Need help with complex VLAN setup :( !!

Hello,

I would like to use my main switch (MikroTik CRS317) not only as a managed switch, but also as a fall-back router for my pfSense router/firewall.

The incoming provider connection has two VLANs: one for IPTV and one for internet. For the internet VLAN the switch should behave as a PPPoE client. Note that ^gateway-one^ is providing the default route to the internet.

The switch is also managed remotely via my network, so there is a second gateway (-2) that also has a default route, not towards the internet but towards my management VLAN. I am considering using multiple VRFs.

The main functionality of the CRS is ^managed 10G-switch^. For that purpose the switch is connected with a trunk to my firewall and with other trunks towards the NAS, server and small switches.

I defined the provider VLANs based on the physical interface port and defined a WAN-bridge. Then I defined the PPPoE server. That is working.

The data destined for or arriving from the internet should be connected to the destination VLANs. I defined two: one for my PC LAN and one for my guest LAN. I defined the VLANs in the ^interface tab^ using type vlan. That seems to be OK and, as expected, I could assign a VLAN ID and bridge.

Using those VLANs I could also define an address range and bridge. VRF and DHCP are also definable. So that is about everything you expect when you define a router-internal VLAN gateway.

But that is where the problems are starting:

  • I would expect those VLANs to show up under the bridge definition as VLANs ....... but nope, not so
  • I can import them in the bridge as interfaces ..... not as VLANs ....
  • so for a moment I assumed that I could / should see the imported VLANs as vlan-gateways, not as the VLANs themselves
  • however, I do need real vlan-defs in the bridge in order to connect the VLAN to ports/trunks as present in the bridge
  • so I did define ^new^ VLANs inside the bridge having the same VLAN ID ...... which does not feel OK

So, just hoping that this was working, I went to tools and did a ping test:

  • As expected I could ping the "vlan-gateway" from the "vlan-gateway" and I could ping using the bridge port
  • But no way to ping the "vlan-gateway" from the bridge-internal "second" identical VLAN

I spent many hours trying to understand how to define VLANs, starting with defining the ^vlan gateway^ and how to tie that "vlan-gateway" to the vlan-ports as related to those VLANs. The next problem is of course the firewall-related rules. Hopefully easier to manage :smiley:

As you understand, I need help to set up VLANs in the described complex setup. I am really lost :frowning: !!


Here a rough impression of the intended setup:

ImpressionTargetSituation.JPG

I spent another couple of hours trying to solve the VLAN setup problem ..... without success :frowning:

I try to explain the problem using the attached picture (shown at the bottom).

In the picture, the main bridge contains a couple of VLANs connected to the outside world using mostly trunks.

The VLANs are defined via the bridge menu (vlans), connecting the involved interfaces. That works for a managed switch without routing functionality.

However, in this case I also want the CRS to behave as a router, so I need to add VLAN interfaces/gateways, which provide the connection to the router core and functionality like VLAN subnet, DHCP server, DNS, internet access etc.

That is where the problem is. In pfSense you simply define a VLAN interface and you are ready. But in RouterOS I am lost.

  • I defined a VLAN under interfaces, which is, I think, a vlan-interface which you can use as VLAN "gateway"
  • I did assign a subnet to that gateway and a DHCP server, things I could not tie to VLANs as defined in a bridge.
  • And I can use those vlan-interfaces in the firewall, so that looks OK as well

However, that is where the problem starts :frowning: :frowning: I need to relate / connect ^the vlan-gateway^ to the managed switch VLANs .... and I simply do not manage .....

I tried that by including ^the vlan-gateway^ in the bridge. That is possible .... but it does not work ....

I tried to:

  • ping the vlan-gateway from a VLAN trunk: NOPE (using ping tool)
  • ping the PC from the vlan-gateway: NOPE (using ping tool)
  • ping the vlan-gateway from the PC: NOPE
  • etc

So I am still completely lost.

Note that I am using the latest stable RouterOS 7 version.
Below are some small parts of the config.

Louis


[admin@MikroTik] /interface> print
Flags: X - DISABLED, R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

skipped some lines
;;; GW_CRS_GUESTS
17 R GW_CRS_GUESTS vlan 1500 65531 DE:55:2B:43:9F:24
;;; GW_CRS_MNGT
18 R GW_CRS_MNGT vlan 1500 1588 CC:2D:E0:A3:91:64
;;; GW_CRS_PCLAN
19 R GW_CRS_PCLAN vlan 1500 1588 CC:2D:E0:A3:91:64
20 R IPTV bridge 1500 65535 62:C5:B1:38:3B:61
;;; Internet via VLAN 6
21 R KPN-INTERNET-WAN vlan 1508 1594 CC:2D:
;;; IPTV via VLAN 4
22 R KPN-IPTV-WAN vlan 1508 1594 CC:2D:
;;; defconf
23 R MAIN-bridge bridge 1500 1592 CC:2D:
24 R MNGT-bridge bridge 1500 1592 CC:2D
;;; Router bridge
25 R Router bridge 1500 65535 DE:55:
;;; pfSense
26 RS RouterConn bond 1500 1592 CC:2D:
27 WAN (PPPoE KPN) pppoe-out
28 R WAN-bridge bridge 1508 1598 CC:2D:

[admin@MikroTik] /ip/address> print
Columns: ADDRESS, NETWORK, INTERFACE

ADDRESS NETWORK INTERFACE

;;; LocalMngt
0 192.168.88.2/24 192.168.88.0 00 RJ45-CRS317-MNGT
1 192.168.201.1/24 192.168.201.0 GW_CRS_PCLAN
2 192.168.202.1/24 192.168.202.0 GW_CRS_GUESTS
[admin@MikroTik] /ip/address>

[admin@MikroTik] /ip/dhcp-server> print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME, ADD-ARP

NAME INTERFACE ADDRESS-POOL LEASE-TIME ADD-ARP

;;; CRS_GUESTS
0 GUESTS GW_CRS_GUESTS GUESTS 30m yes
;;; CRS_PCLAN
1 CRS_PCLAN GW_CRS_PCLAN PCLAN 30m yes


[admin@MikroTik] /ip/dhcp-server/network> print
Columns: ADDRESS, GATEWAY, DOMAIN

ADDRESS GATEWAY DOMAIN

;;; CRS-PCLAN
0 192.168.201.0/24 192.168.201.0 crs-pc.lan
;;; CRS-GUESTS
1 192.168.202.0/24 192.168.202.1 crs-guests.lan

[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

0 As 0.0.0.0/0 192.168.88.3 1
DAc 192.168.88.0/24 MNGT-bridge 0
DAc 192.168.201.0/24 GW_CRS_PCLAN 0
DAc 192.168.202.0/24 GW_CRS_GUESTS 0

[admin@MikroTik] /interface/bridge> print
Flags: X - disabled, R - running
0 R name="IPTV" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto
mac-address=62:C5:B1:38:3B:61 protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

1 R ;;; defconf
name="MAIN-bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto
mac-address=CC:2D:E0:A3:91:64 protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=no admin-mac=CC:2D:E0:A3:91:64 ageing-time=5m priority=0x8000 max-message-age=20s
forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=88
frame-types=admit-all ingress-filtering=yes dhcp-snooping=no

2 R name="MNGT-bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto
mac-address=CC:2D:E0:A3:91:64 protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

3 R ;;; Router bridge
name="Router" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto
mac-address=DE:55:2B:43:9F:24 protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1
frame-types=admit-only-vlan-tagged ingress-filtering=yes dhcp-snooping=no

4 R name="WAN-bridge" mtu=auto actual-mtu=1508 l2mtu=1598 arp=enabled arp-timeout=auto
mac-address=CC:2D:E0:A3:91:54 protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
[admin@MikroTik] /interface/bridge>
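As an added example (not from the post above and not MikroTik's own documentation), this is the minimal RouterOS 7 CLI for one routed VLAN on a VLAN-filtering bridge, reusing the post's names and subnet (MAIN-bridge, GW_CRS_PCLAN, 192.168.201.0/24); the VLAN ID 201 and the port names sfp-sfpplus1 and sfp-sfpplus2 are assumed placeholders. The two points it shows are that the VLAN interface's parent is the bridge itself (it is not added as a bridge port), and that the bridge must be listed as a tagged member in the bridge VLAN table, which is what delivers the VLAN's frames to the router (CPU) side.

```routeros
# Added example (not from the original post): one routed VLAN on a
# vlan-filtering bridge in RouterOS 7. Names from the post: MAIN-bridge,
# GW_CRS_PCLAN, 192.168.201.0/24. ASSUMED placeholders: VLAN ID 201,
# sfp-sfpplus1 (trunk to pfSense), sfp-sfpplus2 (access port for a PC).

# 1. Bridge with VLAN filtering. ingress-filtering drops frames whose
#    VLAN is not allowed on the ingress port, so a host cannot inject
#    tags for VLANs it is not a member of.
/interface bridge
set MAIN-bridge vlan-filtering=yes ingress-filtering=yes

# 2. Ports: the trunk accepts only tagged frames; the access port gives
#    untagged frames VLAN 201 and refuses tagged frames from the PC.
/interface bridge port
add bridge=MAIN-bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
add bridge=MAIN-bridge interface=sfp-sfpplus2 pvid=201 \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. Bridge VLAN table. The bridge itself (MAIN-bridge) must be a TAGGED
#    member: this is what hands VLAN 201 frames up to the router. Without
#    it the VLAN interface in step 4 exists but is unreachable.
/interface bridge vlan
add bridge=MAIN-bridge vlan-ids=201 tagged=MAIN-bridge,sfp-sfpplus1 \
    untagged=sfp-sfpplus2

# 4. The L3 "vlan-gateway": a VLAN interface whose parent is the bridge.
#    It is NOT added as a bridge port and no second VLAN with the same ID
#    is created anywhere else.
/interface vlan
add name=GW_CRS_PCLAN interface=MAIN-bridge vlan-id=201

/ip address
add address=192.168.201.1/24 interface=GW_CRS_PCLAN

/ip pool
add name=PCLAN ranges=192.168.201.100-192.168.201.199
/ip dhcp-server
add name=CRS_PCLAN interface=GW_CRS_PCLAN address-pool=PCLAN lease-time=30m
/ip dhcp-server network
add address=192.168.201.0/24 gateway=192.168.201.1 dns-server=192.168.201.1

# 5. Checks: the VLAN entry should list MAIN-bridge under CURRENT-TAGGED,
#    the PC's MAC should appear in the host table with VID 201, and the
#    gateway address should answer from its own VLAN interface.
/interface bridge vlan print
/interface bridge host print
/ping 192.168.201.1 interface=GW_CRS_PCLAN count=3
```

The same pattern repeats for the guest VLAN (GW_CRS_GUESTS, 192.168.202.0/24) with its own VLAN ID and bridge VLAN entry; traffic between the two VLANs is then routed, so the isolation between guest and PC LAN is enforced by the IP firewall on the CRS, not by the bridge.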