Need help with setting up VLAN

I have the following setup:

VLAN1 (WORKING)

add arp=enabled disabled=no interface=ether1 l2mtu=1522 mtu=1500 name=MAIN-VLAN use-service-tag=no vlan-id=246

It's added to a trunk-bridge with ports ether1 and main-vlan id 246 as above

IP Address is assigned to the VLAN = public ip address provided by service provider

I now need to link a remote site through the same provider, however I can’t seem to get the VLAN setup for the new link working.

Details provided:

VLAN ID = 1087 service tag enabled

What I have done is create a vlan with the above id and tag, added to the vlan as a port on vlan-trunk-bridge

Added a local ip 192.168.150.1/24 to vlan1087

on the remote site I have done the following

Created a VLAN with id 1087 service tag enabled on ether1

created a trunk-bridge
added port ether1 and vlan1087

Added IP 192.168.150.2/24 to vlan1087

I then created a srcnat masquerade rule under firewall

I am still however unable to get the link up.

Have I created it correctly, as the provider keeps saying it’s my configuration that must be at fault, and I am now wondering.

Since the VLAN 246 is working, why won't the 1087 work?

Provider needs my original working vlan with ID246 tagged, but when tagging is enabled it’s not functioning.

They are using cisco routers, what would I need to do to get it working. Quite frustrated at this stage and have no idea what to do or where to turn.

Post your full config. Easier to read. Also post exactly what is coming in from your ISP…

Here is an export:

I know that the vlan 1087 setup is incorrect just been trying everything to see if it will work

I never worked with VLANs until switching to this provider.

Oh! The link is a fiber link…coming in, to a fiber converter, then to ether1 on router.

Same on the other end

And what exactly is supposed to be coming in via Ether1? Which VLANs? Are they tagged? Service tag or normal?

Eth1 is Vlan 246 - What my internet comes in on - this was untagged (add service tag=enabled/disabled)

They want it to be tagged, but when tagging is enabled it does not work anymore, they say it’s something to do with incompatibility between my equipment and theirs

So they want the tagging on the main-vlan#246 so that I can run another vlan on the same link to a site where I want to co-locate, and create a hotspot.

The new vlan id =1087

As soon as I enable add-service-tag internet goes down and original vlan246 becomes inoperable.

Remove the tagging and it’s working.

I enabled tagging and it stops functioning, so ISP ignores the tagging on their end, and it comes up again.

They are using cisco, I am using mikrotik on both ends of the link.

They have other clients that use mikrotik, apparently something needs to be done on my equipment to get it working, but they can’t say as they say they don’t have experience with mikrotik, I have asked them to ask their clients that use mikrotik, but doubt they will bother to ask.

So you have a bunch of issues with the way your VLANs are setup…

Remove ether1 from all of the bridges etc… add two vlans to ether1 with the appropriate settings. Make a bridge that contains ether2/ether3 and anything else from the “inside” network. Configure everything else… basically treat VLAN_A as your internet connection and VLAN_B as the other VLAN connection from your ISP.

If you post your config without verbose mode it is much easier to deal with… FYI.

The current config isn’t handling the tags correctly.

I will give your instructions a go when it will impact users the least.


How do I export non-verbose?

I only know how to export file=“name” or export compact file=“name” to get all the configs of the routers.

export compact.

Have edited the export above to show compact export.

Thanks, I figured that it was something with the config, I hope that it will work once I have had a chance to modify, don’t want to do it during office hours as there will be quite an impact on clients.

Will let you know in about 12 hours, that will put us near midnight, and I’d be able to try the setup.

Modify the config and then post an updated version if it's still not working.

Can you also post what needs to be on your network?.. e.g. vlans, DHCP?, etc… diagram. I can help better.

I have tried the above recommendations.

If the vlan id=246 and eth1 are not on the same bridge port, it’s not working.

Link only works if they are in the same bridge

The router only requires the internet incoming via vlan id 246, which then forwards on to another mikrotik at a remote site, which then transmits to clients in that area.

I also want to add the new vlan id 1087 which will extend my presence via fiber to my equipment at a highsite some 40km away.

Currently this is not able to be implemented as we can’t get the link up, due to vlan issue.

I am willing to reconfigure the entire router.

Ethernet 1 = incoming vlans 246 and vlan 1087
Ethernet 2 and wireless bridged - > ethernet is sent into our offices, wireless transmits another mikrotik distribution point…configured and working.

The only links I require from the config is ethernet2 and 5Ghz-AP to be bridged and route traffic through the vlan for internet access.

The other wireless are inoperable at present, as they are not in use.

But as soon as the ethernet and vlan246 are not on the same bridge I have no access at all, as soon as they are added back to the bridge vlan246 becomes usable again.

I also don’t understand it as all the vlan tutorials in the wiki show that it does not require bridging, but it’s the only way I can get that link up.

Are you sure your ISP has it configured with tagging? If that config doesn’t work something seems wrong.

Just an update, just got back from the office.

I took a new RB800.

Tried your config without forwarding traffic anywhere.

Setup

VLAN 246 attached to ether1 no tagging
VLAN 1087 attached to ether1 tagging enabled

Applied public ip to VLAN246 (not to bridge)
Applied private IP 192.168.150.1/24 to VLAN187 (not to bridge)

Tried pinging gateway ip of ISP → No Joy

Created a Bridge added ether1 and VLan246 -->immediately started getting internet access.

I then modified the config for tagging on 246, and the same as above, only starts working when vlan246 and ether1 are added to a bridge.

Right… it seems like the traffic they are sending you isn’t tagged… Can you give me access to the router… just want to look at the traffic numbers.. Or post a screenshot of the interfaces with traffic passing. Something seems off.

-Eric
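
The suspicion in the reply above (frames arriving on ether1 without a tag) can be checked from a packet capture taken on the physical port. The following is an added example, not part of the thread: a Python classifier that reports whether each raw Ethernet frame is untagged, 802.1Q tagged (EtherType 0x8100, what RouterOS sends with use-service-tag=no) or carries an 802.1ad service tag (EtherType 0x88A8, use-service-tag=yes). The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_CTAG = 0x8100  # 802.1Q customer tag (use-service-tag=no)
TPID_STAG = 0x88A8  # 802.1ad service tag (use-service-tag=yes)


def classify(frame: bytes):
    """Return (kind, vlan_id) for one raw Ethernet frame."""
    if len(frame) < 14:
        return ("runt", None)
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in (TPID_CTAG, TPID_STAG):
        return ("untagged", None)
    if len(frame) < 18:
        return ("runt", None)
    # Tag control information: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID.
    (tci,) = struct.unpack_from("!H", frame, 14)
    kind = "service-tag" if ethertype == TPID_STAG else "802.1Q"
    return (kind, tci & 0x0FFF)


def summarize(frames):
    """Count frames per (kind, vlan_id) so a mismatch stands out."""
    return Counter(classify(f) for f in frames)


def build_frame(tpid=None, vid=0):
    """Build a constructed test frame: zeroed MACs, optional tag, IPv4 type."""
    header = bytes(6) + bytes(6)
    tag = struct.pack("!HH", tpid, vid) if tpid else b""
    return header + tag + struct.pack("!H", 0x0800) + bytes(46)


# Constructed sample: two untagged frames, one 802.1Q frame on VLAN 246,
# one service-tagged frame on VLAN 1087.
SAMPLE = [
    build_frame(),
    build_frame(),
    build_frame(TPID_CTAG, 246),
    build_frame(TPID_STAG, 1087),
]

if __name__ == "__main__":
    for (kind, vid), count in summarize(SAMPLE).items():
        print(f"{kind:12} vlan={vid} frames={count}")
```

If the provider's side really tags VLAN 246, the capture should show no untagged frames carrying the internet traffic; a count dominated by `untagged` matches the behaviour described in the thread, where the link only works with ether1 itself in the bridge.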

I can give you access.

but don't want to publish public ip and so on here.

Just send me an email… efaden at gmail.com. This is a really specific problem we can take offline.

-Eric