Hi All,
I’m new to this forum I’m sorry if this isn’t the place to ask this question…
So I have a pfsense device as my FW, and I just purchased a mikrotik device as it’s the cheapest I can find with sfp+ and I’m having some trouble restricting a port to just one vlan tag… I’ve done it in Unifi controller where I had to create a network and then assign a port a vlan tag and it worked fine, but I just can’t get it to work on the mikrotik. Is there something I have to do to get it to work? I just need the switch to be able to force a port to use a vlan tag I’ve created in the FW and use the rules from the firewall. Also one last question.. Will the rules from the FW be remembered in the mikrotik? Meaning the switch will remember rules and route packets where they need to be port-to-port or will it route them back to the FW then to where they need to be (Sorry if dumb question lol)?
You haven’t said which Mikrotik device you have, there are many with a broad range of capabilities and VLAN configuration differs significantly for some groups of devices.
Also one last question.. Will the rules from the FW be remembered in the mikrotik? Meaning the switch will remember rules and route packets where they need to be port-to-port or will it route them back to the FW then to where they need to be (Sorry if dumb question lol)?
Firewalling and routing interact with each other, but are separate processes. The routing determines the destination for ranges of IP addresses, and firewalling permits, drops or modifies packets between source and destination.
If you have a pfSense box to handle firewalling then that is likely to also be providing routing, in which case the Mikrotik would probably just be configured as a layer-2 switch.
Firewalling and routing interact with each other, but are separate processes. The routing determines the destination for ranges of IP addresses, and firewalling permits, drops or modifies packets between source and destination.
If you have a pfSense box to handle firewalling then that is likely to also be providing routing, in which case the Mikrotik would probably just be configured as a layer-2 switch.
So that means even if I have iSCSI traffic the packets will route all the way back up to the FW with 1G ports then back down to the SFP+ ports on the mikrotik? Is there a way to not do that?
That depends on your network architecture. Traffic within a layer2 network will be switched, e.g. IP traffic within the same subnet, whereas traffic between networks has to be routed.
I guess I have had it set up wrong for some time.. I’ve been reading about how to have VLAN tags passed from pfSense to the Switch which is a CRS354-48G-4S+2Q+RM
and I was told that I have to create a bridge with VLAN tag 10 for example, and then assign that bridge to a port? Is that the correct way to segment a port to only 1 VLAN? Also I wanted to create a VLAN for iSCSI is there a way to segment it out in the switch so the traffic moves through the switch and not back up to the FW
Thank you so much for your time! Sorry I’m not very strong with networking, but I have a good understanding of subnetting/vlans just I haven’t set up any mikrotiks before
The port connecting to your pfSense can either have all VLANs tagged (a.k.a. ‘trunk’), or one VLAN untagged and the remainder tagged (a.k.a. ‘hybrid’ or ‘trunk with native’).
It is considered to be good practice to separate general and iSCSI traffic, the iSCSI network shouldn’t need access to any other networks or the internet. You could either use separate network interfaces on devices connecting to untagged (a.k.a. ‘access’) switch ports for the appropriate VLANs, or a single network interface connecting to a trunk or hybrid switch port.
I just printed out all kinds of documentation so I can ready over tonight.. in the meantime what would I have to do to have port 3 on the switch pass down VLAN 10 from the fw? So if I were to hook up a device to that port then DHCP witch is in my FW will get passed down to it
One more question if i have port 6 & 7 tagged for iSCSI then layer 2 switching would happen on the switch and it would not get routed back to the firewall then back down correct?
Assuming all of the ports are in a VLAN-aware bridge, so
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1
add bridge=bridge ingress-filtering=yes interface=ether2
…
Then to make ether3 an access port for VLAN 10 (i.e. untagged) change the bridge port PVID
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=10
And add VLAN 10 tagged to the port connecting with your pfSense box (you haven’t said which one it is)
/interface bridge vlan
add bridge=bridge tagged=UPLINKPORT vlan-ids=10
One more question if i have port 6 & 7 tagged for iSCSI then layer 2 switching would happen on the switch and it would not get routed back to the firewall then back down correct?
Yes, the traffic would be switched between those ports.
Ok so I followed your steps and still I’m getting not DHCP from VLAN 10 on port 3.
My FW is on port 2, and I have a device that I want only on VLAN 10 on port 3. I’ve attached some screenshots to show you what I have so far let me know if there’s something wrong here that I should change. I want to pass all my vlans through port 2 from the FW as they have my DHCP/DNS settings in them, and I want only some ports to have just ONE vlan that as soon as something gets plugged into the switch it will automatically pull a DHCP address from the vlan thats on that port
Edit: I’ve had this working with Ubiquity Switch before so I know the vlans are working. I have esxi running right now that I can assign vlan tags to VM’s and theyre getting a DHCP address from the tag
In a terminal window run /export hide-sensitive and paste the configuration output in a code block (the icon above the reply box) which makes it more readable.
You only require /interface vlan entries if you wish VLANs to interface with services on the Mikrotik, they are not required for VLANs merely passing through the Mikrotik bridge/switch.
Under /interface bridge port setting frame-types= has no effect unless ingress-filtering=yes.
There is little point having /interface bridge settings use-ip-firewall-for-vlan=yes, with hardware acceleration packets are handled by the switch chip and never make it to the bridge, you can use switch chip rules although these are much more limited.
Adding IP addresses to child interfaces (ether1 in this case) often causes odd behaviour, they should be applied to the parent interface (bridge in this case).
None of those is the cause of your connectivity issue - you haven’t included your firewall uplink port in the bridge VLAN entries, also Mikrotik specifically warn against having untagged members of bridge VLAN entries which specify a range of VLAN IDs (in the configuration export you can see # port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry).
I would remove
/interface bridge vlan
add bridge=bridge vlan-ids=1-4094
and replace it with
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=10
plus additional entires for each VLAN you use.
if i have port 6 & 7 tagged for iSCSI then layer 2 switching would happen on the switch and it would not get routed back to the firewall then back down correct?
