Need VLAN help

Task: to create VLAN across WAN. Below is the scenario:


MK router 1:
Port 1 → WAN(Internet)
Port 2 → VLAN X (LAN port that have access to internet traffic)
Port 3 → VLAN B (LAN port only allow access to Port 3 in MK#2)


MK router 2:
Port 1 → WAN(Internet)
Port 2 → VLAN Y (LAN port that have access to internet traffic)
Port 3 → VLAN B (LAN port only allow access to Port 3 in MK#1)

I am creating access for 2 locations that need access to the internet and to their other remote office via port 3. They need it to look like an extended LAN. I figured VLAN would be the perfect solution but I can’t get the MK router to work. Seems like I am missing something, like ‘trunk’ maybe?

I am using RB150 with 5 eth ports. RouterOS: 3.0

Any idea how I should solve this problem?

Thanks,
SB.

Hello:
I realized that I was looking at something like Q-in-Q that is offered by some other routers/switches. Since Mikrotik does not have Q-in-Q built in :frowning:, I was able to use tunnels along with the Mikrotik EoIP option. I don’t even have to mess with VLAN at all! :open_mouth:

Problem resolved! :sunglasses:

Thanks - SB

Mikrotik supports Q-in-Q; read the Mikrotik News, the announcement is there

Max
http://mikrotikexpert.com
http://maxid.com.ar

Interesting… Found the news but I can’t find anything anywhere that shows you how to do that. I searched through the V3.0 manual and it did not return anything for “Q in Q”, “QinQ”, or “Q-inQ”

Anyone have any idea?

QinQ sure uses less overhead, I think.

-SB

but… how do you plan to transmit the VLAN tag via the Internet? :slight_smile:

but… how do you plan to transmit the VLAN tag via the Internet?

Well, my users are not quite on the internet. We are the ISP, so they are all passing through my routers/switches before going out to the internet. So, if I am connecting the 2 locations, I have full control of all switches in between…

could you please post your config? because

should look like

MK router 1:
Port 1 → WAN(Internet) + VLAN B
Port 3 bridged with VLAN B

because if you put the VLAN interface on Port 3, it means that packets are transmitted from Port 3 with a VLAN tag - and on Port 3 there should be a device that understands VLAN tags

I would also be interested in your configs, as I’m currently trying to do something similar to your original setup. I am having nothing but trouble trying to run multiple VLANs across the same interface and I think using Q-in-Q will solve that.

not many devices support Q-in-Q…

I still can never get it to work!! I am just using simple MK to MK for testing. Anyone have any sample config?

-SB


and do you use some switch in MK-to-MK tests?

I did not use a switch in between, Just a wire between MK to MK.

I write in English, don’t I???

COULD YOU PLEASE POST YOUR CONFIGURATION?!?

VLANs work fine for me, so the error is in your config

Cool down bro. Just did not have a chance to get to it yet since I made so many changes to the config. Also, when I am connected to the MK, I am isolated from the internet. Ok, below is the export from router B. Router A has the same config except with a different IP on the same subnet for ether1 and vlan B.

# jan/01/2000 02:42:18 by RouterOS 3.3
# software id = P1NS-3TT
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no full-duplex=yes mac-address=00:0C:42:12:6D:6A \
    master-port=none mtu=1500 name="ether1" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no full-duplex=yes mac-address=00:0C:42:12:6D:6B \
    master-port=none mtu=1500 name="ether2" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no full-duplex=yes mac-address=00:0C:42:12:6D:6C \
    master-port=none mtu=1500 name="ether3" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no full-duplex=yes mac-address=00:0C:42:12:6D:6D \
    master-port=none mtu=1500 name="ether4" speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no full-duplex=yes mac-address=00:0C:42:12:6D:6E \
    master-port=none mtu=1500 name="ether5" speed=100Mbps
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name="bridge1" priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface vlan
add arp=enabled comment="" disabled=no interface=ether3 mtu=1500 name="vlanB" \
    vlan-id=33
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=175MHz cpu-mode=power-save \
    enable-jumper-reset=yes enter-setup-on=any-key
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=175MHz cpu-mode=power-save \
    enable-jumper-reset=yes enter-setup-on=any-key
/user group
add name="read" \
    policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,!ftp,!write,!policy
add name="write" \
    policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,!ftp,!policy
add name="full" \
    policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff
/ip ipsec proposal
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name="default" pfs-group=modp1024
/ppp profile
set default change-tcp-mss=yes comment="" name="default" only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name="default-encryption" \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
    ignore-as-path-len=no name="default" out-filter="" \
    redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
add area-id=0.0.0.0 authentication=none disabled=no name="backbone" \
    type=default
/ip hotspot service-port
set ftp disabled=no ports=21
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 \
    audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 \
    frame-size=300 frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no \
    streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether1 path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=vlanB path-cost=10 point-to-point=auto \
    priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.10.10.2/24 broadcast=10.10.10.255 comment="" disabled=no \
    interface=ether1 network=10.10.10.0
add address=172.16.0.2/24 broadcast=172.16.0.255 comment="" disabled=no \
    interface=vlanB network=172.16.0.0
add address=192.168.22.1/24 broadcast=192.168.22.255 comment="" disabled=no \
    interface=ether2 network=192.168.22.0
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 primary-dns=0.0.0.0 secondary-dns=0.0.0.0
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no
set pptp disabled=no
/ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
set vlanB discover=no
set bridge1 discover=yes
/ip proxy
set always-from-cache=no cache-administrator="webmaster" cache-drive=system \
    cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.254 \
    scope=255 target-scope=10
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set vlanB queue=default
set bridge1 queue=default
/radius incoming
set accept=no port=1700
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" \
    dst-start="jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term="vt102"
/system health
set fan-mode=auto use-fan=main
/system identity
set name="MikroTik"
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 \
    secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m \
    watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=10
/tool e-mail
set from="<>" server=0.0.0.0
/tool graphing
set store-every=5min
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
    filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only \
    filter-stream=yes interface=all memory-limit=10 only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0
/user
add address=0.0.0.0/0 comment="system default user" disabled=no group=full \
    name="admin"
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption \
    enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 \
    default-profile=default enabled=no keepalive-timeout=60 \
    mac-address=FE:68:6A:B5:36:EC max-mtu=1500 mode=ip netmask=24 port=1194 \
    require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s \
    preferred-gateway=0.0.0.0 timeout=1m ttl=50
/routing ospf
set distribute-default=never metric-bgp=20 metric-connected=20 \
    metric-default=1 metric-rip=20 metric-static=20 redistribute-bgp=no \
    redistribute-connected=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    timeout-timer=3m update-timer=30s
/ip dhcp-server config
set store-leases-disk=5m
[admin@MikroTik] >

-sb
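
The layout suggested earlier in the thread (VLAN B tagged on the inter-router port and bridged with the untagged customer port) can be checked against an export mechanically. The following is an added example, not code from any poster or from MikroTik: `parse_export`, `check_vlan_layout`, `POSTED` and `SUGGESTED` are names made up here, the two excerpts are constructed from the lines in this thread, and the parser assumes only the `add`/`set key=value` subset of export syntax.

```python
import re
# Constructed excerpts in export syntax: POSTED mirrors the VLAN/bridge lines of
# the export above, SUGGESTED is the layout proposed earlier in the thread.
POSTED = """\
/interface vlan
add interface=ether3 name="vlanB" vlan-id=33
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=vlanB
"""
SUGGESTED = """\
/interface vlan
add interface=ether1 name="vlanB" vlan-id=33
/interface bridge port
add bridge=bridge1 interface=vlanB
add bridge=bridge1 interface=ether3
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for add/set lines."""
    menus, path = {}, None
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-wrapped lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def check_vlan_layout(text, uplink, access):
    """Check: VLAN tagged on the uplink, bridged only with the access port."""
    cfg = parse_export(text)
    members = {}
    for p in cfg.get("/interface bridge port", []):
        members.setdefault(p["bridge"], set()).add(p["interface"])
    findings = []
    for v in cfg.get("/interface vlan", []):
        name, parent = v["name"], v["interface"]
        bridge = next((m for m in members.values() if name in m), set())
        if parent != uplink:
            findings.append(f"{name}: tagged on {parent}, expected {uplink}")
        if access not in bridge:
            findings.append(f"{name}: not bridged with {access}")
        if uplink in bridge:
            findings.append(f"{name}: bridged with untagged {uplink}")
    return findings
if __name__ == "__main__":
    print(check_vlan_layout(POSTED, "ether1", "ether3"))
```

The third finding matters for isolation: a bridge that holds both untagged `ether1` and `vlanB` merges the Internet-facing segment with the segment that was meant to reach only the remote Port 3.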