RB2011 not segregating VLANs properly

I am trying to add some new wireless APs to our current setup. I’ve got two different networks, a trusted network and a guest network. Each is on its own separate switch, but the guest network switch is only using 6 ports for wired connections. The trusted network is a couple of switches. On both the trusted and the guest network, all traffic is untagged and not on VLANs because they are on separate physical LANs.

By adding the new access points, I will have a wireless guest and wireless trusted network, but I will be segregating the wireless networks with VLANs. To get the traffic back to our trusted and guest wired networks, I’m trying to use an RB2011 to separate the VLANs on the trunk port and forward the traffic to the respective LAN, but I am running into some weird behavior.

After implementing the new APs and the RB2011, wireless clients have a hard time connecting to the trusted network. They can connect to the AP, but have a hard time getting a DHCP address. It usually takes some time (it varies). Eventually, a DHCP address might be given to the client, but most users aren’t waiting around long enough for it to happen. Even when a client gets an address on the trusted network, the client can’t communicate with other devices (servers, and sometimes even the gateway). When pinging from the client to a server or other device, sometimes pings just time out, sometimes I get one reply, and sometimes the local address of the client responds with “Destination host unreachable”. If I torch the ethernet port I’m using as the trunk port, I can see traffic going out on one VLAN but coming back on another VLAN. I don’t expect that.

Also, something else that is strange: I’m seeing traffic that isn’t supposed to be going through the RB2011. For example, if I torch my trunk port, I see connections between clients on the wired trusted switches and servers on the wired trusted switches. Very strange.

Here is my configuration, and attached is a simplified network diagram of what I’m trying to accomplish, plus some test pings.

#################
## Set master-ports
#################
/interface ethernet
	set [ find default-name=sfp1 ] master-port=none
	set [ find default-name=ether1 ] master-port=none
	set [ find default-name=ether2 ] master-port=none
	set [ find default-name=ether3 ] master-port=none
	set [ find default-name=ether4 ] master-port=ether3
	set [ find default-name=ether5 ] master-port=ether3
	set [ find default-name=ether6 ] master-port=none
	set [ find default-name=ether7 ] master-port=ether6
	set [ find default-name=ether8 ] master-port=ether6
	set [ find default-name=ether9 ] master-port=ether6
	set [ find default-name=ether10 ] master-port=ether6
#################
## Create VLANs on trunk port
#################
/interface vlan
	add name=vlan-private vlan-id=10 interface=ether2 disabled=no
	add name=vlan-guest vlan-id=20 interface=ether2 disabled=no
#################
## Create and configure bridges
#################
/interface bridge
	add name=br-private
	add name=br-guest
/interface bridge port
	add interface=ether1 bridge=br-private
	add interface=vlan-private bridge=br-private
	add interface=vlan-guest bridge=br-guest
	add interface=ether3 bridge=br-guest
	add interface=ether6 bridge=br-guest

Attachments: 2015-01-29_1016.png, 2015-01-29_0934.png

Have you looked at the switch chip VLAN functions? The switch chip can give you untagged access ports on (say) Ether 2-5 connected to one or more VLANs on a trunk port on (say) Ether 1 - and it does it at wire speed with no CPU impact. If you need the routerboard itself to access one or more of the VLANs that is possible too.

http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

Thanks for the reply.

I had looked at the switch chip VLAN settings, but got a little lost. With the RB2011, there are two switch chips, so I had some problems making sure traffic was forwarded between the two switches on the RB2011. I believe I tried to use a bridge interface to do this, but it didn’t work. Perhaps my configuration was wrong. I think I’ll try again and post a config for that, but if anyone else has any suggestions, they are very welcome.

I tried again to use switch chip features and it looks like it will work for segregating my VLANs (all other attempts looked good at first too), but the only thing missing to complete this next attempt is how to forward VLAN20 traffic between the two switches in the RB2011. Ether3 through ether10 are replacing the dumb network switch for my guest network connections (6 ethernet cables), so I’m trying to get the VLAN20 traffic on the trunk port, ether3-ether5, and ether6-ether10 on the same VLAN with traffic forwarding between all of those.

I tried a bridge interface again with ether1 and ether6 as the bridge ports, but that didn’t work. I can simply put an ethernet cable from ether5 to ether6 and that works. If I have to do it that way, I will, since I have 2 open ports after connecting all other cables from ether3 to ether10, but there must be a smarter way to do it within the router. Although, I probably did not need to add any configuration to switch2 if I just use a cable between the switches, but maybe I do if I do it within the router? Any ideas?

Also, just for my correct understanding, when I configure the trunk port with vlan-header=add-if-missing, does this mean that ONLY traffic forwarded from ether1(VLAN10) that isn’t tagged will get tagged with VLAN10 when it leaves ether2? And does it mean that ONLY traffic forwarded from ether3-ether10(VLAN20) that isn’t tagged will get tagged with VLAN20 when it leaves ether2? Any chance that traffic forwarded from ether1(VLAN10) that isn’t tagged will get tagged with VLAN20 instead or traffic forwarded from ether3-ether10(VLAN20) that isn’t tagged will get tagged with VLAN10 instead? It almost seems that this was my problem in my original post and it’s what I’m afraid of.

Here’s an updated configuration:

#################
## Set master-ports
#################
/interface ethernet
	set [ find default-name=sfp1 ] master-port=none
	set [ find default-name=ether1 ] master-port=none
	set [ find default-name=ether2 ] master-port=ether1
	set [ find default-name=ether3 ] master-port=ether1
	set [ find default-name=ether4 ] master-port=ether1
	set [ find default-name=ether5 ] master-port=ether1
	set [ find default-name=ether6 ] master-port=none
	set [ find default-name=ether7 ] master-port=ether6
	set [ find default-name=ether8 ] master-port=ether6
	set [ find default-name=ether9 ] master-port=ether6
	set [ find default-name=ether10 ] master-port=ether6
#################
## Configure switch chip settings
#################
/interface ethernet switch port
	set ether1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
	set ether2 vlan-header=add-if-missing vlan-mode=secure
	set ether3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether5 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether6 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether7 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether8 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether9 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set ether10 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
	set switch1-cpu vlan-mode=secure
	set switch2-cpu vlan-mode=secure
/interface ethernet switch vlan
	add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=10
	add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=20
	add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=20
#################
## Create management VLAN
#################
/interface vlan
	add interface=ether1 name=management-vlan vlan-id=10
#################
## Add address
#################
/ip address
	add address=192.168.88.1/24 interface=management-vlan

Thanks again for your help.
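As an added example that is not part of this thread and not MikroTik code: a small Python model of the switch-chip VLAN rules used in the updated configuration above (default-vlan-id on ingress, vlan-header on egress, vlan-mode=secure membership checks), transcribed from that configuration and run against the two questions in the last post: whether add-if-missing on ether2 can ever tag ether1's untagged traffic with VLAN 20, and whether VLAN 20 on switch1 reaches ether6-ether10. The rules are a paraphrase of the MikroTik switch-chip manual linked above; the model floods every frame to all member ports (no MAC learning), treats the two chips as fully separate, and models the CPU ports with the default vlan-header of leave-as-is, all of which are assumptions of this example rather than statements from the thread. Its `lint()` check flags the two things a practitioner would want to know before trusting the segregation: a port whose pvid has no VLAN table entry, and a VLAN defined on both chips with nothing joining them.

```python
"""Simplified model of RouterOS switch-chip VLAN handling (added example, not
MikroTik code). Rules paraphrased from the switch-chip manual:
  - an untagged ingress frame is assigned the ingress port's default-vlan-id
  - vlan-mode=secure drops a frame unless the ingress port is a member of
    that VLAN in the VLAN table
  - vlan-header is applied on egress: always-strip removes the tag,
    add-if-missing tags with the VLAN assigned on ingress, leave-as-is keeps
    whatever tag state the frame arrived with
Assumptions: frames are flooded to every member port (no MAC learning) and
the two switch chips never forward to each other.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    switch: str
    default_vlan_id: int = 1
    vlan_header: str = "leave-as-is"   # leave-as-is | always-strip | add-if-missing


@dataclass
class SwitchChips:
    ports: Dict[str, Port]
    # one (switch, vlan-id, port) entry per port listed in a "ports=..." line
    vlan_table: Set[Tuple[str, int, str]] = field(default_factory=set)

    def add_vlan(self, switch: str, vlan_id: int, ports: List[str]) -> None:
        for p in ports:
            self.vlan_table.add((switch, vlan_id, p))

    def forward(self, ingress_port: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        """A frame enters ingress_port tagged with vid (None = untagged).
        Returns {egress_port: vid on the wire, None = untagged}; {} = dropped."""
        ingress = self.ports[ingress_port]
        eff_vid = ingress.default_vlan_id if vid is None else vid   # pvid on untagged ingress
        if (ingress.switch, eff_vid, ingress_port) not in self.vlan_table:
            return {}                                               # secure: not a member
        out: Dict[str, Optional[int]] = {}
        for sw, v, p in self.vlan_table:
            if sw != ingress.switch or v != eff_vid or p == ingress_port:
                continue        # other chip, other VLAN, or the ingress port itself
            hdr = self.ports[p].vlan_header
            if hdr == "always-strip":
                out[p] = None
            elif hdr == "add-if-missing":
                out[p] = eff_vid    # the added tag is the ingress VLAN, never a different one
            else:
                out[p] = vid        # leave-as-is
        return out

    def lint(self) -> List[str]:
        """Static checks on the VLAN table before trusting the segregation."""
        warnings: List[str] = []
        for name, port in self.ports.items():
            if name.startswith("switch"):
                continue            # CPU ports have no pvid of their own in this model
            if (port.switch, port.default_vlan_id, name) not in self.vlan_table:
                warnings.append(f"{name}: pvid {port.default_vlan_id} has no vlan table entry, "
                                "untagged ingress frames are dropped in secure mode "
                                "(fine for a trunk, a problem for an access port)")
        chips_by_vid: Dict[int, Set[str]] = {}
        for sw, v, _ in self.vlan_table:
            chips_by_vid.setdefault(v, set()).add(sw)
        for v, chips in sorted(chips_by_vid.items()):
            if len(chips) > 1:
                warnings.append(f"vlan {v} is defined on {', '.join(sorted(chips))}; the chips "
                                "do not forward to each other, so these are separate segments "
                                "unless joined externally (e.g. a cable between the port groups)")
        return warnings


def rb2011_from_thread() -> SwitchChips:
    """The 'updated configuration' from the thread, transcribed into the model."""
    ports = {"ether1": Port("switch1", 10, "always-strip"),
             "ether2": Port("switch1", 1, "add-if-missing"),     # trunk, pvid left at default 1
             "switch1-cpu": Port("switch1"), "switch2-cpu": Port("switch2")}
    for i in range(3, 6):
        ports[f"ether{i}"] = Port("switch1", 20, "always-strip")
    for i in range(6, 11):
        ports[f"ether{i}"] = Port("switch2", 20, "always-strip")
    sw = SwitchChips(ports)
    sw.add_vlan("switch1", 10, ["ether1", "ether2", "switch1-cpu"])
    sw.add_vlan("switch1", 20, ["ether2", "ether3", "ether4", "ether5"])
    sw.add_vlan("switch2", 20, ["ether6", "ether7", "ether8", "ether9", "ether10"])
    return sw


if __name__ == "__main__":
    sw = rb2011_from_thread()
    print("untagged from ether1 ->", sw.forward("ether1", None))   # ether2 gets tag 10
    print("untagged from ether3 ->", sw.forward("ether3", None))   # ether2 gets tag 20, no ether6-10
    print("tagged 20 from ether2 ->", sw.forward("ether2", 20))    # ether3-5 untagged, not ether1
    print("tagged 20 from ether1 ->", sw.forward("ether1", 20))    # VLAN-hop attempt, dropped
    for w in sw.lint():
        print("WARN:", w)
```

Under these rules an untagged frame from ether1 can only leave ether2 tagged 10, because the tag added on egress is the VLAN assigned on ingress; the cross-VLAN tagging the first post worried about does not come from the switch chip. The lint output also makes the chip boundary explicit: VLAN 20 on switch1 and VLAN 20 on switch2 are two unconnected segments until something joins them, which is consistent with the cable from ether5 to ether6 working in the thread.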