need help with basic vlan setup

Hi all.
My first routerboard (rb2011UiAS-RM) arrived today! :slight_smile:
But, even after reading a lot of documentation, I cannot get the vlan thing to work.

What I want to achieve:
SFP1 as WAN Uplink, statically assigned IP address (this works :)
ETH2, ETH3, ETH4 and ETH6 in one vlan (vlan2, named OFFICE, untagged)
ETH9 and 10 in one vlan (vlan9, named HPE, untagged)
ETH5 in one vlan (vlan3, named GUESTS, tagged)

Interface VLAN2 should have ip address 10.202.2.1/24 and a dhcp server with pool 10.202.2.100-10.202.2.254.

But whatever I do, Laptop connected to ETH2 does not get an ip address :frowning:

Can someone please point me to the most basic setup?

Thanks in advance for any help,
Christian

You could try making sure that physical ports of different vlans are not switched. It seems that none of your physical ports have multiple VLANs. Make sure your DHCP and IP services are set to work on the local ports of different vlans. Set the DHCP server and other IP services to the VLAN interface, not the physical interface.

I reset the configuration and tried with a minimal config, only one vlan (vlan2 on ether2, name OFFICE):

[admin@fw-w-01] /interface bridge port> /export

jan/02/1970 17:53:41 by RouterOS 6.20

/interface vlan
add interface=ether2 l2mtu=1594 name=OFFICE vlan-id=2
/ip pool
add name=OFFICE ranges=10.202.2.100-10.202.2.254
/ip dhcp-server
add address-pool=OFFICE disabled=no interface=OFFICE name=OFFICE
/port
set 0 name=serial0
/system logging action
set 2 remember=yes
/ip address
add address=192.168.202.2/24 interface=ether1 network=192.168.202.0
add address=10.202.2.1/24 interface=OFFICE network=10.202.2.0
/ip dhcp-server network
add address=10.202.2.0/24 dns-server=8.8.8.8,8.8.4.4 domain=riedelorama.de gateway=10.202.2.1 netmask=24 wins-server=10.202.2.9
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=192.168.202.1
/ip upnp
set allow-disable-external-interface=no
/snmp
set trap-community=public
/system identity
set name=fw-w-01
/system routerboard settings
set boot-device=nand-only

But still no ip address for laptop connected to ether2.

Is something missing?

Thanks in advance!

Add a bridge for each vlan you want.
Give the vlan2-bridge your desired address and add a DHCP server to it.
Configure eth3, eth4 and eth6 to have eth2 as master port.
Add eth2 to the bridge.

configure eth10 to use eth9 as master.
add eth9 to your vlan9-bridge.

add a vlan to eth5 (and give it vlan-id=3) and add this to your vlan3-bridge.

i guess eth1 should be a trunk port, so add vlan interfaces to it with the appropriate IDs and add those to the corresponding bridges.

You’re done.
-Chris

Hi Chris,

thanks for your reply.
Meanwhile I figured out it also works this way:

/interface vlan
add interface=ether2 l2mtu=1594 name=VLAN-OFFICE vlan-id=2



/interface bridge port
add bridge=BR-OFFICE interface=ether2
add bridge=BR-OFFICE interface=ether3
add bridge=BR-OFFICE interface=ether4
add bridge=BR-OFFICE interface=VLAN-OFFICE
add bridge=BR-OFFICE interface=ether6



/ip address
add address=192.168.202.2/24 interface=ether1 network=192.168.202.0
add address=10.202.2.1/24 interface=VLAN-OFFICE network=10.202.2.0



/ip dhcp-server
add address-pool=OFFICEPOOL disabled=no interface=BR-OFFICE lease-time=1w \
    name=OFFICE

That means adding the physical ports and the vlan to a bridge and letting the DHCP server use the bridge.

What are the advantages/disadvantages of both methods?

Thanks!!

Hi Torcolato,

You’ll be running into trouble with this portion of your config:
/interface bridge port
add bridge=BR-OFFICE interface=ether2
add bridge=BR-OFFICE interface=ether3
add bridge=BR-OFFICE interface=ether4
add bridge=BR-OFFICE interface=VLAN-OFFICE
add bridge=BR-OFFICE interface=ether6

1.: You have added the ether ports individually to the bridge, now all traffic on these ports will hit the CPU. You will never reach wire speed. It’s best practice to configure a master port (say ether2) having slave ports (ether 3,4,6). Now all traffic between those ports will be handled by the switch chip with no CPU impact.

2.: By adding the physical interface and the vlan interface to your bridge, you now have duplicate traffic on your physical interface: tagged (vlan2) and untagged (etherXX).

By now I presume you don’t really need vlans as per definition but just separate networks, only one of which (GUESTS, vlan3) needs to be treated as a vlan3 on eth5.
Could I be right? :slight_smile:

edit:
I’d do it this way:
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether6 master-port=ether2

/interface bridge port
add bridge=BR-OFFICE interface=ether2

/ip address
add address=192.168.202.2/24 interface=ether1 network=192.168.202.0
add address=10.202.2.1/24 interface=BR-OFFICE network=10.202.2.0

/ip dhcp-server
add address-pool=OFFICEPOOL disabled=no interface=BR-OFFICE lease-time=1w name=OFFICE

Edit2:
Just found a glitch in my thoughts:
Master & slave ports obviously need to be in the same switch group, so ether6 cannot be a slave of ether2.
Either add ether6 individually to the bridge (at the cost of CPU) or move your WAN port from ether1 (gigabit) to ether7 or higher, when it’s not more than 100MBit. Then you can use ether1 for another Gigabit access port and make all above-mentioned ports including ether2 slaves of ether1.
Sorry for that.

-Chris
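
The three problems raised in the last post (ports bridged individually, a vlan bridged together with its parent port, and a master port in a different switch group) can be checked mechanically against an `/export`. The following is an added example, not code from the thread: the switch-group map (ether1-5 and ether6-10) is an assumption inferred from Edit2, and the finding names are made up here.

```python
# Assumption: RB2011 switch groups as implied by Edit2 in the thread
# (ether1-5 gigabit, ether6-10 100 Mbit); not read from a router.
SWITCH_GROUP = {f"ether{n}": (1 if n <= 5 else 2) for n in range(1, 11)}

def parse_export(text):
    """Yield (menu, command, bare words, {param: value}) per export line."""
    menu = None
    for line in text.replace("\\\n", " ").splitlines():  # join "\" continuations
        words = line.split()
        if words and words[0].startswith("/"):
            menu = " ".join(words)
        elif words and not words[0].startswith("#"):
            params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            yield menu, words[0], [w for w in words[1:] if "=" not in w], params

def lint(text):
    """Return findings for the three problems raised in the thread."""
    vlan_parent, bridges, findings = {}, {}, []
    for menu, cmd, bare, p in parse_export(text):
        if menu == "/interface vlan" and cmd == "add":
            vlan_parent[p["name"]] = p["interface"]
        elif menu == "/interface bridge port" and cmd == "add":
            bridges.setdefault(p["bridge"], []).append(p["interface"])
        elif menu == "/interface ethernet" and "master-port" in p:
            slave = p.get("default-name") or bare[0]  # "[ find default-name=.. ]" form
            if SWITCH_GROUP.get(slave) != SWITCH_GROUP.get(p["master-port"]):
                findings.append(("cross-switch-master", slave, p["master-port"]))
    for bridge, ports in bridges.items():
        for group in sorted(set(SWITCH_GROUP.values())):
            same_chip = tuple(x for x in ports if SWITCH_GROUP.get(x) == group)
            if len(same_chip) > 1:  # could be master/slave instead of CPU-bridged
                findings.append(("cpu-bridged-ports", bridge, same_chip))
        for port in ports:  # tagged and untagged copies of one wire in one bridge
            if vlan_parent.get(port) in ports:
                findings.append(("vlan-and-parent-bridged", bridge, port))
    return findings

# Constructed sample that combines lines from both configs posted in the thread.
SAMPLE = """/interface ethernet
set ether3 master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
/interface vlan
add interface=ether2 name=VLAN-OFFICE vlan-id=2
/interface bridge port
add bridge=BR-OFFICE interface=ether2
add bridge=BR-OFFICE interface=ether4
add bridge=BR-OFFICE interface=VLAN-OFFICE
"""
for finding in lint(SAMPLE):
    print(finding)
```

A bridge that holds one port from each switch group, as in the "add ether6 individually" option from Edit2, produces no finding.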