picked here for PoE proximity reasons.
ether2 - untagged 10.0.10.x for management, and tagged vlan200/vlan300 for the UAP’s wifi networks
ether3 - untagged vlan200
ether4 - untagged vlan66
ether5 - flexible: either management for the MikroTik if needed, or alternatively untagged vlan200 and tagged vlan300

If someone is able to help with how to get started (from the point where I reset the hEX PoE) I’d really appreciate it. I’ve tried so many guides but am clearly getting something wrong.
I think I’m trying to do something similar to https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN#Port_based_VLAN_tagging_.232_.28Trunk_and_Hybrid_ports.29 but haven’t had any luck with that or other guides; both with the vlan99 management example and others, the addressing for the MikroTik seems to be a problem.

One of my attempts had me getting the right DHCP addresses for VLANs on different ports on the MikroTik (and the right DHCP on the UAP too, though I broke something, maybe the gateway config from DHCP was wrong, as wireless hosts couldn’t get to the net), but I could no longer reach an IP for the MikroTik itself, so I reset it since things weren’t right.

And to be clear: when I reset the device I’ve been using the web interface to check the initial settings (and do I choose switch or router? I figured it doesn’t matter with what I’m changing, but maybe I missed something). I’ve then usually been SSHing into whatever IPs I can to configure it, but sometimes locking myself out by not giving the MikroTik a reachable IP or something.

I’ve taken from the material available that the hEX PoE has one of the fancy switch chips, and that for performance reasons I should use the switch if I can, but if a bridge is what I need I’ll go with that; it may be worth making clear to me how I make sure the one I don’t want is disabled. Even changing the master-port to ether1 I seem to struggle with (I think I succeeded once; do I just make sure nothing is using ether2 as a master-port and then I can set ether1 to master? Do I need to use switch-all-ports=yes?)

All help appreciated, thanks!
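An added example (not from this thread and not a MikroTik reference configuration) of one way to put the port plan above onto the RB960PGS switch chip on RouterOS 6.3x, the era before bridge VLAN filtering existed, following the master-port / switch-vlan method of the linked wiki page. The catch a practitioner should know before copying it: `vlan-header` is a per-port setting, so a port either adds a tag to every untagged frame it sends (`add-if-missing`) or strips the tag from every frame (`always-strip`); one port cannot strip for a "native" VLAN and add for the others. This variant therefore keeps every VLAN tagged on ether1 and ether2, including the MikroTik's own management, and uses the thread's existing vlan66 for that purpose. Assumptions made here, not stated in the thread: the device was just reset and is being configured from a console or MAC-WinBox session (the 192.168.88.1 path goes away in step 1), ether1 becomes the master-port and the trunk to pfSense, the MikroTik takes 10.0.66.2/24 (a free address in the thread's vlan66), and the UAP on ether2 is configured on its controller to use a tagged management VLAN, since ether2 carries no untagged network in this layout.

```routeros
# Added example, not from the thread: switch-chip VLANs on a reset hEX PoE
# (RB960PGS), RouterOS 6.3x, before bridge vlan-filtering.
# Assumed: ether1 is trunk + master-port; all VLANs tagged on ether1/ether2;
# MikroTik management on the existing vlan66 as 10.0.66.2/24 (chosen here).

# 1. Free the ports from defconf. The empty bridge may stay; its ports,
#    DHCP server/client and 192.168.88.1 address must go.
/ip dhcp-server remove [find]
/ip dhcp-client remove [find]
/ip address remove [find comment=defconf]
/interface bridge port remove [find]

# 2. Make ether1 the master-port. Move ether3-5 off ether2 first: ether2
#    cannot become a slave while other ports still name it as master.
#    Restoring the default name keeps the switch-port names predictable.
/interface ethernet
set [find default-name=ether3] master-port=ether1
set [find default-name=ether4] master-port=ether1
set [find default-name=ether5] master-port=ether1
set [find default-name=ether2] name=ether2 master-port=ether1

# 3. Per-port tagging and filtering (Atheros8327/QCA8337 family).
#    secure        : drop frames whose VID is not in the switch VLAN table
#    add-if-missing: trunk, tag everything that left an access port untagged
#    always-strip  : access port, untagged on egress, default-vlan-id on ingress
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=66
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set switch1-cpu vlan-header=leave-as-is

# 4. VLAN table: which ports may carry each VID. switch1-cpu is a member
#    only of the VLAN the router itself needs an address in (least exposure).
/interface ethernet switch vlan
add switch=switch1 vlan-id=66  ports=ether1,ether2,ether4,switch1-cpu
add switch=switch1 vlan-id=200 ports=ether1,ether2,ether3,ether5
add switch=switch1 vlan-id=300 ports=ether1,ether2

# 5. Management: a VLAN interface on the master-port receives the tagged
#    VID 66 frames the CPU port passes through unchanged.
/interface vlan
add name=vlan66-mgmt interface=ether1 vlan-id=66
/ip address
add address=10.0.66.2/24 interface=vlan66-mgmt
/ip route
add gateway=10.0.66.1  ; pfSense's vlan66 address from the thread

# 6. Recovery path after the defconf bridge lost its ports: MAC-telnet and
#    MAC-WinBox only on the management VLAN, not on every port.
/tool mac-server add interface=vlan66-mgmt
/tool mac-server mac-winbox add interface=vlan66-mgmt
```

The defconf firewall and NAT rules still treat ether1 as the WAN (the "drop all from WAN" filter rules and the masquerade rule); nothing is routed through this box in the layout above, so review or remove them rather than leaving rules that describe a topology that no longer exists.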

For me, starting without the switch chip was the easiest. The catch, though, is that you’ll want to make sure “master-port” is set to none for the interfaces you want to use with basic software bridging.

/interface ethernet set ether3 master-port=none

^^ would set ether3 to not have a master-port.

If you want to use the switch chip, the master-port is the one that links up to the CPU, from what I understand. This plays into where you assign VLAN interfaces. That’s covered in the guides as well.
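An added example, not posted by either participant, of the software-bridging approach this reply describes, applied to the first post's port plan on RouterOS 6.3x (before bridge vlan-filtering). With no master-port, every port is a plain CPU interface; tagging is done per (port, VID) by `/interface vlan` sub-interfaces and each VLAN gets its own bridge, so the hybrid ports (ether2: untagged management plus tagged 200/300; ether5: untagged 200 plus tagged 300) work exactly as asked, at the cost of CPU forwarding. Assumptions made here: the device was just reset, the defconf `bridge` is kept and reused as the untagged bridge (so the defconf MAC-server entries that reference it stay valid), and the MikroTik's management address 10.0.10.2/24 is a value chosen for this example.

```routeros
# Added example, not from the thread: per-VLAN software bridges on a reset
# hEX PoE, RouterOS 6.3x. Assumed: defconf "bridge" reused as the untagged
# bridge; management address 10.0.10.2/24 chosen here.

# 1. Clear defconf networking but keep the bridge object itself.
/ip dhcp-server remove [find]
/ip dhcp-client remove [find]
/ip address remove [find comment=defconf]
/interface bridge port remove [find]

# 2. No master-port anywhere: the switch chip is out of the picture.
/interface ethernet
set [find default-name=ether3] master-port=none
set [find default-name=ether4] master-port=none
set [find default-name=ether5] master-port=none
set [find default-name=ether2] name=ether2

# 3. One sub-interface per (port, VID) that must be tagged on that port.
/interface vlan
add name=ether1-v66  interface=ether1 vlan-id=66
add name=ether1-v200 interface=ether1 vlan-id=200
add name=ether1-v300 interface=ether1 vlan-id=300
add name=ether2-v200 interface=ether2 vlan-id=200
add name=ether2-v300 interface=ether2 vlan-id=300
add name=ether5-v300 interface=ether5 vlan-id=300

# 4. One bridge per VLAN. Raw ports are untagged members, sub-interfaces
#    are tagged members. A port belongs to exactly one untagged bridge.
/interface bridge
add name=br-v66
add name=br-v200
add name=br-v300
/interface bridge port
add bridge=bridge  interface=ether1          ; untagged 10.0.10.x from pfSense
add bridge=bridge  interface=ether2          ; untagged UAP management
add bridge=br-v66  interface=ether1-v66
add bridge=br-v66  interface=ether4          ; access vlan66
add bridge=br-v200 interface=ether1-v200
add bridge=br-v200 interface=ether2-v200     ; tagged to the UAP
add bridge=br-v200 interface=ether3          ; access vlan200
add bridge=br-v200 interface=ether5          ; hybrid: untagged 200 ...
add bridge=br-v300 interface=ether1-v300
add bridge=br-v300 interface=ether2-v300
add bridge=br-v300 interface=ether5-v300     ; ... plus tagged 300

# 5. Management address on the untagged bridge; pfSense stays the gateway.
/ip address
add address=10.0.10.2/24 interface=bridge
/ip route
add gateway=10.0.10.1
```

Two caveats worth checking on a live box. First, a frame arriving tagged with a VID that has no sub-interface on that port is not claimed by any `/interface vlan` and so reaches the untagged bridge like any other frame, so keep the pfSense trunk limited to the VLANs listed here. Second, the defconf firewall and NAT rules still treat ether1 as the WAN; this box routes nothing in the layout above, so remove or rewrite them rather than leaving a stale masquerade on the trunk.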

I’ll post configs later, but I went two steps forward, one step back, and there are a few other things I’ll mention in case beginners find my post.
This won’t be the ‘right’ way, it’s a mess, but I’ve had more success than I was having with the guides out there, which just don’t seem to work and I can’t see why.

I got vlan66 to work, though: I put it on ether1 with mode=secure, tags=always-strip, default VID 66,
added a switch VLAN for 66 between ether1 and ether2, and added an interface for vlan66 on ether2.

I successfully gave ether2 an address on the untagged LAN, which is reachable through ether2 even though it’s a trunk.

Untagged traffic works correctly on ether4/5, which aren’t tagged/have VLAN disabled, since the default bridge between ports 2,3,4,5 is still in place.

The remaining problems are:
A: ether3 should be vlan200 but isn’t working.
The only difference between the setup of ether1 (works as vlan66) and ether3 as vlan200: ether3 is also a member of the untagged bridge. I thought this wasn’t a problem?

I found a reference that switch VLAN entries are higher priority than bridge settings, but this still doesn’t work.

B: my Ubiquiti AP (UAP-LR-AC) will get DHCP correctly for itself when on the untagged ether4/5, but wireless clients can’t get DHCP? Does the MikroTik have some kind of port security, or is discovery/ARP somehow breaking DHCP off untagged ports on the hEX?
The trunk on ether2-master goes to my pfSense box, which actually has DHCP servers for each of the VLANs and the untagged network.

Help?

OK, so, config. It works except that ether3,4,5 are currently just an untagged bridge, and I’d like one of them to be the UAP with wifi LANs on vlan200/300 and untagged for management, if that will work; if not I might stick management on another VLAN.

# jul/13/2017 19:04:12 by RouterOS 6.39.2
# software id = KYQL-19EJ
#
# this has vlan666 on ether1
#trunk on ether2
#ether3,4,5 untagged bridge
#10.10.20.2 hardcoded interface for management.
/interface bridge
add admin-mac=64:D1:54:3C:22:E7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set ether2-master discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set sfp1 discover=no
set bridge discover=no
/interface vlan
add interface=ether2-master loop-protect-disable-time=1m loop-protect-send-interval=1m \
    name=vlan200 vlan-id=200
add interface=ether2-master loop-protect-disable-time=1m loop-protect-send-interval=1m \
    name=vlan666 vlan-id=666
/ip neighbor discovery
set vlan200 discover=no
set vlan666 discover=no
/interface ethernet switch port
set 0 default-vlan-id=666 vlan-header=always-strip vlan-mode=secure
set 1 vlan-mode=fallback
set 2 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 3 vlan-header=always-strip
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=sfp1
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2-master switch=switch1 vlan-id=666
add independent-learning=yes ports=ether2-master,ether3,ether4,switch1-cpu switch=switch1 \
    vlan-id=200
add independent-learning=yes ports=ether2-master,ether3,ether4 switch=switch1 vlan-id=300
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
add address=10.10.120.2/24 interface=vlan200 network=10.10.120.0
add address=10.10.20.2/24 interface=ether2-master network=10.10.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/system clock
set time-zone-name=Australia/Sydney
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge