Hi,
I have an (aged) RB433 and would like to utilize VLAN on eth1.
The goal is to have 2 VAPs bridged to two VLANs on eth1.
The switch chip (IC Plus 175C) which controls eth2 and eth3 does not support VLANs.
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1 ether 1500 1526
1 R ether2 ether 1500 1522 1522
2 ether3 ether 1500 1522 1522
3 S wifiDMZ wlan 1500 2290
4 wifiMasterAP wlan 1500 2290
5 S wifiPC wlan 1500 2290
6 R brDMZ bridge 1500 1522
7 R brManagement bridge 1500 1522
8 R brPCs bridge 1500 1522
9 RS vlDMZ vlan 1500 1522
10 RS vlMgmt vlan 1500 1522
11 RS vlPC vlan 1500 1522
[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid
# INTERFACE USE ADD-DEFAULT-ROUTE STATUS ADDRESS
0 vlMgmt no no searching...
1 ether2 yes yes bound 192.168.121.6/24
2 brDMZ no no searching...
3 ether1 no no searching...
4 vlPC yes no searching...
[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 I wifiDMZ brDMZ 0x80 10 none
1 I wifiPC brPCs 0x80 10 none
2 vlMgmt brManagement 0x80 10 none
3 vlPC brPCs 0x80 10 none
4 vlDMZ brDMZ 0x80 10 none
The attached switch (AT x610) is configured okay and works with that very same VLAN configuration on other ports.
Traffic indicates that packets are sent (Tx) but none are received (Rx).
Does anyone have an idea of how to approach this, please?
Cheers,
Stefan
Is Ether1 a port member of a bridge?
No, ether1 is not a bridge member. Should it be?
Try posting the config (output from /export compact) so we can see what is going on.
The switch configuration follows. The native VLAN setting should allow untagged traffic on the port (the “native VLAN”) to obtain an IP address from the DHCP server listening in VLAN 2000.
sw-core-01#show running-config interface port1.0.19
!
interface port1.0.19
description "trunk to wifi unit"
switchport
switchport mode trunk
switchport trunk allowed vlan add 2001,2006,2100
switchport trunk native vlan 2000
!
sw-core-01#show vlan all
VLAN ID Name Type State Member ports
(u)-Untagged, (t)-Tagged
======= ================ ======= ======= ====================================
1 default STATIC ACTIVE po1(t) port1.0.1(u) port1.0.3(u)
port1.0.23(t) port1.0.24(t)
1000 sq-vlServers STATIC ACTIVE po1(t) port1.0.21(t) port1.0.22(t)
port1.0.23(t) port1.0.24(t)
1006 sq-vlDMZ STATIC ACTIVE po1(t) port1.0.3(t) port1.0.21(t)
port1.0.22(t) port1.0.23(t)
port1.0.24(t)
2000 se-vlServers STATIC ACTIVE po1(t) port1.0.1(t) port1.0.4(u)
port1.0.5(u) port1.0.6(u) port1.0.7(u)
port1.0.8(u) port1.0.9(u)
port1.0.10(u) port1.0.11(u)
port1.0.12(u) port1.0.13(u)
port1.0.19(u) port1.0.23(t)
port1.0.24(t)
2001 se-vlMgmt STATIC ACTIVE po1(t) port1.0.2(u) port1.0.19(t)
port1.0.21(t) port1.0.22(t)
port1.0.23(t) port1.0.24(t)
2002 se-vlPhotography STATIC ACTIVE po1(t) port1.0.23(t) port1.0.24(t)
2003 se-vlCCTV STATIC ACTIVE po1(t) port1.0.23(t) port1.0.24(t)
2004 se-vlRobots STATIC ACTIVE po1(t) port1.0.23(t) port1.0.24(t)
2005 se-vlTelephony STATIC ACTIVE po1(t) port1.0.23(t) port1.0.24(t)
2006 se-vlDMZ STATIC ACTIVE po1(t) port1.0.3(t) port1.0.19(t)
port1.0.21(t) port1.0.23(t)
port1.0.24(t)
2100 se-vlPCs STATIC ACTIVE po1(t) port1.0.14(u) port1.0.15(u)
port1.0.16(u) port1.0.17(u)
port1.0.18(u) port1.0.19(t)
port1.0.20(u) port1.0.23(t)
port1.0.24(t)
sw-core-01#
The exported MikroTik (MT) configuration:
[admin@MikroTik] > /export compact
# jan/05/1970 16:19:20 by RouterOS 6.19
# software id = XH4Y-GCBY
#
# One bridge per segment (DMZ, management, PCs), each created with l2mtu=1522.
/interface bridge
add l2mtu=1522 name=brDMZ
add l2mtu=1522 name=brManagement
add l2mtu=1522 name=brPCs
# Auto-negotiation is switched off on ether1, the port that carries the VLANs.
# NOTE(review): the switch port config in this thread shows no speed/duplex
# setting; confirm both ends of the link agree.
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no
# Tagged sub-interfaces on ether1: 2006 (vlDMZ), 2001 (vlMgmt), 2100 (vlPC).
/interface vlan
add interface=ether1 l2mtu=1522 name=vlDMZ vlan-id=2006
add interface=ether1 l2mtu=1522 name=vlMgmt vlan-id=2001
add interface=ether1 l2mtu=1522 name=vlPC vlan-id=2100
# Three WPA-PSK profiles. profileWifiBusiness and profileWifiDMZ accept both
# wpa-psk and wpa2-psk; profileMasterAP is wpa2-psk only.
# NOTE(review): the pre-shared keys are exported in cleartext. Any value that
# was in use when this listing was shared should be rotated, and keys should
# be redacted before a config is posted.
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profileWifiBusiness \
supplicant-identity="" wpa-pre-shared-key=somethingnot2easy% \
wpa2-pre-shared-key=somethingnot2easy%
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profileWifiDMZ \
supplicant-identity="" wpa-pre-shared-key=whateverthatpskis \
wpa2-pre-shared-key=whateverthatpskis
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profileMasterAP supplicant-identity="" \
wpa2-pre-shared-key="sdgf53#\$hfhdfgryh545SRfdg\$218&^%"
# wlan1 is renamed wifiMasterAP (hidden SSID, profileMasterAP); wifiPC and
# wifiDMZ are virtual APs on top of it.
# NOTE(review): neither virtual AP sets security-profile here, so neither
# references profileWifiBusiness or profileWifiDMZ. Presumably they fall back
# to the built-in default profile, which this export does not show; verify
# that it enforces encryption.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g country="new zealand" disabled=\
no frequency=auto hide-ssid=yes l2mtu=2290 mode=ap-bridge name=\
wifiMasterAP security-profile=profileMasterAP ssid="v-C}2#TMKwh2B@7<" \
tx-power=30 tx-power-mode=all-rates-fixed
add disabled=no l2mtu=2290 mac-address=02:02:6F:48:DE:14 master-interface=\
wifiMasterAP name=wifiPC ssid="Skyline Business" wds-cost-range=0 \
wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=02:02:6F:48:DE:13 master-interface=\
wifiMasterAP name=wifiDMZ ssid="Skyline Enterprises" wds-cost-range=0 \
wds-default-bridge=brDMZ wds-default-cost=0
/port
set 0 name=serial0
# Each VLAN sub-interface is bridged with its matching virtual AP; vlMgmt is
# the only port of brManagement. ether1 itself is not a port of any bridge.
/interface bridge port
add bridge=brDMZ interface=wifiDMZ
add bridge=brPCs interface=wifiPC
add bridge=brManagement interface=vlMgmt
add bridge=brPCs interface=vlPC
add bridge=brDMZ interface=vlDMZ
# 192.168.88.1/24 sits on untagged ether1. The management address is assigned
# to vlMgmt, although vlMgmt is a port of brManagement (see the bridge ports).
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1 \
network=192.168.88.0
add address=192.168.120.66/26 interface=vlMgmt network=192.168.120.64
# DHCP clients on vlMgmt, ether2, brDMZ, ether1 and vlPC. vlMgmt and vlPC are
# bridge ports, yet the clients are bound to the VLAN interfaces directly.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=vlMgmt use-peer-dns=no use-peer-ntp=no
# The ether2 client is the only one that does not set add-default-route=no.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether2
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=brDMZ use-peer-dns=no use-peer-ntp=no
# NOTE(review): untagged ether1 lands in the switch port's native VLAN 2000
# (se-vlServers in the switch output), so this client asks for a lease in the
# server VLAN. Confirm that is intended for a Wi-Fi unit.
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=vlPC
/ip upnp
set allow-disable-external-interface=no
# The packet sniffer is limited to ether1, the trunk port under investigation.
/tool sniffer
set filter-interface=ether1
[admin@MikroTik] >
From the switch’s perspective, the MAC address of the RouterBoard is visible (per VLAN), but communication never makes it to layer 3, leaving the ARP table empty.
sw-core-01>show mac address-table | include port1.0.19
2000 port1.0.19 000c.4229.eef2 forward dynamic
2001 port1.0.19 000c.4229.eef2 forward dynamic
2006 port1.0.19 000c.4229.eef2 forward dynamic
2100 port1.0.19 000c.4229.eef2 forward dynamic
sw-core-01>ping 192.168.120.66
PING 192.168.120.66 (192.168.120.66) 56(84) bytes of data.
From 192.168.120.126 icmp_seq=2 Destination Host Unreachable
From 192.168.120.126 icmp_seq=3 Destination Host Unreachable
From 192.168.120.126 icmp_seq=4 Destination Host Unreachable
From 192.168.120.126 icmp_seq=5 Destination Host Unreachable
--- 192.168.120.66 ping statistics ---
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 4000ms
pipe 3
sw-core-01>show arp | include port1.0.19
The switch’s IP address is 192.168.120.126 and is therefore in the same broadcast domain.
You seem to have the management VLAN in a bridge. If you want to do that then apply the IP address to the management bridge. Otherwise remove the management VLAN from the bridge and leave the IP address on the VLAN interface itself.
I tried that too, but without success.
The moment I disable all VLAN interfaces (on ether1) a DHCP offer is being received on ether1 and normal Layer3 operations start.
The same goes for any DHCP client. If you have the VLAN interface in a bridge apply the DHCP client to the bridge - not the VLAN directly.
Although I have seen it working with the DHCP client on the VLAN interface rather than on the bridge, I have followed your advice and put all DHCP clients on bridges.
Enabling the vlan interfaces on ether1 leaves it numb, i.e. no DHCP address is being obtained.
The most recent /export compact
[admin@MikroTik] > /export compact
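# sep/17/2014 07:33:52 by RouterOS 6.19
# software id = XH4Y-GCBY
# NOTE(review): this listing was pasted without its comment markers, its
# line-continuation backslashes and its straight quotes. They are restored
# below so the export parses as a script; every value is as posted.
# One bridge per segment (DMZ, management, PCs), each created with l2mtu=1522.
/interface bridge
add l2mtu=1522 name=brDMZ
add l2mtu=1522 name=brManagement
add l2mtu=1522 name=brPCs
# Auto-negotiation is switched off on ether1, the port that carries the VLANs.
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no
# Tagged sub-interfaces on ether1. vlPC (2100) is disabled and, unlike the
# other two, is created without an explicit l2mtu.
/interface vlan
add interface=ether1 l2mtu=1522 name=vlDMZ vlan-id=2006
add interface=ether1 l2mtu=1522 name=vlMgmt vlan-id=2001
add disabled=yes interface=ether1 name=vlPC vlan-id=2100
# Three WPA-PSK profiles. profileWifiBusiness and profileWifiDMZ accept both
# wpa-psk and wpa2-psk; profileMasterAP is wpa2-psk only.
# NOTE(review): the pre-shared keys are exported in cleartext. Any value that
# was in use when this listing was shared should be rotated, and keys should
# be redacted before a config is posted.
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profileWifiBusiness \
supplicant-identity="" wpa-pre-shared-key=whateverthatpskis \
wpa2-pre-shared-key=whateverthatpskis
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profileWifiDMZ \
supplicant-identity="" wpa-pre-shared-key=anotherpsk \
wpa2-pre-shared-key=anotherpsk
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profileMasterAP supplicant-identity="" \
wpa2-pre-shared-key="sdgf53#\$hgfhryh545SRfdg\$218&^%"
# wlan1 is renamed wifiMasterAP (hidden SSID, profileMasterAP). The two
# virtual APs each reference their own profile: wifiPC uses
# profileWifiBusiness and wifiDMZ uses profileWifiDMZ.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g country="new zealand" disabled=\
no frequency=auto hide-ssid=yes l2mtu=2290 mode=ap-bridge name=\
wifiMasterAP security-profile=profileMasterAP ssid="v-C}2#TMKw2B@7<" \
tx-power=30 tx-power-mode=all-rates-fixed
add disabled=no l2mtu=2290 mac-address=02:02:6F:48:DE:14 master-interface=\
wifiMasterAP name=wifiPC security-profile=profileWifiBusiness ssid=\
"Skyline Business" wds-cost-range=0 wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=02:02:6F:48:DE:13 master-interface=\
wifiMasterAP name=wifiDMZ security-profile=profileWifiDMZ ssid=\
"Skyline Enterprises" wds-cost-range=0 wds-default-bridge=brDMZ \
wds-default-cost=0
/port
set 0 name=serial0
# Each VLAN sub-interface is bridged with its matching virtual AP. ether2 is
# also a port of brPCs, so brPCs joins ether2, wifiPC and the (disabled) vlPC.
# ether1 itself is not a port of any bridge.
/interface bridge port
add bridge=brDMZ interface=wifiDMZ
add bridge=brPCs interface=wifiPC
add bridge=brManagement interface=vlMgmt
add bridge=brPCs interface=vlPC
add bridge=brDMZ interface=vlDMZ
add bridge=brPCs interface=ether2
# The management address is on the bridge, not on the vlMgmt sub-interface.
/ip address
add address=192.168.120.66/26 interface=brManagement network=192.168.120.64
# All DHCP clients are bound to bridges. brManagement carries both the static
# address above and a DHCP client. The brPCs client is the only one that does
# not set add-default-route=no.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=brManagement use-peer-dns=no use-peer-ntp=no
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=brPCs
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=brDMZ use-peer-dns=no use-peer-ntp=no
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes primary-ntp=192.168.120.20
# The packet sniffer is limited to ether1, the trunk port under investigation.
/tool sniffer
set filter-interface=ether1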
[admin@MikroTik] >