Possible for packet tagged "outside" switch to use pass through?

RouterOS General
1

I apologize firstly, as I’m not sure I can adequately explain what I need. Hopefully this doesn’t come across as a bad question!

First of all, I have a Mikrotik CRS switch where I have implemented this VLAN strategy titled VLAN Example - Trunk and Access Ports.

I also have a Mikrotik CCR router that is aware of each of the VLANs coming in over the trunk port from the switch. I’ve created an interface on this router for each VLAN and assigned it an ip (such as 10.10.10.1/24 for VLAN 10). I then setup a corresponding DHCP server to hand out IPs in that same range for the given VLAN.

I have a small home office router plugged into the switch that normally gets tagged with VLAN 10, then assigned an ip of 10.10.10.25. I’d like that router to be assigned a public IP while keeping all the other devices coming into that access port on VLAN 10. One way I’d prefer to accomplish it is by logging into the router and having the router tag itself with VLAN 100, then make the Mikrotik router aware of VLAN 100 and have a DHCP server setup to assign from the pool of public IPs. When I try this now, the home office router loses all access to the network until I remove the VLAN 100 tag.

My questions:

  1. Is it possible to have untagged traffic coming into that access port and get tagged with VLAN 10, while at the same time having another device “self-tagging” with vlan 100 and then still get it back to the router?

  2. Are there alternatives to what I’m hoping to accomplish with the DHCP server? I do like the idea of a DHCP server because it’ll allow me to manage the IP assignments since I can set them as static after the fact and then still know which device is using it.

Thanks!

2

1 - Yes. Use a hybrid port which supports untagged and one or more tagged VLANs, an access port is untagged only.

2 - It depends on how your public IPs are delivered. If they are a routed subnet separate from the WAN transit, or the WAN connection is PPPoE, you can simply have a public LAN/VLAN and DHCP server plus suitable firewall rules, however if they are part of a WAN subnet it is more complex but can be done.

A sketch of the network setup and posting your configs (the output of /export hide-sensitive with the serial number and any other identifying information such as public IP addresses redacted) would provide a clearer picture.

3

Thanks @tdw for the quick reply.

If I’m not mistaken, the only difference between a hybrid and access port is the frame types that it allows? Hybrid appears to “allow all” while the access is set to “admit-only-untagged-and-priority-tagged”? Is there anything else I would need to do on the switch to allow VLAN 100 to leave via the trunk?

4

Trunk
add bridge=bridge interface=etherX ingress-filtering=yes frame-types=admit-only-tagged

Access
add bridge=bridge interface=etherY ingress-filtering=yes frame-types=admit-priority-and-untagged PVID=AA

Hybrid
add bridge=bridge interface=etherX PVID=BB

5

The /interface bridge vlan settings should include the interface in the tagged= list for the VLAN (assuming it’s a CRS3xx using a VLAN aware bridge, CRS1xx/2xx use a different setup for hardware-offloaded VLAN switching)

6

I’ve attempted to disable the ingress filter and modified the frame type. It still seems that when I go to vlan=100 from my home router, it doesn’t allow traffic through the switch. Granted, my only real proof of this is that I don’t get a response from a DHCP server. I also tried to torch the vlan-100 interface from the router but don’t see any packets tagged with vlan 100.

My home router is plugged into ether4. My trunk port to the Mikrotik router is combo2.

Switch Config

# nov/27/2022 15:11:40 by RouterOS 6.49.7
# software id = 
#
# model = CRS312-4C+8XG
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:28:C4:4F auto-mac=no comment=defconf ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] comment="Garage Switch"
set [ find default-name=combo2 ] comment="to Dell QoE"
set [ find default-name=combo3 ] comment="Attic switch"
set [ find default-name=combo4 ] comment="Tower Switch"
set [ find default-name=ether1 ] comment="Emergency / Empty"
set [ find default-name=ether2 ] comment="Port 1 - office"
set [ find default-name=ether3 ] comment="Port 2 wire - Garage 60LR Quinton"
set [ find default-name=ether4 ] comment="Home Office - Port 3 Wire"
set [ find default-name=ether8 ] comment="QoE Management 10.0.1.5"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment="Garage Switch Mikrotik" edge=yes frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=combo1 pvid=50
add bridge=bridge comment="Going to Mikrotik Router (via Dell QoE)" frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=combo2
add bridge=bridge comment="Attic Switch" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=combo3 pvid=40
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=combo4 pvid=9
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1
add bridge=bridge comment="Office - VL78" interface=ether2 pvid=78
add bridge=bridge comment="VL20- Quinton" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3 pvid=20
add bridge=bridge comment="VL78 Home Connection" edge=yes interface=ether4 pvid=78
add bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether5 pvid=78
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether6 pvid=78
add bridge=bridge comment="VL78: UISP / UNMS" ingress-filtering=yes interface=ether7 pvid=78
add bridge=bridge comment="VL78: QoE" ingress-filtering=yes interface=ether8 pvid=78
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether9
/ip settings
set max-neighbor-entries=2048
/interface bridge vlan
add bridge=bridge tagged=combo2 untagged=ether4,ether6,ether5 vlan-ids=78
add bridge=bridge tagged=combo2 vlan-ids=20
add bridge=bridge tagged=combo2 vlan-ids=10
add bridge=bridge tagged=combo2 vlan-ids=30
add bridge=bridge tagged=combo2 vlan-ids=40
add bridge=bridge tagged=combo2 vlan-ids=50
add bridge=bridge tagged=combo2 untagged=ether6 vlan-ids=9
add bridge=bridge tagged=combo2 vlan-ids=1
add bridge=bridge comment="vlan 100 will be used when we need an ip from the public pool" tagged=combo2 vlan-ids=100
/interface list member
add interface=ether9 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=combo1 list=LAN
add interface=combo2 list=LAN
add interface=combo3 list=LAN
add interface=combo4 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.1.6/24 comment=defconf interface=ether1 network=10.0.1.0
add address=10.10.10.12 interface=bridge network=10.10.10.12
add address=10.10.78.2 interface=bridge network=10.10.78.2
add address=10.255.1.2/30 interface=ether1 network=10.255.1.0
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=10.255.1.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MikroTik-CRS
/system routerboard settings
set boot-os=router-os

Router Config

# nov/27/2022 15:38:01 by RouterOS 7.6
# software id = 
#
# model = CCR2216-1G-12XS-2XQ
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp28-1 ] comment="ISP1"
set [ find default-name=sfp28-2 ] auto-negotiation=no comment="ISP2"
set [ find default-name=sfp28-10 ] comment="Port to Switch (management)"
set [ find default-name=sfp28-12 ] comment="Mikrotik Switch (access ports)"
/interface vlan
add interface=sfp28-12 name=vlan-1 vlan-id=1
add comment="" interface=sfp28-12 name=vlan-9 vlan-id=9
add comment="Quinton" interface=sfp28-12 name=vlan-20 vlan-id=20
add comment="Office (af60 ptp)" interface=sfp28-12 name=vlan-30 vlan-id=30
add comment="Attic Switch" interface=sfp28-12 name=vlan-40 vlan-id=40
add comment="Garage Switch" interface=sfp28-12 name=vlan-50 vlan-id=50
add comment="Home office" interface=sfp28-12 name=vlan-78 vlan-id=78
add comment="Gets assigned static IPs" interface=sfp28-12 name=vlan-100 vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Vlan-78 ranges=10.10.78.10-10.10.78.250
add name=dhcp ranges=10.10.10.10-10.10.10.250
add name=vlan-30 ranges=10.10.30.10-10.10.30.250
add name=vlan-10 ranges=10.10.10.10-10.10.10.250
add name=vlan-40 ranges=10.10.40.10-10.10.40.250
add name=vlan-20 ranges=10.10.20.10-10.10.20.250
add name=vlan-50 ranges=10.10.50.10-10.10.50.250
add name=vlan-9 ranges=10.10.9.20-10.10.9.250
# public ip range
add name=vlan-100 ranges=#########
/ip dhcp-server
add address-pool=Vlan-78 always-broadcast=yes interface=vlan-78 lease-time=5m name=dhcp-vl78 server-address=\
    10.10.78.1
add address-pool=dhcp interface=bridge1 name=dhcp1
add address-pool=vlan-30 interface=vlan-30 lease-time=5m name=dhcp-vl30
add address-pool=vlan-20 interface=vlan-20 lease-time=5m10s name=dhcp-vl20
add address-pool=vlan-40 interface=vlan-40 lease-time=5m name=dhcp-vl40
add address-pool=vlan-50 interface=vlan-50 lease-time=5m name=dhcp-vl50
add address-pool=vlan-9 interface=vlan-9 lease-time=5m name=dhcp-vl9
add address-pool=vlan-100 interface=vlan-100 lease-time=5m name=dhcp-vl100
/port
set 0 name=serial0
/routing table
add fib name=to_ISP1
add fib name=to_ISP2
add disabled=no fib name=isp1_bgp
/routing bgp template
set default address-families=ip as=xxxxxx disabled=no nexthop-choice=default routing-table=main
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 disabled=yes interface=qsfp28-1-2
add bridge=bridge1 disabled=yes interface=qsfp28-1-3
add bridge=bridge1 disabled=yes interface=qsfp28-1-4
add bridge=bridge1 disabled=yes interface=qsfp28-2-1
add bridge=bridge1 disabled=yes interface=qsfp28-2-2
add bridge=bridge1 disabled=yes interface=qsfp28-2-3
add bridge=bridge1 disabled=yes interface=qsfp28-2-4
add bridge=bridge1 disabled=yes interface=sfp28-1
add bridge=bridge1 disabled=yes interface=sfp28-2
add bridge=bridge1 disabled=yes interface=sfp28-3
add bridge=bridge1 disabled=yes interface=sfp28-4
add bridge=bridge1 disabled=yes interface=sfp28-5
add bridge=bridge1 disabled=yes interface=sfp28-6
add bridge=bridge1 disabled=yes interface=sfp28-7
add bridge=bridge1 disabled=yes interface=sfp28-8
add bridge=bridge1 disabled=yes interface=sfp28-9
add bridge=bridge1 disabled=yes interface=sfp28-10
add bridge=bridge1 disabled=yes interface=sfp28-11
add bridge=bridge1 disabled=yes interface=sfp28-12
/interface list member
add interface=sfp28-1 list=WAN
add interface=vlan-78 list=LAN
add interface=sfp28-2 list=WAN
/ip address
add address=x.xx.xxx.126/30 comment=ISP1 interface=sfp28-1 network=x.xx.xxx.124
add address=yy.yyy.yyy.1/24 interface=vlan-100 network=yy.yyy.yyy.0
add address=10.0.1.1/24 comment="Dell QoE" interface=vlan-78 network=10.0.1.0
add address=10.255.3.1/30 interface=sfp28-12 network=10.255.3.0
add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0
add address=10.10.78.1/24 interface=vlan-78 network=10.10.78.0
add address=10.10.1.1/24 interface=vlan-1 network=10.10.1.0
add address=10.10.20.1/24 interface=vlan-20 network=10.10.20.0
add address=10.10.30.1/24 interface=vlan-30 network=10.10.30.0
add address=10.10.40.1/24 interface=vlan-40 network=10.10.40.0
add address=10.10.50.1/24 interface=vlan-50 network=10.10.50.0
add address=10.10.9.1/24 interface=vlan-9 network=10.10.9.0
add address=zz.zzz.zz.210/30 comment="ISP2" interface=sfp28-2 network=zz.zzz.zz.208
add address=10.255.1.1/30 interface=sfp28-10 network=10.255.1.0
/ip dhcp-client
add disabled=yes interface=qsfp28-1-1
/ip dhcp-server network
add address=10.10.9.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.9.1 netmask=24
add address=10.10.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.20.1 netmask=24
add address=10.10.30.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.30.1 netmask=24
add address=10.10.40.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.40.1 netmask=24
add address=10.10.50.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.50.1 netmask=24
add address=10.10.78.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.78.1 netmask=24
add address=10.255.3.0/30 gateway=10.255.3.1 netmask=30
add address=yy.yyy.yyy.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=yy.yyy.yyy.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=10.10.10.1 name=www.somewhere.com ttl=1d5s
add address=10.10.78.9 name=unms.rimrockwireless.net
/ip firewall address-list
add address=yy.yyy.yyy.0/24 list=bgp-networks
add address=10.4.3.0/24 list=allow_to_router
add address=10.0.1.0/24 list=allow_to_router
add address=10.4.3.1-10.4.3.255 list=allow_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.10.10.0/24 list=allow_to_router
add address=174.230.207.251 list=allow_to_router
add address=10.0.3.0/24 list=allow_to_router
add address=10.255.3.0/24 list=allow_to_router
add address=10.10.78.0/24 list=allow_to_router
add address=10.10.30.0/24 list=allow_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allow_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log-prefix=test
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=invalid
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=ISP1_conn \
    out-interface=sfp28-1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1 out-interface=sfp28-1 \
    passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=ISP2_conn \
    out-interface=sfp28-2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 out-interface=sfp28-2 \
    passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="Home Office Outgoing IP over ISP1" out-interface=sfp28-1 src-address=\
    10.10.78.0/24 to-addresses=yy.yyy.yyy.11
add action=dst-nat chain=dstnat comment="Required for Incoming to hit khootz web server" dst-address=yy.yyy.yyy.11 \
    log=yes to-addresses=10.10.78.249
add action=dst-nat chain=dstnat comment="Incoming to Office" dst-address=yy.yyy.yyy.20 log=yes log-prefix=TED \
    to-addresses=10.10.78.136
add action=src-nat chain=srcnat comment="VLAN 9 Outgoing IP ISP1" out-interface=sfp28-1 src-address=\
    10.10.9.0/24 to-addresses=yy.yyy.yyy.209
add action=src-nat chain=srcnat out-interface=sfp28-1 src-address=10.10.20.0/24 to-addresses=yy.yyy.yyy.220
add action=src-nat chain=srcnat comment="Office Outgoing IP over ISP1" out-interface=sfp28-1 src-address=\
    10.10.30.0/24 to-addresses=yy.yyy.yyy.20
add action=src-nat chain=srcnat comment="VLAN 40 Outgoing IP over ISP1" out-interface=sfp28-1 src-address=\
    10.10.40.0/24 to-addresses=yy.yyy.yyy.240
add action=src-nat chain=srcnat out-interface=sfp28-1 src-address=10.10.50.0/24 to-addresses=yy.yyy.yyy.50
add action=masquerade chain=srcnat comment="Hairpin NAT for internal traffic to hit khootz" dst-address=10.10.78.249 \
    out-interface-list=LAN src-address=10.10.78.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT for internal traffic to hit UISP" dst-address=10.10.78.9 \
    out-interface-list=LAN src-address=10.0.0.0/8
add action=masquerade chain=srcnat comment="Regular masqerade out" disabled=yes out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp28-1
add action=masquerade chain=srcnat out-interface=sfp28-2
add action=redirect chain=dstnat comment="THIS BREAKS UI CUSTOMERS!! Redirect all DNS to internal server" disabled=\
    yes dst-port=53 protocol=udp to-addresses=10.10.10.1 to-ports=53
/ip route
add comment="Legit default route with no failover (disable this for failover logic to work)" disabled=yes distance=1 \
    dst-address=0.0.0.0/0 gateway=x.xx.xxx.125 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add blackhole disabled=no dst-address=yy.yyy.yyy.0/24 gateway="" routing-table=main suppress-hw-offload=no
add disabled=yes distance=5 dst-address=0.0.0.0/0 gateway=10.255.2.2 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Monitor host via ISP 1 ()" disabled=no distance=1 dst-address=1.0.0.1/32 gateway=x.xx.xxx.125 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="Monitor host via ISP 2 ()" disabled=no distance=1 dst-address=4.2.2.2/32 gateway=zz.zzz.zz.209 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Default Route Main / ISP1 ()" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=1.0.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Default Route Backup / ISP2 ()" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=4.2.2.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add disabled=yes distance=1 dst-address=zz.zzz.zz.208/30 gateway=zz.zzz.zz.209 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
/ipv6 firewall filter
add action=drop chain=input
/routing bgp connection
add as=399525 disabled=no input.accept-nlri=bgp_accept local.role=ebgp name=ToISP1 output.network=bgp-networks \
    remote.address=x.xx.xxx.125/32 .as=3356 router-id=x.xx.xxx.126 routing-table=main
add as=399525 disabled=no input.accept-nlri=bgp_accept local.role=ebgp .ttl=2 multihop=no name=ToISP2 \
    remote.address=zz.zzz.zz.209/32 .as=209 .ttl=2 router-id=x.xx.xxx.126 routing-table=main
/routing filter community-list
add comment="Used to set ISP2 to 90% affinity (use as a backup)" communities=208:90 disabled=no list=isp2-secondary
/routing filter rule
add chain=BGP-ISP1-In disabled=no rule=reject
/system clock
set time-zone-name=America/Boise
/system identity
set name=MikroTik-Core-Router
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
7

Per my previous post you have to explicitly add tagged port membership in /interface bridge vlan, just changing frame-types is insufficient. The switch only has tagged VLANs on combo2.

Why are you adding VLAN interfaces with an ID of 1 to various ports, it is unusual and not recommended unless you have a very specific use case.

8

Are you referring to the /interface/bridge/vlan section where vlanid exists on combo2? Or do you refer to /bridge/ports where the PVID is set to 1? When I couldn’t remove the PVID value, I had assumed I needed to add vlan 1 to the interface/bridge/vlan area. Am I safe to remove it from the vlan list for combo2?


Ah, I think I understand. I had originally thought that meant I needed combo2 to allow vlan 100 to go out. You are saying that in addition to that, I need to set ether4 to also be “Current tagged” since it’ll come in from outside through ether4. Right?